xworm | 48991778a4ecb77556b3c2110c63c5bc242c79a20ec6205fcff4198118dcf78f

Analysis

max time kernel
125s
max time network
129s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
16/11/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Api-AutoUpdater.exe
Size

84KB
MD5

e7d61465db5a82ededa06183a6c3f665
SHA1

0267f3612ef089422c817864858ee705b40ad0d4
SHA256

48991778a4ecb77556b3c2110c63c5bc242c79a20ec6205fcff4198118dcf78f
SHA512

6ac7e0892dd1a2cfca163957cfa54b10615f53ff96abc029f7ff7627d2a4dff530fba6078d0a9b4e31b6f9c9f89ef158797e97b2d7d60210dc79b6e7a8225375
SSDEEP

1536:aoJMQoKDp9/NSDM39HKboubUfGdDndBgJdIcMH6rVV/dKFObUPwckjdiz:aoKCD/cA3dMbUfkMdIcM6r/doObWwcZz

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

where-reverse.gl.at.ply.gg:18649

Attributes

Install_directory
%ProgramData%
install_file
Helper.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4880-1-0x0000000000AB0000-0x0000000000ACC000-memory.dmp	family_xworm
behavioral1/files/0x000a00000002a86a-56.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
952	powershell.exe
1264	powershell.exe
4824	powershell.exe
2336	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Api-AutoUpdater.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Api-AutoUpdater.exe

Executes dropped EXE 2 IoCs

pid	Process
2024	WindowsDefender
2440	WindowsDefender

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\ProgramData\\WindowsDefender"	Api-AutoUpdater.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
952	powershell.exe
952	powershell.exe
1264	powershell.exe
1264	powershell.exe
4824	powershell.exe
4824	powershell.exe
2336	powershell.exe
2336	powershell.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe
4880	Api-AutoUpdater.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
700	msedge.exe
700	msedge.exe
700	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	Api-AutoUpdater.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	4880	Api-AutoUpdater.exe
Token: SeDebugPrivilege	2024	WindowsDefender
Token: SeDebugPrivilege	2440	WindowsDefender

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4880	Api-AutoUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 952	4880	Api-AutoUpdater.exe	81
PID 4880 wrote to memory of 952	4880	Api-AutoUpdater.exe	81
PID 4880 wrote to memory of 1264	4880	Api-AutoUpdater.exe	83
PID 4880 wrote to memory of 1264	4880	Api-AutoUpdater.exe	83
PID 4880 wrote to memory of 4824	4880	Api-AutoUpdater.exe	85
PID 4880 wrote to memory of 4824	4880	Api-AutoUpdater.exe	85
PID 4880 wrote to memory of 2336	4880	Api-AutoUpdater.exe	87
PID 4880 wrote to memory of 2336	4880	Api-AutoUpdater.exe	87
PID 4880 wrote to memory of 4544	4880	Api-AutoUpdater.exe	89
PID 4880 wrote to memory of 4544	4880	Api-AutoUpdater.exe	89
PID 700 wrote to memory of 1372	700	msedge.exe	97
PID 700 wrote to memory of 1372	700	msedge.exe	97
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 3844	700	msedge.exe	98
PID 700 wrote to memory of 2120	700	msedge.exe	99
PID 700 wrote to memory of 2120	700	msedge.exe	99
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100
PID 700 wrote to memory of 2448	700	msedge.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdater.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4544

C:\ProgramData\WindowsDefender
C:\ProgramData\WindowsDefender
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\ProgramData\WindowsDefender
C:\ProgramData\WindowsDefender
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://java.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc3a83cb8,0x7fffc3a83cc8,0x7fffc3a83cd8
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17782200460555514527,17605035924429888452,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,17782200460555514527,17605035924429888452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,17782200460555514527,17605035924429888452,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17782200460555514527,17605035924429888452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17782200460555514527,17605035924429888452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17782200460555514527,17605035924429888452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3164

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsDefender

Filesize
84KB

MD5
e7d61465db5a82ededa06183a6c3f665

SHA1
0267f3612ef089422c817864858ee705b40ad0d4

SHA256
48991778a4ecb77556b3c2110c63c5bc242c79a20ec6205fcff4198118dcf78f

SHA512
6ac7e0892dd1a2cfca163957cfa54b10615f53ff96abc029f7ff7627d2a4dff530fba6078d0a9b4e31b6f9c9f89ef158797e97b2d7d60210dc79b6e7a8225375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsDefender.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
11c8e88001e739eef8ce7029389f0fa4

