Analysis
-
max time kernel
474s -
max time network
471s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 14:41
General
-
Target
https://necrocracked.sell.app/invoice/1530332/deliverable?signature=faf2a849ce78cae616f381cea417cf99a53b4581d99e8931297cac3d7696f947
Malware Config
Extracted
xworm
-
Install_directory
%Public%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/UWpQULMP
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
AutoIT Executable 33 IoCs
AutoIT scripts compiled to PE executables.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 9 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://necrocracked.sell.app/invoice/1530332/deliverable?signature=faf2a849ce78cae616f381cea417cf99a53b4581d99e8931297cac3d7696f9471⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc83c046f8,0x7ffc83c04708,0x7ffc83c047182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5924 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5248 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=4876 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4232 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,1255364068036578343,3138301837232311137,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5844 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8.zip\Ro-exec\READ ME (ro-exec).txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault72761a25hb81bh47c0h9821hab1216ac8fef1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc83c046f8,0x7ffc83c04708,0x7ffc83c047182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,1393579155700213185,6079593191075133997,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,1393579155700213185,6079593191075133997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc6daa8f3h19c5h4736h8385h3e63fe399e001⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc83c046f8,0x7ffc83c04708,0x7ffc83c047182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,9487224788955888846,5221348235504653659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,9487224788955888846,5221348235504653659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8.zip\Ro-exec\READ ME (ro-exec).txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\defcon.exe"C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\defcon.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\defcon.exeC:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\defcon.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\defcon.exe"C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\defcon.exe" /TI3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe"C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loader-upd.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe"C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe"C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe"C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\loader-upd.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader-upd.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5cff358b013d6f9f633bc1587f6f54ffa
SHA16cb7852e096be24695ff1bc213abde42d35bb376
SHA25639205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9
SHA5128831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5dc629a750e345390344524fe0ea7dcd7
SHA15f9f00a358caaef0321707c4f6f38d52bd7e0399
SHA25638b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a
SHA5122a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58ba3b4a97d7d2e35e1f738dad9682d8b
SHA15871fb31c57cb2d7a9b3e23e29cfaa4ab584ccae
SHA256ebcbded4b54769af0c683030258eb09c317b25e7778612d8d7c977cc48a42340
SHA51258f734bafdfa2ef3c287556786070d2c5df1e8d90aa33659d78ec9b866e4eea1a1c4314b2cabfb2cb097dc2e9a4d48dd77e3956cdf59734474d277d5e2ff7d91
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD527d8e834fea5a6d5738bded5df914aba
SHA1dc57839efc2c69fc28b9609fe5c7ebc1e12e2ebb
SHA2562807b610ba351e992e116f2dfb35e8419b2198241957d9e2a5efdfe0099b306e
