quasar | 3641770670faf667b289df978513c46c31b2074cd5504cbd73dccc510e394ace

Analysis

max time kernel
151s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-03-2023 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcuido.exe
Size

3.1MB
MD5

00535440a40587b5b08ba0b98dfeb4b3
SHA1

7ca280a1dc7102c3f371b748b8e9b6a13cf09b29
SHA256

3641770670faf667b289df978513c46c31b2074cd5504cbd73dccc510e394ace
SHA512

0ba4d4630ffdab08a9a6849b88321a6eba7b4233ff09c2373520ac98632509cbbb9f4939e2bfaa1021b04c2c8a13f172fa6bf4fed2363f195dadf2d4b8175868
SSDEEP

49152:DvCI22SsaNYfdPBldt698dBcjHqxDE/Avk/JxPoGdIfhTHHB72eh2NT:DvP22SsaNYfdPBldt6+dBcjHqxQNi

Score

10^/10

quasar orcus spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Orcus

Rares14023-51676.portmap.host:51676

Mutex

eabc7ac9-6a8c-4e27-bfcf-1cbc46331ce7

Attributes

encryption_key
1A1B74C3A45D7286503C40C19ECC5088F044534B
install_name
OrcusRat.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/1376-54-0x00000000009E0000-0x0000000000D04000-memory.dmp	family_quasar
behavioral1/memory/1768-65-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar
behavioral1/memory/1664-76-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar
behavioral1/memory/1572-88-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/844-99-0x0000000001060000-0x0000000001384000-memory.dmp	family_quasar
behavioral1/memory/1324-111-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/1116-122-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar
behavioral1/memory/1168-134-0x00000000011E0000-0x0000000001504000-memory.dmp	family_quasar
behavioral1/memory/1332-145-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1992	schtasks.exe
1652	schtasks.exe
992	schtasks.exe
540	schtasks.exe
656	schtasks.exe
1952	schtasks.exe
1280	schtasks.exe
1284	schtasks.exe
1048	schtasks.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1688	PING.EXE
1704	PING.EXE
1712	PING.EXE
1928	PING.EXE
1972	PING.EXE
1752	PING.EXE
1312	PING.EXE
1548	PING.EXE
268	PING.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	Orcuido.exe
Token: SeDebugPrivilege	1768	Orcuido.exe
Token: SeDebugPrivilege	1664	Orcuido.exe
Token: SeDebugPrivilege	1572	Orcuido.exe
Token: SeDebugPrivilege	844	Orcuido.exe
Token: SeDebugPrivilege	1324	Orcuido.exe
Token: SeDebugPrivilege	1116	Orcuido.exe
Token: SeDebugPrivilege	1168	Orcuido.exe
Token: SeDebugPrivilege	1332	Orcuido.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1376	Orcuido.exe
1768	Orcuido.exe
1572	Orcuido.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1992	1376	Orcuido.exe	28
PID 1376 wrote to memory of 1992	1376	Orcuido.exe	28
PID 1376 wrote to memory of 1992	1376	Orcuido.exe	28
PID 1376 wrote to memory of 1008	1376	Orcuido.exe	29
PID 1376 wrote to memory of 1008	1376	Orcuido.exe	29
PID 1376 wrote to memory of 1008	1376	Orcuido.exe	29
PID 1008 wrote to memory of 1740	1008	cmd.exe	31
PID 1008 wrote to memory of 1740	1008	cmd.exe	31
PID 1008 wrote to memory of 1740	1008	cmd.exe	31
PID 1008 wrote to memory of 1704	1008	cmd.exe	32
PID 1008 wrote to memory of 1704	1008	cmd.exe	32
PID 1008 wrote to memory of 1704	1008	cmd.exe	32
PID 1008 wrote to memory of 1768	1008	cmd.exe	33
PID 1008 wrote to memory of 1768	1008	cmd.exe	33
PID 1008 wrote to memory of 1768	1008	cmd.exe	33
