quasar | 105b3e33e393c9d0ccdaae95ffcbb9eff9a946f79683ca932a11d0fc674c64e2

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
Size

2.3MB
MD5

b162ab57ef8877c9ab873932e3025039
SHA1

f7f290cf666bc4e8877a5ef09b8ed1ab8291638f
SHA256

105b3e33e393c9d0ccdaae95ffcbb9eff9a946f79683ca932a11d0fc674c64e2
SHA512

13927b2df2e9aeaf601def099b7f006383937f2984344571150a45aad034a85cd13832874c8382a76a8725600cb8439820fb8d691af90f7bf8ce859b8fe1e51d
SSDEEP

24576:EMRpqU3LsGw9tDW06PHAHHeO4ElrkWUZlDd09H7YgngNXN4dXh5nfr2Sd5+ZiTt+:lu95k+X/nT2SdQat/cM7Zcm2

Score

10^/10

quasar pure____1 persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Pure____1

sabifati.linkpc.net:4784

deli.mywire.org:4784

Mutex

3a359e52-00bd-4e3d-8201-985b53b0c176

Attributes

encryption_key
78BC50021362B61652204981B13FE17E053A03F1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Google\\chrome.exe\","	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1476-111-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1476-112-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1476-114-0x000000000047E7CE-mapping.dmp	family_quasar
behavioral1/memory/1476-113-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1476-117-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1476-119-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar

Nirsoft 13 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid process

336 AdvancedRun.exe
912 AdvancedRun.exe
2036 AdvancedRun.exe
1600 AdvancedRun.exe
1484 RegAsm.exe
1472 RegAsm.exe
1476 RegAsm.exe

pid	process
336	AdvancedRun.exe
912	AdvancedRun.exe
2036	AdvancedRun.exe
1600	AdvancedRun.exe
1484	RegAsm.exe
1472	RegAsm.exe
1476	RegAsm.exe

Loads dropped DLL 12 IoCs

Processes:

105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exeAdvancedRun.exeAdvancedRun.exeRegAsm.exe

pid	process
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
336	AdvancedRun.exe
336	AdvancedRun.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2036	AdvancedRun.exe
2036	AdvancedRun.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
1476	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe

description pid process target process

PID 2040 set thread context of 1476 2040 105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1468 ipconfig.exe
544 ipconfig.exe

description	pid	process	target process
PID 2040 set thread context of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe

pid	process
1468	ipconfig.exe
544	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe

pid	process
1320	powershell.exe
1880	powershell.exe
1432	powershell.exe
452	powershell.exe
336	AdvancedRun.exe
336	AdvancedRun.exe
912	AdvancedRun.exe
912	AdvancedRun.exe
2036	AdvancedRun.exe
2036	AdvancedRun.exe
1600	AdvancedRun.exe
1600	AdvancedRun.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	336	AdvancedRun.exe
Token: SeImpersonatePrivilege	336	AdvancedRun.exe
Token: SeDebugPrivilege	912	AdvancedRun.exe
Token: SeImpersonatePrivilege	912	AdvancedRun.exe
Token: SeDebugPrivilege	2036	AdvancedRun.exe
Token: SeImpersonatePrivilege	2036	AdvancedRun.exe
Token: SeDebugPrivilege	1600	AdvancedRun.exe
Token: SeImpersonatePrivilege	1600	AdvancedRun.exe
Token: SeDebugPrivilege	1476	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1476 RegAsm.exe