SHA5121d9bd906b2b9dd7239b2875480353045229ee2a83233595927d372fa72e4b30ce6daf3a8d168fda1780c95ec3f283f797de35345ad1336a2e2366af893333b26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
120B
MD567c044a051da9a69ef7c437c6ab814af
SHA1a7fd85da7b632eb1b7bbb332c2c95d630e96fad1
SHA25693b0ca4837845365e96b0df7bff5ae0b7d2eb22131dc2774783ea1c98bb5003a
SHA512659364aaea2e5d8b85119358108cd28deb4a370dfd5fa543c278d54026bb9a484668f5e616efc178429141417c2e73b16465a7b6ab908365f7ce7084b526b15c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD53fd8103a2c71e66e4707ac7d723f4610
SHA12477ae884b23b86e0c23aeb926d2d009c8ecefd9
SHA256e402c767b31dd165b545d03c6a1e05135645db4740d37f5ad9dc08f782b8377d
SHA512c54cbd423bb687ff80bea9fb02019b4131f220da04ad2a8d432edc90ca3f653425bc6503be7e3c224f41b07b02124017e3c4cab82c26fdf2783fa4113fc7191a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5e6fd951364dbeea65e0d4eb8aeca070c
SHA19b18f4d18ed6b0523a36c75b86c2ede57482d7f0
SHA256a881822439afc6c375fc18800dc2ad11e533fdcddffdf4220fb62330ea8bb105
SHA512faed9f34fac654016675eb7b9c48a845c3add4965dd28c69829904112a4da9d11f7d4600631d0047afd0288c0dda518138a4d3f66765c8815a2c3914c13f287a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD512846968289e9f0d39c25d6c234384ab
SHA15f0748a37af1528c45b701029b6dea4a551d1e49
SHA25658f2a4af7b9ed22cd5cec9f9e3eeb452b81b7cb296f2965657febe4515c3cd6a
SHA51218b6c2467a21580ff97e699b2f5762df722991688082a7d5f47b5eb4863d6ad8d3a984690db620427b351b18d79b7829d37d6d5ea1540ed9150b0e24d0ec1d06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
869B
MD5093925a5d7c28c089fed71275d478776
SHA1074bdf9558e24b83436aee966a361d7f555a05cc
SHA25632044e51ee375ac10c510aa66e8e8ebf283dcca936b6d29e1bcc4610d17fa3d8
SHA512370fc3d41757018026b2f8796d8b30331ebf55ddb1c27648a7cc0bd408713c254540d9afe6dead1f61e9e0797a7b55eba3bb0f939f383d4c87d010f1df277319
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
869B
MD50360bd79956b6f0947ee73fcf5c58a16
SHA1c456ff34d7081941c11e57648f27694819d49fc4
SHA2566cfa73d6d29cca46a494c6d888cc921c3f40b3fc5b1a8f24a747cd530f63df65
SHA512d3472f5c787b911f43e97e3970dff59fbce4a275f2b3ea887a8e470e063affd626f7985b423b14cc4440e416e5f3e300c62da4b4977d6adb94e8bb475afc5989
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD521badc3e27b0c7e7fc0dbc160ef1485f
SHA1ac7c75fb05231adbd5c09d1702a821f2dab5dde8
SHA25695da68b20199815a4e7649743bc4c639615116baf59b405653663c6fe8608094
SHA512e23e7f2994217e0c812dbd3cecd42007fb91ddf3d0673a883074839b8da6340c016df72f6a58fb05c9081b862a2dfbbbf6bc22d41ddedb456d740717d6fe1539
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD54fd59a3b7906ff44baff87e01fd1e005
SHA1912f83259bf86b0f58ac9eab11f2b8678e56122b
SHA25612aaffeef797ef6010606e44c98f1a9472dd4cfe210a3484f3ff102843803171
SHA512a70cfe07b7e0647135e833bd8f6d205c9abf57042f48ef06515f6a713318999e7b50a6bd73fcb33ca53a72cecc16a7291a3541aa4fa0c35ad0c752f910aa6d3d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e3e390cb5e392fc9bc0b15b412e7d160
SHA1a0cbb03895f256326a1e83e406e333bbc9590170
SHA2561cb85e97046d6bbe13ec2f92981732b3ee8eda3b83729e93cd0bb163a4871e4d
SHA5125e734cdcf01111f3f29276a2227fd8370ce8c15c31575402e8c9263927bf375cd5a70b7e6ab24163bc3fb1416184f8d9dfd56a047fca9a7204a113ca9fb3a6bb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5469f8b2b6e438810d31ed3a49d51f937
SHA1c8ef4c3bca471b5bb316de50a9602c4c6acd6fc7
SHA25607d6e0221f8680edbaacf501081c4d5e63fc9bd3b311376da1f3f8fafc4d3876
SHA5128102f49798f073ee9abc0256b8fead33fcf71fb70b87e492ca697923c8d9bcc70fbc306bbe61444bc20c7a84d406f442528142f840d1dab222dd85ad2b091509
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5259230805672fe232c933c3eb581ee8e
SHA1f1a652839009e329157ebbb10c3ad732e19d514a
SHA25628104c6e6e01d924fdcfe16cf5c699acb48dc2b07eddfb2a500f1a8067d5ed63
SHA51252ab6539ad80e1cde0c770f3bff0c390145db4973bc614552ac9e6afba4b92f153cc742ded283bf5558a16d4b829622f797f7615b3360b48750faad600d44794
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD50b7efe1ff6fda5adfc7bca167e632d76
