quasar | d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10-20220414-en
submitted
04-05-2022 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
Size

141KB
MD5

4d28365c5342f773b394205ef9eaec69
SHA1

d6e066005bb5b69d5dbc5088f214012a7ab8b080
SHA256

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4
SHA512

b3c4df7e68555ad04204ea798fe737ea2bc9d63400e81d02f7fdfe1b4c7e45a19436d7d3c51f355d2a1306eae1bd0912155760067e6d57b62cf98c519b70ef3e

Score

10^/10

quasar 1 evasion persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

dlldns.duckdns.org:20000

whoru222.xyz:20000

whereami3.xyz:20000

letmerat.xyz:20000

selfdestructdns.xyz:20000

wtfimrich666.xyz:20000

p2x4y.xyz:21000

howmanytimes3.xyz:21000

ceeloblack.xyz:21000

thanksfam.xyz:21000

Mutex

2e3c0776-66f3-4050-b059-b831e335e235

Attributes

encryption_key
67DFA5AFA3111DA4B8B545C503A131C3C3D1E34C
install_name
WinUpdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WinUpdater
subdirectory
WinUpdater

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1152-286-0x000002C34F670000-0x000002C34F6F4000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe payload.exeicsys.icn.exeexplorer.exepayload.exe spoolsv.exeicsys.icn.exesvchost.exespoolsv.exepayload.exe payload.exe payload.exe

pid	process
3392	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
1908	payload.exe
2548	icsys.icn.exe
2204	explorer.exe
1152	payload.exe
852	spoolsv.exe
3376	icsys.icn.exe
1848	svchost.exe
3268	spoolsv.exe
2084	payload.exe
360	payload.exe
3044	payload.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\payload.exe = "C:\\Users\\Admin\\AppData\\Roaming\\payload.exe"	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exeicsys.icn.exepayload.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	payload.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3964 PING.EXE
412 PING.EXE
160 PING.EXE

pid	process
3964	PING.EXE
412	PING.EXE
160	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exeicsys.icn.exe

pid	process
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
2548	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2204 explorer.exe
1848 svchost.exe

pid	process
2204	explorer.exe
1848	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe payload.exe payload.exe payload.exe payload.exe

description	pid	process
Token: SeDebugPrivilege	3392	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
Token: SeDebugPrivilege	1152	payload.exe
Token: SeDebugPrivilege	2084	payload.exe
Token: SeDebugPrivilege	360	payload.exe
Token: SeDebugPrivilege	3044	payload.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exeicsys.icn.exepayload.exeexplorer.exespoolsv.exeicsys.icn.exepayload.exe svchost.exespoolsv.exepayload.exe payload.exe payload.exe

pid	process
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
2548	icsys.icn.exe
2548	icsys.icn.exe
1908	payload.exe
1908	payload.exe
2204	explorer.exe
2204	explorer.exe
852	spoolsv.exe
852	spoolsv.exe
3376	icsys.icn.exe
3376	icsys.icn.exe
1152	payload.exe
1848	svchost.exe
1848	svchost.exe
3268	spoolsv.exe
3268	spoolsv.exe
2084	payload.exe
360	payload.exe
3044	payload.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exed4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe icsys.icn.exepayload.exeexplorer.exespoolsv.exesvchost.exepayload.exe cmd.exepayload.exe cmd.exepayload.exe cmd.exe

