xenorat | 1316e22fe1e9b3d4a9c42362c21bca74598cdc11eae27282a29871fb98ab0b38

Resubmissions

11-05-2024 19:51

240511-ykvkzahc78 10

11-05-2024 19:45

240511-ygfmmsec3y 10

11-05-2024 18:50

240511-xhabksfa93 10

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AudinoBuilder.exe
Size

5.6MB
MD5

c4cb065184458a9e05b7c893642f9b3c
SHA1

36327e2e82c26c3d39dcc51569c08c624c90ae20
SHA256

1316e22fe1e9b3d4a9c42362c21bca74598cdc11eae27282a29871fb98ab0b38
SHA512

2e9809bce89db2566c7aa9143afc5c818cc2765ea6c0ab2e8d583aac7a7b1cca5d601b5ecb8cc676221118ab2b8b333eea7fad614f5150ae95c76b979388faa4
SSDEEP

98304:lKAVWycWWgSj67/ngnLqAABRvCrnVAo3tH/Gfz7H7YzA4AzRP2HjdgW0NaBFV:8TylWgSj6DnDvRKrnVAoBQHHkERPPW0K

Score

10^/10

xenorat zgrat evasion execution persistence rat trojan

Malware Config

Extracted

Family

xenorat

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
45010
startup_name
ErrorManager

Signatures

Detect ZGRat V1 29 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2512-48-0x0000000005660000-0x00000000056CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-50-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-52-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-86-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-102-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-100-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-98-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-96-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-94-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-92-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-88-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-84-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-82-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-80-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-78-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-76-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-74-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-72-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-70-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-67-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-63-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-61-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-104-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-90-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-56-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-54-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-49-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-65-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-59-0x0000000005660000-0x00000000056C5000-memory.dmp	family_zgrat_v1

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4256 powershell.exe
5488 powershell.exe
4916 powershell.exe
3684 powershell.exe
5160 powershell.exe
5500 powershell.exe
2176 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4256	powershell.exe
5488	powershell.exe
4916	powershell.exe
3684	powershell.exe
5160	powershell.exe
5500	powershell.exe
2176	powershell.exe

Executes dropped EXE 7 IoCs

Processes:

Ilkdt.exeWinHostMgr.exeWindowsSubsystem.exeWindowsSubsystem.exebauwrdgwodhv.exebauwrdgwodhv.exebauwrdgwodhv.exe

pid	process
2512	Ilkdt.exe
1080	WinHostMgr.exe
2520	WindowsSubsystem.exe
2412	WindowsSubsystem.exe
5612	bauwrdgwodhv.exe
2980	bauwrdgwodhv.exe
2252	bauwrdgwodhv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

18 pastebin.com
28 pastebin.com

flow	ioc
18	pastebin.com
28	pastebin.com

Drops file in System32 directory 10 IoCs

Processes:

powershell.exepowershell.exebauwrdgwodhv.exepowershell.exebauwrdgwodhv.exepowershell.exeWinHostMgr.exepowershell.exebauwrdgwodhv.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bauwrdgwodhv.exe

description	pid	process	target process
PID 5612 set thread context of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 set thread context of 2848	5612	bauwrdgwodhv.exe	explorer.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1628	sc.exe
5608	sc.exe
4524	sc.exe
1120	sc.exe
2016	sc.exe
5812	sc.exe
5288	sc.exe
5460	sc.exe
5772	sc.exe
5848	sc.exe
2236	sc.exe
1440	sc.exe
2212	sc.exe
5708	sc.exe
5380	sc.exe
5332	sc.exe
4636	sc.exe
3592	sc.exe
5588	sc.exe
3232	sc.exe
5284	sc.exe
3860	sc.exe
5880	sc.exe
5380	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5628 schtasks.exe

pid	process
5628	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exepowershell.exeWinHostMgr.exepowershell.exebauwrdgwodhv.exepowershell.exe

pid	process
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
4256	powershell.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
4256	powershell.exe
4256	powershell.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
1080	WinHostMgr.exe
908	taskmgr.exe
5488	powershell.exe
5488	powershell.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
1080	WinHostMgr.exe
5612	bauwrdgwodhv.exe
908	taskmgr.exe
4916	powershell.exe
4916	powershell.exe
908	taskmgr.exe
5612	bauwrdgwodhv.exe
5612	bauwrdgwodhv.exe
5612	bauwrdgwodhv.exe
5612	bauwrdgwodhv.exe
5612	bauwrdgwodhv.exe
908	taskmgr.exe
5612	bauwrdgwodhv.exe
5612	bauwrdgwodhv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