PID 1768 wrote to memory of 992	1768	Orcuido.exe	34
PID 1768 wrote to memory of 992	1768	Orcuido.exe	34
PID 1768 wrote to memory of 992	1768	Orcuido.exe	34
PID 1768 wrote to memory of 1916	1768	Orcuido.exe	36
PID 1768 wrote to memory of 1916	1768	Orcuido.exe	36
PID 1768 wrote to memory of 1916	1768	Orcuido.exe	36
PID 1916 wrote to memory of 1848	1916	cmd.exe	38
PID 1916 wrote to memory of 1848	1916	cmd.exe	38
PID 1916 wrote to memory of 1848	1916	cmd.exe	38
PID 1916 wrote to memory of 1752	1916	cmd.exe	39
PID 1916 wrote to memory of 1752	1916	cmd.exe	39
PID 1916 wrote to memory of 1752	1916	cmd.exe	39
PID 1916 wrote to memory of 1664	1916	cmd.exe	40
PID 1916 wrote to memory of 1664	1916	cmd.exe	40
PID 1916 wrote to memory of 1664	1916	cmd.exe	40
PID 1664 wrote to memory of 540	1664	Orcuido.exe	41
PID 1664 wrote to memory of 540	1664	Orcuido.exe	41
PID 1664 wrote to memory of 540	1664	Orcuido.exe	41
PID 1664 wrote to memory of 2016	1664	Orcuido.exe	43
PID 1664 wrote to memory of 2016	1664	Orcuido.exe	43
PID 1664 wrote to memory of 2016	1664	Orcuido.exe	43
PID 2016 wrote to memory of 1276	2016	cmd.exe	45
PID 2016 wrote to memory of 1276	2016	cmd.exe	45
PID 2016 wrote to memory of 1276	2016	cmd.exe	45
PID 2016 wrote to memory of 1712	2016	cmd.exe	46
PID 2016 wrote to memory of 1712	2016	cmd.exe	46
PID 2016 wrote to memory of 1712	2016	cmd.exe	46
PID 2016 wrote to memory of 1572	2016	cmd.exe	47
PID 2016 wrote to memory of 1572	2016	cmd.exe	47
PID 2016 wrote to memory of 1572	2016	cmd.exe	47
PID 1572 wrote to memory of 1652	1572	Orcuido.exe	48
PID 1572 wrote to memory of 1652	1572	Orcuido.exe	48
PID 1572 wrote to memory of 1652	1572	Orcuido.exe	48
PID 1572 wrote to memory of 1740	1572	Orcuido.exe	50
PID 1572 wrote to memory of 1740	1572	Orcuido.exe	50
PID 1572 wrote to memory of 1740	1572	Orcuido.exe	50
PID 1740 wrote to memory of 952	1740	cmd.exe	52
PID 1740 wrote to memory of 952	1740	cmd.exe	52
PID 1740 wrote to memory of 952	1740	cmd.exe	52
PID 1740 wrote to memory of 1928	1740	cmd.exe	53
PID 1740 wrote to memory of 1928	1740	cmd.exe	53
PID 1740 wrote to memory of 1928	1740	cmd.exe	53
PID 1740 wrote to memory of 844	1740	cmd.exe	54
PID 1740 wrote to memory of 844	1740	cmd.exe	54
PID 1740 wrote to memory of 844	1740	cmd.exe	54
PID 844 wrote to memory of 656	844	Orcuido.exe	55
PID 844 wrote to memory of 656	844	Orcuido.exe	55
PID 844 wrote to memory of 656	844	Orcuido.exe	55
PID 844 wrote to memory of 836	844	Orcuido.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
"C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1992
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Ay9HwP1hpg3.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1740
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
    "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:992
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\9X0wnbwHCfM2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1848
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:540
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\q6PiV3tTSc12.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CBtMZQVvCy9Q.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BA29rNLuzmzP.bat" "
        10⤵
        
