Overview

overview

10

Static

static

10

sv.exe

windows10-1703-x64

sv.exe

windows7-x64

sv.exe

windows10-2004-x64

sv.exe

windows11-21h2-x64

Analysis

  • max time kernel
    55s
  • max time network
    58s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01-07-2024 10:57

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    sv.exe

  • Size

    63KB

  • MD5

    c095a62b525e62244cad230e696028cf

  • SHA1

    67232c186d3efe248b540f1f2fe3382770b5074a

  • SHA256

    a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

  • SHA512

    5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

  • SSDEEP

    1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

amount-acceptance.gl.at.ply.gg:7420

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svhost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\sv.exe
    "C:\Users\Admin\AppData\Local\Temp\sv.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3588
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4452
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/dQw4w9WgXcQ?si=L4P9OdVIObe1WQhT
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe6b3b3cb8,0x7ffe6b3b3cc8,0x7ffe6b3b3cd8
        3⤵
          PID:820
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
          3⤵
            PID:1708
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2180
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
            3⤵
              PID:2328
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
              3⤵
                PID:4820
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
                3⤵
                  PID:2720
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
                  3⤵
                    PID:1660
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
                    3⤵
                      PID:3164
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5328 /prefetch:8
                      3⤵
                        PID:3468
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
                        3⤵
                          PID:2060
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
                          3⤵
                            PID:4872
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3108
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
                            3⤵
                              PID:2128
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
                              3⤵
                                PID:2972
                              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
                                3⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1848
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
                                3⤵
                                  PID:5016
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
                                  3⤵
                                    PID:3368
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
                                    3⤵
                                      PID:1092
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiygww.bat" "
                                    2⤵
                                      PID:4660
                                      • C:\Windows\system32\shutdown.exe
                                        shutdown -r -t 30 -c "Stop using this!"
                                        3⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4664
                                    • C:\Windows\system32\NOTEPAD.EXE
                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dbxcjp.txt
                                      2⤵
                                      • Opens file in notepad (likely ransom note)
                                      PID:972
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:3500
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:1304
                                      • C:\Windows\System32\PickerHost.exe
                                        C:\Windows\System32\PickerHost.exe -Embedding
                                        1⤵
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2880
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:1092
                                        • C:\Windows\system32\AUDIODG.EXE
                                          C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3004
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                          1⤵
                                            PID:2016
                                          • C:\ProgramData\svhost.exe
                                            C:\ProgramData\svhost.exe
                                            1⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4392
                                          • C:\Windows\system32\LogonUI.exe
                                            "LogonUI.exe" /flags:0x4 /state0:0xa3a24055 /state1:0x41c64e6d
                                            1⤵
                                            • Modifies data under HKEY_USERS
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4608

                                          Network

                                          MITRE ATT&CK Matrix ATT&CK v13

                                          Initial Access

                                          Execution

                                          Command and Scripting Interpreter

                                          1
                                          T1059

                                          PowerShell

                                          1
                                          T1059.001

                                          Scheduled Task/Job

                                          1
                                          T1053

                                          Scheduled Task

                                          1
                                          T1053.005

                                          Persistence

                                          Boot or Logon Autostart Execution

                                          1
                                          T1547

                                          Registry Run Keys / Startup Folder

                                          1
                                          T1547.001

                                          Scheduled Task/Job

                                          1
                                          T1053

                                          Scheduled Task

                                          1
                                          T1053.005

                                          Privilege Escalation

                                          Boot or Logon Autostart Execution

                                          1
                                          T1547

                                          Registry Run Keys / Startup Folder

                                          1
                                          T1547.001

                                          Scheduled Task/Job

                                          1
                                          T1053

                                          Scheduled Task

                                          1
                                          T1053.005

                                          Defense Evasion

                                          Modify Registry

                                          1
                                          T1112

                                          Credential Access

                                          Discovery

                                          System Information Discovery

                                          2
                                          T1082

                                          Query Registry

                                          2
                                          T1012

                                          Lateral Movement

                                          Collection

                                          Exfiltration

                                          Command and Control

                                          Impact

                                          Resource Development

                                          Reconnaissance

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\ProgramData\svhost.exe
                                            Filesize

