b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2023, 18:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
Size

8.7MB
MD5

6fd0926a8817fede28372c309be1ec41
SHA1

ff97bf8e665fda7a9da94a92f91689a436f0c9e9
SHA256

b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c
SHA512

ef8b78da117726775a4e5e0793aa36f5218c427329eaf96be195d0931416540302585046e4a68c77668be90ed0040d073844dbaf15974a717154bd8e1acb1c59
SSDEEP

196608:HxKMARSuV2XJXf6hzsy07g1vse0yEn2iswaT+5t7xrxN:oFRSJXlf6Z8gWnyi5aT+5RxrxN

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs

description	pid	Process	procid_target
PID 2168 created 3192	2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe	56
PID 2168 created 3192	2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe	56
PID 2168 created 3192	2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe	56
PID 2168 created 3192	2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe	56
PID 2168 created 3192	2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe	56
PID 5004 created 3684	5004	svchost.exe	53
PID 5004 created 3564	5004	svchost.exe	54
PID 2168 created 3192	2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe	56
PID 5088 created 3192	5088	OneDrive.exe	56
PID 5088 created 3192	5088	OneDrive.exe	56
PID 5088 created 3192	5088	OneDrive.exe	56
PID 5088 created 3192	5088	OneDrive.exe	56
PID 5088 created 3192	5088	OneDrive.exe	56
PID 5088 created 3192	5088	OneDrive.exe	56

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OneDrive.exe

Executes dropped EXE 1 IoCs

pid	Process
5088	OneDrive.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\OneDrive	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 452	2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe	96
PID 5088 set thread context of 3172	5088	OneDrive.exe	126
PID 5088 set thread context of 3144	5088	OneDrive.exe	128

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4672	sc.exe
2620	sc.exe
4584	sc.exe
1936	sc.exe
1156	sc.exe
4888	sc.exe
3576	sc.exe
2276	sc.exe
3948	sc.exe
3484	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1648	3684	WerFault.exe	53
4876	3564	WerFault.exe	54

