5c83ef5c137cd2ad8d898b27acbac09a5f218a105aaecf39dc364df837f11d6d

Analysis

max time kernel
69s
max time network
70s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uhard.exe
Size

14.0MB
MD5

1ab2548e89e865f83bce578b8aff8512
SHA1

1b451945f85137e38afcc183b26bb65aa2079b93
SHA256

5c83ef5c137cd2ad8d898b27acbac09a5f218a105aaecf39dc364df837f11d6d
SHA512

f34fa46b08f90b9c5bc3a1b46d20f28118d19f1cfc26847f08a42d28046dadf407d2d04bacc0ffd49ea222eb64123cb360d63b68083a42fab6a8755939cd14b4
SSDEEP

393216:OPsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRCONTQP76Nuudq+/XSdEVB3:OITkl

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2028	powershell.exe
5072	powershell.exe
2916	powershell.exe
6120	powershell.exe
3196	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\x372311\Parameters\ServiceDll = "C:\\Windows\\System32\\x372311.dat"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
5224	printui.exe
3816	console_zero.exe

Loads dropped DLL 13 IoCs

pid	Process
5224	printui.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
3816	console_zero.exe
3816	console_zero.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\System32\libwinpthread-1.dll	printui.exe
File created	C:\Windows\System32\zlib1.dll	printui.exe
File created	C:\Windows\System32\libcrypto-3-x64.dll	printui.exe
File created	C:\Windows\System32\libiconv-2.dll	printui.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\libintl-9.dll	printui.exe
File created	C:\Windows\System32\ucrtbased.dll	printui.exe
File created	C:\Windows\System32\x372311.dat	printui.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\System32\winsvcf\winlogsvc	printui.exe
File created	C:\Windows\System32\libssl-3-x64.dll	printui.exe
File created	C:\Windows\System32\console_zero.exe	printui.exe
File created	C:\Windows\System32\libpq.dll	printui.exe
File created	C:\Windows\System32\vcruntime140d.dll	printui.exe
File created	C:\Windows\System32\libcurl.dll	printui.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3948	sc.exe
4852	sc.exe

Embeds OpenSSL 2 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x001900000002b25a-36.dat	embeds_openssl
behavioral1/files/0x001900000002b265-77.dat	embeds_openssl

