Malware Analysis Report

2025-08-10 20:48

Sample ID 250502-m87pnazwgw
Target 250502-m7emgssrs4.bin
SHA256 beb15b54dc5b31d30e4a950db36dcc33b8fe1f29c6567c5cf9ca93bee7c17fce
Tags xworm stormkitty discovery execution persistence rat spyware stealer trojan ransomware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 250502-m7emgssrs4.bin was found to be: Known bad.

Malicious Activity Summary

Xworm family

StormKitty

Contains code to disable Windows Defender

Stormkitty family

Xworm

Detect Xworm Payload

StormKitty payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-05-02 11:09

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-05-02 11:09
Reported 2025-05-02 11:11
Platform win10v2004-20250410-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3200 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 5596 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 5596 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\schtasks.exe
PID 3200 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\schtasks.exe
PID 3116 wrote to memory of 3744 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3116 wrote to memory of 3744 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe

"C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '250502-m7emgssrs4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.22.69.199:443 | pastebin.com | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
EG | 102.41.53.11:5505 | | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
DE | 142.250.185.131:80 | c.pki.goog | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp

Files

memory/3200-0-0x00007FF8E9313000-0x00007FF8E9315000-memory.dmp

memory/3200-1-0x0000000000B10000-0x0000000000B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ek2zqgkz.4gh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4792-7-0x0000017FAC9B0000-0x0000017FAC9D2000-memory.dmp

memory/4792-12-0x00007FF8E9310000-0x00007FF8E9DD1000-memory.dmp

memory/4792-13-0x00007FF8E9310000-0x00007FF8E9DD1000-memory.dmp

memory/4792-14-0x00007FF8E9310000-0x00007FF8E9DD1000-memory.dmp

memory/4792-17-0x00007FF8E9310000-0x00007FF8E9DD1000-memory.dmp

memory/4792-18-0x00007FF8E9310000-0x00007FF8E9DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4f3a771041a5f0acbc6074eaa3e256fa
SHA1 fdf40d5cd659f3708d88442c5140c1f463b3cb9c
SHA256 cb5d3000eae0d7837ed7076c75dbd0eb445858a5861946fc960aa43fef5af17e
SHA512 2f22c66a620e8939f19bbfcab94a228084c7c54eeaacd6c1bc0f8ce05ca2bc57f0ab886543faeb36fca6a4b347285fd5d1eb1d2ad128d999be8865a5cff04d73

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22310ad6749d8cc38284aa616efcd100
SHA1 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA256 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA512 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba169f4dcbbf147fe78ef0061a95e83b
SHA1 92a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA256 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA512 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

memory/3200-57-0x00007FF8E9310000-0x00007FF8E9DD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 9703ca1aa7b76a5cbcbc44f1e88ab0da
SHA1 527a3bea16ca6cbd11daafa04478274878660d3f
SHA256 beb15b54dc5b31d30e4a950db36dcc33b8fe1f29c6567c5cf9ca93bee7c17fce
SHA512 0d8add3c5c56e9a56112f7283aee201d77d0336963dca561cc7ff041f970da410c21d2d099c4e30bded52da85093f37e681bf3d57f461c32208bd92277763e20

memory/3200-61-0x00007FF8E9313000-0x00007FF8E9315000-memory.dmp

memory/3200-63-0x00007FF8E9310000-0x00007FF8E9DD1000-memory.dmp

memory/3200-64-0x000000001D310000-0x000000001D430000-memory.dmp

memory/3200-100-0x000000001D7A0000-0x000000001DAF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/3200-103-0x0000000001440000-0x000000000144E000-memory.dmp

memory/3200-113-0x000000001CC60000-0x000000001CC6C000-memory.dmp

memory/3200-115-0x000000001BE40000-0x000000001BE4C000-memory.dmp

memory/3200-117-0x000000001EAC0000-0x000000001EB4E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2025-05-02 11:09
Reported 2025-05-02 11:11
Platform win11-20250410-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Xworm

trojan rat xworm

Xworm family

xworm

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 6056 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 6056 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\schtasks.exe
PID 1680 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Windows\System32\schtasks.exe
PID 4444 wrote to memory of 1892 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4444 wrote to memory of 1892 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1680 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1680 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3140 wrote to memory of 2156 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3140 wrote to memory of 2156 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe

"C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\250502-m7emgssrs4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '250502-m7emgssrs4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2c0,0x7fff16b9f208,0x7fff16b9f214,0x7fff16b9f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2396,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2440 /prefetch:11

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=2776 /prefetch:13

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3396,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3420,i,17018170877463122208,17441542760907747160,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.25.94:443 | pastebin.com | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp
EG | 102.41.53.11:5505 | | tcp