908 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

taskmgr.exeIlkdt.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	908	taskmgr.exe
Token: SeSystemProfilePrivilege	908	taskmgr.exe
Token: SeCreateGlobalPrivilege	908	taskmgr.exe
Token: SeDebugPrivilege	2512	Ilkdt.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	5488	powershell.exe
Token: SeShutdownPrivilege	3640	powercfg.exe
Token: SeCreatePagefilePrivilege	3640	powercfg.exe
Token: SeShutdownPrivilege	2348	powercfg.exe
Token: SeCreatePagefilePrivilege	2348	powercfg.exe
Token: SeShutdownPrivilege	5000	powercfg.exe
Token: SeCreatePagefilePrivilege	5000	powercfg.exe
Token: SeShutdownPrivilege	4328	powercfg.exe
Token: SeCreatePagefilePrivilege	4328	powercfg.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeCreatePagefilePrivilege	1748	powercfg.exe
Token: SeShutdownPrivilege	5632	powercfg.exe
Token: SeCreatePagefilePrivilege	5632	powercfg.exe
Token: SeShutdownPrivilege	1132	powercfg.exe
Token: SeCreatePagefilePrivilege	1132	powercfg.exe
Token: SeShutdownPrivilege	4020	powercfg.exe
Token: SeCreatePagefilePrivilege	4020	powercfg.exe
Token: SeLockMemoryPrivilege	2848	explorer.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	5160	powershell.exe
Token: SeShutdownPrivilege	5700	powercfg.exe
Token: SeCreatePagefilePrivilege	5700	powercfg.exe
Token: SeShutdownPrivilege	5744	powercfg.exe
Token: SeCreatePagefilePrivilege	5744	powercfg.exe
Token: SeShutdownPrivilege	5984	powercfg.exe
Token: SeCreatePagefilePrivilege	5984	powercfg.exe
Token: SeShutdownPrivilege	5932	powercfg.exe
Token: SeCreatePagefilePrivilege	5932	powercfg.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeShutdownPrivilege	2416	powercfg.exe
Token: SeCreatePagefilePrivilege	2416	powercfg.exe
Token: SeShutdownPrivilege	852	powercfg.exe
Token: SeCreatePagefilePrivilege	852	powercfg.exe
Token: SeShutdownPrivilege	1956	powercfg.exe
Token: SeCreatePagefilePrivilege	1956	powercfg.exe
Token: SeShutdownPrivilege	4316	powercfg.exe
Token: SeCreatePagefilePrivilege	4316	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe
908	taskmgr.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

AudinoBuilder.exeWindowsSubsystem.exeWindowsSubsystem.execmd.execmd.exebauwrdgwodhv.execmd.execmd.exe

description	pid	process	target process
PID 4372 wrote to memory of 4256	4372	AudinoBuilder.exe	powershell.exe
PID 4372 wrote to memory of 4256	4372	AudinoBuilder.exe	powershell.exe
PID 4372 wrote to memory of 4256	4372	AudinoBuilder.exe	powershell.exe
PID 4372 wrote to memory of 2512	4372	AudinoBuilder.exe	Ilkdt.exe
PID 4372 wrote to memory of 2512	4372	AudinoBuilder.exe	Ilkdt.exe
PID 4372 wrote to memory of 2512	4372	AudinoBuilder.exe	Ilkdt.exe
PID 4372 wrote to memory of 1080	4372	AudinoBuilder.exe	WinHostMgr.exe
PID 4372 wrote to memory of 1080	4372	AudinoBuilder.exe	WinHostMgr.exe
PID 4372 wrote to memory of 2520	4372	AudinoBuilder.exe	WindowsSubsystem.exe
PID 4372 wrote to memory of 2520	4372	AudinoBuilder.exe	WindowsSubsystem.exe
PID 4372 wrote to memory of 2520	4372	AudinoBuilder.exe	WindowsSubsystem.exe
PID 2520 wrote to memory of 2412	2520	WindowsSubsystem.exe	WindowsSubsystem.exe
PID 2520 wrote to memory of 2412	2520	WindowsSubsystem.exe	WindowsSubsystem.exe
PID 2520 wrote to memory of 2412	2520	WindowsSubsystem.exe	WindowsSubsystem.exe
PID 2412 wrote to memory of 5628	2412	WindowsSubsystem.exe	schtasks.exe
PID 2412 wrote to memory of 5628	2412	WindowsSubsystem.exe	schtasks.exe
PID 2412 wrote to memory of 5628	2412	WindowsSubsystem.exe	schtasks.exe
PID 5728 wrote to memory of 5584	5728	cmd.exe	wusa.exe
PID 5728 wrote to memory of 5584	5728	cmd.exe	wusa.exe
PID 4132 wrote to memory of 8	4132	cmd.exe	wusa.exe
PID 4132 wrote to memory of 8	4132	cmd.exe	wusa.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 5428	5612	bauwrdgwodhv.exe	conhost.exe
PID 5612 wrote to memory of 2848	5612	bauwrdgwodhv.exe	explorer.exe
PID 5612 wrote to memory of 2848	5612	bauwrdgwodhv.exe	explorer.exe
PID 5612 wrote to memory of 2848	5612	bauwrdgwodhv.exe	explorer.exe
PID 5612 wrote to memory of 2848	5612	bauwrdgwodhv.exe	explorer.exe
PID 5612 wrote to memory of 2848	5612	bauwrdgwodhv.exe	explorer.exe
PID 4188 wrote to memory of 3552	4188	cmd.exe	wusa.exe
PID 4188 wrote to memory of 3552	4188	cmd.exe	wusa.exe
PID 6136 wrote to memory of 740	6136	cmd.exe	wusa.exe
PID 6136 wrote to memory of 740	6136	cmd.exe	wusa.exe

