Malware Analysis Report

2025-01-18 04:44

Sample ID 230609-nlkr2scg7s
Target file.exe
SHA256 2d24effcdf6f620d368752b0bba8f2b96b01b82d95c36b6d5b34ddbe7740362d
Tags
quasar revengerat office04 persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d24effcdf6f620d368752b0bba8f2b96b01b82d95c36b6d5b34ddbe7740362d

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

quasar revengerat office04 persistence spyware trojan

Quasar payload

RevengeRAT

Quasar RAT

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Gathers network information

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-09 11:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-09 11:29

Reported

2023-06-09 11:31

Platform

win7-20230220-en

Max time kernel

69s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RevengeRAT

trojan revengerat

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\serviceupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\serviceupdate.exe\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1264 set thread context of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1080 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1080 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1080 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1264 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1264 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1264 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1264 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1264 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1264 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1484 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1484 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1484 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1264 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 hostmeta.duckdns.org udp
US 194.59.31.19:3400 hostmeta.duckdns.org tcp

Files

memory/1264-54-0x0000000000DD0000-0x00000000011AC000-memory.dmp

memory/1264-55-0x0000000000970000-0x00000000009B0000-memory.dmp

memory/1264-56-0x0000000005990000-0x0000000005C46000-memory.dmp

memory/1264-57-0x0000000000A40000-0x0000000000A64000-memory.dmp

memory/1264-58-0x0000000004880000-0x0000000004912000-memory.dmp

memory/1444-61-0x0000000000320000-0x0000000000360000-memory.dmp

memory/1444-62-0x0000000000320000-0x0000000000360000-memory.dmp

memory/1444-63-0x0000000000320000-0x0000000000360000-memory.dmp

memory/1264-64-0x0000000000970000-0x00000000009B0000-memory.dmp

memory/1444-65-0x0000000000320000-0x0000000000360000-memory.dmp

memory/1444-66-0x0000000000320000-0x0000000000360000-memory.dmp

memory/1444-67-0x0000000000320000-0x0000000000360000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bd948ad37e15f4cbdd9077285d5f8563
SHA1 4dddffeb5524f32c11ecc8612dd398647062b5d8
SHA256 1f38cfb1d964bb66ba1148e11364fa8de35de59aedf6e79ca4cc72272c954fce
SHA512 bd48170c588bbdcd960dc4ad75ad727fde4a570274898004d3f49a478d371e8d498c801047dde78613d430f8d019295beb0108a2989436be2d18ffeec5cdd250

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JTM05I0OIA8YM4WTF9EA.temp

MD5 bd948ad37e15f4cbdd9077285d5f8563
SHA1 4dddffeb5524f32c11ecc8612dd398647062b5d8
SHA256 1f38cfb1d964bb66ba1148e11364fa8de35de59aedf6e79ca4cc72272c954fce
SHA512 bd48170c588bbdcd960dc4ad75ad727fde4a570274898004d3f49a478d371e8d498c801047dde78613d430f8d019295beb0108a2989436be2d18ffeec5cdd250

memory/1560-74-0x00000000025F0000-0x0000000002630000-memory.dmp

memory/1908-76-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1908-78-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1908-77-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1908-81-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1908-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1908-79-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1908-83-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1908-85-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1908-86-0x0000000004A90000-0x0000000004AD0000-memory.dmp

memory/1908-87-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-09 11:29

Reported

2023-06-09 11:31

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\serviceupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\serviceupdate.exe\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2196 set thread context of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 3436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3188 wrote to memory of 3436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3188 wrote to memory of 3436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2196 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 996 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 996 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4668 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4668 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2196 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2196 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 20.189.173.5:443 tcp
NL 88.221.25.155:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 hostmeta.duckdns.org udp
US 194.59.31.19:3400 hostmeta.duckdns.org tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 19.31.59.194.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
NL 178.79.208.1:80 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp

Files

memory/2196-133-0x0000000000650000-0x0000000000A2C000-memory.dmp

memory/2196-134-0x0000000005900000-0x0000000005EA4000-memory.dmp

memory/2196-135-0x00000000053F0000-0x0000000005482000-memory.dmp

memory/2196-136-0x00000000053E0000-0x00000000053EA000-memory.dmp

memory/2196-137-0x0000000005510000-0x0000000005520000-memory.dmp

memory/2196-138-0x00000000082A0000-0x00000000082C2000-memory.dmp

memory/1832-139-0x0000000002FB0000-0x0000000002FE6000-memory.dmp

memory/1832-140-0x0000000005760000-0x0000000005D88000-memory.dmp

memory/1832-141-0x0000000005660000-0x00000000056C6000-memory.dmp

memory/1832-142-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/1832-143-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/1832-144-0x0000000005F40000-0x0000000005FA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0fnvzkxk.b2c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1832-154-0x00000000065A0000-0x00000000065BE000-memory.dmp

memory/1832-155-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/1832-156-0x0000000007E00000-0x000000000847A000-memory.dmp

memory/1832-157-0x0000000006AA0000-0x0000000006ABA000-memory.dmp

memory/2196-158-0x0000000005510000-0x0000000005520000-memory.dmp

memory/1832-159-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/1832-160-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/1832-161-0x00000000030B0000-0x00000000030C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/4780-167-0x0000000003090000-0x00000000030A0000-memory.dmp

memory/4780-168-0x0000000003090000-0x00000000030A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a99462049eb87294fb8fcb7fc0df1622
SHA1 f7d45096a04130f6ef74550db93f375a53d6b6eb
SHA256 4b2360b3f4f59ede4fe3d5f397d795763df0989d855d463f955702c4b5cddcbc
SHA512 b12ab0a970f8df582d3b8eea6b7265e6016d5c14ad22667c59edf1d406196126ee4c7e035a0c311e0e01c268c7a75a309bee23ebb79346e4cfe0678339a470cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4780-180-0x0000000006C60000-0x0000000006C92000-memory.dmp

memory/4780-181-0x000000006F560000-0x000000006F5AC000-memory.dmp

memory/1328-182-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4780-193-0x0000000006C30000-0x0000000006C4E000-memory.dmp

memory/4780-194-0x0000000007A50000-0x0000000007A5A000-memory.dmp

memory/4780-196-0x000000007FC70000-0x000000007FC80000-memory.dmp

memory/1328-195-0x0000000005720000-0x0000000005730000-memory.dmp

memory/4780-197-0x0000000007C90000-0x0000000007D26000-memory.dmp

memory/4780-198-0x0000000006520000-0x000000000652E000-memory.dmp

memory/4780-199-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

memory/4780-200-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

memory/1328-201-0x0000000006720000-0x0000000006732000-memory.dmp

memory/1328-202-0x0000000006B50000-0x0000000006B8C000-memory.dmp

memory/1328-204-0x0000000005720000-0x0000000005730000-memory.dmp