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1683838123"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,41484365,39965824,7153487,17110988,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617,17110992"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={AA9B624D-ED6B-4E68-A9AE-ABC72B7CBAA2}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 11 May 2023 18:48:47 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
1536	powershell.exe
1536	powershell.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
4424	powershell.exe
4424	powershell.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
4424	powershell.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
4424	powershell.exe
452	dialer.exe
452	dialer.exe
4876	WerFault.exe
1648	WerFault.exe
4876	WerFault.exe
1648	WerFault.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
4424	powershell.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
452	dialer.exe
2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3192	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeShutdownPrivilege	4800	powercfg.exe
Token: SeCreatePagefilePrivilege	4800	powercfg.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeShutdownPrivilege	3396	powercfg.exe
Token: SeCreatePagefilePrivilege	3396	powercfg.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeCreatePagefilePrivilege	1912	powercfg.exe
Token: SeDebugPrivilege	452	dialer.exe
Token: SeShutdownPrivilege	952	powercfg.exe
Token: SeCreatePagefilePrivilege	952	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4424	powershell.exe
Token: SeSecurityPrivilege	4424	powershell.exe
Token: SeTakeOwnershipPrivilege	4424	powershell.exe
Token: SeLoadDriverPrivilege	4424	powershell.exe
Token: SeSystemProfilePrivilege	4424	powershell.exe
Token: SeSystemtimePrivilege	4424	powershell.exe
Token: SeProfSingleProcessPrivilege	4424	powershell.exe
Token: SeIncBasePriorityPrivilege	4424	powershell.exe
Token: SeCreatePagefilePrivilege	4424	powershell.exe
Token: SeBackupPrivilege	4424	powershell.exe
Token: SeRestorePrivilege	4424	powershell.exe
Token: SeShutdownPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeSystemEnvironmentPrivilege	4424	powershell.exe
Token: SeRemoteShutdownPrivilege	4424	powershell.exe
Token: SeUndockPrivilege	4424	powershell.exe
Token: SeManageVolumePrivilege	4424	powershell.exe
Token: 33	4424	powershell.exe
Token: 34	4424	powershell.exe
Token: 35	4424	powershell.exe
Token: 36	4424	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2628	svchost.exe
Token: SeIncreaseQuotaPrivilege	2628	svchost.exe
Token: SeSecurityPrivilege	2628	svchost.exe
Token: SeTakeOwnershipPrivilege	2628	svchost.exe
Token: SeLoadDriverPrivilege	2628	svchost.exe
Token: SeSystemtimePrivilege	2628	svchost.exe
Token: SeBackupPrivilege	2628	svchost.exe
Token: SeRestorePrivilege	2628	svchost.exe
Token: SeShutdownPrivilege	2628	svchost.exe
Token: SeSystemEnvironmentPrivilege	2628	svchost.exe
Token: SeUndockPrivilege	2628	svchost.exe
Token: SeManageVolumePrivilege	2628	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2628	svchost.exe
Token: SeIncreaseQuotaPrivilege	2628	svchost.exe
Token: SeSecurityPrivilege	2628	svchost.exe
Token: SeTakeOwnershipPrivilege	2628	svchost.exe
Token: SeLoadDriverPrivilege	2628	svchost.exe
Token: SeSystemtimePrivilege	2628	svchost.exe
Token: SeBackupPrivilege	2628	svchost.exe
Token: SeRestorePrivilege	2628	svchost.exe
Token: SeShutdownPrivilege	2628	svchost.exe
Token: SeSystemEnvironmentPrivilege	2628	svchost.exe
Token: SeUndockPrivilege	2628	svchost.exe
Token: SeManageVolumePrivilege	2628	svchost.exe
Token: SeIncreaseQuotaPrivilege	4424	powershell.exe
Token: SeSecurityPrivilege	4424	powershell.exe
Token: SeTakeOwnershipPrivilege	4424	powershell.exe
Token: SeLoadDriverPrivilege	4424	powershell.exe
Token: SeSystemProfilePrivilege	4424	powershell.exe
Token: SeSystemtimePrivilege	4424	powershell.exe
Token: SeProfSingleProcessPrivilege	4424	powershell.exe
Token: SeIncBasePriorityPrivilege	4424	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2620	852	cmd.exe	94
PID 852 wrote to memory of 2620	852	cmd.exe	94
PID 852 wrote to memory of 1156	852	cmd.exe	88
PID 852 wrote to memory of 1156	852	cmd.exe	88
PID 852 wrote to memory of 4888	852	cmd.exe	93
PID 852 wrote to memory of 4888	852	cmd.exe	93
PID 852 wrote to memory of 3484	852	cmd.exe	89
PID 852 wrote to memory of 3484	852	cmd.exe	89
PID 852 wrote to memory of 4672	852	cmd.exe	90
PID 852 wrote to memory of 4672	852	cmd.exe	90
PID 4752 wrote to memory of 4800	4752	cmd.exe	95
PID 4752 wrote to memory of 4800	4752	cmd.exe	95
PID 2168 wrote to memory of 452	2168	b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe	96
PID 4752 wrote to memory of 3396	4752	cmd.exe	99
PID 4752 wrote to memory of 3396	4752	cmd.exe	99
PID 4752 wrote to memory of 1912	4752	cmd.exe	100
PID 4752 wrote to memory of 1912	4752	cmd.exe	100
PID 4752 wrote to memory of 952	4752	cmd.exe	101
PID 4752 wrote to memory of 952	4752	cmd.exe	101
PID 452 wrote to memory of 632	452	dialer.exe	6
PID 452 wrote to memory of 688	452	dialer.exe	4
PID 452 wrote to memory of 960	452	dialer.exe	12
PID 452 wrote to memory of 392	452	dialer.exe	10
PID 452 wrote to memory of 748	452	dialer.exe	11
PID 452 wrote to memory of 708	452	dialer.exe	13
PID 452 wrote to memory of 956	452	dialer.exe	14
PID 452 wrote to memory of 1048	452	dialer.exe	16
PID 452 wrote to memory of 1144	452	dialer.exe	17
PID 452 wrote to memory of 1184	452	dialer.exe	19
PID 452 wrote to memory of 1280	452	dialer.exe	20
PID 452 wrote to memory of 1324	452	dialer.exe	81
PID 452 wrote to memory of 1352	452	dialer.exe	80
PID 452 wrote to memory of 1364	452	dialer.exe	79
PID 452 wrote to memory of 1404	452	dialer.exe	21
PID 452 wrote to memory of 1416	452	dialer.exe	78
PID 452 wrote to memory of 1552	452	dialer.exe	77
PID 452 wrote to memory of 1584	452	dialer.exe	76
PID 452 wrote to memory of 1672	452	dialer.exe	75
PID 452 wrote to memory of 1712	452	dialer.exe	74
PID 452 wrote to memory of 1752	452	dialer.exe	22
PID 452 wrote to memory of 1820	452	dialer.exe	73
PID 452 wrote to memory of 1884	452	dialer.exe	72
PID 452 wrote to memory of 1896	452	dialer.exe	71
PID 452 wrote to memory of 1980	452	dialer.exe	70
PID 452 wrote to memory of 2024	452	dialer.exe	23
PID 452 wrote to memory of 1020	452	dialer.exe	69
PID 452 wrote to memory of 2104	452	dialer.exe	67
PID 452 wrote to memory of 2140	452	dialer.exe	66
PID 452 wrote to memory of 2316	452	dialer.exe	65
PID 452 wrote to memory of 2324	452	dialer.exe	24
PID 452 wrote to memory of 2448	452	dialer.exe	64
PID 452 wrote to memory of 2460	452	dialer.exe	63
PID 452 wrote to memory of 2500	452	dialer.exe	62
PID 452 wrote to memory of 2524	452	dialer.exe	61
PID 452 wrote to memory of 2592	452	dialer.exe	60
PID 452 wrote to memory of 2612	452	dialer.exe	28
PID 452 wrote to memory of 2628	452	dialer.exe	26
PID 452 wrote to memory of 2636	452	dialer.exe	25
PID 452 wrote to memory of 2648	452	dialer.exe	27
PID 452 wrote to memory of 2716	452	dialer.exe	59
PID 452 wrote to memory of 2132	452	dialer.exe	58
PID 452 wrote to memory of 3192	452	dialer.exe	56
PID 452 wrote to memory of 3352	452	dialer.exe	55
PID 452 wrote to memory of 3564	452	dialer.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1144
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
  C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1404
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:4516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 468 -p 3564 -ip 3564
  2⤵
  PID:1572
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 424 -p 3684 -ip 3684
  2⤵
  PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4164