                                            63KB

                                            MD5

                                            c095a62b525e62244cad230e696028cf

                                            SHA1

                                            67232c186d3efe248b540f1f2fe3382770b5074a

                                            SHA256

                                            a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

                                            SHA512

                                            5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                            Filesize

                                            2KB

                                            MD5

                                            437395ef86850fbff98c12dff89eb621

                                            SHA1

                                            9cec41e230fa9839de1e5c42b7dbc8b31df0d69c

                                            SHA256

                                            9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6

                                            SHA512

                                            bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            152B

                                            MD5

                                            d0f84c55517d34a91f12cccf1d3af583

                                            SHA1

                                            52bd01e6ab1037d31106f8bf6e2552617c201cea

                                            SHA256

                                            9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

                                            SHA512

                                            94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            152B

                                            MD5

                                            ade01a8cdbbf61f66497f88012a684d1

                                            SHA1

                                            9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

                                            SHA256

                                            f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

                                            SHA512

                                            fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                            Filesize

                                            528B

                                            MD5

                                            d4a6da4efdf279db427efab83c477dda

                                            SHA1

                                            51d6c2b11ba5db6c9f4ada33f181b7ab625f3c01

                                            SHA256

                                            5811c896bf0c2624178d0ada35694f6956efd2856126d82aa19c3d6159d8b943

                                            SHA512

                                            9b7bb7bb1a9206f35971a3507e64fe16bc640025226f509a71bb20f1e5aabf3848d7b84e080aad9be4f05ee68bc144d2b2a223275b7bf89cdaa1d05217051c37

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                            Filesize

                                            111B

                                            MD5

                                            285252a2f6327d41eab203dc2f402c67

                                            SHA1

                                            acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                            SHA256

                                            5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                            SHA512

                                            11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            5KB

                                            MD5

                                            56f8b893cbb10c956aefe6400c4fc9bc

                                            SHA1

                                            8f8e8d745786150de150dc831fbaf1499e287e5b

                                            SHA256

                                            392a6c3c627b48beae677726dd2401315fa594e87b51ab1f51d0a49d0d76e94e

                                            SHA512

                                            290891b0084b226ad41521b522c16da253aac1acbba02ef1f92ec30a29dacf7dd7595409a61eae51df092b9063fee1a5fffc20acff9833facf42d8143160cd6c

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            6KB

                                            MD5

                                            7de3786c188f767d534d3081f92c2599

                                            SHA1

                                            6baa7dcd838b44f7430e2e0d9fe93b94d2008e7c

                                            SHA256

                                            0cc7fe1712cb01e2871bfe2723463f37db867ad7c6ed2caca7e5b4d490b99298

                                            SHA512

                                            e6146b7664508b7eee99d7d650f0203933596e32fe952186fcc08f30caf99691681ca31566cc0200faf69fac1d60849f40af2365e2ec8b2ed045ca9ead06b964

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                            Filesize

                                            89B

                                            MD5

                                            ef151689385bb7eb943076d83080d7d1

                                            SHA1

                                            3aabb62722958045ee59fb2b1efe4bcd13beb64c

                                            SHA256

                                            b60731427a4dfba783069a5eb2d6b91ef2017050a7d8e26e67338fa9a69ee994

                                            SHA512

                                            e57636f480bfa75de07abe197025fd11085c1412f2a4fb1e355afd1c503e5709f8f9e00395feb80f3795d4acb8269da40fde1313c9c8a823c3cc2cdf1e92a657

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                            Filesize

