ef6c8a51411f35865be131eeaca7a88f3c92c2ffcc2c252e2add253fa1c69323

Analysis

max time kernel
173s
max time network
263s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RSS-Automatic.bat
Size

59KB
MD5

bcbf0323a696a543284529e0d7b960a1
SHA1

f633a0b3451f8f5d341ea020e6db38bf0a1bd1a4
SHA256

ef6c8a51411f35865be131eeaca7a88f3c92c2ffcc2c252e2add253fa1c69323
SHA512

2d0b7fbefe70ffd879b8c20deeb69392b452e831f293e5746cb14d7676baaa9f000daab35b4e37809e891c766b1d97737920f93d83de319109d03af2e5f469d9
SSDEEP

768:aUG6gMeILenoN3iY6wMPd8AJJeydBTsEswLOqzZHdVf+lPy2u8:DGhIBCJeyvTsuTd+9yS

Score

1^/10

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 16 IoCs

Process Discovery

T1057

pid	Process
4992	tasklist.exe
4552	tasklist.exe
3236	tasklist.exe
3052	tasklist.exe
4696	tasklist.exe
2280	tasklist.exe
4388	tasklist.exe
3672	tasklist.exe
1156	tasklist.exe
3752	tasklist.exe
4036	tasklist.exe
876	tasklist.exe
1444	tasklist.exe
1724	tasklist.exe
1708	tasklist.exe
4504	tasklist.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	powershell.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3764	PING.EXE
4704	PING.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4280	powershell.exe
4280	powershell.exe
4880	powershell.exe
4880	powershell.exe
4308	powershell.exe
4308	powershell.exe
1996	powershell.exe
1996	powershell.exe
3992	powershell.exe
3992	powershell.exe
3992	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe
3596	powershell.exe
3596	powershell.exe
1860	powershell.exe
1860	powershell.exe
1584	powershell.exe
1584	powershell.exe
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
3128	powershell.exe
3128	powershell.exe
3128	powershell.exe
2404	powershell.exe
2404	powershell.exe
2404	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	1724	tasklist.exe
Token: SeDebugPrivilege	1156	tasklist.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	1708	tasklist.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	3052	tasklist.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	4992	tasklist.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	4504	tasklist.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	4552	tasklist.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	3752	tasklist.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3236	tasklist.exe
Token: SeDebugPrivilege	4036	tasklist.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	4696	tasklist.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2280	tasklist.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	4388	tasklist.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	1444	tasklist.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	3672	tasklist.exe
Token: SeDebugPrivilege	804	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4280	4492	cmd.exe	84
PID 4492 wrote to memory of 4280	4492	cmd.exe	84
PID 4280 wrote to memory of 3880	4280	powershell.exe	85
PID 4280 wrote to memory of 3880	4280	powershell.exe	85
PID 3880 wrote to memory of 2180	3880	cmd.exe	88
PID 3880 wrote to memory of 2180	3880	cmd.exe	88
PID 3880 wrote to memory of 1724	3880	cmd.exe	89
PID 3880 wrote to memory of 1724	3880	cmd.exe	89
PID 3880 wrote to memory of 3112	3880	cmd.exe	90
PID 3880 wrote to memory of 3112	3880	cmd.exe	90
PID 3880 wrote to memory of 4704	3880	cmd.exe	92
PID 3880 wrote to memory of 4704	3880	cmd.exe	92
PID 3880 wrote to memory of 4048	3880	cmd.exe	106
PID 3880 wrote to memory of 4048	3880	cmd.exe	106
PID 3880 wrote to memory of 1860	3880	cmd.exe	107
PID 3880 wrote to memory of 1860	3880	cmd.exe	107
PID 3880 wrote to memory of 1640	3880	cmd.exe	108
PID 3880 wrote to memory of 1640	3880	cmd.exe	108
PID 3880 wrote to memory of 1984	3880	cmd.exe	109
PID 3880 wrote to memory of 1984	3880	cmd.exe	109
PID 1984 wrote to memory of 1156	1984	cmd.exe	110
PID 1984 wrote to memory of 1156	1984	cmd.exe	110
PID 1984 wrote to memory of 224	1984	cmd.exe	111
PID 1984 wrote to memory of 224	1984	cmd.exe	111
PID 3880 wrote to memory of 4880	3880	cmd.exe	112
PID 3880 wrote to memory of 4880	3880	cmd.exe	112
PID 3880 wrote to memory of 4668	3880	cmd.exe	113
PID 3880 wrote to memory of 4668	3880	cmd.exe	113
PID 4668 wrote to memory of 1708	4668	cmd.exe	114
PID 4668 wrote to memory of 1708	4668	cmd.exe	114
PID 4668 wrote to memory of 2180	4668	cmd.exe	115
PID 4668 wrote to memory of 2180	4668	cmd.exe	115
PID 3880 wrote to memory of 4308	3880	cmd.exe	116
PID 3880 wrote to memory of 4308	3880	cmd.exe	116
PID 3880 wrote to memory of 3540	3880	cmd.exe	117
PID 3880 wrote to memory of 3540	3880	cmd.exe	117
PID 3540 wrote to memory of 3052	3540	cmd.exe	118
PID 3540 wrote to memory of 3052	3540	cmd.exe	118
PID 3540 wrote to memory of 868	3540	cmd.exe	119
PID 3540 wrote to memory of 868	3540	cmd.exe	119
PID 3880 wrote to memory of 1996	3880	cmd.exe	120
PID 3880 wrote to memory of 1996	3880	cmd.exe	120
PID 3880 wrote to memory of 2788	3880	cmd.exe	121
PID 3880 wrote to memory of 2788	3880	cmd.exe	121
PID 2788 wrote to memory of 4992	2788	cmd.exe	123
PID 2788 wrote to memory of 4992	2788	cmd.exe	123
PID 2788 wrote to memory of 4772	2788	cmd.exe	122
PID 2788 wrote to memory of 4772	2788	cmd.exe	122
PID 3880 wrote to memory of 3992	3880	cmd.exe	124
PID 3880 wrote to memory of 3992	3880	cmd.exe	124
PID 3880 wrote to memory of 3560	3880	cmd.exe	125
PID 3880 wrote to memory of 3560	3880	cmd.exe	125
PID 3560 wrote to memory of 4504	3560	cmd.exe	126
PID 3560 wrote to memory of 4504	3560	cmd.exe	126
PID 3560 wrote to memory of 3552	3560	cmd.exe	127
PID 3560 wrote to memory of 3552	3560	cmd.exe	127
PID 3880 wrote to memory of 1684	3880	cmd.exe	128
PID 3880 wrote to memory of 1684	3880	cmd.exe	128
PID 3880 wrote to memory of 1408	3880	cmd.exe	129
PID 3880 wrote to memory of 1408	3880	cmd.exe	129
PID 1408 wrote to memory of 4552	1408	cmd.exe	130
PID 1408 wrote to memory of 4552	1408	cmd.exe	130
PID 1408 wrote to memory of 2032	1408	cmd.exe	131
PID 1408 wrote to memory of 2032	1408	cmd.exe	131