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3684
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3684 -s 840
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3564
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3564 -s 464
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3192
- C:\Users\Admin\AppData\Local\Temp\b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe
  "C:\Users\Admin\AppData\Local\Temp\b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1156
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3484
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4672
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4888
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2620
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yramilr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4336
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "OneDrive"
  2⤵
  PID:4156
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4692
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4504
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3576
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4584
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3948
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1936
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4192
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2684
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3220
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1232
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yramilr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
  2⤵
  PID:456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4828
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3172
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3144

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2132

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2524

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2104

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8D5.tmp.csv

Filesize
36KB

MD5
6cc1279ec4b5c86cffe0a9793055c109

SHA1
56a947f8b0d7a9e0d81f78a04bc56cdddcbe690f

SHA256
dc2a7ebb412c36b61d34a435d93492cb8753ff60abd30ca3453eed97c2f362b4

SHA512
69453a0250f63d04e91f0efd73b9d5be200a8504b1955146a5520d7383cf466fc760723d7a2706afd8bb5827e8b97658708bab356bf8ab49c5a00038c986a354

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8F5.tmp.csv

Filesize
36KB

MD5
272423d3db0306fc4060322dc4c91c53

SHA1
9dcb7c3552b8d75942d64c2a40f2936b4f43bf8f

SHA256
506add14a4223078307a670dc512885c93abac569d754685c959ba11104b624c

SHA512
c2038216f5caa965d874190b8785396107c7c6cf29fd3a49c0acf234703b0cfd2ced81048ca6ca0ea671778ff1eb301fbe06cf70d4113161704eff8f15a1df71

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA954.tmp.txt

Filesize
13KB

MD5
46aaf19e3ddd2708072808b2396ea653

SHA1
43687bb98dfcf3bfba4e86463758e9b39a6bb4b5

SHA256
4fdbea9c3864797e3e2b2bf955ac3c6951f3555d516f519f683406acb45a9ecb

SHA512
0985fc4d57f1057f6b1144025001ab01daa80c52c49b5705f4ab799cb4a6a37de38623230e45c9f2a20d287edebfed6757261ad5ac33f4600ed02b57f53d75b0