SHA1f1000c49e13a15d19c7e5e56df72d55d36349c41
SHA25681d069493ed8c8ff348921027f3e6931c39229b7b6ee6a4c0f0f00899e971d28
SHA51299b969855eadd9831dcd2ac28be8c2fd30461129ddc71fc2e3ffe0eb0ed18e78c63ecf0e8923338e2b4b6aac12ee5a7121b1b317c6c5bf65a47521a2e65d99ee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5893c5ccaafc39ddfb93136ad2cb13cba
SHA1dda4d10d8c8a4fb558afb35ab6243582918c951c
SHA25622373dd7dd93dabb209756a25fd7080742dc73ace46672447a9bcb82babc76d1
SHA512d83f7400c999aa8a8b6481feb60a586a6be8934f95a3244df78cc62dd98f8df5fbdca70f9945e2e3a516789ee6913e6b8b606b3c3410f41af04f003e07c4cee1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51c884183ecaf27c249ca7ab0f9953b53
SHA1c874e85c79f5f85abccc1f1768f3035b8c5f1a3a
SHA2567faad92e7a6b7cb9f79ad9f6a480ebfa52e3eff2e82838117596ab7a86ad63f2
SHA512b524a6f77bbfe33c87ad5044ff4831f85c072db64600a63a0d94565ed53db9512c4d1d60706f83c701d590986bd7357c0495b4fd404aed9639826f292bd0430e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5349ec55b44325173f8cc9ce285be9179
SHA19fd967d756ef29182ad5600f6cf81d4a40649ed3
SHA25647b1dc560940f51045df26c92d59fbc11ec53f24d32dd045ef456103472b9e46
SHA5129f0928e5e726f05711187644b2c04e9a3d5da347ea2066e2d4d398a269d6753c2186c8496618b5c36e3888faa990273899f183be3929a5548de8b936ed0c358f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51af97e72e8aae4b7f17301a6148d477d
SHA1b71d2dbc106fe6ca0977f2f3c554478dfddd53ed
SHA2566cb026cd10e5bd31d823858161b9691d69db150e8987a00ffe4816df414518fd
SHA5124eb447f9902cfb1cd585d128ecee7a3f629079a2e1024fb16749431cda0088e34205ffbc4f0817f6973010b054508fb928840ff497181a30f588522758867163
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5f5948a94377a3a6a40323d91617df632
SHA100a9e1b91b1baf08be71cb9233ee9144b4e84955
SHA2566623f6e31b33441f85120b7b303fa8368377aafa61a5286fb5138599de45f792
SHA5126e1f0b72848debe675548f1f0028c6f147605db3c94b17e659c8c3b3eed041ab60622eb450b3c9f410fcc5e1eb8bacc4aeca5b0df3b05efbdd5d2f0f09eca15b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD517cdaa7b82f0f0ce68998d067753a93d
SHA14b38cee2997ad589d0395def5835e791b0d753b7
SHA256623a2d694c464e09f0bade62e25809a9d207c9fdc5f6d534d558c9e99956d2a7
SHA512d45a284158263c5dfaff45662d681b257700bb3384dc0b702559d841307df385867373e2f6e1deb2788213ed2d4612fc8419d4f02b5c87463606fe8ab095e3bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD539d5c3d50826f153ab020ec6003e1ecf
SHA1053bca03cd9673902b2523b96a19d3aff539e77e
SHA25694d67c6df53b45e97e1b0428917a034d2be5ea789082efa56dbedfbbda875bf1
SHA512e069965d3ebd86ae893c55359f3280e4c4813942bb9691ea3d56a783dadb7f8925e207ad71b40dbb5dd51d9868b9818479161aeb314d8ec4d42d86a813ea29cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5eab1d4c79d77da477a720d6c225efd72
SHA1b31a2c5d662643926451fb2c58f4a617b6b56296
SHA25620aa6028ac32fd91c4242f7e829046a744f70c4d49ad5d1c4cf5a06bdefefb2e
SHA5126c25f797a84c25d1551e6b7eb043de3e201485d2fc2aabf7ec5db506a486f1604aaf9a52951f1f9e6e5ca9fce46bdd72ad212046c6225e2a034c2dd681435ccc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c49496654ee5ecf3034d364c2b4b1f50
SHA10a0125c391b4068c17d3a87168cbd0c5fbfd5683
SHA2565f70f1b89b29afa422dccb4e1f2cea5bfec79eb57d04bb1d21b660382e250121
SHA5123a0843441eb0afc08800bc8d946fa3af612b1632e98442fc40d54c687f05faab2188caad597cd5d3591e4b2db1b0475e4df5b359ed8f8be85f9879d268e0732e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5515388f167695c1634e538e98619a540
SHA1ab591a77c6a2551400b1f68df2af2d9fd3d71f72
SHA25666fe9e9d73c235fa5d305b936876790399efabb2d8b3ab49bf0fe6d6509e8120
SHA512042b1a380d50df865ee925188b43c8ef7dce7fd68ed9782a2d36b310214ffe3b37d402df747d2ac93c69dd7bc762ae4da23bca623f4dec96079edc4647fc6bd5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a2b3.TMPFilesize
203B
MD5f2406b149a914a80545a29e378d7a34e
SHA11bbb84252acd98d5cb3f969ec32c69df259ee10c
SHA256a6164b774777692a1d5193bca6a12f2e179578f60d0b5db1e34c414a9b3a5ac4