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
2692	timeout.exe
2404	timeout.exe
1508	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
896	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2916	powershell.exe
2916	powershell.exe
6120	powershell.exe
6120	powershell.exe
4472	uhard.exe
4472	uhard.exe
3196	powershell.exe
3196	powershell.exe
2028	powershell.exe
2028	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	6120	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 5028	4472	uhard.exe	81
PID 4472 wrote to memory of 5028	4472	uhard.exe	81
PID 5028 wrote to memory of 2916	5028	cmd.exe	83
PID 5028 wrote to memory of 2916	5028	cmd.exe	83
PID 4472 wrote to memory of 4508	4472	uhard.exe	85
PID 4472 wrote to memory of 4508	4472	uhard.exe	85
PID 4508 wrote to memory of 6120	4508	cmd.exe	87
PID 4508 wrote to memory of 6120	4508	cmd.exe	87
PID 4472 wrote to memory of 2760	4472	uhard.exe	90
PID 4472 wrote to memory of 2760	4472	uhard.exe	90
PID 4472 wrote to memory of 5812	4472	uhard.exe	92
PID 4472 wrote to memory of 5812	4472	uhard.exe	92
PID 5812 wrote to memory of 5224	5812	cmd.exe	94
PID 5812 wrote to memory of 5224	5812	cmd.exe	94
PID 4472 wrote to memory of 2824	4472	uhard.exe	95
PID 4472 wrote to memory of 2824	4472	uhard.exe	95
PID 5224 wrote to memory of 5284	5224	printui.exe	97
PID 5224 wrote to memory of 5284	5224	printui.exe	97
PID 5284 wrote to memory of 3196	5284	cmd.exe	99
PID 5284 wrote to memory of 3196	5284	cmd.exe	99
PID 2824 wrote to memory of 2692	2824	cmd.exe	100
PID 2824 wrote to memory of 2692	2824	cmd.exe	100
PID 5224 wrote to memory of 5268	5224	printui.exe	104
PID 5224 wrote to memory of 5268	5224	printui.exe	104
PID 5268 wrote to memory of 3948	5268	cmd.exe	106
PID 5268 wrote to memory of 3948	5268	cmd.exe	106
PID 5268 wrote to memory of 896	5268	cmd.exe	107
PID 5268 wrote to memory of 896	5268	cmd.exe	107
PID 5268 wrote to memory of 4852	5268	cmd.exe	108
PID 5268 wrote to memory of 4852	5268	cmd.exe	108
PID 5224 wrote to memory of 1680	5224	printui.exe	110
PID 5224 wrote to memory of 1680	5224	printui.exe	110
PID 1680 wrote to memory of 3816	1680	cmd.exe	112
PID 1680 wrote to memory of 3816	1680	cmd.exe	112
PID 5224 wrote to memory of 1532	5224	printui.exe	113
PID 5224 wrote to memory of 1532	5224	printui.exe	113
PID 5224 wrote to memory of 3160	5224	printui.exe	114
PID 5224 wrote to memory of 3160	5224	printui.exe	114
PID 1532 wrote to memory of 1508	1532	cmd.exe	117
PID 1532 wrote to memory of 1508	1532	cmd.exe	117
PID 3160 wrote to memory of 2404	3160	cmd.exe	118
PID 3160 wrote to memory of 2404	3160	cmd.exe	118
PID 3816 wrote to memory of 4300	3816	console_zero.exe	125
PID 3816 wrote to memory of 4300	3816	console_zero.exe	125
PID 4300 wrote to memory of 5212	4300	cmd.exe	127
PID 4300 wrote to memory of 5212	4300	cmd.exe	127
PID 1896 wrote to memory of 1372	1896	svchost.exe	128
PID 1896 wrote to memory of 1372	1896	svchost.exe	128
PID 1372 wrote to memory of 2028	1372	cmd.exe	130
PID 1372 wrote to memory of 2028	1372	cmd.exe	130
PID 1896 wrote to memory of 4596	1896	svchost.exe	132
PID 1896 wrote to memory of 4596	1896	svchost.exe	132
PID 4596 wrote to memory of 5072	4596	cmd.exe	134
PID 4596 wrote to memory of 5072	4596	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\uhard.exe
"C:\Users\Admin\AppData\Local\Temp\uhard.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6120
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c mkdir "\\?\C:\Windows \System32"
  2⤵
  PID:2760
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c start "" "C:\Windows \System32\printui.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5812
- - C:\Windows \System32\printui.exe
    "C:\Windows \System32\printui.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5224
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c sc create x372311 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x372311\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x372311.dat" /f && sc start x372311
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5268
    - - C:\Windows\System32\sc.exe
        
        sc create x372311 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
        5⤵
        Launches sc.exe
        
        PID:3948
    - - C:\Windows\System32\reg.exe
        
        reg add HKLM\SYSTEM\CurrentControlSet\services\x372311\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x372311.dat" /f
        5⤵
        Server Software Component: Terminal Services DLL
        Modifies registry key
        
        PID:896
    - - C:\Windows\System32\sc.exe
        
        sc start x372311
        5⤵
        Launches sc.exe
        
        PID:4852
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\System32\console_zero.exe
        
        "C:\Windows\System32\console_zero.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Windows\System32\cmd.exe
        
        cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\System32\schtasks.exe
        
        schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5212
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c timeout /t 14 /nobreak && rmdir /s /q "C:\Windows \"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\System32\timeout.exe
        
        timeout /t 14 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1508
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows \System32\printui.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\System32\timeout.exe
        
        timeout /t 16 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\uhard.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\timeout.exe
    timeout /t 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k DcomLaunch
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwzyidef.xfa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows \System32\printui.dll

Filesize
13.5MB

MD5
b9535d1ddea89186bdf5d3c81efc99d7

SHA1
6275c56c0f017dd189ba328687f8251c18615177

SHA256
10f37f41afa5a98b04c8fc73c99cc531cd1605751b82602a8e4e23531c3110c6

SHA512
2428f8498dd4ceaec55f8fe02f37fcc9b0e5b8d852d5e8eb23b814a77a43dfad9baecb20770f040afa5b95cf4dd35265c038edf774f91ff5d059032a92cb41e2

Download Submit
C:\Windows \System32\printui.exe

Filesize
80KB

MD5
d7df792fe20b1daf6447e814d6bf401f

SHA1
8f5bf1cd4d392af15269c3fbb0b9b21ada9e48f1

SHA256
d364449b387afc0a4345cb0f85f9f1c6d967dd2c4c37881d39f5d45b549b0db5

SHA512
d27d0710cb2da039c89ce151c54c11fefbeec0ac9ee48e80937e415373c78526a9d925b17df01acd6cf9751140f806e1fc71bb10542366d86f935d105be4492c