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA955.tmp.txt

Filesize
13KB

MD5
d3e22625c8f9038e0250930b50649da8

SHA1
f40dbc9bc0e98cb287f32d0817fe7bbc9cd6ff88

SHA256
2356e5a3207d135acd54f0bf937a4e2c3d3afc2dc3035d63c80ab8d8d306b6a5

SHA512
63c81da6364efc1664ee6ca691c074c0978328c12d29e85334fb86f172d291aac64b7a23ac2565f43a547b61bfa5eac6adb3979b2093f647550d31dd9ac7777a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9781dfc710f1e862604e7a333123b1fe

SHA1
99e45f1ccc19bde0ac759878ef00a991358c6c5a

SHA256
aaa0aa078b568e54fe72c7a5a2f1b0bbcf550767a8be986a5a3e87664b208743

SHA512
9f2693cfe3ff21ab6e06edeb824f9a51ce672ca8b6ec4c6765c42eae07dc626d73da448912498239ff4ccd1617f160fa018c15d74831bf786d5281d4282f9ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3juetljv.ddr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
8.7MB

MD5
6fd0926a8817fede28372c309be1ec41

SHA1
ff97bf8e665fda7a9da94a92f91689a436f0c9e9

SHA256
b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c

SHA512
ef8b78da117726775a4e5e0793aa36f5218c427329eaf96be195d0931416540302585046e4a68c77668be90ed0040d073844dbaf15974a717154bd8e1acb1c59

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe

Filesize
8.7MB

MD5
6fd0926a8817fede28372c309be1ec41

SHA1
ff97bf8e665fda7a9da94a92f91689a436f0c9e9

SHA256
b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c

SHA512
ef8b78da117726775a4e5e0793aa36f5218c427329eaf96be195d0931416540302585046e4a68c77668be90ed0040d073844dbaf15974a717154bd8e1acb1c59

Download Submit
memory/392-179-0x000001EA54EB0000-0x000001EA54ED7000-memory.dmp

Filesize
156KB

Download
memory/392-208-0x000001EA54EB0000-0x000001EA54ED7000-memory.dmp

Filesize
156KB

Download
memory/392-182-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/452-186-0x00007FF7A2480000-0x00007FF7A24A9000-memory.dmp

Filesize
164KB

Download
memory/452-151-0x00007FFA7E090000-0x00007FFA7E285000-memory.dmp

Filesize
2.0MB

Download
memory/452-163-0x00007FFA7DEE0000-0x00007FFA7DF9E000-memory.dmp

Filesize
760KB

Download
memory/632-169-0x000001F911ED0000-0x000001F911EF7000-memory.dmp

Filesize
156KB

Download
memory/632-170-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/632-167-0x000001F911E30000-0x000001F911E51000-memory.dmp

Filesize
132KB

Download
memory/632-200-0x000001F911ED0000-0x000001F911EF7000-memory.dmp

Filesize
156KB

Download
memory/688-174-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/688-171-0x0000022FC7AF0000-0x0000022FC7B17000-memory.dmp

Filesize
156KB

Download
memory/688-203-0x0000022FC7AF0000-0x0000022FC7B17000-memory.dmp

Filesize
156KB

Download
memory/708-194-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/708-192-0x000001C4029D0000-0x000001C4029F7000-memory.dmp

Filesize
156KB

Download
memory/708-211-0x000001C4029D0000-0x000001C4029F7000-memory.dmp

Filesize
156KB

Download
memory/748-187-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/748-185-0x00000252098A0000-0x00000252098C7000-memory.dmp

Filesize
156KB

Download
memory/748-210-0x00000252098A0000-0x00000252098C7000-memory.dmp

Filesize
156KB

Download
memory/956-195-0x00000249A5D40000-0x00000249A5D67000-memory.dmp

Filesize
156KB

Download
memory/956-198-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/956-213-0x00000249A5D40000-0x00000249A5D67000-memory.dmp

Filesize
156KB

Download
memory/960-206-0x000001FA8A7B0000-0x000001FA8A7D7000-memory.dmp

Filesize
156KB

Download
memory/960-181-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/960-178-0x000001FA8A7B0000-0x000001FA8A7D7000-memory.dmp