        PID:836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        12⤵
        Creates scheduled task(s)
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y8NBwgVrJJsV.bat" "
        12⤵
        
        PID:1656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        14⤵
        Creates scheduled task(s)
        
        PID:1280
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOxjbccn3dP2.bat" "
        14⤵
        
        PID:868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        16⤵
        Creates scheduled task(s)
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5qWo4cqR69bT.bat" "
        16⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        18⤵
        Creates scheduled task(s)
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lLltQPdlGKe4.bat" "
        18⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        19⤵
        
        PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5Ay9HwP1hpg3.bat

Filesize
204B

MD5
e14a62224cf03a7615a7565d37170151

SHA1
2bd05ac97559da4cf4ced3e4ea5363005f6cfca0

SHA256
7a1d621cc616814ddd3ae5708d859bb22bf27b8777a2d87654cb7aadd181dd41

SHA512
fc9fb1731efdbf03a5e5331955685c250e9a2a941aca7908823ff289cc631b349fb4c73c044d43be9b6bd44bf16e5d473fb4f04a66c87cee86303ade29c49846

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ay9HwP1hpg3.bat

Filesize
204B

MD5
e14a62224cf03a7615a7565d37170151

SHA1
2bd05ac97559da4cf4ced3e4ea5363005f6cfca0

SHA256
7a1d621cc616814ddd3ae5708d859bb22bf27b8777a2d87654cb7aadd181dd41

SHA512
fc9fb1731efdbf03a5e5331955685c250e9a2a941aca7908823ff289cc631b349fb4c73c044d43be9b6bd44bf16e5d473fb4f04a66c87cee86303ade29c49846

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qWo4cqR69bT.bat

Filesize
204B

MD5
c028f79f77a9480a4378e84c57c16e81

SHA1
a0bbb3ac63cabe183826684d27ac6c9e5ae32590

SHA256
8e11a0108d32a218baf991c2c3784e63b836e2145392b37a182397cc69d2a340

SHA512
d861fca456fe3aebc51ee27183a6ec0a1835f2e0d91dcbf1aa09fbd1d374e6ccebfa1d8b970b40f89fcb852b1e6c060445c70d43e1b371ea5f3950dd1ce14424

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qWo4cqR69bT.bat

Filesize
204B

MD5
c028f79f77a9480a4378e84c57c16e81

SHA1
a0bbb3ac63cabe183826684d27ac6c9e5ae32590

SHA256
8e11a0108d32a218baf991c2c3784e63b836e2145392b37a182397cc69d2a340

SHA512
d861fca456fe3aebc51ee27183a6ec0a1835f2e0d91dcbf1aa09fbd1d374e6ccebfa1d8b970b40f89fcb852b1e6c060445c70d43e1b371ea5f3950dd1ce14424

Download Submit
C:\Users\Admin\AppData\Local\Temp\9X0wnbwHCfM2.bat

Filesize
204B

MD5
e24404f84e913247e0f9d4f3173bf6d4

SHA1
2f51e1a59ffa90199ca088edac7afe9cd470c728

SHA256
86d295a96462ee481f9c79bde2d0f2c62ad16d25a45a12d421ccbdcfd12c1903

SHA512
ab92c5ec9cb732dcf8a23ad74471ac0ce5a2cfa43d7a71b8f835161bb8b565132bdd42aa95561c35a2fbf317e1d4081394f8c80ec925b96f59da4c02b206e5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\9X0wnbwHCfM2.bat

Filesize
204B

MD5
e24404f84e913247e0f9d4f3173bf6d4

SHA1
2f51e1a59ffa90199ca088edac7afe9cd470c728

SHA256
86d295a96462ee481f9c79bde2d0f2c62ad16d25a45a12d421ccbdcfd12c1903

SHA512
ab92c5ec9cb732dcf8a23ad74471ac0ce5a2cfa43d7a71b8f835161bb8b565132bdd42aa95561c35a2fbf317e1d4081394f8c80ec925b96f59da4c02b206e5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA29rNLuzmzP.bat