Download Submit
C:\Windows\System32\console_zero.exe

Filesize
652KB

MD5
9de430ab142b87e55e31a628c0225c96

SHA1
0acee5fcc1722b754a0cb31c031a12f5ace98f91

SHA256
4ffb3c0c7b38105183fb06d1084ab943c6e87f9644f783014684c5cb8db32e32

SHA512
104662303588ccc20c1e2f2599ce9974c1d5c03d30d3a60986dd1a623479d0a67d7249e4899c0d261614ffdabd02c3d6e40939f0e41427bfeb4ecea8ca229780

Download Submit
C:\Windows\System32\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
158f0e7c4529e3867e07545c6d1174a9

SHA1
9ff0cccb271f0215ad24427b7254832549565154

SHA256
dcc1fa1a341597ddb1476e3b5b3952456f07870a26fc30b0c6e6312764baa1fc

SHA512
51e79d8d0ab183046f87aa659973b45147bb1e1ae8883f688c615ccb18bf9fccb8779dd872b01748bacd56e141bc096c2bb4ccf32ebd7a49adc76363355e40fe

Download Submit
C:\Windows\System32\libcurl.dll

Filesize
575KB

MD5
18ce47f58b4c1a9cfc1edf7c8bf49b7c

SHA1
e74d08ab06ed8200d7e674d8031d6df8250de8cb

SHA256
36d97f1c254832cee9698cea2f1a63ea98d231641fd29715ef581be103ace602

SHA512
19b2d6968095c4e8f08c66ab73e7ec5e0439712bcb2777266602ef2ad123a779395a3d44bc0c7c9945376998fb2165bc60e6bf682863a55a0cff40c720594bdd

Download Submit
C:\Windows\System32\libiconv-2.dll

Filesize
1.8MB

MD5
158bc77453d382cf6679ce35df740cc5

SHA1
9a3c123ce4b6f6592ed50d6614387d059bfb842f

SHA256
cf131738f4b5fe3f42e9108e24595fc3e6573347d78e4e69ec42106c1eebe42c

SHA512
6eb1455537cb4e62e9432032372fae9ce824a48346e00baf38ef2f840e0ed3f55acaee2656da656db00ae0bdef808f8da291dd10d7453815152eda0ccfc73147

Download Submit
C:\Windows\System32\libpq.dll

Filesize
319KB

MD5
ef060e5c414b7be5875437ff2fb8ec54

SHA1
6dcf04dff9b25be556ec97660f95acf708c0c870

SHA256
e6aced8d30471f35b37abbf172ce357b6a8f18af5feb342b6cffc01d3378f2b4

SHA512
67bff321ba901a0b0dc0f6c4a723d7df35418f593e16e6193673cce5190d76355409f676c1ea5d0cb46493f5735209089a3a52d3d716eb8187bf6e846792e2e8

Download Submit
C:\Windows\System32\libssl-3-x64.dll

Filesize
799KB

MD5
69d0fee0cc47c3b255c317f08ce8d274

SHA1
782bc8f64b47a9dcedc95895154dca60346f5dd7

SHA256
ba979c2dbfb35d205d9d28d97d177f33d501d954c7187330f6893bb7d0858713

SHA512
4955252c7220810ed2eaca002e57d25fbc17862f4878983c4351c917cf7873eb84ae00e5651583004f15a08789be64bdb34ff20cb0e172c9c1376706deb4aa1a

Download Submit
C:\Windows\System32\libwinpthread-1.dll

Filesize
51KB

MD5
9dc829c2c8962347bc9adf891c51ac05

SHA1
bf9251a7165bb2981e613ac5d9051f19edb68463

SHA256
ffe2d56375bb4e8bdee9037df6befc5016ddd8871d0d85027314dd5792f8fdc9

SHA512
fd7e6f50a21cb59075dfa08c5e6275fd20723b01a23c3e24fb369f2d95a379b5ac6ae9f509aa42861d9c5114be47cce9ff886f0a03758bfdc3a2a9c4d75fab56

Download Submit
C:\Windows\System32\zlib1.dll

Filesize
88KB

MD5
f53d1efea4855da42da07de49d80ba68

SHA1
920349f4bd5a5b8e77195c81e261dfa2177eb1ee

SHA256
7e9f43688189578042d791e3e5301165316edc7c1ed739e0669c033a3ca08037

SHA512
5d72f64b8e5c42a3c9a7bcbbe8a1598a85402ade4f312ab9e26869f8b39952a3aa037f2cf7da89e686c5bc3fcb221feeae077b9ffd2eef98dac0e307637fe7bd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2dd68ab8e611f0143c6ad176f223ae9