Filesize
156KB

Download
memory/1020-321-0x0000000001AF0000-0x0000000001B17000-memory.dmp

Filesize
156KB

Download
memory/1048-215-0x000002D1E7660000-0x000002D1E7687000-memory.dmp

Filesize
156KB

Download
memory/1048-199-0x000002D1E7660000-0x000002D1E7687000-memory.dmp

Filesize
156KB

Download
memory/1048-202-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/1124-468-0x000001F801D80000-0x000001F801DA7000-memory.dmp

Filesize
156KB

Download
memory/1144-262-0x0000020C799B0000-0x0000020C799D7000-memory.dmp

Filesize
156KB

Download
memory/1144-207-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/1144-205-0x0000020C799B0000-0x0000020C799D7000-memory.dmp

Filesize
156KB

Download
memory/1176-458-0x0000021096300000-0x0000021096327000-memory.dmp

Filesize
156KB

Download
memory/1184-217-0x000001E6FBA80000-0x000001E6FBAA7000-memory.dmp

Filesize
156KB

Download
memory/1184-218-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/1280-219-0x0000021EAA720000-0x0000021EAA747000-memory.dmp

Filesize
156KB

Download
memory/1280-221-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/1280-266-0x0000021EAA720000-0x0000021EAA747000-memory.dmp

Filesize
156KB

Download
memory/1324-225-0x00000147F5970000-0x00000147F5997000-memory.dmp

Filesize
156KB

Download
memory/1324-226-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/1324-271-0x00000147F5970000-0x00000147F5997000-memory.dmp

Filesize
156KB

Download
memory/1352-229-0x0000020CB9BB0000-0x0000020CB9BD7000-memory.dmp

Filesize
156KB

Download
memory/1352-231-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/1352-276-0x0000020CB9BB0000-0x0000020CB9BD7000-memory.dmp