description	pid	process	target process
PID 4012 wrote to memory of 3392	4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
PID 4012 wrote to memory of 3392	4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
PID 3392 wrote to memory of 1908	3392	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe	payload.exe
PID 3392 wrote to memory of 1908	3392	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe	payload.exe
PID 3392 wrote to memory of 1908	3392	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe	payload.exe
PID 4012 wrote to memory of 2548	4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe	icsys.icn.exe
PID 4012 wrote to memory of 2548	4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe	icsys.icn.exe
PID 4012 wrote to memory of 2548	4012	d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe	icsys.icn.exe
PID 2548 wrote to memory of 2204	2548	icsys.icn.exe	explorer.exe
PID 2548 wrote to memory of 2204	2548	icsys.icn.exe	explorer.exe
PID 2548 wrote to memory of 2204	2548	icsys.icn.exe	explorer.exe
PID 1908 wrote to memory of 1152	1908	payload.exe	payload.exe
PID 1908 wrote to memory of 1152	1908	payload.exe	payload.exe
PID 2204 wrote to memory of 852	2204	explorer.exe	spoolsv.exe
PID 2204 wrote to memory of 852	2204	explorer.exe	spoolsv.exe
PID 2204 wrote to memory of 852	2204	explorer.exe	spoolsv.exe
PID 1908 wrote to memory of 3376	1908	payload.exe	icsys.icn.exe
PID 1908 wrote to memory of 3376	1908	payload.exe	icsys.icn.exe
PID 1908 wrote to memory of 3376	1908	payload.exe	icsys.icn.exe
PID 852 wrote to memory of 1848	852	spoolsv.exe	svchost.exe
PID 852 wrote to memory of 1848	852	spoolsv.exe	svchost.exe
PID 852 wrote to memory of 1848	852	spoolsv.exe	svchost.exe
PID 1848 wrote to memory of 3268	1848	svchost.exe	spoolsv.exe
PID 1848 wrote to memory of 3268	1848	svchost.exe	spoolsv.exe
PID 1848 wrote to memory of 3268	1848	svchost.exe	spoolsv.exe
PID 1152 wrote to memory of 2640	1152	payload.exe	cmd.exe
PID 1152 wrote to memory of 2640	1152	payload.exe	cmd.exe
PID 2640 wrote to memory of 3924	2640	cmd.exe	chcp.com
PID 2640 wrote to memory of 3924	2640	cmd.exe	chcp.com
PID 2640 wrote to memory of 3964	2640	cmd.exe	PING.EXE
PID 2640 wrote to memory of 3964	2640	cmd.exe	PING.EXE
PID 2640 wrote to memory of 2084	2640	cmd.exe	payload.exe
PID 2640 wrote to memory of 2084	2640	cmd.exe	payload.exe
PID 2084 wrote to memory of 3548	2084	payload.exe	cmd.exe
PID 2084 wrote to memory of 3548	2084	payload.exe	cmd.exe
PID 3548 wrote to memory of 2188	3548	cmd.exe	chcp.com
PID 3548 wrote to memory of 2188	3548	cmd.exe	chcp.com
PID 3548 wrote to memory of 412	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 412	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 360	3548	cmd.exe	payload.exe
PID 3548 wrote to memory of 360	3548	cmd.exe	payload.exe
PID 360 wrote to memory of 3684	360	payload.exe	cmd.exe
PID 360 wrote to memory of 3684	360	payload.exe	cmd.exe
PID 3684 wrote to memory of 2628	3684	cmd.exe	chcp.com
PID 3684 wrote to memory of 2628	3684	cmd.exe	chcp.com
PID 3684 wrote to memory of 160	3684	cmd.exe	PING.EXE
PID 3684 wrote to memory of 160	3684	cmd.exe	PING.EXE
PID 3684 wrote to memory of 3044	3684	cmd.exe	payload.exe
PID 3684 wrote to memory of 3044	3684	cmd.exe	payload.exe

C:\Users\Admin\AppData\Local\Temp\d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
"C:\Users\Admin\AppData\Local\Temp\d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012

\??\c:\users\admin\appdata\local\temp\d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
c:\users\admin\appdata\local\temp\d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Roaming\payload.exe
"C:\Users\Admin\AppData\Roaming\payload.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

\??\c:\users\admin\appdata\roaming\payload.exe
c:\users\admin\appdata\roaming\payload.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pLCTQWtrTJ27.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3924

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3964

\??\c:\users\admin\appdata\roaming\payload.exe
"c:\users\admin\appdata\roaming\payload.exe "
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cl76iqejkeNd.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2188

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:412

\??\c:\users\admin\appdata\roaming\payload.exe
"c:\users\admin\appdata\roaming\payload.exe "
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KXYlWYfqgdHZ.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:160

\??\c:\users\admin\appdata\roaming\payload.exe
"c:\users\admin\appdata\roaming\payload.exe "
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\payload.exe .log
Filesize
2KB

MD5
9f6dbad62162349eb8e35e07fc789014

SHA1
3c2850917daebe284c6090e09046a3fcbe9537d5

SHA256
c94e26e0f7d225aed21852998f8381d484a77ef26fb47dee7fd02186df069f67

SHA512
536f191c7540ebd599697ac515d8b63a8eb9fef026fe02bcaed190bd33a123a8e5d3b3f3925595275fabef2ad97480fc7db90101b897617c2dff723adb5baabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KXYlWYfqgdHZ.bat
Filesize
203B

MD5
847307a802b569d35937515248bcdc9e

SHA1
65a7dde85b79bd46678e9fd3685030f8fcb487d4

SHA256
55e873f13b4ea240668eafdde858fafc1acb1aef21f75a10e8ad442a1debb9a9

SHA512
2b9f58a3bc89bd5fffb52f875c914c317425717c0253659443c2cd68dcc7e91382a1afeb6c9ada5bdde8245245671a13f2777506d6e96676ccc60f0aa7913fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cl76iqejkeNd.bat
Filesize
203B