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell start -verb runas 'C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat' am_admin
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2180
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "ImageName eq Javaw.exe" /fo csv
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1724
  - - C:\Windows\system32\find.exe
      find /I "Javaw"
      4⤵
      PID:3112
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:4704
  - - C:\Windows\system32\curl.exe
      curl -o "C:\Users\Admin\AppData\Roaming\SS\AutomaticTools\Paladin.exe" "https://dl.paladin.ac"
      4⤵
      PID:4048
  - - C:\Windows\system32\chcp.com
      chcp 850
      4⤵
      PID:1860
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:1640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq dps" /fi "services eq dps" | findstr /i "svchost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq dps" /fi "services eq dps"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$result = 'Process Not Running: DPS'; Write-Host $result
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Sysmain" /fi "services eq Sysmain" | findstr /i "svchost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq Sysmain" /fi "services eq Sysmain"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:2180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$result = 'Process Not Running: Sysmain'; Write-Host $result
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq PcaSvc" /fi "services eq PcaSvc" | findstr /i "svchost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq PcaSvc" /fi "services eq PcaSvc"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$result = 'Process Not Running: PcaSvc'; Write-Host $result
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Dusmsvc" /fi "services eq Dusmsvc" | findstr /i "svchost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:4772
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq Dusmsvc" /fi "services eq Dusmsvc"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 1904}; if ($process) { $result = 'Process Name: Dusmsvc ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Eventlog" /fi "services eq Eventlog" | findstr /i "svchost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq Eventlog" /fi "services eq Eventlog"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:3552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 1300}; if ($process) { $result = 'Process Name: Eventlog ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Appinfo" /fi "services eq Appinfo" | findstr /i "svchost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq Appinfo" /fi "services eq Appinfo"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:2032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 3108}; if ($process) { $result = 'Process Name: Appinfo ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq DcomLaunch" /fi "services eq DcomLaunch" | findstr /i "svchost.exe"
      4⤵
      PID:4688
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq DcomLaunch" /fi "services eq DcomLaunch"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:3576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 796}; if ($process) { $result = 'Process Name: BAM ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat" "
1⤵
PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell start -verb runas '"C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat"' am_admin
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat" am_admin
    3⤵
    PID:4204
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2900
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "ImageName eq Javaw.exe" /fo csv
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Windows\system32\find.exe
      find /I "Javaw"
      4⤵
      PID:4236
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:3764
  - - C:\Windows\system32\chcp.com
      chcp 850
      4⤵
      PID:4312
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:2220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq dps" /fi "services eq dps" | findstr /i "svchost.exe"
      4⤵
      PID:2420
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq dps" /fi "services eq dps"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:3956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$result = 'Process Not Running: DPS'; Write-Host $result
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Sysmain" /fi "services eq Sysmain" | findstr /i "svchost.exe"
      4⤵
      PID:3716
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq Sysmain" /fi "services eq Sysmain"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:2852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$result = 'Process Not Running: Sysmain'; Write-Host $result
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq PcaSvc" /fi "services eq PcaSvc" | findstr /i "svchost.exe"
      4⤵
      PID:3288
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq PcaSvc" /fi "services eq PcaSvc"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:4484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 2476}; if ($process) { $result = 'Process Name: PcaSvc ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Dusmsvc" /fi "services eq Dusmsvc" | findstr /i "svchost.exe"
      4⤵
      PID:2604
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq Dusmsvc" /fi "services eq Dusmsvc"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:4840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 1904}; if ($process) { $result = 'Process Name: Dusmsvc ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Eventlog" /fi "services eq Eventlog" | findstr /i "svchost.exe"
      4⤵
      PID:3116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq Eventlog" /fi "services eq Eventlog"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 1300}; if ($process) { $result = 'Process Name: Eventlog ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Appinfo" /fi "services eq Appinfo" | findstr /i "svchost.exe"
      4⤵
      PID:3492
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq Appinfo" /fi "services eq Appinfo"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:1464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 3108}; if ($process) { $result = 'Process Name: Appinfo ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq DcomLaunch" /fi "services eq DcomLaunch" | findstr /i "svchost.exe"
      4⤵
      PID:4236
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "svchost.exe"
        5⤵
        