SHA5126a350af9aa0aacda4db06676a9193d659ec0c6efccf1ddd1d4756eda59a6e7403f369e846bb2c167b7e4b3e84b4794acd391b2cada9d3ec84c2b31375de50fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD51d193673e8838f8c4268222b53bd55dc
SHA114382db8d36c8fbda9a44e1081b06c6eb01af370
SHA256ada0e21a425c16a6857eaa36945fe7ccf539099dfd1467fcd49515bbcad3b5d8
SHA5121c98d42ff89832b96126fb8eab6b1768de17ade1192471fd3d278d7297d6ba108d9290b474c2eacd4e5d4e3edf3892acd831f4e222b64e08587ece5b9cd2a9ea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5e3877e3c73fed7b926190d46aa5f68cd
SHA12ed3e1249fa22118dc9591a90f0d6378bb4aa1f0
SHA256c1daa21944df843db43574509d927869628c1b4a3483ef396657cdbaf75d5fe0
SHA5126db543f400ca6baa1a3d3c9088e523aa8fbf1b5f93251f98cad58184a9adc5dafcda003ab231c2d017be8ee807ba448ca330f719dec427c8a63b36a8e3e7db44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5972777cdbc91053a215af59a98a7498d
SHA1c295ff678d5009d3daeb3b24856133b1f0364d96
SHA2560d7619affea512152312f4d4462189151950cfc71e26dfe942e8479c2c16ae9b
SHA512bae4d6e805bd96797ef6597015f9f19fcb677fc6a3d6083ebe52189a3a5046cb058a36a366aa33e8c192048784e3f07634e2843c927f40fa75536968701b6274
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5196f4b431642eeac49432a9cb5ce1e99
SHA18611009d63322cc0042fb193a18fb808c0aa7ee2
SHA25661cef238b19affb4987cd325354b1db46faf81e9bf3cb56d941b117167eff242
SHA51247d5475422c349fac6ce2c5ffd49635d45c07b0e83090c2f31b1ad132acf2e766f7f1ff1898612f9079807378db4e8522257d77c3f5b62b45481bdeaa490d041
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5d6ade76b48b21d71c2b1e82c1de14917
SHA12af8e8b85c4e27617f8330b0cb7e47444b14a567
SHA25621643386d23e194f9c02b328650324261abe99d8e9a4e46249bedf28a8937009
SHA512881b2cb03cd6da5b26ecd3ce783621458e227343a7d133175a824b903d04b57fa4995778673e6ddd274ab9bd90ca06da202511d3e1a456d440f5a0c3edac1fcf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD595b875498e2d06336fb3e0faf69cd1ab
SHA17e2664f34ae3a13cfea2ce0c501d88e170e8451b
SHA256f18c86c10a4ddc97b5adc2ef382726a69d27cc526240ca423cb529efe704c1a5
SHA5125deafb0609ddc6512ca475a738b87f66b6b817b2de730a3c3f901907057cc0b37eb96cd3909c49e023c98f5c98922a70a63d6c69c7c1ce5d460cc6657d7ecd3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5943e65b06fdc6f4865d19f6bc45fa139
SHA1c7be84ce0ca57e77264aedbb9b29778713b83902
SHA256e5b300d9b4e2b69a1f51f97a2b2c82693200165a02229ba818be6f9d53cfcabc
SHA512894c882b40b7b25587ed83fb219ea3544049903b49b852df21da3c4ed3f0bd45f0ec4acb08da1a2d90c9833febeefe6ded1796d5536dbc9d9112564a37b35757
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD535f7db66657bfc526f7d5d9ba14c659a
SHA116647f3245c798195a32f7274ddaefd409e16ae2
SHA256260800d22eb361d9dad421bc8de367379857c8d052be74aa008b7b5186f164a5
SHA5121115c47124f514a6eb90b3367130ea09bdd58a00306e9949f45c55d07dd3d44009e34a2f56ef7b7a7355bb318417623eae08fdac8c39f7b8bd72fa218a6b9213
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5cac20b598d6df1d1e2fb4924eb948938
SHA1ca846a499544228cc1c60a5a98f9c98a15fbeef0
SHA25635eeb0fa1a310813daecf96bc0810c2f5648d866b207b26c52ef42367300cd87
SHA512dca824e709353f19bb174c7fe053172fe7c32240447295c8f7a158ac345daba606e3571c0b978518254907b48129c37d27fe415deb19770441a1543a87915270
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD519e1e2a79d89d1a806d9f998551c82a8
SHA13ea8c6b09bcaa874efc3a220f6f61eed4be85ebd
SHA256210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc
SHA512da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mjf0tqcz.am5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dicFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8.zipFilesize
535KB
MD511e7644c95387c1860ce7e936c749f74
SHA1a483dfec45aa156c31e5600b88ef043f23fbaaf1
SHA2568641f88b89c9076ece3ee571baa4b3c93ba3ac3883e90fe5f894dc41e3b7bdc7
SHA512d9ffbf735346887b7c4922fa6fb5a2c08d73cd8874cca3c36211b87138134ae718ecb16d593e7ca9aceb634ae7655cf61b2fd1d255be5f3b9f580aa072aef0f5
-
C:\Users\Admin\Downloads\LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8\Ro-exec\defcon.iniFilesize
