Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-11-2023 11:56
Static task: static1
Behavioral task: behavioral1
Sample: 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe
Resource: win7-20231023-en
General
Target: 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe
Size: 1.3MB
MD5: ef06d812abe0ff2861061f6a26511873
SHA1: 03d1777b12c7064c5e42103526da3c2655cc022e
SHA256: 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b
SHA512: 84a819cab165b3f1f65dd7c4063c2b994e7422ef1d86788fcdb0481f8ff116e1a6cf5ccbcfdf4215c8b3779f4e24bbf06a6d1ee2bdb8841feae3bc83fd762550
SSDEEP: 12288:yNnfN08nbtPii3uu6VrkdwWX4dVpjhISG9GIWin3lu3V6GwRZR3aUSC9ZZWYXh:Al0mboWIdVpjhTGodi3xRT3aU5h
Malware Config
Signatures
Detects HZRAT backdoor (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/1800-1-0x0000000002A40000-0x0000000002A73000-memory.dmp | family_hzrat
Suspicious behavior: EnumeratesProcesses (59 IoCs)
Processes: powershell.exe (29 distinct PIDs)
pid | process | events
1176 | powershell.exe | 3
2756 | powershell.exe | 2
4548 | powershell.exe | 2
4920 | powershell.exe | 2
3872 | powershell.exe | 2
392 | powershell.exe | 2
4284 | powershell.exe | 2
4860 | powershell.exe | 2
3472 | powershell.exe | 2
5000 | powershell.exe | 2
1000 | powershell.exe | 2
4740 | powershell.exe | 2
3176 | powershell.exe | 2
952 | powershell.exe | 2
2140 | powershell.exe | 2
4172 | powershell.exe | 2
1880 | powershell.exe | 2
3156 | powershell.exe | 2
1120 | powershell.exe | 2
1584 | powershell.exe | 2
3840 | powershell.exe | 2
3036 | powershell.exe | 2
4460 | powershell.exe | 2
928 | powershell.exe | 2
5052 | powershell.exe | 2
4748 | powershell.exe | 2
2176 | powershell.exe | 2
1356 | powershell.exe | 2
3564 | powershell.exe | 2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe, WMIC.exe, powershell.exe, WMIC.exe
description | pid | process
Token: SeDebugPrivilege | 1176 | powershell.exe
Token: (each of the following, recorded twice; 42 events) | 4672 | WMIC.exe
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token: SeDebugPrivilege | 2756 | powershell.exe
Token: (each of the following, recorded once; 20 events) | 1816 | WMIC.exe
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe, powershell.exe (10 distinct PIDs)
description | pid | process | target process
PID 1800 wrote to memory of 1176 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 1176 wrote to memory of 4672 (3 events) | 1176 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 2756 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 2756 wrote to memory of 1816 (3 events) | 2756 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 4548 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 4548 wrote to memory of 2196 (3 events) | 4548 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 4920 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 4920 wrote to memory of 1648 (3 events) | 4920 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 3872 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 3872 wrote to memory of 1092 (3 events) | 3872 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 392 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 392 wrote to memory of 804 (3 events) | 392 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 4284 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 4284 wrote to memory of 2888 (3 events) | 4284 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 4860 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 4860 wrote to memory of 1476 (3 events) | 4860 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 3472 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 1800 wrote to memory of 5000 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 5000 wrote to memory of 4208 (3 events) | 5000 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 1000 (3 events) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
