Analysis
-
max time kernel
55s -
max time network
58s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
01-07-2024 10:57
Errors
General
-
Target
sv.exe
-
Size
63KB
-
MD5
c095a62b525e62244cad230e696028cf
-
SHA1
67232c186d3efe248b540f1f2fe3382770b5074a
-
SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
-
SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
-
SSDEEP
1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
Extracted
xworm
amount-acceptance.gl.at.ply.gg:7420
-
Install_directory
%ProgramData%
-
install_file
svhost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sv.exe"C:\Users\Admin\AppData\Local\Temp\sv.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rxofcx.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\shutdown.exeshutdown -r -t 30 -c "Stop using this!"3⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\uhzfiy.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a80055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\svhost.exeFilesize
63KB
MD5c095a62b525e62244cad230e696028cf
SHA167232c186d3efe248b540f1f2fe3382770b5074a
SHA256a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA5125ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52431029b8517efea93a9398e1329f1a4
SHA163d24072c9ebe9464591c0bdb7775490a2963535
SHA25640f51f896db3df4814f6a09005335c66c70165688f1c02addf77ebc514990e46
SHA51217d1e68d549f45921fb3a19a2ccaf17b3273f23973224e3a345c2c4c3abd283bf794acc79b70ebae18f33001a6242c96a4b14f61b421e70dbb2da0452bdfd266
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD571c473e661b7b2cb3c45d719888501ff
SHA1450a1d10d1867c3361495dbd91dbd59ac1a4a719
SHA256be7903d697576b24392af5144ee61b018d84540f39a203f806ecc691ba143ad9
SHA51237dfd95c5eb7b136db3c9897bf9055dab688251ccf69f2f42bfc4809c582fdf0e2b72321f964771cafa1d0e956668ed2a5d6dd4a3f7f675a6f461727021b524b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD538f6c7cdda155e14cf539450ce80010e
SHA1f8dc0603887968ae946ef4bc34e90f584e7661c9
SHA256d76ce66bd78f1293fbbbe3851475af4a21d5c210e3f692a79a312c98e3b72bdd
SHA512064cbd065e76133869687feb34c09a1df125161d571ce4ccebef3ae677923cdebfc6917170fcebf95a44905bd0e0b17b6548351b724d3119242718d1a4e9061e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1VHY566D\base[1].jsFilesize
2.5MB
MD5ac3de75c235d50e7bfeef4cd1a467f8f
SHA11a9de51907658212c157f8437d2b0fe0ea529dfe
SHA2561785ae6a10434e5bd2321fb74f654b2c891ece01e90e4aa6eb048b9384f483a8
SHA5122e345e269abdafce4f33a2528ff30c299569497d1029e96f9757ee6aed678cb0f940cff6408d8c9ebfff3d6ea5d18b60d8974272594d413acd219dcc3d3fa048
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1VHY566D\desktop_polymer[1].jsFilesize
8.5MB
MD5897bf1aa3ced028df66570c9806356b9
SHA1bb67b634acbd0b0acca069e75f32c4a23386d506
SHA2562920fe109a0c2a541060bc7a082b056f0d036158e94e0bbde7e6967b96be40b3
SHA512d582c3a35a01050d92f3a34f4be7a0543a1987982536287d6221fe7a39551660245eeab2a15303d2bfc1a0c031854addc838b7ed89b0243d0808af5c6d43d30f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1VHY566D\web-animations-next-lite.min[1].jsFilesize
49KB
MD59e1f5b2285bce3a471297b1505058b57
SHA1c0cbe8b0a96f32c25adbae33932188d495a4135c
SHA256708021b0a03278843afdf5190777b25bead3458548e7c221ac1ff6f6e6e17bad
SHA512a10b9f0fa257580a1e44b5f756f99a149193d6b71f98590eba7bff2a6a3853c32a0d8d44a8967154eefab884d7964d148d38991393cc4785249f38253242099b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ELFG4B5W\css2[1].cssFilesize
2KB
MD55912f3bba71c222672dfa244a60acef0