        PID:3088
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc /fi "services eq DcomLaunch" /fi "services eq DcomLaunch"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 796}; if ($process) { $result = 'Process Name: BAM ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
91a39b91c2b22ff00c12e56878baa09b

SHA1
e19e669a9c2c8fec9fb699c4c76384a105471bda

SHA256
931a2eaa61178581995773a9da78f4bfd76ad27c29b44442fa1329b384a0cd96

SHA512
59df651f9cab1c7b960e22d8207766cef07393b33d42f2b759bf4043cd63f2abaf08f9e1b419c6a126fb51a98468d15d34ba09caac46dfbc1a1b658c513aa2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c6fde2dec167fbabaa0168aebc5e3ef

SHA1
ee72f321c123219f5c411cca491333af848512e1

SHA256
35076ea62c75739f2f1434d3cdde5f975e332a13210ffab2ab63a975f300fbc9

SHA512
59221096ca0c2311844e5a845bddc0e1050224f1c094592216654342aa90cfd4f15e72927f63412b3b1d3b1960df960dbd6a371fb3d5a113998c7bda72eb07d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
91a39b91c2b22ff00c12e56878baa09b

SHA1
e19e669a9c2c8fec9fb699c4c76384a105471bda

SHA256
931a2eaa61178581995773a9da78f4bfd76ad27c29b44442fa1329b384a0cd96

SHA512
59df651f9cab1c7b960e22d8207766cef07393b33d42f2b759bf4043cd63f2abaf08f9e1b419c6a126fb51a98468d15d34ba09caac46dfbc1a1b658c513aa2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f635ff85489c6a33ce5fec6d950b7de1

SHA1
2248fc36e2205873fe8eb0770760c5a9e818ef68

SHA256
86fe05491a248fe13867acd2679e919e148b936c7774e240191438031963d3d3

SHA512
e392d2de377a9a1cec64d8b83183189612609af42b214f741807ce85f68e225fd4a1e10579bf782d2ddb7430e01b0e3a2d69c7934ef34aba1f55cdd90230c923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8ec8592e51b12e0530cfdb1401c5c4e