PID 1000 wrote to memory of 1988 (3 events) | 1000 | powershell.exe | WMIC.exe
PID 1800 wrote to memory of 4740 (1 event) | 1800 | 484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe | powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe  [PID 1800]
  command line: "C:\Users\Admin\AppData\Local\Temp\484d76db8fb4f2df2effad00c79fb2c1823a7b418adff4abc1329a4d9ba1ae0b.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1176]
      command line: powershell -command "& {wmic bios get Manufacturer,name,ReleaseDate,SerialNumber /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 4672]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" bios get Manufacturer,name,ReleaseDate,SerialNumber /value
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2756]
      command line: powershell -command "& {wmic BASEBOARD get manufacturer,product,version,SerialNumber /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 1816]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" BASEBOARD get manufacturer,product,version,SerialNumber /value
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4548]
      command line: powershell -command "& {wmic computersystem get systemfamily,systemskunumber,model /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 2196]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" computersystem get systemfamily,systemskunumber,model /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4920]
      command line: powershell -command "& {wmic DESKTOPMONITOR get Caption,PNPDeviceID /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 1648]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" DESKTOPMONITOR get Caption,PNPDeviceID /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3872]
      command line: powershell -command "& {wmic IDECONTROLLER get name,DeviceID /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 1092]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" IDECONTROLLER get name,DeviceID /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 392]
      command line: powershell -command "& {wmic MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 804]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" MEMORYCHIP get capacity,manufacturer,partnumber,SerialNumber /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4284]
      command line: powershell -command "& {wmic PORTCONNECTOR get externalreferencedesignator /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 2888]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" PORTCONNECTOR get externalreferencedesignator /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4860]
      command line: powershell -command "& {wmic SOUNDDEV get Name,Description,DeviceID /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 1476]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" SOUNDDEV get Name,Description,DeviceID /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3472]
      command line: powershell -command "& {Get-WmiObject -Class Win32_videocontroller | select-object description}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 5000]
      command line: powershell -command "& {wmic cpu get name,processorid /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 4208]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" cpu get name,processorid /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1000]
      command line: powershell -command "& {wmic DISKDRIVE get serialnumber /value}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 1988]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get serialnumber /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4740]
      command line: powershell -command "& {wmic bios get SerialNumber /value}"
      - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 808]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" bios get SerialNumber /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3176]
      command line: powershell -command "& {wmic DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value}"
      - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 1180]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" DISKDRIVE get caption,deviceid,firmwarerevision,interfacetype,model,pnpdeviceid,serialnumber /value
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 952]
      command line: powershell -command "& {$env:temp}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2140]
      command line: powershell -command "& {echo $env:userprofile}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4172]
      command line: powershell -command "& {reg export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\6027097068028388406.reg}"
      - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\reg.exe  [PID 3588]
          command line: "C:\Windows\system32\reg.exe" export HKEY_CURRENT_USER\Software\PremiumSoft C:\Users\Admin\AppData\Local\Temp\6027097068028388406.reg
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1880]
      command line: powershell -command "& {whoami /user /nh}"
      - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\whoami.exe  [PID 3464]
          command line: "C:\Windows\system32\whoami.exe" /user /nh
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3156]
      command line: powershell -command "& {Get-ChildItem -Recurse $env:userprofile'\Documents\NetSarang Computer\7\Xshell\Sessions' | Where-Object {$_.Name -like '*.xsh'} | Foreach-Object Name}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1120]
      command line: powershell -command "& {gwmi -query 'select caption from win32_operatingsystem' | Select-Object -ExpandProperty caption}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1584]
      command line: powershell -command "& {gwmi -query 'select model from win32_computersystem' | Select-Object -ExpandProperty model}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3840]
      command line: powershell -command "& {pwd | select-object -expandproperty path}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3036]
      command line: powershell -command "& {[System.Security.Principal.WindowsIdentity]::GetCurrent().Name}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4460]
      command line: powershell -command "& {gwmi -query 'select * from win32_networkadapterconfiguration' | Select-Object -Property ipaddress,servicename,description}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 928]
      command line: powershell -command "& {gwmi -query 'select macaddress,name from win32_networkadapter' | Select-Object -Property macaddress,name}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 5052]
      command line: powershell -command "& {gwmi -query 'select caption,name from win32_useraccount' | Select-Object -Property caption,name}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4748]
      command line: powershell -command "& {gwmi -query 'select name,sessionid,processid from win32_process' | Select-Object -Property name,sessionid,processid}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2176]
      command line: powershell -command "& {gwmi -query 'select * from win32_computersystem'}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1356]
      command line: powershell -command "& {dir C:\Users\$([Environment]::UserName)\Desktop; dir C:\Users\Public\Desktop}"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3564]
      command line: powershell -command "& {wmic SYSDRIVER get name,caption /value}"
      - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\Wbem\WMIC.exe  [PID 4940]
          command line: "C:\Windows\System32\Wbem\WMIC.exe" SYSDRIVER get name,caption /value
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: 33b19d75aa77114216dbc23f43b195e3
  SHA1: 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
  SHA256: b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
  SHA512: 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
- Filesize: 11KB
  MD5: 4550f17cc184b83e4898b47abdc4d502
  SHA1: cea16d5f5382b04e3996eb6488a77308a234c656
  SHA256: 9951db546a173fb0414558dc3fdf0f755181ec1d53c2457f11713ed565aa3a4a
  SHA512: 4da69c8a60f8024eda2e5538e98b259558fc4e32f52499361b7c64e01f95f937010dd45a71d83124faf2e8f4b7e8ae188880cccccafc382e8af7f1fb50c580e0
- Filesize: 11KB
  MD5: a537fc0f2cf88915167b4159fbb1edc8
  SHA1: 29d145cff3be72800b6db24d5532bdc85739bf32
  SHA256: 691c172eb2632daa0eab35f4f02797f646b4bc1ef6194da878062b81aedf12d3
  SHA512: e25269bf2497699274293fdfe0673e802058ac94fb953e4c4886c225c8d664e4a398e4dfe0c1bc6699b31b42aa58c4ea970b376e03cc3fd1ed23b8b592f55921
- Filesize: 11KB
  MD5: b59afabcc20aefe6861a7e394425fa8c
  SHA1: d2b40942bbaef199398905692220e31a2ba00d1b
  SHA256: 324a3e9ff8415443d789c8d21638ebe0166f03933b2f52ae7acfb9976e141fe9
  SHA512: cc1d1e40399044a26aed7cc76b757092734789aac72440cafeff4aeb367f5796484c2aec8062c33ddae7cc7fcc8b9c4d7a560868cf4c7396e5afc45c6b7509ba
- Filesize: 11KB
  MD5: 58d91b822ee6d70f4f08db8f18115dcb
  SHA1: 5530b206a224038756c0818f0596a6c4d1c294fc
  SHA256: 534b4e9d439f934995d37d0fa3c5ddd95a5478076dde15960633b8800cadeebf
  SHA512: 871b859916587c9eef81e1fe87638e08d86a45042ff3ffe312ad9805966796ec59cdd6134709ae566d9f505d0d761db4769183c1924f74dd522691a7cd58e819
- Filesize: 18KB
  MD5: d03939957515b72d8f724a773e7718ca
  SHA1: 17dc7773d431c821d4dab7f4e10f23efacc2a770
  SHA256: 6105fbcb5e004d4017215dc21095467f0e94bb3bacfe5bee0e11a54922e3736e
  SHA512: 232eeb5af30305077cec739de8566146bf1c7ab0f846c57de874d512d24a0b854f8978891b60da4ee09d04b3b4a56d84b0fbb1c3e996af4a16404bf9a904d101
- Filesize: 11KB
  MD5: bd547797db56df2196992c4f2ec4f58a
  SHA1: c83c74d0f8a8b7fe24d961eee6f4b5fc4bbcd1b7
  SHA256: b2007bb211c44542d45fc0c7f8daa8469fc8c8387d1b9ac91bd89564e4eed6fd
  SHA512: 46db1588abec24fe6eb4197ef50df529bab6dee86379df4e1ff920bb2d4dead801859ec7b03ab7b9010571063ce3127d43e1cc7bcfd04e5a113034f0e3f7f3eb
- Filesize: 11KB
  MD5: 19aad62a5a1b35b635188fbf30a95611
  SHA1: d3d6e8a658c059d2b42b6748ef320d0790462852
  SHA256: da25188e26c313bb3a322ec07c458ba6bcfeca849971847802c17d77e584860f
  SHA512: fb1ccdca2e84d41fa421d4f1b21b8787e174cf2cb3d44510b8c5f187cfdabf4487fa09f153e5a800b683384a5deada171b2d5e00fe725128f14d680ad566aefe
- Filesize: 11KB
  MD5: 4680f7ca641e9915eaaf88cb46ba1e5e
  SHA1: a7908f8fabc55e6cd00e214087cc45a8630e1c49
  SHA256: 81245b841d2b9cf06c5a45b7b43f7cadbdfa62d3b59482ad848c5401b493bd2a
  SHA512: d069ce5f80739050fde1df9afacfc87946c0e5d41f6c1afaf319e8f64bb51e29d911bfe2913fa0e9795ad1d413e295a26f3ac85f1c4976d8e0c14f2ca4d41205
- Filesize: 11KB
  MD5: fbc845dc26213ae557e1cd8adbcc6c60
  SHA1: 73e97520ca31087c58006afab2f45f8b1a0dcd93
  SHA256: 8306bc53b46e26abba8bdd61d5a283117f2531bf8618bfd6158522431c990578
  SHA512: 8056243518ef410e650a25f90e296481d9a4a5aa2e0ddc655309f689f9d7f272b593e34f1fae91bdb6302cee14b8ab802f85c2728fbd20a1098b3e2896709275
- Filesize: 11KB
  MD5: be766817c1752772ee0a6e126f93c059
  SHA1: 6b2617edbfe80f4cf0084d4dad614632980098cf
  SHA256: f7247500baba07774271f5b63a27010667a8b89f705453982e5f4acc66144ee7
  SHA512: 663462548e130c3f2f01b459c3c97acfc60bb86a98f8d8a6e42ec6c79761207a801cc25f37c3643ff0e247e6b62146d046b050d69859828446492407b1ffe4d7
- Filesize: 16KB
  MD5: dd709c988a1b97838859d9d028c3b098
  SHA1: 7f30dbf692537e330f7c5b56e9c786a94ade9879
  SHA256: 68f79f81142776de1c2d17da7f92db4449c3193b906983b136b24741654e5b61
  SHA512: 100aed2ca0e62aa21bf05cf936983a9db6be3506cee757cb3b81b24af129c85accd7a525bec49cfefa3bef8aa80be50c478f8e879fc2f4ff1d9db3c8cd5e51a2
- Filesize: 11KB
  MD5: f3c988403fe4946970824ac9e4aa4da6
  SHA1: 6b1c096a8fad48352f8dee14d8ad84d1bc921171
  SHA256: d3e3b3f43a7f6253f946e9bd7245078116ed3b2624e3addfeaa7032a5ce96466
  SHA512: 1f9f83e6540f976cbdbb106322fe592ebc2e0ed8472dd291a89249309b0d9c60d5c3e4c7ac16967b3ef1f56d462fd71320202477b087eb6c17dd581a538ec0ae
- Filesize: 11KB
  MD5: 55be8d780300efa22d6d07109cd56161
  SHA1: 2460fe40a6914fa0eee8e41319032ce6511c2d55
  SHA256: 960de777825810fb5ed2ab81755cb0cc4e885374de155213dc44d557602ac9c9
  SHA512: 6f02541154f0be75d97ee780aae7187c7db9a78a2d9b9c32059555868d2bafe5baee8a0b43c0d9273912587d199ca7b4f8f184fc89b7fe8f6f21694cda709a37
- Filesize: 18KB
  MD5: 3f2495ada7ecb947fa66008ffd1e1c84
  SHA1: c36d03540b7c5992efc0b46fdd86d124a391b0a3
  SHA256: 952d9d871af874bd328f713cd7e3593abac9a2debd3c930d3774e4c2dca1c5dc
  SHA512: 699c46af6a4f884c01ac36fd57775435cff4a71b752f5b7553032f9721185ea3898058abb229ba2c8c70b899c3464d5f670bc1e0eb936bed85c0cf449f387919
- Filesize: 17KB
  MD5: ae455afce1974fec805e782867977911
  SHA1: 410091ce427de68de61bc403ab102c9e74550141
  SHA256: afcead94e06036ba75905765d98dd583d845e104d53c7c2ddf8aa58bf2568b7e
  SHA512: ea62db9af4eb9b9ab0cf200b56a348d2a2e78de1be15ae48eff802846de3f996cb7b38e837e075b50d6d4c2a2d519ce0f3d17728292cb98e5d2c864ac5100e8d
- Filesize: 17KB
  MD5: d2292ad5bdce6943a284244d6eacdedb
  SHA1: a2d3c7e5cb8b8b75e1b4efbf9938c11950bf74d6
  SHA256: 87e808be444be73c9d0d6c77ff19b0adbfa00f99e555806ba49a7358ca9fcb09
  SHA512: 8fdcde02724e3614fa7cea249f05c6a01c618b25efa94bdf8ff9d230e745ab084f8f088e51b0157f0612b59d96b7ef95b668232cf931b222e2235acf0d1fddc3
- Filesize: 16KB
  MD5: 2a3f3249ff93284db512918dfa7b2a60
  SHA1: d9a66a7042d04c47167fd01a5d8d016c700235d7
  SHA256: c09d0773bdcdc5f6ded3d3d7dd4f54cff2e0eb77fe263c24acb96af4a92a59b7
  SHA512: 88c3297a69aa7623487fd315509cd8fdaffe38111f6679445d329c69e75d0e8e5dffe26bed51e2105c4ffe79f30988a2f608c34c8acf1a28de471bd3b7775aee
- Filesize: 12KB
  MD5: 4caf60651e2e7ca7d19a8f8ee688ab04
  SHA1: 409b8681a9787fc8b74c1f8bff66a00e3eba062b