C:\Users\Admin\AppData\Local\Temp\AudinoBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\AudinoBuilder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAaAB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAbgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAeQB0ACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
"C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
"C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:5728

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:5584

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:5588

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3232

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:5284

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:2212

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GMDTJRUT"
3⤵
- Launches sc.exe
PID:5708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
3⤵
- Launches sc.exe
PID:5288

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:5380

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GMDTJRUT"
3⤵
- Launches sc.exe
PID:5460

C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "ErrorManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BAF.tmp" /F
4⤵
- Creates scheduled task(s)
PID:5628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3036

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5612

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:8

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:3860

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:5608

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:5772

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:5848

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5632

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
"C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:3552

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:4636

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:5880

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:4524

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:2236

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:5380

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5744

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5932

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
"C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Suspicious use of WriteProcessMemory
PID:6136

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:740

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:1120

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:2016

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:3592

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:1440

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:5812

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e5a0fb5855ba19da7329e5feaa7aac49

SHA1
ad0b5ae1b42961404bb18980a206abc9b086ecc9

SHA256
a80beb1bb8dd659a2af25db4092b5487f327e38e2d75c939bdaaf3b3f6c7d456

SHA512
fb632526e40b7ded5d1ac3e11b855c84baa716bdb12122303fc503f65d4577cb4c6beeeee5265fa8fe7fd9a6a15b0d0ac4c74bb9ba5a456d4472716d9aa0a6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
Filesize
5.0MB

MD5
e222309197c5e633aa8e294ba4bdcd29

SHA1
52b3f89a3d2262bf603628093f6d1e71d9cc3820

SHA256
047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

SHA512
9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2jd3aky0.ife.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BAF.tmp
Filesize
1KB

MD5
0cd3da1799bc79141a8e8b219f395b48

SHA1
53d117d84f3ba1066b59720965e25a84792439a5

SHA256
8bb355c414170a13cc47f16128844bac5089e9c845f7d07d4d098579b7c152d6

SHA512
686ef43213a06ba50e3b78c1f84782cbc2e8a87f97c297addf8bea5d78346420fd143dd7d4aa7f95a7827c2db4fd27c15cfec44fef6e700351cff887afc8e536

Download Submit
C:\Windows\TEMP\qdvyclnkfmuh.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f2dd68ab8e611f0143c6ad176f223ae9

SHA1
30f580175773f251a9572fe757de6eaef6844abc

SHA256
f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

SHA512
f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5f2ee01ec612bd9f5bbdbe2cb2364edb

SHA1
46d22b155f8c92c4416577cfff3e105d9ae4f96e

SHA256
bf99889c6909a04834949a53dbafedd037db3a7903425f21f695d3301eafe37a

SHA512
cf688c50f0cdaca2ba3ef8d8eb145c7410a1c5db6d0ddfa3f995b9b6c82ad5caa4fea928093431ccea08ecd46c623494635a09527ceb319b6c969ba0335f4f20

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b53a6b227547a15255ef16a2040f856d

SHA1
56f9d2052a7a718cc821ce3a6651978ebfe99197

SHA256
6808e5418d756190eff5353ff86c6a1ded314a09a494fd37e0d321e5902ae201

SHA512
b82cb7f6c1a545a87053b6dbe8c32f47bdbd24022c9b067ddabdf482d784bae75078cf6eaefb79ade64250c1947bb35f36ea1011bbea5949ddf04dfc6cf5f49e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a72576d788e89ddbf37b8f157a7b5465

SHA1
0d6cc1ed08a31083520485c48f429c1f5da6c93a

SHA256
585c9ec0c139e75c7639b29685933fa6f2b50b688d069ea6b3a9f1011494f24b

SHA512
ba3792cb1756a71c63831ef8db05b4317c798687764c0eaa7e748b612b333233c4686634e3034dd7b2b5473b777338256a3b203ceb463e68f979cdeeadb5c3de