MD5
531680154015864e3bc0d8c73e229da0

SHA1
700c6abdf81fa1cc231b0b37d006b8a74863cb92

SHA256
c4b79a9b1e381ad48f6d52f8fd12c98c9e6758f9e0c077cb9a73fbc5f390d4f3

SHA512
4ccc54ecfc064319cb14cfb3d601bf601d69a01dca06ccde7392dcef7f1c8fe56ecada1c771ebe7cdef44bd7e1bab2f406eed0ee15a6858d3a5c58914287e213

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
Filesize
6KB

MD5
ac4bf48604ce9fae074ffe37f27c2335

SHA1
8e178ffe1f6cbaa2e5a61a6d45e22ab1b94379c2

SHA256
e2b4a2668dd4bc555d89ac5a30937601c2e8a44b142b3398ec2bc2c927a98a32

SHA512
e85b28082bc357f79f97039bee8151a0b90ca816e5206747fc873290771c0f8544222c41c27b3736280665b899409ba3e871fb412c23f6f283b06a613a10e0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLCTQWtrTJ27.bat
Filesize
203B

MD5
fa003e09f0a9b815bc89c99d184c6894

SHA1
9f43a124111e1c22a67b9f33d2a8329f8d091f8f

SHA256
6fb839ba937618abd8e75caa3b1cab30f86b8c91fc2e257c887c9777478bae54

SHA512
8a3b0146c18a6e41b90169712eef1c67dd6d4b5c0b27e1ddfc8ae92165a6034c2cb1e15f0aecafe4649ead422ebef20d918a27134d928ddaa849a3dfb97c4554

Download Submit
C:\Users\Admin\AppData\Roaming\payload.exe
Filesize
141KB

MD5
4d28365c5342f773b394205ef9eaec69

SHA1
d6e066005bb5b69d5dbc5088f214012a7ab8b080

SHA256
d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4

SHA512
b3c4df7e68555ad04204ea798fe737ea2bc9d63400e81d02f7fdfe1b4c7e45a19436d7d3c51f355d2a1306eae1bd0912155760067e6d57b62cf98c519b70ef3e

Download Submit
C:\Users\Admin\AppData\Roaming\payload.exe
Filesize
141KB

MD5
4d28365c5342f773b394205ef9eaec69

SHA1
d6e066005bb5b69d5dbc5088f214012a7ab8b080

SHA256
d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4

SHA512
b3c4df7e68555ad04204ea798fe737ea2bc9d63400e81d02f7fdfe1b4c7e45a19436d7d3c51f355d2a1306eae1bd0912155760067e6d57b62cf98c519b70ef3e

Download Submit
C:\Users\Admin\AppData\Roaming\payload.exe
Filesize
6KB

MD5
ac4bf48604ce9fae074ffe37f27c2335

SHA1
8e178ffe1f6cbaa2e5a61a6d45e22ab1b94379c2

SHA256
e2b4a2668dd4bc555d89ac5a30937601c2e8a44b142b3398ec2bc2c927a98a32

SHA512
e85b28082bc357f79f97039bee8151a0b90ca816e5206747fc873290771c0f8544222c41c27b3736280665b899409ba3e871fb412c23f6f283b06a613a10e0d0

Download Submit
C:\Users\Admin\AppData\Roaming\payload.exe
Filesize
6KB

MD5
ac4bf48604ce9fae074ffe37f27c2335

SHA1
8e178ffe1f6cbaa2e5a61a6d45e22ab1b94379c2

SHA256
e2b4a2668dd4bc555d89ac5a30937601c2e8a44b142b3398ec2bc2c927a98a32

SHA512
e85b28082bc357f79f97039bee8151a0b90ca816e5206747fc873290771c0f8544222c41c27b3736280665b899409ba3e871fb412c23f6f283b06a613a10e0d0

Download Submit
C:\Users\Admin\AppData\Roaming\payload.exe
Filesize
6KB

MD5
ac4bf48604ce9fae074ffe37f27c2335

SHA1
8e178ffe1f6cbaa2e5a61a6d45e22ab1b94379c2

SHA256
e2b4a2668dd4bc555d89ac5a30937601c2e8a44b142b3398ec2bc2c927a98a32

SHA512
e85b28082bc357f79f97039bee8151a0b90ca816e5206747fc873290771c0f8544222c41c27b3736280665b899409ba3e871fb412c23f6f283b06a613a10e0d0