SHA1
30f580175773f251a9572fe757de6eaef6844abc

SHA256
f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

SHA512
f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

Download Submit
\??\c:\windows\system32\libintl-9.dll

Filesize
464KB

MD5
e79e7c9d547ddbee5c8c1796bd092326

SHA1
8e50b296f4630f6173fc77d07eea36433e62178a

SHA256
1125ac8dc0c4f5c3ed4712e0d8ad29474099fcb55bb0e563a352ce9d03ef1d78

SHA512
dba65731b7ada0ac90b4122c7b633cd8d9a54b92b2241170c6f09828554a0bc1b0f3edf6289b6141d3441ab11af90d6f8210a73f01964276d050e57fb94248e2

Download Submit
\??\c:\windows\system32\x372311.dat

Filesize
1.9MB

MD5
235ae0729d8c0f7b214d8c6ae232d9ef

SHA1
9d31b62b1cce50f3fe2160220c7520d2bc5b5f81

SHA256
a63d52678f467ac13da19c4b0e5ad265e44fb91070fd85c8daf22fddac004cb7

SHA512
cbd35195229726d711faa75a25a4eb38df51af631a5c22917f6f23308492c6637d38edab854e62f6801521422bc2876694371fa38eedc9cc2016ef3401a0ed8b

Download Submit
memory/1896-86-0x0000000064940000-0x0000000064955000-memory.dmp

Filesize
84KB

Download
memory/1896-87-0x0000000066000000-0x00000000661BD000-memory.dmp

Filesize
1.7MB

Download
memory/1896-85-0x0000000068280000-0x00000000682F0000-memory.dmp

Filesize
448KB

Download
memory/2028-120-0x0000019E9DA70000-0x0000019E9DA8C000-memory.dmp

Filesize
112KB

Download
memory/2028-121-0x0000019E9DA90000-0x0000019E9DB43000-memory.dmp

Filesize
716KB

Download
memory/2028-128-0x0000019E9DE20000-0x0000019E9DE2A000-memory.dmp

Filesize
40KB

Download
memory/2028-127-0x0000019E9DDD0000-0x0000019E9DDD6000-memory.dmp

Filesize
24KB

Download
memory/2028-126-0x0000019E9DDC0000-0x0000019E9DDC8000-memory.dmp

Filesize
32KB

Download
memory/2028-125-0x0000019E9DE00000-0x0000019E9DE1A000-memory.dmp

Filesize
104KB

Download
memory/2028-124-0x0000019E9DB60000-0x0000019E9DB6A000-memory.dmp

Filesize
40KB

Download
memory/2028-123-0x0000019E9DDE0000-0x0000019E9DDFC000-memory.dmp

Filesize
112KB

Download
memory/2028-122-0x0000019E9DB50000-0x0000019E9DB5A000-memory.dmp

Filesize
40KB

Download
memory/2916-16-0x00007FFA15740000-0x00007FFA16202000-memory.dmp

Filesize
10.8MB

Download
memory/2916-0-0x00007FFA15743000-0x00007FFA15745000-memory.dmp

Filesize
8KB

Download
memory/2916-11-0x00007FFA15740000-0x00007FFA16202000-memory.dmp

Filesize
10.8MB

Download
memory/2916-12-0x00007FFA15740000-0x00007FFA16202000-memory.dmp

Filesize
10.8MB

Download
memory/2916-15-0x00007FFA15740000-0x00007FFA16202000-memory.dmp

Filesize
10.8MB

Download
memory/2916-10-0x00007FFA15740000-0x00007FFA16202000-memory.dmp

Filesize
10.8MB

Download
memory/2916-1-0x0000017E85310000-0x0000017E85332000-memory.dmp

Filesize
136KB

Download
memory/6120-31-0x00007FFA155B0000-0x00007FFA16072000-memory.dmp

Filesize
10.8MB

Download
memory/6120-18-0x00007FFA155B0000-0x00007FFA16072000-memory.dmp

Filesize
10.8MB

Download
memory/6120-19-0x00007FFA155B0000-0x00007FFA16072000-memory.dmp

Filesize
10.8MB

Download
memory/6120-20-0x00007FFA155B0000-0x00007FFA16072000-memory.dmp

Filesize
10.8MB

Download