pid	process
1476	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 2040 wrote to memory of 1320	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1320	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1320	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1320	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 1320 wrote to memory of 1468	1320	powershell.exe	ipconfig.exe
PID 1320 wrote to memory of 1468	1320	powershell.exe	ipconfig.exe
PID 1320 wrote to memory of 1468	1320	powershell.exe	ipconfig.exe
PID 1320 wrote to memory of 1468	1320	powershell.exe	ipconfig.exe
PID 2040 wrote to memory of 1880	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1880	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1880	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1880	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1432	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1432	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1432	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 1432	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 1432 wrote to memory of 544	1432	powershell.exe	ipconfig.exe
PID 1432 wrote to memory of 544	1432	powershell.exe	ipconfig.exe
PID 1432 wrote to memory of 544	1432	powershell.exe	ipconfig.exe
PID 1432 wrote to memory of 544	1432	powershell.exe	ipconfig.exe
PID 2040 wrote to memory of 452	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 452	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 452	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 452	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	powershell.exe
PID 2040 wrote to memory of 336	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	AdvancedRun.exe
PID 2040 wrote to memory of 336	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	AdvancedRun.exe
PID 2040 wrote to memory of 336	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	AdvancedRun.exe
PID 2040 wrote to memory of 336	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	AdvancedRun.exe
PID 336 wrote to memory of 912	336	AdvancedRun.exe	AdvancedRun.exe
PID 336 wrote to memory of 912	336	AdvancedRun.exe	AdvancedRun.exe
PID 336 wrote to memory of 912	336	AdvancedRun.exe	AdvancedRun.exe
PID 336 wrote to memory of 912	336	AdvancedRun.exe	AdvancedRun.exe
PID 2040 wrote to memory of 2036	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	AdvancedRun.exe
PID 2040 wrote to memory of 2036	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	AdvancedRun.exe
PID 2040 wrote to memory of 2036	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	AdvancedRun.exe
PID 2040 wrote to memory of 2036	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	AdvancedRun.exe
PID 2036 wrote to memory of 1600	2036	AdvancedRun.exe	AdvancedRun.exe
PID 2036 wrote to memory of 1600	2036	AdvancedRun.exe	AdvancedRun.exe
PID 2036 wrote to memory of 1600	2036	AdvancedRun.exe	AdvancedRun.exe
PID 2036 wrote to memory of 1600	2036	AdvancedRun.exe	AdvancedRun.exe
PID 2040 wrote to memory of 1484	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1484	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1484	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1484	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1484	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1484	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1484	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1472	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1472	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1472	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1472	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1472	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1472	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1472	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe
PID 2040 wrote to memory of 1476	2040	105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe
"C:\Users\Admin\AppData\Local\Temp\105B3E33E393C9D0CCDAAE95FFCBB9EFF9A946F79683C.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbABlAGEAcwBlAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /release
3⤵
- Gathers network information
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbgBlAHcA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /renew
3⤵
- Gathers network information
PID:544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAuADUA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 336
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2036
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
PID:1472

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2f2f2dca485987e7c75045df9f18ff13

SHA1
4cc743a6ad5c133487a907e43a659e6ad4fe62f2

SHA256
7dadcdcd0b9e5d958e04f2a24e92ada9da6906fb12523a3d54e9f2e6eac0a423

SHA512
50db11c6f13329f0601239cbbc2059bc59f3551ef70449d5c67a4f0d6873c40411674b38ee81ddbec752ec6068a8ee98fdab814e86bcd9b39c4a3e92e536a616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2f2f2dca485987e7c75045df9f18ff13

SHA1
4cc743a6ad5c133487a907e43a659e6ad4fe62f2

SHA256
7dadcdcd0b9e5d958e04f2a24e92ada9da6906fb12523a3d54e9f2e6eac0a423

SHA512
50db11c6f13329f0601239cbbc2059bc59f3551ef70449d5c67a4f0d6873c40411674b38ee81ddbec752ec6068a8ee98fdab814e86bcd9b39c4a3e92e536a616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2f2f2dca485987e7c75045df9f18ff13

SHA1
4cc743a6ad5c133487a907e43a659e6ad4fe62f2

SHA256
7dadcdcd0b9e5d958e04f2a24e92ada9da6906fb12523a3d54e9f2e6eac0a423

SHA512
50db11c6f13329f0601239cbbc2059bc59f3551ef70449d5c67a4f0d6873c40411674b38ee81ddbec752ec6068a8ee98fdab814e86bcd9b39c4a3e92e536a616

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/336-84-0x0000000000000000-mapping.dmp

Download
memory/452-80-0x0000000070E60000-0x000000007140B000-memory.dmp

Filesize
5.7MB

Download
memory/452-79-0x0000000070E60000-0x000000007140B000-memory.dmp

Filesize
5.7MB

Download
memory/452-75-0x0000000000000000-mapping.dmp

Download
memory/544-72-0x0000000000000000-mapping.dmp

Download
memory/912-90-0x0000000000000000-mapping.dmp

Download
memory/1320-57-0x0000000000000000-mapping.dmp

Download
memory/1320-61-0x0000000071410000-0x00000000719BB000-memory.dmp

Filesize
5.7MB

Download
memory/1432-74-0x0000000071410000-0x00000000719BB000-memory.dmp

Filesize
5.7MB

Download
memory/1432-68-0x0000000000000000-mapping.dmp

Download
memory/1468-59-0x0000000000000000-mapping.dmp

Download
memory/1476-108-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1476-111-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1476-119-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1476-113-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1476-117-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1476-114-0x000000000047E7CE-mapping.dmp

Download
memory/1476-112-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1476-109-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1600-100-0x0000000000000000-mapping.dmp

Download
memory/1880-65-0x0000000070E60000-0x000000007140B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-67-0x0000000070E60000-0x000000007140B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-66-0x0000000070E60000-0x000000007140B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-62-0x0000000000000000-mapping.dmp

Download
memory/2036-95-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000000110000-0x000000000035E000-memory.dmp

Filesize
2.3MB

Download
memory/2040-56-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/2040-55-0x0000000002190000-0x0000000002218000-memory.dmp

Filesize
544KB

Download
memory/2040-81-0x0000000004AE0000-0x0000000004B64000-memory.dmp

Filesize
528KB

Download