SHA1317a49729bb8654c3986e6b32278258a1d692d81
SHA25648708ab3b01bc53a736f7f85e0badd9174872faa981e78b32c16c4efcaa59d99
SHA512770f13af0d6ebe7ff9d925efccd05b0b2e5afd5fbe19770562d88936d541a298a49aea028f5122a255fb5026b4a5f37c0cf52831212ecaaf378a5769ff0379f7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ELFG4B5W\webcomponents-ce-sd[1].jsFilesize
95KB
MD52b26e985df91c84424c744d8557bba69
SHA1901e4665ee79cd7420139e39fcee2db0eea683ee
SHA2564011a87b53c8fedc7e54076929d677a2d8f8cd76ab20ce4eb2e027778083cfcd
SHA512c9a27e9970123f2ae0d692834b6f1117f2f20d5835a1670a3bace470123471cd7754425976abccce4abac7612659bf31f755e3e8ad9ff807d0d3e74db4154a78
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ELFG4B5W\www-onepick[1].cssFilesize
739B
MD59ace9ca4e10a48822a48955cbd3f94d0
SHA11f0efa2ee544e5b7a98de5201fb8254b6f3eb613
SHA256f8fdbb9c5cdceb1363bb04c5e89b3288ea30d79ef1a332e7a06c7195dd2e0ec4
SHA51225354aeecb224fd6d863c0253cd7ad382dce7067f4147790ee0ce343f8c3e0efb84e54dd174116e7ad52d4a7e05735039fa1085b739abbe80f9e318e432eed73
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FRFMJ7YG\intersection-observer.min[1].jsFilesize
5KB
MD5e02d881229f4e5bcee641ed3a2f5b980
SHA129093656180004764fc2283a6565178eb91b5ef3
SHA2568037c1f1e0e4d3d7955f591a14a4b4d090141f1d210ef8b793ce5b345f08f7f5
SHA512f4e8e21b91ee33879a2295215cba91e12851891165fe3f9f98913022280ef8192fd3f5def06aa8ac1fbe6d43d09034b0bb8e29e8703366a012e1fde6ff2828db
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FRFMJ7YG\rs=AGKMywHRsn6N1PzL9qt2Miw8LXsmp_TMww[1].cssFilesize
2.8MB
MD56dd24f55997dc1fe2a82f12127600938
SHA187887b446bc8833f06dc22049a3303127d49cbd9
SHA256b9795325180907758d88efb5b18bb78437f01338a047d0f5940f443461107e63
SHA512822a90e7dad2114ff12964a64d00bf0cc370fc2ff167437b01719a32560eb9059726ac133e2ef97bb6e7c0b4c7947a7a6ce59d99c3ae12d673fd78e42f8f28cf
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FRFMJ7YG\www-main-desktop-player-skeleton[1].cssFilesize
2KB
MD5bc588241af4924efd9dc6e3e76c0ea4a
SHA11d24b3fb1f653b08999657bce3e4ce37edcf29d1
SHA256e855dcb4953fc7357621b64ac3958176b51b59e830a30430d7ade498e99a200d
SHA5123ed41d10ed476a2a7347bf2d798efac48eef8b5223e3633b225719e32224a5b4337697ab64259fed8b64319cc453376cc207a02975b981152ead5e06b79f0573
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FRFMJ7YG\www-main-desktop-watch-page-skeleton[1].cssFilesize
8KB
MD564c8e3b11cfffc8ebf2240e4f46ab492
SHA171276680811731f983502e477a87e87cfe72d75f
SHA2563acc199c41eb3c884ee9884c15e6b78975499be2255aa203dba38ef24440181c
SHA512497a48233bb198e05517e2cba003c2c5ba25183e1654b5b8252b9823f0859497ccab66a77e243238b27ea6eb826ae4fc72efb2f32b2b378edee7f9dfb87f4756
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MD490CXK\scheduler[1].jsFilesize
9KB
MD5becb09242ada686cc0548c341c887fea
SHA17fc1116c1131afdb1cc41bcb0a4456582a25e4f2
SHA256dd3586e5cd0042daabc1530380ad77232b204b1d87280aee384eddd3b5894228
SHA512a4aee486daf473d07d4ecbbd8afa776fe0117523a88487375198e46e2b8fc9605ab4b4e9e8e309bf119114ebdd097eb02a1fc0c2afe53c92f65f1f1801c4bba1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MD490CXK\www-i18n-constants[1].jsFilesize
5KB
MD5877a2b1590385d79323ef992abe9e961
SHA1f2f65882785537d6f3eeba7f02ea233f9e55672f
SHA256ff474db3ea4409f034cbae6ae738bc80fb18734ccd38f87fcde90d02e11cfac3
SHA512c7b9bda266c59a19476d7eaa3f6bc10d8d916345ff4195ee5932f5d5d884a487407552a29d576a9dd53dfd2588069c7376f660800f5ab7f8e1bea78cdd146e14
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MD490CXK\www-player[1].cssFilesize