Download Submit
C:\Users\Admin\AppData\Roaming\payload.exe
Filesize
6KB

MD5
ac4bf48604ce9fae074ffe37f27c2335

SHA1
8e178ffe1f6cbaa2e5a61a6d45e22ab1b94379c2

SHA256
e2b4a2668dd4bc555d89ac5a30937601c2e8a44b142b3398ec2bc2c927a98a32

SHA512
e85b28082bc357f79f97039bee8151a0b90ca816e5206747fc873290771c0f8544222c41c27b3736280665b899409ba3e871fb412c23f6f283b06a613a10e0d0

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
c49b557bae585b58c66441a0f934c0d6

SHA1
06fcb85d5abdfd6161c1c45433372461d9028693

SHA256
506feef3e71e89d012d3d7fd1cf585938ab6749527f2ebf30e501afa975c6d1a

SHA512
1c080f0ea9ff0c398eb78e3d10ebdf02fe86c531688675014895f50d96013fde121696f3cd5fb249bbb64c099035ba71a9c03bd58d4c66d5c40801516e4c91dc

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
5e8729f2dd710986ee214433d203c870

SHA1
b1437dee11e4360392c722a9ca1f915b196e6497

SHA256
26fe8133baa7dff79d48dca35708b7d9b93a912c9e05d2b477da54a933ab8792

SHA512
7e64169d66e9a2332a65ca179d913fe66fe4b78d2da867b85d89ad82af3c647960b5ac0799e92f8ed3b909b081ec6106a638eaab354221bafd7ed325aaba5517

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
5e8729f2dd710986ee214433d203c870

SHA1
b1437dee11e4360392c722a9ca1f915b196e6497

SHA256
26fe8133baa7dff79d48dca35708b7d9b93a912c9e05d2b477da54a933ab8792

SHA512
7e64169d66e9a2332a65ca179d913fe66fe4b78d2da867b85d89ad82af3c647960b5ac0799e92f8ed3b909b081ec6106a638eaab354221bafd7ed325aaba5517

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
5e8729f2dd710986ee214433d203c870

SHA1
b1437dee11e4360392c722a9ca1f915b196e6497

SHA256
26fe8133baa7dff79d48dca35708b7d9b93a912c9e05d2b477da54a933ab8792

SHA512
7e64169d66e9a2332a65ca179d913fe66fe4b78d2da867b85d89ad82af3c647960b5ac0799e92f8ed3b909b081ec6106a638eaab354221bafd7ed325aaba5517

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
1624d704cfde02fe4002254a331c8a94

SHA1
01046fd4307db929a26090e2150f0bfc034a89c1

SHA256
054c4f4382cc29d18b86292990add75add53b576e3dcb91c79abd7a6bafcb551

SHA512
e2e058560dbeebc6f50885e291655479cfcccc4c636582350b4b39ea6a6a8f3792a7bf2f61edf2b0cc682af6523c5ca7a3f08318751b7873d59f9855905df334

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
1624d704cfde02fe4002254a331c8a94

SHA1
01046fd4307db929a26090e2150f0bfc034a89c1

SHA256
054c4f4382cc29d18b86292990add75add53b576e3dcb91c79abd7a6bafcb551

SHA512
e2e058560dbeebc6f50885e291655479cfcccc4c636582350b4b39ea6a6a8f3792a7bf2f61edf2b0cc682af6523c5ca7a3f08318751b7873d59f9855905df334

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
d733f8f96a714cda2da6ec9923662036

SHA1
5f311b377de5f9844f06215aec74047fdade7c30

SHA256
319666c13bb01847cf1df969f6a07a29d5b7948c47778f0fcc150224535cc1d7

SHA512
38b22d4bfe60c1a31367a4cec30784eb27c6ea09d8cf81a2ffdb93a92c7ab924ea4f9759eb6857bfa026b6ad36941e7968b94c4fa96214f711ac3e17cf48601e

Download Submit
\??\c:\users\admin\appdata\local\temp\d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4.exe
Filesize
6KB

MD5
ac4bf48604ce9fae074ffe37f27c2335

SHA1
8e178ffe1f6cbaa2e5a61a6d45e22ab1b94379c2

SHA256
e2b4a2668dd4bc555d89ac5a30937601c2e8a44b142b3398ec2bc2c927a98a32

SHA512
e85b28082bc357f79f97039bee8151a0b90ca816e5206747fc873290771c0f8544222c41c27b3736280665b899409ba3e871fb412c23f6f283b06a613a10e0d0