                                            146B

                                            MD5

                                            f3004e458bd836c8c52aba6812b7e143

                                            SHA1

                                            dde67b335dc4377babac528db43b2caa00aac2fe

                                            SHA256

                                            488c1b8ce3eec2eca2a6f0eb039bab6bee090f8b69498c807c0a58421bf632c8

                                            SHA512

                                            6c467aa272a56ee64e4e9b94c0aeaac874682b088ee9a57b889ac615ec75f73bfe01d682bfaa7b304d8bed798623398d2c1db7645febb2370b161333d08d8bd3

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                            Filesize

                                            82B

                                            MD5

                                            0efb7e82db1b947e0655d232cc8b98e0

                                            SHA1

                                            560f8fbbb6b0c8ca61f4361ebc2078b90ef4d4af

                                            SHA256

                                            6744e524028c24e5dce1e4b6f0f76e68c58500149c3fc573cce7e299f16b2b57

                                            SHA512

                                            307b6c9adc453b781c2d68fffe736723fad4ada0866f7c5cdcee12bcbabf98c8fe331818d3ff214dded3f8dfe839421d2f03c688b9e72df6994f73a3d9baa675

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
                                            Filesize

                                            16B

                                            MD5

                                            46295cac801e5d4857d09837238a6394

                                            SHA1

                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                            SHA256

                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                            SHA512

                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                            Filesize

                                            72B

                                            MD5

                                            c4a56e058248dc22a69531f4e7a90cfd

                                            SHA1

                                            14c5585e2260ee8e31459bf5e99f82e01c722cb1

                                            SHA256

                                            c26efa985e21d4ac7d02d269f9418c245e44bcdb530abda4742a345d3cbd39bb

                                            SHA512

                                            2c50b24b0a030b9a37758a6ec6c3a55c1ef0141ba062fbf9f773855458a945d9bff96c49ed633531aa6df9dce85ea95b2254a03ef2a3527690d8c10ffeda119a

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583a64.TMP
                                            Filesize

                                            48B

                                            MD5

                                            3db2088a1de8dd856195a9e97f48060b

                                            SHA1

                                            ff2fca281a60ed2de9b8e1d373c4935a4f47af84

                                            SHA256

                                            3340291ada8221dc1f16f00d9b7ed2c13516135cad49d5eb0e9d430ff64df037

                                            SHA512

                                            0aa6935724ff3137a5d39d555145633d13f4714c218fad8d635e97fc7769b59d18d7ffd38a7b249e63311089939a63611ac510a464a589fb225a25510f701136

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                            Filesize

                                            16B

                                            MD5

                                            206702161f94c5cd39fadd03f4014d98

                                            SHA1

                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                            SHA256

                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                            SHA512

                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            10KB

                                            MD5

                                            88f5b49db579c55c99b1cd72c59bf974

                                            SHA1

                                            48fd7a01f9e68501db9220cdd33f0fc70d0aec5e

                                            SHA256

                                            6215d5befef14938a0a9d9e4b0406b736183c4d2152adb6582bc06d3c937883c

                                            SHA512

                                            5aeaf8e4ae293d2234c859b279da3ccd813394ef37e19495575e9029cdf09dd788516d45be478155123a64c8460c2965222c54e554814d5b1a1224e869471ae2

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            11KB

                                            MD5

                                            fd64b1186dfa97602c38e303ca8f3e61

                                            SHA1

                                            d75a22791106310f8eef2c44cd5844cef514e334

                                            SHA256

                                            9fcd3d75f400065b0f8553187db3e9ae11651f8440ef6a6aab59c1fa9c551804

                                            SHA512

                                            c105764f5ed0e3db3569b7d876c37f17da76c19e681745396bbc8960bfad5945827658ca57d99a97b42fce8053c289e0ea73a64cb1ff33fd853b68b1950d3cba

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            25fdee90fce7b0b96dc2ee97ec66834a