2KB
MD54d82f8a7f9ccbd9f78185363d0acf025
SHA1053181a1657bf8fa2f65ac5170ea67ad036d9b61
SHA256e6b7566ad290cbcd31df1514dce13141ebbe7eaec59aef6751f57dba12edc00f
SHA512f6d1946bf57f396b6a440576aec4c2fee1f8d71ca0a746ec08f5b924558dd28d84160f4b2a369946f2582badaaa199fa309756e439606a8577e9e786d80a5a94
-
C:\Users\Public\svchost.exeFilesize
70KB
MD5573bd20fc8382d92a7ae9eae51e738e3
SHA155006093429df791f27e91a66e5ee63a81382b28
SHA25609036ffa342f9e5bb1e31a867dcc3b60db011baba8c0d202aff1d33195cbe729
SHA512d38736acff4128d6ce9ea17ee609ca33a37ac88f2c994cf4caf7f0eb62406a8963c33531b9f3cd020974d892c2751f3a4f67ce13ed6ba6080f97c406ccbb4aca
-
C:\Windows\Temp\3a1o6m4h.tmpFilesize
37KB
MD5e00dcc76e4dcd90994587375125de04b
SHA16677d2d6bd096ec1c0a12349540b636088da0e34
SHA256c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447
SHA5128df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8
-
C:\Windows\Temp\3a1o6m4h.tmpFilesize
37KB
MD5f156a4a8ffd8c440348d52ef8498231c
SHA14d2f5e731a0cc9155220b560eb6560f24b623032
SHA2567c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842
SHA51248f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170
-
C:\Windows\Temp\3a1o6m4h.tmpFilesize
37KB
MD51f8c95b97229e09286b8a531f690c661
SHA1b15b21c4912267b41861fb351f192849cca68a12
SHA256557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152
SHA5120f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186
-
C:\Windows\Temp\4a3o1m6h.tmpFilesize
37KB
MD53bc9acd9c4b8384fb7ce6c08db87df6d
SHA1936c93e3a01d5ae30d05711a97bbf3dfa5e0921f
SHA256a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79
SHA512f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375
-
C:\Windows\Temp\aut8F27.tmpFilesize
14KB
MD59d5a0ef18cc4bb492930582064c5330f
SHA12ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8
SHA2568f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3
SHA5121dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4
-
C:\Windows\Temp\aut8F28.tmpFilesize
12KB
MD5efe44d9f6e4426a05e39f99ad407d3e7
SHA1637c531222ee6a56780a7fdcd2b5078467b6e036
SHA2565ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366
SHA5128014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63
-
C:\Windows\Temp\aut8F38.tmpFilesize
7KB
MD5ecffd3e81c5f2e3c62bcdc122442b5f2
SHA1d41567acbbb0107361c6ee1715fe41b416663f40
SHA2569874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5
SHA5127f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76
-
\??\pipe\LOCAL\crashpad_4300_URDZYOHTVQFTEWTBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1536-958-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/1536-936-0x000002001C7E0000-0x000002001C7F0000-memory.dmpFilesize
64KB
-
memory/1536-937-0x000002001C7E0000-0x000002001C7F0000-memory.dmpFilesize
64KB
-
memory/1536-935-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/2876-974-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/2876-976-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/3164-605-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/3184-1016-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/3184-1017-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/4316-835-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1012-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1029-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1025-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1051-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1023-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1022-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1052-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1021-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-983-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1019-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1018-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1030-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