SHA1
31d818d29201c9a60cd769fdbe51048b03b81316

SHA256
7263e811138d819f06d7bae05eef774f63f06f7de24b742f4c1a03d8535e4a5c

SHA512
f66ca46854a27efdd8d3eaa369ff1ac3e23c8680a4993f6547428808c25097491cf88ffef1d29ce1320d972bfe780c5a31ac258061c07698aeea6241ed80bfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
723B

MD5
dd52b996a7f3bb61ac7505a48c7ec075

SHA1
7fee53aa0fe2eb2995231d9ecb70ad57407333ef

SHA256
44b12f04f6c3ebec233452656976f108003945e93a5aba1d896cadfa1043e8aa

SHA512
12c248d7e461a3605fb90d2a4e7b570be7aa4bffb9bb880bfce895d4f3c5d633ebb64f7fccef5d95f2b1172a1977df21486bdeb8d5e8e327f2fa37a57887d926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ee5415b0a6f2ea607d6e8064cf44728

SHA1
d297e540b27aea5a393893c2a6546fd219ecbd22

SHA256
d52de1ff60871ae0a2aad0189717c7c040a45213255f019b3163f0a0e8a31c82

SHA512
81623f8a0d5d7ff170fc9713c0c138f3e44ec1e48876b0d586f8bac90d92f2aae0c59401582d61783e07932d824758183361004aa4796ea0b4694cf09916097d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7983f60feaf2693511312e5d7a7ba74

SHA1
ea7dcedf14d4e38b02673e4109a961926a752b7d

SHA256
03123c87324c11f6c4bf1c8b60824ce8720380eb72a1b3a961cb2701f9c54a2e

SHA512
d1eada69904de9ca72cdeaa7b978b6b032f475f6d048f727c74d36a4096cf716fc4718fe883e1bf783b0dc69b7675caccf1249510907d7c7873110d6f12190ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f632606fa5d0c083bb0a1b0b8802969a

SHA1
e88b0c8a80929b3289866ac9c482cd4628004a74

SHA256
18e0eef343a366ab32ef664aa54c17e6b275943e4050bd126de9194e591dbf1c

SHA512
ae55500780537b115df37b2f6b146ed88d73c0f5f8862b1b3f5651ef3a34033920a2efb5adba456a37f3e56968a88b15d57a760d8590ab1f8c468a378b220aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f28832ecd9829ee81bb32f98f0747445

SHA1
ac0dc6c286da7b0b7b1b595aaf4f8877e1304125

SHA256
d44590cb55e999c1e0abdd9932e00ddde1bc637ac3eb7d02374ace88479f2f50

SHA512
3b72129f951df7d4b2437ed761ff00ea9dc046a284665a3036b9c86fd20626435f775ec2bb9665435b7d8ec6a211e6c54d1debae75b5ae8778797b3485a163fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e0391d00f5bfbc34be70790f14d5edf

SHA1
fcb04d8599c23967de4f154a101be480933ab0d0

SHA256
1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

SHA512
231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0483406c-0f4b-4f3d-ba86-9d89d8b32c01.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_co1dbtd2.o1l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/952-4-0x00007FFFC93D0000-0x00007FFFC9E92000-memory.dmp

Filesize
10.8MB

Download
memory/952-16-0x00007FFFC93D0000-0x00007FFFC9E92000-memory.dmp

Filesize
10.8MB

Download
memory/952-15-0x00007FFFC93D0000-0x00007FFFC9E92000-memory.dmp

Filesize
10.8MB

Download
memory/952-14-0x00007FFFC93D0000-0x00007FFFC9E92000-memory.dmp

Filesize
10.8MB

Download
memory/952-13-0x000001FAD2740000-0x000001FAD2762000-memory.dmp

Filesize
136KB

Download
memory/952-19-0x00007FFFC93D0000-0x00007FFFC9E92000-memory.dmp

Filesize
10.8MB

Download
memory/952-3-0x00007FFFC93D0000-0x00007FFFC9E92000-memory.dmp

Filesize
10.8MB

Download
memory/4880-55-0x00007FFFC93D0000-0x00007FFFC9E92000-memory.dmp

Filesize
10.8MB

Download
memory/4880-0-0x00007FFFC93D3000-0x00007FFFC93D5000-memory.dmp

Filesize
8KB

Download
memory/4880-20-0x00007FFFC93D3000-0x00007FFFC93D5000-memory.dmp

Filesize
8KB

Download
memory/4880-2-0x00007FFFC93D0000-0x00007FFFC9E92000-memory.dmp

Filesize
10.8MB

Download
memory/4880-1-0x0000000000AB0000-0x0000000000ACC000-memory.dmp

Filesize
112KB

Download