Filesize
156KB

Download
memory/1364-237-0x00007FFA3E110000-0x00007FFA3E120000-memory.dmp

Filesize
64KB

Download
memory/1364-282-0x00000275B2D90000-0x00000275B2DB7000-memory.dmp

Filesize
156KB

Download
memory/1364-234-0x00000275B2D90000-0x00000275B2DB7000-memory.dmp

Filesize
156KB

Download
memory/1404-235-0x0000026B3A500000-0x0000026B3A527000-memory.dmp

Filesize
156KB

Download
memory/1404-287-0x0000026B3A500000-0x0000026B3A527000-memory.dmp

Filesize
156KB

Download
memory/1416-292-0x00000237CFED0000-0x00000237CFEF7000-memory.dmp

Filesize
156KB

Download
memory/1536-134-0x00000193AC150000-0x00000193AC160000-memory.dmp

Filesize
64KB

Download
memory/1536-147-0x00000193AC150000-0x00000193AC160000-memory.dmp

Filesize
64KB

Download
memory/1536-135-0x00000193AC150000-0x00000193AC160000-memory.dmp

Filesize
64KB

Download
memory/1536-146-0x00000193AC150000-0x00000193AC160000-memory.dmp

Filesize
64KB

Download
memory/1536-136-0x00000193AE340000-0x00000193AE362000-memory.dmp

Filesize
136KB

Download
memory/1552-297-0x000001FEA8930000-0x000001FEA8957000-memory.dmp

Filesize
156KB

Download
memory/1584-300-0x000001C69C140000-0x000001C69C167000-memory.dmp

Filesize
156KB

Download
memory/1672-306-0x000001EB259D0000-0x000001EB259F7000-memory.dmp

Filesize
156KB

Download
memory/1712-366-0x000001DA64060000-0x000001DA64087000-memory.dmp

Filesize
156KB

Download
memory/1752-371-0x000001658EA30000-0x000001658EA57000-memory.dmp

Filesize
156KB

Download
memory/1816-469-0x000001B8679B0000-0x000001B8679D7000-memory.dmp

Filesize
156KB

Download
memory/1820-376-0x000001A420340000-0x000001A420367000-memory.dmp

Filesize
156KB

Download
memory/1884-311-0x00000251191A0000-0x00000251191C7000-memory.dmp

Filesize
156KB

Download
memory/1896-379-0x000001F084400000-0x000001F084427000-memory.dmp

Filesize
156KB

Download
memory/1980-316-0x0000022D74B40000-0x0000022D74B67000-memory.dmp

Filesize
156KB

Download
memory/2024-319-0x000001CD0A1C0000-0x000001CD0A1E7000-memory.dmp

Filesize
156KB

Download
memory/2104-383-0x000001B477190000-0x000001B4771B7000-memory.dmp

Filesize
156KB

Download
memory/2132-437-0x000002B138C70000-0x000002B138C97000-memory.dmp

Filesize
156KB

Download
memory/2140-388-0x000002297ED70000-0x000002297ED97000-memory.dmp

Filesize
156KB

Download
memory/2168-472-0x00000292CFD30000-0x00000292CFD57000-memory.dmp

Filesize
156KB

Download
memory/2168-133-0x00007FF69AE40000-0x00007FF69BD9B000-memory.dmp

Filesize
15.4MB

Download
memory/2168-175-0x00007FF69AE40000-0x00007FF69BD9B000-memory.dmp

Filesize
15.4MB

Download
memory/2168-190-0x00007FF69AE40000-0x00007FF69BD9B000-memory.dmp

Filesize
15.4MB

Download
memory/2316-322-0x000001F63BD60000-0x000001F63BD87000-memory.dmp

Filesize
156KB

Download
memory/2324-323-0x00000226A5500000-0x00000226A5527000-memory.dmp

Filesize
156KB

Download
memory/2448-324-0x00000236C92A0000-0x00000236C92C7000-memory.dmp

Filesize
156KB

Download
memory/2460-397-0x0000028D59930000-0x0000028D59957000-memory.dmp

Filesize
156KB

Download
memory/2500-401-0x000001BB45750000-0x000001BB45777000-memory.dmp

Filesize
156KB

Download
memory/2524-404-0x000001F6C6030000-0x000001F6C6057000-memory.dmp

Filesize
156KB

Download
memory/2592-409-0x00000234FAA40000-0x00000234FAA67000-memory.dmp

Filesize
156KB

Download
memory/2612-413-0x000001D96D780000-0x000001D96D7A7000-memory.dmp

Filesize
156KB

Download
memory/2628-417-0x000001ED36560000-0x000001ED36587000-memory.dmp

Filesize
156KB

Download
memory/2636-422-0x00000272F4770000-0x00000272F4797000-memory.dmp

Filesize
156KB

Download
memory/2648-426-0x000001B72B960000-0x000001B72B987000-memory.dmp

Filesize
156KB

Download
memory/2716-432-0x0000025278690000-0x00000252786B7000-memory.dmp

Filesize
156KB

Download
memory/3192-442-0x0000000000D60000-0x0000000000D87000-memory.dmp

Filesize
156KB

Download
memory/3232-447-0x0000025DF7C90000-0x0000025DF7CB7000-memory.dmp

Filesize
156KB

Download
memory/3840-444-0x000002404C070000-0x000002404C097000-memory.dmp

Filesize
156KB

Download
memory/4336-473-0x00000218C34C0000-0x00000218C34E7000-memory.dmp

Filesize
156KB

Download
memory/4424-166-0x00000250D0F20000-0x00000250D0F30000-memory.dmp

Filesize
64KB

Download
memory/4424-164-0x00000250D0F20000-0x00000250D0F30000-memory.dmp

Filesize
64KB

Download
memory/4424-165-0x00000250D0F20000-0x00000250D0F30000-memory.dmp

Filesize
64KB

Download
memory/4516-465-0x000002B1A3960000-0x000002B1A3987000-memory.dmp

Filesize
156KB

Download
memory/4816-462-0x000001B2D4520000-0x000001B2D4547000-memory.dmp

Filesize
156KB

Download
memory/4880-450-0x0000022393820000-0x0000022393847000-memory.dmp

Filesize
156KB

Download
memory/5004-471-0x0000019B7C3A0000-0x0000019B7C3C7000-memory.dmp

Filesize
156KB

Download
memory/5020-454-0x000002C248E30000-0x000002C248E57000-memory.dmp

Filesize
156KB

Download