Filesize
204B

MD5
26d97bd5bd34e1946b9cf3e312431a47

SHA1
cc3f0e0d454230a3a0ab2426e9d3f202274a2a5f

SHA256
f43039a1af509f0ae68e6619b978e184bfd86c04372160b250f931bebe6c74f0

SHA512
84fa83ac562bec9fa1050642cb9caa01fde59e2af8728a28ed9e358a7b3bba139b82d3b3093ecef7d68f3091114bcfce99ed68e8c9904af5b7743ab04ce3b781

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA29rNLuzmzP.bat

Filesize
204B

MD5
26d97bd5bd34e1946b9cf3e312431a47

SHA1
cc3f0e0d454230a3a0ab2426e9d3f202274a2a5f

SHA256
f43039a1af509f0ae68e6619b978e184bfd86c04372160b250f931bebe6c74f0

SHA512
84fa83ac562bec9fa1050642cb9caa01fde59e2af8728a28ed9e358a7b3bba139b82d3b3093ecef7d68f3091114bcfce99ed68e8c9904af5b7743ab04ce3b781

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBtMZQVvCy9Q.bat

Filesize
204B

MD5
77f0db1c8d9586ee33bdde11250e6915

SHA1
bba4deb3d2807924d1640b170d30ebb885eaf22a

SHA256
58dec39d2b8bd570aebc631bd520c7a4e1c7e06d67fc5f30dcd48f0ae9313233

SHA512
6643595854896e40b66315ff92c961490a7c94493d00c2890709844f59b9dc70128b2c55cbf87fcbdefa7f18bd2eea9929815f30be9ad1b37192dc23cdd64f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBtMZQVvCy9Q.bat

Filesize
204B

MD5
77f0db1c8d9586ee33bdde11250e6915

SHA1
bba4deb3d2807924d1640b170d30ebb885eaf22a

SHA256
58dec39d2b8bd570aebc631bd520c7a4e1c7e06d67fc5f30dcd48f0ae9313233

SHA512
6643595854896e40b66315ff92c961490a7c94493d00c2890709844f59b9dc70128b2c55cbf87fcbdefa7f18bd2eea9929815f30be9ad1b37192dc23cdd64f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOxjbccn3dP2.bat

Filesize
204B

MD5
658b6f0126b05ab768ae78e7a35a4db9

SHA1
799df5d7239a850f0052682ef4dd209a26cf8f56

SHA256
8e11377077f05960958cf13fa64bf4837f277bd7dc1a7151e13ae64dfb53a5aa

SHA512
f6a5d64494a070e14348dadc87fb1319332891bd3226ca4ede5e7e14d9936a0c1923f3259965dc81f5f33cf3e63319832a785f23a48445d2e0c8f290e57c47df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOxjbccn3dP2.bat

Filesize
204B

MD5
658b6f0126b05ab768ae78e7a35a4db9

SHA1
799df5d7239a850f0052682ef4dd209a26cf8f56

SHA256
8e11377077f05960958cf13fa64bf4837f277bd7dc1a7151e13ae64dfb53a5aa

SHA512
f6a5d64494a070e14348dadc87fb1319332891bd3226ca4ede5e7e14d9936a0c1923f3259965dc81f5f33cf3e63319832a785f23a48445d2e0c8f290e57c47df

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLltQPdlGKe4.bat

Filesize
204B

MD5
d3146efd1f0b4034798c5f5a5aa38e86

SHA1
e6bf06dae8bb80da5f546f781a59ad6657ebbbe0

SHA256
26b8ad169cc696c8a7cebdaf8c5e57aaf538a4321f27db8f644c94884d935c91

SHA512
aaa0fd889e8d6dceb111b84f253ae04a1e7c2cefeb5951b79a824a4d2b8966b9ffcccbfb3e69d0c14bb4f33ba9bcb528a079eab1a572a25347b72d9018c87cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLltQPdlGKe4.bat