Files

memory/1680-0-0x00007FFF1F833000-0x00007FFF1F835000-memory.dmp

memory/1680-1-0x0000000000370000-0x000000000038C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1zghhqq.qtk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1080-5-0x000001F630E80000-0x000001F630EA2000-memory.dmp

memory/1080-11-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

memory/1080-12-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

memory/1080-15-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

memory/1080-16-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3840d9bcedfe7017e49ee5d05bd1c46
SHA1 272620fb2605bd196df471d62db4b2d280a363c6
SHA256 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA512 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e62cbb0b8541e4911f2a3cb671abda88
SHA1 eff5320b981d6068e277270f02e7194d7c21bc37
SHA256 9248c96a06934dc65557e6dfeecce2f95263053276c21f3c69bedf7322a0bbee
SHA512 5a7c6f00c08f709601175ac27122611175ea9501cf397fedd809c8701bb32d2f1ed8591d9046a24f51082403038c2384a752be809df8a221bd2f5c6b3003de9e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 052b734e3d0b49bccde40def527c10df
SHA1 2ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0
SHA256 d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f
SHA512 bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 9703ca1aa7b76a5cbcbc44f1e88ab0da
SHA1 527a3bea16ca6cbd11daafa04478274878660d3f
SHA256 beb15b54dc5b31d30e4a950db36dcc33b8fe1f29c6567c5cf9ca93bee7c17fce
SHA512 0d8add3c5c56e9a56112f7283aee201d77d0336963dca561cc7ff041f970da410c21d2d099c4e30bded52da85093f37e681bf3d57f461c32208bd92277763e20

memory/1680-55-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

memory/1680-56-0x00007FFF1F833000-0x00007FFF1F835000-memory.dmp

memory/1680-58-0x00007FFF1F830000-0x00007FFF202F2000-memory.dmp

memory/1680-59-0x000000001CDC0000-0x000000001CEE0000-memory.dmp

memory/1680-95-0x000000001DA60000-0x000000001DDB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

memory/1680-98-0x00000000025C0000-0x00000000025CE000-memory.dmp

memory/1680-99-0x000000001EBB0000-0x000000001EBBE000-memory.dmp

memory/1680-108-0x000000001C7F0000-0x000000001C7FC000-memory.dmp

memory/1680-109-0x000000001C900000-0x000000001C98E000-memory.dmp

memory/1680-111-0x00000000009F0000-0x00000000009FC000-memory.dmp

C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 513a0bb8032eb3630af0d95eca2a559b
SHA1 4737718496ce3e521e7c33d5244dbbbd862f1cf0
SHA256 e50637eadc7a6b38fb593766fc10ce6d7a830c0f1d125196c4b886c78ca55942
SHA512 fcf107b2190626389bb549caaa36a7dc15f891fc0d9b985147228ad39e93b84b2283ada37ed97bcdeada9fb34fe5e7d10ed5f3d105ac104b2616fec800b747b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a063c8bfa731eae7358972026ce1f729
SHA1 2e396b76a9125d61963bc86667e2369a1b63a808
SHA256 26e5a7143fa7b0addc7b4c3fc93f738869ffe19538d3c8c9f2ada6ad7f797ac3
SHA512 1728b791447af365dcac3a7418085c8f19ed6eaf7cf0b42c2490b03fc3aacf37f2e2325ffb727709a9da2a57e510ada229213196327f0bc6f70b3d097d77d73d

\??\pipe\crashpad_3140_RZPSRVISNGEXIJMC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 34d09b852bf4a5ef1d936591501926ca
SHA1 88ff0b1c2a5664765e11e47843a5ac8e1782ed0c
SHA256 52bd897dfdfca849d627b36a49b976eef861b1a7af075527c8f247adb862dc20
SHA512 dc63eebf94384dc9580f5e3c9291047e8d410f8fc1f746d180673f445a9bbe746608c01cbf10a38f2f935cfa5c8bb89864f87cabd8fece809dcaa1fa137f71d3

C:\Users\Admin\Desktop\How To Decrypt My Files.html

MD5 5bb9a9c59168ad061f927e89523b1fa9
SHA1 ad70db9f329376ff1fa02dd420bf3c3b40626081
SHA256 6beb9e0af938e4200f50bcd5b65c29555a63d251cd7bc8f1ac216b333717169d
SHA512 035885de328f917ca6f0d603aa414e6e9accbe6dcd21c22835802a8c9eb8d93d863c213abfbf7b0ddc8e8f1fae01cdb04e8155ca4e9d2ae35bd53ea9f8c7738e