-876-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1015-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1028-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-860-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1010-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-857-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-845-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-604-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-656-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-823-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-960-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-802-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-1008-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-792-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-741-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-729-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-979-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-988-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4316-701-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4812-900-0x000001C5AB910000-0x000001C5AB920000-memory.dmpFilesize
64KB
-
memory/4812-903-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/4812-896-0x000001C5ABA70000-0x000001C5ABA92000-memory.dmpFilesize
136KB
-
memory/4812-898-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/4812-899-0x000001C5AB910000-0x000001C5AB920000-memory.dmpFilesize
64KB
-
memory/5288-1027-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5288-1026-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5292-562-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/5292-583-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/5304-986-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5304-987-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5476-982-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5476-980-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5520-1002-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-1005-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-1006-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-994-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-995-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-996-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-1003-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-1004-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-1001-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5520-1000-0x000001E63CCF0000-0x000001E63CCF1000-memory.dmpFilesize
4KB
-
memory/5524-920-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5524-922-0x000001ABA86B0000-0x000001ABA86C0000-memory.dmpFilesize
64KB
-
memory/5524-921-0x000001ABA86B0000-0x000001ABA86C0000-memory.dmpFilesize
64KB
-
memory/5524-934-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5744-1011-0x00000000009E0000-0x00000000009EC000-memory.dmpFilesize
48KB
-
memory/5744-1040-0x0000000000970000-0x0000000000980000-memory.dmpFilesize
64KB
-
memory/5744-1053-0x0000000000970000-0x0000000000980000-memory.dmpFilesize
64KB
-
memory/5744-984-0x0000000000970000-0x0000000000980000-memory.dmpFilesize
64KB
-
memory/5744-973-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5744-1037-0x0000000000970000-0x0000000000980000-memory.dmpFilesize
64KB
-
memory/5744-877-0x00000000000B0000-0x00000000000C8000-memory.dmpFilesize
96KB
-
memory/5744-878-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5996-919-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5996-914-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/5996-917-0x00000255BD230000-0x00000255BD240000-memory.dmpFilesize
64KB
-
memory/5996-915-0x00000255BD230000-0x00000255BD240000-memory.dmpFilesize
64KB
-
memory/6052-1009-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB
-
memory/6052-1007-0x00007FFC5F740000-0x00007FFC60201000-memory.dmpFilesize
10.8MB