Filesize
204B

MD5
d3146efd1f0b4034798c5f5a5aa38e86

SHA1
e6bf06dae8bb80da5f546f781a59ad6657ebbbe0

SHA256
26b8ad169cc696c8a7cebdaf8c5e57aaf538a4321f27db8f644c94884d935c91

SHA512
aaa0fd889e8d6dceb111b84f253ae04a1e7c2cefeb5951b79a824a4d2b8966b9ffcccbfb3e69d0c14bb4f33ba9bcb528a079eab1a572a25347b72d9018c87cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6PiV3tTSc12.bat

Filesize
204B

MD5
a233faff2c1dbae4545abd93cad39bef

SHA1
68cba1d896c5391b873950de34a6ce5080c1b571

SHA256
8e31aba380254ae323b6edd23f7e1940b3d39725f96bc0d9f43c7e74d3113421

SHA512
8fda4e0b13f4c75a2c1a987aa57f5273f0c82348c6ec66662afc08a7887994d3886a020641b0e7e872d05eefdf49d2e0389d55d48b98a188a44319c7b5a79c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6PiV3tTSc12.bat

Filesize
204B

MD5
a233faff2c1dbae4545abd93cad39bef

SHA1
68cba1d896c5391b873950de34a6ce5080c1b571

SHA256
8e31aba380254ae323b6edd23f7e1940b3d39725f96bc0d9f43c7e74d3113421

SHA512
8fda4e0b13f4c75a2c1a987aa57f5273f0c82348c6ec66662afc08a7887994d3886a020641b0e7e872d05eefdf49d2e0389d55d48b98a188a44319c7b5a79c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8NBwgVrJJsV.bat

Filesize
204B

MD5
76b69855dd5ec73d29ab7ebc5de24f76

SHA1
c61811eabec4afc9450b06fe2cbc7448c62a268a

SHA256
d4d8f33b0e9ced18e22278c1c21e5a134c407040d77805d8bc331ab2bebe02ef

SHA512
1efc3c1a56dd7a2e9ece545c9326b91189ffb1a37a94740ead3568bee5043e55dbbc55733ae206ec76ddd2b386cfc66a4d28940369d224e2f503fc8c2cec0538

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8NBwgVrJJsV.bat

Filesize
204B

MD5
76b69855dd5ec73d29ab7ebc5de24f76

SHA1
c61811eabec4afc9450b06fe2cbc7448c62a268a

SHA256
d4d8f33b0e9ced18e22278c1c21e5a134c407040d77805d8bc331ab2bebe02ef

SHA512
1efc3c1a56dd7a2e9ece545c9326b91189ffb1a37a94740ead3568bee5043e55dbbc55733ae206ec76ddd2b386cfc66a4d28940369d224e2f503fc8c2cec0538

Download Submit
memory/844-99-0x0000000001060000-0x0000000001384000-memory.dmp

Filesize
3.1MB

Download
memory/844-101-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1116-122-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download
memory/1116-123-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/1144-157-0x0000000000E80000-0x00000000011A4000-memory.dmp

Filesize
3.1MB

Download
memory/1168-134-0x00000000011E0000-0x0000000001504000-memory.dmp

Filesize
3.1MB

Download
memory/1168-135-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/1324-111-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/1324-112-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/1332-146-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/1332-145-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/1376-55-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/1376-54-0x00000000009E0000-0x0000000000D04000-memory.dmp

Filesize
3.1MB

Download
memory/1572-88-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/1572-89-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/1664-76-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/1664-77-0x000000001B0E0000-0x000000001B160000-memory.dmp

Filesize
512KB

Download
memory/1768-66-0x000000001B340000-0x000000001B3C0000-memory.dmp

Filesize
512KB

Download
memory/1768-65-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads