7c91b2c654144828215a9df140815e5d0a41bd9d2b3f001a77d7c7d598012ee5

Analysis

max time kernel
270s
max time network
181s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-06-2023 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mq.ps1
Size

5KB
MD5

6447dabbebc4223b06674ab995e9706c
SHA1

1ab8da12b4f2f1cb63cd5ce6e05ce9643dd5d79e
SHA256

7c91b2c654144828215a9df140815e5d0a41bd9d2b3f001a77d7c7d598012ee5
SHA512

94ba8b23b2ccbed5cec8962bee92435fbf58631c823079ef1e1018dbfd4cee4ca88e4ca158799325850ea2ca37346a939f43169a6ad30f97d1a3f4705f961935
SSDEEP

96:obSTfBLySUIeDXCKHFXms4So/nGwPcdd5uMzQZR+67mZ+6Fwa:obSDHerjHFKSUPc4M0u67Z6Fr

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeOfType.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Should.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeNullOrEmpty.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\Example3A.Diagnostics.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\Example3A.Diagnostics.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Context.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\PesterState.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\New-Fixture.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Context.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\build.psake.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Example3B.Diagnostics.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\Validator.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Should.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\SetupTeardown.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeNullOrEmpty.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestsRunningInCleanRunspace.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\BreakAndContinue.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestsRunningInCleanRunspace.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\Example3B.Diagnostics.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLike.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\PesterState.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Set-TestInconclusive.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\PesterState.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\Example1.Diagnostics.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Microsoft.PowerShell.Operation.Validation.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\GlobalMock-A.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\New-Fixture.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\BreakAndContinue.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestResults.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Should.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.ps1.dat	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Contain.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\Simple.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.Tests.ps1.dat	powershell.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\New-Fixture.Tests.ps1	powershell.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.ps1	powershell.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\diagnostics\system\Networking\NetworkDiagnosticsVerify.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\BITS\CL_Registry.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Power\RS_ResetDisplayIdleTimeout.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Search\RS_RestoreDefaults.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\TS_WDDMDriver.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\TS_SamplingRate.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\BlueScreen\RS_ProblemServiceBlueScreen.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Device\TS_CheckDriversOnInstall.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_DisplayIdleTimeout.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_ScreenSaver.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\UsbCore\CL_Utility.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\TS_LowColorDepth.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Bluetooth\TS_Main.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_Balanced.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\TS_PrinterDriverError.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\RS_SamplingRate.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Speech\CL_Utilities.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\TS_Themes.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\VF_HDAudioDriver.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\RS_Unmute.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\BlueScreen\RS_BadHardwareBlueScreen.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\MF_PrinterDiagnostic.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\UsbCore\VF_ResetOnResume.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Apps\RS_UAC.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\PCW\VF_ProgramCompatibilityWizard.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\CL_Utility.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\RS_PrinterDriver.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\VF_PrinterTurnedOff.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Speech\CL_AudioDiagnosticSnapIn.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Apps\TS_Main.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\RS_AudioServiceResponse.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Device\RS_EnableDevice.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\PCW\TS_ProgramCompatibilityWizard.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Performance\TS_MultipleUsers.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Search\TS_IndexingServiceCrashing.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Apps\RS_TemporaryProfile.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\HomeGroup\CL_Detection.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\TS_CannotConnect.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\RS_MachineWERQueue.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Bluetooth\RC_OtherIssue.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\RS_WrongDefaultPrinter.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Video\VF_aud_reg_settings.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Apps\RC_ConnectedAccount.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\BlueScreen\RS_MalwareBlueScreen.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\PCW\RS_ProgramCompatibilityWizard.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Performance\TS_PIOMode.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_MinProcessorState.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\TS_OutOfToner.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Video\CL_MutexVerifiers.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\RS_UserWERQueue.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\CL_AudioDiagnosticSnapIn.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\TS_AudioService.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\HomeGroup\RS_LaunchInteraction.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\HomeGroup\RS_Service.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\CL_Utility.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Apps\RC_WSReset.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Networking\NetworkDiagnosticsResolve.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Performance\RS_PowerMode.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_IdleSleepsetting.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\RS_RestartSpoolerService.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\TS_OutOfPaper.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\DeviceCenter\CL_Utility.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\UsbCore\VF_LegacyDevice.ps1.dat	powershell.exe
File opened for modification	C:\Windows\diagnostics\system\Video\TS_Main.ps1.dat	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe
Token: SeSecurityPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	4128	powershell.exe
Token: SeRestorePrivilege	4128	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\mq.ps1
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5sbbkj5m.q2u.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/4128-124-0x0000021EF7CE0000-0x0000021EF7D02000-memory.dmp

Filesize
136KB

Download
memory/4128-127-0x0000021EF7E90000-0x0000021EF7F06000-memory.dmp

Filesize
472KB

Download
memory/4128-136-0x0000021EF7BA0000-0x0000021EF7BB0000-memory.dmp

Filesize
64KB

Download
memory/4128-137-0x0000021EF7BA0000-0x0000021EF7BB0000-memory.dmp

Filesize
64KB

Download
memory/4128-148-0x0000021EF7BA0000-0x0000021EF7BB0000-memory.dmp

Filesize
64KB

Download
memory/4128-149-0x0000021EF7BA0000-0x0000021EF7BB0000-memory.dmp

Filesize
64KB

Download
memory/4128-150-0x0000021EF7BA0000-0x0000021EF7BB0000-memory.dmp

Filesize
64KB

Download
memory/4128-151-0x0000021EF7BA0000-0x0000021EF7BB0000-memory.dmp

Filesize
64KB

Download
memory/4128-152-0x0000021EF7BA0000-0x0000021EF7BB0000-memory.dmp

Filesize
64KB

Download