Download Submit
\??\c:\users\admin\appdata\roaming\payload.exe
Filesize
6KB

MD5
ac4bf48604ce9fae074ffe37f27c2335

SHA1
8e178ffe1f6cbaa2e5a61a6d45e22ab1b94379c2

SHA256
e2b4a2668dd4bc555d89ac5a30937601c2e8a44b142b3398ec2bc2c927a98a32

SHA512
e85b28082bc357f79f97039bee8151a0b90ca816e5206747fc873290771c0f8544222c41c27b3736280665b899409ba3e871fb412c23f6f283b06a613a10e0d0

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
135KB

MD5
1624d704cfde02fe4002254a331c8a94

SHA1
01046fd4307db929a26090e2150f0bfc034a89c1

SHA256
054c4f4382cc29d18b86292990add75add53b576e3dcb91c79abd7a6bafcb551

SHA512
e2e058560dbeebc6f50885e291655479cfcccc4c636582350b4b39ea6a6a8f3792a7bf2f61edf2b0cc682af6523c5ca7a3f08318751b7873d59f9855905df334

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
135KB

MD5
d733f8f96a714cda2da6ec9923662036

SHA1
5f311b377de5f9844f06215aec74047fdade7c30

SHA256
319666c13bb01847cf1df969f6a07a29d5b7948c47778f0fcc150224535cc1d7

SHA512
38b22d4bfe60c1a31367a4cec30784eb27c6ea09d8cf81a2ffdb93a92c7ab924ea4f9759eb6857bfa026b6ad36941e7968b94c4fa96214f711ac3e17cf48601e

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
135KB

MD5
c49b557bae585b58c66441a0f934c0d6

SHA1
06fcb85d5abdfd6161c1c45433372461d9028693

SHA256
506feef3e71e89d012d3d7fd1cf585938ab6749527f2ebf30e501afa975c6d1a

SHA512
1c080f0ea9ff0c398eb78e3d10ebdf02fe86c531688675014895f50d96013fde121696f3cd5fb249bbb64c099035ba71a9c03bd58d4c66d5c40801516e4c91dc

Download Submit
memory/160-467-0x0000000000000000-mapping.dmp

Download
memory/360-461-0x0000000000000000-mapping.dmp

Download
memory/412-460-0x0000000000000000-mapping.dmp

Download
memory/852-446-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-287-0x0000000000000000-mapping.dmp

Download
memory/1152-286-0x000002C34F670000-0x000002C34F6F4000-memory.dmp

Filesize
528KB

Download
memory/1152-258-0x0000000000000000-mapping.dmp

Download
memory/1152-349-0x000002C351200000-0x000002C351250000-memory.dmp

Filesize
320KB

Download
memory/1152-352-0x000002C36A220000-0x000002C36A2D2000-memory.dmp

Filesize
712KB

Download
memory/1848-359-0x0000000000000000-mapping.dmp

Download
memory/1908-176-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-163-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-180-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-173-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-380-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-183-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-160-0x0000000000000000-mapping.dmp

Download
memory/1908-168-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-162-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-170-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-184-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-164-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-166-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2084-454-0x0000000000000000-mapping.dmp

Download
memory/2188-459-0x0000000000000000-mapping.dmp

Download
memory/2204-463-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-235-0x0000000000000000-mapping.dmp

Download
memory/2548-186-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-188-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-174-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-178-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-179-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-169-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-182-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-185-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-448-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-177-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-190-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-193-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-194-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-192-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-191-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-189-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-187-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-165-0x0000000000000000-mapping.dmp

Download
memory/2548-171-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2548-172-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-466-0x0000000000000000-mapping.dmp

Download
memory/2640-450-0x0000000000000000-mapping.dmp

Download
memory/3044-468-0x0000000000000000-mapping.dmp

Download
memory/3268-444-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3268-408-0x0000000000000000-mapping.dmp

Download
memory/3376-293-0x0000000000000000-mapping.dmp

Download
memory/3376-378-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3392-156-0x0000000000000000-mapping.dmp

Download
memory/3392-159-0x00000137D4C80000-0x00000137D4C88000-memory.dmp

Filesize
32KB

Download
memory/3548-457-0x0000000000000000-mapping.dmp

Download
memory/3684-464-0x0000000000000000-mapping.dmp

Download
memory/3924-452-0x0000000000000000-mapping.dmp

Download
memory/3964-453-0x0000000000000000-mapping.dmp

Download
memory/4012-150-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-139-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-148-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-131-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-138-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-137-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-136-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-135-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-143-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-134-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-144-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-133-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-145-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-132-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-147-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-449-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4012-140-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-142-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-141-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-151-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-130-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-129-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-128-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-152-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-127-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-126-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-125-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-124-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-123-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-122-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-154-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-121-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-155-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-120-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-118-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-119-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download