                                            SHA1

                                            c32a6f1e3b1033bec69a5a41de255c98944dcdc9

                                            SHA256

                                            c433a9b0345ba06be0b2acc2fcb9d689f81837ada86b6fee2fb2b4b838d1ea6c

                                            SHA512

                                            b76230cb1cee4dc3e434bc49b239525f4ea51f449b0587b828a8888c6ff54d26c5cd16219934dbe44d4f84057d8e77bbc458d71e55b10d79ef8d0eda74e7399d

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            e07eea85a8893f23fb814cf4b3ed974c

                                            SHA1

                                            8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

                                            SHA256

                                            83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

                                            SHA512

                                            9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Filesize

                                            944B

                                            MD5

                                            050567a067ffea4eb40fe2eefebdc1ee

                                            SHA1

                                            6e1fb2c7a7976e0724c532449e97722787a00fec

                                            SHA256

                                            3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

                                            SHA512

                                            341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvbmz1ed.rdx.ps1
                                            Filesize

                                            60B

                                            MD5

                                            d17fe0a3f47be24a6453e9ef58c94641

                                            SHA1

                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                            SHA256

                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                            SHA512

                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Temp\dbxcjp.txt
                                            Filesize

                                            78B

                                            MD5

                                            86ec301953f9252687fb4a4eba9e775e

                                            SHA1

                                            e245181761cac6375cd7e0023d6ca87471c25b8b

                                            SHA256

                                            544319010bcf88498a69f1744591830db96cc3abdb3d09a1186f41f42485108b

                                            SHA512

                                            0878245bc4e023d0a2b8f0154e3289438d2990bdddc33205b00f7722eff4dd0fd801343f63e26e3db516bfb77fee2f841413b2ea694f7ebe534a04f177b46457

                                            Download Submit
                                          • C:\Users\Admin\AppData\Local\Temp\qiygww.bat
                                            Filesize

                                            72B

                                            MD5

                                            5e1b8916ee329f500e51c41010a9c327

                                            SHA1

                                            6413effc04552c786894889f2b7374c42aa1b7cd

                                            SHA256

                                            72e86d40709e36d11cdb616eb1b50bdec1d86f9b5f8594422a1d3bbd7b31fd7a

                                            SHA512

                                            c15c57442a703a42b43299429ba304dde0c038775c5b5ce6cc648b59005db7aba846ee00452b9a071931a353c55cb237e960cadc36cc3955b472a8fabfb555f6

                                            Download Submit
                                          • \??\pipe\LOCAL\crashpad_1508_MHYKEQCTPUIBKDEF
                                            MD5

                                            d41d8cd98f00b204e9800998ecf8427e

                                            SHA1

                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                            SHA256

                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                            SHA512

                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                            Download Submit
                                          • memory/724-171-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
                                            Filesize

                                            10.8MB

                                            Download
                                          • memory/724-0-0x00007FFE59E73000-0x00007FFE59E75000-memory.dmp
                                            Filesize

                                            8KB

                                            Download
                                          • memory/724-53-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
                                            Filesize

                                            10.8MB

                                            Download
                                          • memory/724-1-0x0000000000E20000-0x0000000000E36000-memory.dmp
                                            Filesize

                                            88KB

                                            Download
                                          • memory/724-404-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
                                            Filesize

                                            10.8MB

                                            Download
                                          • memory/1320-17-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
                                            Filesize

                                            10.8MB

                                            Download
                                          • memory/1320-14-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
                                            Filesize

                                            10.8MB

                                            Download
                                          • memory/1320-13-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
                                            Filesize

                                            10.8MB

                                            Download
                                          • memory/1320-12-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
                                            Filesize

                                            10.8MB

                                            Download
                                          • memory/1320-11-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp
                                            Filesize

                                            10.8MB

                                            Download
                                          • memory/1320-10-0x000002DFF8C40000-0x000002DFF8C62000-memory.dmp
                                            Filesize

                                            136KB

                                            Download