371KB
MD5bbaf46f97cc646ee2bdc881bb3b30ba0
SHA1325f242a94e5a3fe4b5bd54bf7cd3d8080258bda
SHA256ec7c2db8eb1bd50b3cd2d8ece15e832fe9bb05d2a62b7b58d6ccfac399ec703f
SHA51233f3d843a3d00d5da32f7d18a99e667c86e5c3d6f4505b2df1eed559db02e9bda587f6843de956c873a902cd5e5aae2fb4c2e73560d27516e6891421a38211cf
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\HO75E5SA.cookieFilesize
230B
MD5b796095eef07b0a6d3e7e686c26cc0fc
SHA171eb28cb02fec156577b33794380334b34ad45e3
SHA256621159d051b255ef1aa91f6c04f66f5bf14b5c16a42fc07a6fc8bf6bea1bf1b0
SHA512ed060f2d329d620688d1f10b6e5ccacb623bc6fe176e7776d3b5d22d748e546fb444cc74a02b163969ef69e869069e64ee9f8cbbb8d5b1f9a1c9be17b118cdd3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\YCXXSINH.cookieFilesize
232B
MD5961246a74e0ee3dd7989b177e6bce7ba
SHA1d024b1c445eddebb175de0e354bc8d9daf697457
SHA25610faf801a6d378441439671bb7c0f0bd86f9a47b06f521a90bff6648a8135a99
SHA512f45d07867b5f33cd337df974f33b67101b22c7de210c1ac6f183f5f621bd0f46ce32b219fe9a981a6f0f9374e0126700ffef88c357874c0a0968926d8f339a16
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199Filesize
854B
MD58d1040b12a663ca4ec7277cfc1ce44f0
SHA1b27fd6bbde79ebdaee158211a71493e21838756b
SHA2563086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727
SHA512610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD525e25ce89e6314217a90ce2ccca52f01
SHA1b700ae160c8693d3d09cd7fe6167eecfb59fe091
SHA2569d3856c55b78249597f0799305393e02816d164dd2e97f6ff42684c8049ef89a
SHA512e5bce059149da7674d88569e265a1bd23605dade1e1787ce151e52ef8cd0a3fe05d7fe2ca23bb2a016fbaa5fd4ee95ce56f6394d791d19c75bba90ad39e3992e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_AF3BDC9312865949D5159FC0DE013AA0Filesize
472B
MD583675e7ecc9cd2e6a41d7ed8528d45b8
SHA155f9cdfb00433cdef9e48625660f50df96034ab5
SHA25686013e0cd2692ae4090b97b65512151042b828d422a5b6febef5f65b4138b5b4
SHA512d518c0cd5f1bdf7c852b7dceb4e8bd10f75712437811a81b1057c367e98639b919cb6adf1aa0ce2c505e9ffcab0b43f81136e01ed391de2b8dc81e366538f3a0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9Filesize
472B
MD51532f8bec1d945aefd54070b34d8e527
SHA137a614eb7824d404ed5e33f0a8d8228eedca6a4f
SHA25628dc23c37335697644190de2ed80e7322cd872db5fb9bdf4bf140ba1580275cc
SHA5127439ab5c76dcad67ff7b4f35b5a0dca3984a3be72f271afb98fd006f966039a76934979f45c2a0711220e40e11c97ccd44283c5f2fef307d05b1a6d4ed7a9e45
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199Filesize
170B
MD50087383934337d882cbfcfa8647a19d6
SHA19c32ab6db613a6528a5484144c6685e92974e363
SHA2566bbc950d665a243c746bc618b9be97440ef001ba8c463dc78f053bc5a5bba28f
SHA5128d1b8edf369b38f1c4abbf7ed1c1aee8a91f3f04be450dc0d128676d33b6aee148cdc9dc515c28b0bd46609d86860e88b2af61892e00cd6b8d8e4beb53f71b17
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD583f57cfec39194450053673eb6a32346
SHA157156821f0a39fad5ba083e184d1a21e9585a955
SHA256b06aa7e6e4dc64be62bfca894502c3c070487cc5b7dfd235a126395b38a53b86
SHA512024d04b35463d9104718518bd6d645a41e5612a8cdff9ff732cc5b0a5e050136b3a73be81c3816d2da503afc3b3f715093b34d8b86bdb3565b7858800b45b4df
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_AF3BDC9312865949D5159FC0DE013AA0Filesize
398B
MD5d17b29d9ad534ff8402252e9e7139c9c
SHA1906eeea95fa5ef0010f21cce2bd0e9eaa63932b3
SHA2568082429402a7a5cb56e4e1f707e03d79d0652f34510c98646879dadf8a5b3747
SHA51238fe693895dd76264abc9217e621fd21d575547f22b5b795837832d1e4bc8e0b0adc192d04f10aab779ad1d2a1e74052a3f658a853f430b81a99f05ba69fff39