SHA1
9fca163abda1047dd3b02766ba2e98c1ee401a4b

SHA256
c111a4b222164232daa8d725cfade5b95cf90a316a974f09ebd95a13953e65e0

SHA512
b675a9b7a1b16dcc0f0e42d8a1def3f5d232c8d20322a52649d2beb82ae4fcc0eb94e59e60ddf22810e79f083baf372289fc8c92e2acf330e070f40a2aefcf94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e2b74f17e7a64857f2fd10d8400cf1cb

SHA1
38ac71a4337158a10b429b749cd2e1e123910c59

SHA256
2d5e9335b7b72d168238c1b8a61501db4ace2c916b66ee0e1d982b2868e04600

SHA512
4a382921a8846af227b2d76b3296df30772f0a1926bc3f5ece34b063d345755003dc01da1cd5e19702aadb913a3fab1c95c68a37041af0b89013441eaed3a0b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f2485420dbf4dae87e7ee16ce390432

SHA1
53efb489759d89974d5a107d6111a748ce465917

SHA256
41d86cd7da461064e79a7df628d2e556c50cd48a938b4d7ad32154949c2e64ab

SHA512
57f4dac261fa43673e0ba732da35cac1f4b6da4efb258e6109c16b0c92adb137b8b4d989024c61cee13e84c47105d85000eb9f612277182f9613767b6cd9fd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf3dcec964b0d1a9864ab2188050c7ea

SHA1
e79641ad44523a0174525e5c929b9e4af8a456fd

SHA256
cc0fe5f7025b37af1283a6b4709f1309293285786c1f67f19135e10077521530

SHA512
1bbdf6546666ea766708002747b5d298fbd7e9af457cf77436b6458bb21e585344146f5d96e6ea2560f5afb15e3e221ab68b4a66729609741b0cc27df435f14f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e95a9b0c3e66170df349f2f4758771b5

SHA1
c8e38bdb3d02d17ca9856be112dd003ef094089f

SHA256
f6b29c545d3813ff4c9d4f7ce6ee3f2e4af2cbc0b11b86a464832011b412f877

SHA512
53a349d092e3f5d4b9bcd44c5a82a2da1315acc7cd950b19b6ec767095f1ad9df0955863c504bcac0d0a89609c6ce7863156d84c2fd6940527ceea4de48b0fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3d23c68f4da40db7fd0f82123e98b16

SHA1
d84df60ccfe3fecdad6a2b551d077840a07cc3bb

SHA256
1d9ad2468abcb3e2a2b3150f0d60c032cbc9c859fca1ee784cb22154aabbef3e

SHA512
13e69db186ace2f1d72106d699c1805f7ea166744ddb02b4e4ee6a9090b1d58f3fda7ffd6020e3e45df5989a991fcda16ee0ba860dda5afc4f2d33990efcf250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0dbae7bd4b2586dcdd9b815408750a98

SHA1
c90f9be1442b1159f35b9ad7d0e5bc7891ae4598

SHA256
8259212c64f10d1b2d2f4c9322efa9a0dcc982eaa1f92a4cf9859b6b67bc01db

SHA512
6acce90bdd9aa982826d4b1c915d61a39a4bb72480c2b86e7bc76f700541832897d95fb5b9c181f9a74f2da14b0a655244d653c429e1fe3038e03d2714ecf4c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d910cf73795a458561f955775a11281a

SHA1
beb94de06b1b3cebcd2932a1c6164720c83d1662

SHA256
1376f0377beb680b9cea0223c387c37487efde87027ae42c485d34b627e0f5b7

SHA512
429a346f91d865b60cb1ae108579d2e9602dd78e6c67f31b4cb271fcda008333b1ca43e5989f91d0a353255adabef4c353198069b21d93f80c129516d94c08ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hrmrbvzv.a2x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SS\AutomaticTools\Paladin.exe

Filesize
11KB

MD5
91ab1f5e3d2e2cbfccb50c6d32de8c10

SHA1
4b31fad41372f637ece3a1ce2d8e14ea7e92fbad

SHA256
5b973ca7abef755863bcf303f97cf885f675c23fbc022c0d47ce82606c98ec97

SHA512
4a9f6ed998f4f2127127f5bd552d3897f626f9a21d5e3d3cc7e0c10cb3d00e5b9e554af59ba6b7b7cbefd14671767b23db0ba374915ea370b0c3141603d5d793

Download Submit
memory/1584-164-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1584-165-0x00000274F59E0000-0x00000274F59F0000-memory.dmp

Filesize
64KB

Download
memory/1584-171-0x00000274F59E0000-0x00000274F59F0000-memory.dmp

Filesize
64KB

Download
memory/1584-173-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1684-96-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1684-93-0x00000205BDC40000-0x00000205BDC50000-memory.dmp