Download Submit
\??\c:\users\admin\appdata\local\temp\windowssubsystem.exe
Filesize
43KB

MD5
6b44f7785d4ce45ede1b02681227d987

SHA1
444d76fb81d4fbeb9c1a2011d2de8f2b8ff0084a

SHA256
2c85b511ff201346d1e6c2ab300445ad263ed40192c1748ec10fa02f6aa05186

SHA512
83f96b49bf619aa8fd89a7fb7be282d7a06e6ae0dd8f42ef8ad9e1832a889d9dc3b8920989cea5fbecfec63dd894f49d5ad1d2d25894de7b523add0539d1de55

Download Submit
memory/908-1-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-11-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-6-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-7-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-8-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-9-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-10-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-12-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-2-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/908-0-0x000001588D020000-0x000001588D021000-memory.dmp

Filesize
4KB

Download
memory/2512-61-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-72-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-43-0x0000000000D70000-0x0000000000DA6000-memory.dmp

Filesize
216KB

Download
memory/2512-98-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-48-0x0000000005660000-0x00000000056CC000-memory.dmp

Filesize
432KB

Download
memory/2512-96-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-94-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-92-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-88-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-84-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-82-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-80-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-78-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-76-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-74-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-102-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-50-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-70-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-67-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-63-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-100-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-104-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-90-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-86-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-56-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-54-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-49-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-65-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-59-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2512-52-0x0000000005660000-0x00000000056C5000-memory.dmp

Filesize
404KB

Download
memory/2520-44-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/3684-1775-0x000001CBC2640000-0x000001CBC26F3000-memory.dmp

Filesize
716KB

Download
memory/4256-1667-0x0000000006D60000-0x0000000006D94000-memory.dmp

Filesize
208KB

Download
memory/4256-1687-0x0000000007440000-0x0000000007448000-memory.dmp

Filesize
32KB

Download
memory/4256-1678-0x0000000006FA0000-0x0000000007044000-memory.dmp

Filesize
656KB

Download
memory/4256-1679-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/4256-1680-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/4256-1681-0x0000000007190000-0x000000000719A000-memory.dmp

Filesize
40KB

Download
memory/4256-1682-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download
memory/4256-1683-0x0000000007310000-0x0000000007321000-memory.dmp

Filesize
68KB

Download
memory/4256-1684-0x0000000007350000-0x000000000735E000-memory.dmp

Filesize
56KB

Download
memory/4256-1685-0x0000000007360000-0x0000000007375000-memory.dmp

Filesize
84KB

Download
memory/4256-1686-0x0000000007450000-0x000000000746A000-memory.dmp

Filesize
104KB

Download
memory/4256-1666-0x0000000005E20000-0x0000000005E6C000-memory.dmp

Filesize
304KB

Download
memory/4256-45-0x00000000028E0000-0x0000000002916000-memory.dmp

Filesize
216KB

Download
memory/4256-165-0x00000000058D0000-0x0000000005C27000-memory.dmp

Filesize
3.3MB

Download
memory/4256-1668-0x0000000075190000-0x00000000751DC000-memory.dmp

Filesize
304KB

Download
memory/4256-1677-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/4256-136-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/4256-73-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/4256-47-0x00000000050A0000-0x00000000056CA000-memory.dmp

Filesize
6.2MB

Download
memory/4256-58-0x0000000004FF0000-0x0000000005012000-memory.dmp

Filesize
136KB

Download
memory/4256-1665-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/4916-1723-0x000001677DE10000-0x000001677DE2C000-memory.dmp

Filesize
112KB

Download
memory/4916-1730-0x000001677DF40000-0x000001677DF46000-memory.dmp

Filesize
24KB

Download
memory/4916-1731-0x000001677DF50000-0x000001677DF5A000-memory.dmp

Filesize
40KB

Download
memory/4916-1729-0x000001677DF10000-0x000001677DF18000-memory.dmp

Filesize
32KB

Download
memory/4916-1728-0x000001677DF60000-0x000001677DF7A000-memory.dmp

Filesize
104KB

Download
memory/4916-1727-0x000001677DF00000-0x000001677DF0A000-memory.dmp

Filesize
40KB

Download
memory/4916-1726-0x000001677DF20000-0x000001677DF3C000-memory.dmp

Filesize
112KB

Download
memory/4916-1725-0x000001677DEF0000-0x000001677DEFA000-memory.dmp

Filesize
40KB

Download
memory/4916-1724-0x000001677DE30000-0x000001677DEE3000-memory.dmp

Filesize
716KB

Download
memory/5488-1692-0x000001B55A230000-0x000001B55A252000-memory.dmp

Filesize
136KB

Download
memory/5500-1817-0x0000027069890000-0x0000027069943000-memory.dmp

Filesize
716KB

Download