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9Filesize
402B
MD57883096e30fb00a6e54c0fc32ecd6f5f
SHA13ecb2a3a7744a427c336bfe5a234bf0ed84f0e1c
SHA256fdc5780a132624ede9bac5ba7db0b6b304e36f73620cf3f32739ea4649652098
SHA512854f4314c4942e0aea1efc20d765bfccc0029d1f184ba4cdde72e6c722f70d2fb9c7cf7ea31fad835ce37a34e8486c4a145537395d6adf66e3260d9c0fb231d2
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ke4syjye.sox.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\rxofcx.batFilesize
72B
MD55e1b8916ee329f500e51c41010a9c327
SHA16413effc04552c786894889f2b7374c42aa1b7cd
SHA25672e86d40709e36d11cdb616eb1b50bdec1d86f9b5f8594422a1d3bbd7b31fd7a
SHA512c15c57442a703a42b43299429ba304dde0c038775c5b5ce6cc648b59005db7aba846ee00452b9a071931a353c55cb237e960cadc36cc3955b472a8fabfb555f6
-
C:\Users\Admin\AppData\Local\Temp\uhzfiy.txtFilesize
78B
MD586ec301953f9252687fb4a4eba9e775e
SHA1e245181761cac6375cd7e0023d6ca87471c25b8b
SHA256544319010bcf88498a69f1744591830db96cc3abdb3d09a1186f41f42485108b
SHA5120878245bc4e023d0a2b8f0154e3289438d2990bdddc33205b00f7722eff4dd0fd801343f63e26e3db516bfb77fee2f841413b2ea694f7ebe534a04f177b46457
-
memory/1348-225-0x000001FB505F0000-0x000001FB505F2000-memory.dmpFilesize
8KB
-
memory/1348-190-0x000001FB51320000-0x000001FB51330000-memory.dmpFilesize
64KB
-
memory/1348-206-0x000001FB51420000-0x000001FB51430000-memory.dmpFilesize
64KB
-
memory/2044-296-0x0000022A0DA00000-0x0000022A0DB00000-memory.dmpFilesize
1024KB
-
memory/2044-269-0x00000232218A0000-0x00000232218A2000-memory.dmpFilesize
8KB
-
memory/2044-261-0x0000023211600000-0x0000023211700000-memory.dmpFilesize
1024KB
-
memory/2044-297-0x00000232224F0000-0x0000023222510000-memory.dmpFilesize
128KB
-
memory/2044-265-0x0000023221860000-0x0000023221862000-memory.dmpFilesize
8KB
-
memory/2044-262-0x0000023211600000-0x0000023211700000-memory.dmpFilesize
1024KB
-
memory/2044-267-0x0000023221880000-0x0000023221882000-memory.dmpFilesize
8KB
-
memory/2876-48-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB
-
memory/2876-11-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB
-
memory/2876-6-0x0000021DEA900000-0x0000021DEA922000-memory.dmpFilesize
136KB
-
memory/2876-7-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB
-
memory/2876-9-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB
-
memory/2876-52-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB
-
memory/2876-12-0x0000021DEAAB0000-0x0000021DEAB26000-memory.dmpFilesize
472KB
-
memory/2876-41-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB
-
memory/3684-353-0x0000022A4CC00000-0x0000022A4CD00000-memory.dmpFilesize
1024KB
-
memory/3684-375-0x0000022A5D480000-0x0000022A5D4A0000-memory.dmpFilesize
128KB
-
memory/4036-397-0x0000023445AC0000-0x0000023445BC0000-memory.dmpFilesize
1024KB
-
memory/4036-403-0x00000234562B0000-0x00000234562B2000-memory.dmpFilesize
8KB
-
memory/4036-401-0x0000023456290000-0x0000023456292000-memory.dmpFilesize
8KB
-
memory/4036-399-0x0000023456270000-0x0000023456272000-memory.dmpFilesize
8KB
-
memory/5052-339-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB
-
memory/5052-186-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB
-
memory/5052-187-0x00007FFF8B983000-0x00007FFF8B984000-memory.dmpFilesize
4KB
-
memory/5052-0-0x00007FFF8B983000-0x00007FFF8B984000-memory.dmpFilesize
4KB
-
memory/5052-1-0x0000000000230000-0x0000000000246000-memory.dmpFilesize
88KB
-
memory/5052-415-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmpFilesize
9.9MB