Filesize
64KB

Download
memory/1684-89-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1860-155-0x000001EC53ED0000-0x000001EC53EE0000-memory.dmp

Filesize
64KB

Download
memory/1860-149-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1860-156-0x000001EC53ED0000-0x000001EC53EE0000-memory.dmp

Filesize
64KB

Download
memory/1860-158-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-110-0x000002607D840000-0x000002607D850000-memory.dmp

Filesize
64KB

Download
memory/1916-109-0x000002607D840000-0x000002607D850000-memory.dmp

Filesize
64KB

Download
memory/1916-112-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-108-0x000002607D840000-0x000002607D850000-memory.dmp

Filesize
64KB

Download
memory/1916-107-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1996-67-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1996-65-0x00000240FDAB0000-0x00000240FDAC0000-memory.dmp

Filesize
64KB

Download
memory/1996-63-0x00000240FDAB0000-0x00000240FDAC0000-memory.dmp

Filesize
64KB

Download
memory/1996-62-0x00000240FDAB0000-0x00000240FDAC0000-memory.dmp

Filesize
64KB

Download
memory/1996-57-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2404-230-0x0000018CCA420000-0x0000018CCA430000-memory.dmp

Filesize
64KB

Download
memory/2404-229-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-179-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-180-0x000001B9AC160000-0x000001B9AC170000-memory.dmp

Filesize
64KB

Download
memory/2736-187-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-213-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-215-0x000001E9613C0000-0x000001E9613D0000-memory.dmp

Filesize
64KB

Download
memory/3128-214-0x000001E9613C0000-0x000001E9613D0000-memory.dmp

Filesize
64KB

Download
memory/3128-218-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3596-139-0x0000029065490000-0x00000290654A0000-memory.dmp

Filesize
64KB

Download
memory/3596-138-0x0000029065490000-0x00000290654A0000-memory.dmp

Filesize
64KB

Download
memory/3596-137-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3596-141-0x0000029065490000-0x00000290654A0000-memory.dmp

Filesize
64KB

Download
memory/3596-143-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-82-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-78-0x000001FE79F00000-0x000001FE79F10000-memory.dmp

Filesize
64KB

Download
memory/3992-77-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-80-0x000001FE79F00000-0x000001FE79F10000-memory.dmp

Filesize
64KB

Download
memory/4076-203-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-199-0x000001D46D8B0000-0x000001D46D8C0000-memory.dmp

Filesize
64KB

Download
memory/4076-201-0x000001D46D8B0000-0x000001D46D8C0000-memory.dmp

Filesize
64KB

Download
memory/4076-196-0x000001D46D8B0000-0x000001D46D8C0000-memory.dmp

Filesize
64KB

Download
memory/4076-193-0x00007FFDE0300000-0x00007FFDE0DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-12-0x0000020149D10000-0x0000020149D20000-memory.dmp

Filesize
64KB

Download
memory/4280-16-0x00007FFDE2430000-0x00007FFDE2EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-9-0x00000201626E0000-0x0000020162702000-memory.dmp

Filesize
136KB

Download
memory/4280-10-0x00007FFDE2430000-0x00007FFDE2EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4280-13-0x0000020149D10000-0x0000020149D20000-memory.dmp

Filesize
64KB

Download
memory/4280-11-0x0000020149D10000-0x0000020149D20000-memory.dmp

Filesize
64KB

Download
memory/4308-45-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-48-0x00000214FB390000-0x00000214FB3A0000-memory.dmp

Filesize
64KB

Download
memory/4308-51-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-46-0x00000214FB390000-0x00000214FB3A0000-memory.dmp

Filesize
64KB

Download
memory/4308-49-0x00000214FB390000-0x00000214FB3A0000-memory.dmp

Filesize
64KB

Download
memory/4756-127-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4756-125-0x00000210BF580000-0x00000210BF590000-memory.dmp

Filesize
64KB

Download
memory/4756-118-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4756-124-0x00000210BF580000-0x00000210BF590000-memory.dmp

Filesize
64KB

Download
memory/4880-35-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-33-0x000001CE6BE70000-0x000001CE6BE80000-memory.dmp

Filesize
64KB

Download
memory/4880-32-0x000001CE6BE70000-0x000001CE6BE80000-memory.dmp

Filesize
64KB

Download
memory/4880-31-0x000001CE6BE70000-0x000001CE6BE80000-memory.dmp

Filesize
64KB

Download
memory/4880-30-0x00007FFDE1310000-0x00007FFDE1DD1000-memory.dmp

Filesize
10.8MB

Download