  SHA256: ae75465e234dd0e76164558bf387bbab66ca006de646ec906bae29cb572730f3
  SHA512: d3cb97e41659096a621735225518cd9f374fb97023cfd04e3c7d189a9813ae5bcf6db0a24a19aa0afc957c53630f407c9be9d4cf7464710cfa8fac5b2338067c
- Filesize: 18KB
  MD5: c2d2e4045d1ac2813a5e00814cc6a22c
  SHA1: 405cf3fbaf4d7725a155fcc0d1e3e8a9dba0f98d
  SHA256: 8bc827b6c990276c034fab1835c07706c86fc9405f136dc81127c013537335e6
  SHA512: 808766f810d1588142453044f31f293cb20654d61dd15219a326823ecb097a850c7d7f9b2cc62e9223013e02299f2c670a86a9b6fbfcbb3083d42907645749a3
- Filesize: 18KB
  MD5: 262656f9ae644078b3aee059238f0c2b
  SHA1: b062410add6b463bbce893acba38199cb66962e0
  SHA256: 9dd9b495e55d431644be0bfac36f41d1729f0331fdc77a50e03fa7d18fcb0b16
  SHA512: b7d3bf6ddad9e3a1a31ca4888832dddd273dc871d24e9527b2ed6f35ef29dccf3743c0e2651f3da99a751f40d4f4db4ca97e2dab94b23e015f2bb1eb874c529d
- Filesize: 18KB
  MD5: a4d487f4cc09cec76a5e16039f5d6253
  SHA1: 6bd520f9f1224631c4cf55f28519f8a8c67e1f21
  SHA256: d68bf847e1756de83ce7de9b9f85244a41e5a74c17def76fdb00f078018f4290
  SHA512: 51c760352361069dd816a86e6ab615c672e7707876a67239f707c78bb8134de13331405c1b7dbce6719a79e46039fce73305bce14a6b44bc363d39c316de101b
- Filesize: 11KB
  MD5: 04e2e659d69fdef012a9ec9f45f7c59f
  SHA1: 40f917020b1aa6b6a0bdc9b694bc4919207b9a4e
  SHA256: 4c300e3e2d33b2c89ec9cd2375131cb8002950b62f5c2ff90a79586e4920676d
  SHA512: ec39a23f72a575bc796c1adc90e0495e4505aaae4379220d28a0f19eb8b76f2edb41acb219286c04969e7c4f548ea0eee77f1be9d9990492676fd6024ebaf369
- Filesize: 18KB
  MD5: 5001a62db4bae6f9a8f62b5bac2ea568
  SHA1: 1d3d1e9b5c91ddc3cb2f44c4c494c6f7991e7e12
  SHA256: 9913914f4dc31e4a2af68eb1a372ac61624806f6e76c5a9f5517384717bf3452
  SHA512: fa742bfe076e487391d21ac7d3c892451d89c2a099f06b0187462e87e231810d2276b46147f9bfe8a5d51ee63e9f92ed732cf27a0e27cf0d5bf4f771f8af0fc2
- Filesize: 17KB
  MD5: 50ea1ad79e90d0080c3cf060479746e9
  SHA1: 6552e9431135747590589866cfc4d9f7a6ee0211
  SHA256: e0fd8f9a894593e0f3f29e7b74981dd8868c6ea91c11a490d8898542448c7137
  SHA512: 2088f32cccbff135ec7437b40954f26329d05e7bdb425917e856a2adcde4fc81fac45f10109932a5fc9da8391b29896f669905164f5541a0e70b300ac39dd335
- Filesize: 17KB
  MD5: 0c6bc7823d33a82b0cdd18bf91f71d95
  SHA1: 449b6806ae136b8052627f40963f45f0f4e158ef
  SHA256: 0bda584e6c3191184c0c7e7f77588e173ba93add2e939df9288c60faef571247
  SHA512: 2855b0895ffc9709ff66f9ff560cfd04c0b4fa207b1b3fbe4d877cd96e76bf18e952e28a4491f28c9e94213a7799403124afb3e6bd61d38cde36717e97647754
- Filesize: 11KB
  MD5: c3a358751b4d8e802cebe7a1dfca4ea6
  SHA1: 9cc135ad7ba31b87e0e291c0c6d0efc4c682506c
  SHA256: a3a2baedc6063ebc07897e6215413455b7d356dcdcc886edd162f0e784f87307
  SHA512: 6f9e0ae070da6c6409ebccdf641cd3754bec129404f51c13b7b445d7bc6c10d360aee2aba53f9aff20ed8e99091aecb585445599c8b1b490a3c10bccab861b10
- Filesize: 11KB
  MD5: 0fb98fec27ebd0fc416f324b0618cdb9
  SHA1: 534bdb9a93be47095f2e653008aa44c8ded71045
  SHA256: f5dfb1b64747f5eea12713f0d5f9632acdd1a46e99cbc66194e54c42155772a5
  SHA512: 0eb236a7b289989654255a0b20fc34a4b8c8f386452c4e487722cd256b8f7e5dffcba2e252a4aad379521b80416972191c0728fdeb8e5cab696c63b4f94e461d
- Filesize: 11KB
  MD5: 593dbcb69692d4cec583d274ecc39d82
  SHA1: 52ebcf7cccc1dce2020fb59b93e976595b804717
  SHA256: 1c9158ff9eadaf02f00698ddb3ee453b0233cbc2336737add592cfeda6c9b7f4
  SHA512: 0540885e89bf55dee893530eff7ba4fa165eae19078898d290eae6f502fdf37276c4236ccb344ca5efecfce24f6748d88e845a821c44275f563271e753b3479c
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82