Analysis Overview
SHA256
68ec522a65cedca986bb71fde901364ce07d4a763ed75c4d5fd96a4ea60543f9
Threat Level: Known bad
The file Electron.bin.zip was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-02 18:10
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-02 18:10
Reported
2023-12-02 18:11
Platform
win7-20231130-en
Max time kernel
57s
Max time network
53s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hpO5htDnpGk2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IoHqLxysdlFf.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\blBgpvBxu9wo.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
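The process tree above is the batch-file relaunch sequence of the open-source Quasar client: the implant writes a randomly named .bat to the user's %TEMP%, runs it through cmd.exe, and the batch switches the console to code page 65001, sleeps with ping -n 10 localhost and starts the executable again, which is why the tree shows Electron.exe started afresh after each batch. The Python below is an added example, not part of this sandbox report or of Quasar's code, that correlates process-creation events into that chain. The event layout and the sample events are constructed to mirror the tree above; the child pids and the benign events are invented.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style: pid, ppid, image,
# command line), modelled on the behavioral1 process tree. They are not the
# sandbox's own log; the child pids and the two benign events are invented.
EVENTS = [
    {"pid": 2148, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Electron.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Electron.exe"'},
    {"pid": 2200, "ppid": 2148, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\hpO5htDnpGk2.bat" "'},
    {"pid": 2210, "ppid": 2200, "image": r"C:\Windows\system32\chcp.com",
     "cmd": "chcp 65001"},
    {"pid": 2220, "ppid": 2200, "image": r"C:\Windows\system32\PING.EXE",
     "cmd": "ping -n 10 localhost"},
    # Benign noise: an admin script that also sleeps with ping but runs from outside %TEMP%.
    {"pid": 3000, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd /c "C:\Scripts\healthcheck.bat"'},
    {"pid": 3010, "ppid": 3000, "image": r"C:\Windows\system32\PING.EXE",
     "cmd": "ping -n 10 localhost"},
]

# A quoted .bat path under the user's %TEMP%, matching both cmd.exe forms in the report
# ('cmd /c ""...bat" "' and 'C:\Windows\system32\cmd.exe /c ""...bat" "').
BAT_IN_TEMP = re.compile(r'"([A-Za-z]:\\[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.bat)"', re.IGNORECASE)
CHCP_UTF8 = re.compile(r"^chcp\s+65001\s*$", re.IGNORECASE)
PING_SLEEP = re.compile(r"^ping\s+-n\s+\d+\s+localhost\b", re.IGNORECASE)


def find_quasar_batch_chains(events):
    """Return one finding per cmd.exe that (1) runs a .bat from %TEMP% and
    (2) spawns both 'chcp 65001' and 'ping -n <N> localhost'. The parent
    image is included so the analyst sees which binary wrote the batch file."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_IN_TEMP.search(e["cmd"])
        if not m:
            continue
        kids = children[e["pid"]]
        has_chcp = any(CHCP_UTF8.match(k["cmd"]) for k in kids)
        has_ping = any(PING_SLEEP.match(k["cmd"]) for k in kids)
        if has_chcp and has_ping:
            parent = by_pid.get(e["ppid"])
            findings.append({
                "cmd_pid": e["pid"],
                "batch": m.group(1),
                "parent_image": parent["image"] if parent else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_quasar_batch_chains(EVENTS):
        print(finding)
```

ping -n 10 localhost on its own is a common installer sleep, so the rule only fires when the batch sits in %TEMP% and both chcp 65001 and the localhost ping are children of the same cmd.exe. Adding the parent's signature status (the report flags the PE as unsigned) or a check that the parent itself runs from %TEMP% would tighten it further.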
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
Files
memory/2148-0-0x0000000000E90000-0x00000000011C4000-memory.dmp
memory/2148-1-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp
memory/2148-2-0x000000001B2E0000-0x000000001B360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hpO5htDnpGk2.bat
| MD5 | 42a6b84a629f43ba0b6975630c4e1b9a |
| SHA1 | afebd750aa592dd37510ef0f43a73112b182156b |
| SHA256 | 335dc0a008c51c136d84dc5fdfd9528fb91a4dac5268c934745227383aeb36ae |
| SHA512 | 7432bf9cb418e67296064192f3e3ad6168a7406c519bea3435e55034af0d7d3465dad09ed092be89a3eb5982adb85086ac563655d80c1af53091f82575be21bb |
memory/2148-12-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp
memory/2452-14-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
memory/2452-13-0x0000000000360000-0x0000000000694000-memory.dmp
memory/2452-15-0x000000001B340000-0x000000001B3C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IoHqLxysdlFf.bat
| MD5 | bd23869efcf526ba54b33e6e09f36e39 |
| SHA1 | ee4f301b3acc73fe01f9662f7f1d3b2618e90ad4 |
| SHA256 | 0dc22cf7eb9f0763d13c4f99af839b9a56e8462edf20ce4aec55b37f14c30872 |
| SHA512 | 1b29637d210281d1a44a51bb79f977b3aaa3db0ea62a75236e7801a632d602fc42ae301736059ba234526e89d244be5eacaf72c08c8494761a4fb4503adc45c0 |
memory/2452-25-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
memory/2908-26-0x0000000001050000-0x0000000001384000-memory.dmp
memory/2908-28-0x0000000000C90000-0x0000000000D10000-memory.dmp
memory/2908-27-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\blBgpvBxu9wo.bat
| MD5 | 1b36941dbe83917e59a7c1ac67ec137b |
| SHA1 | 3c299e1211b72f2691b909593c52f3f0adb5c227 |
| SHA256 | 80cd1cceae84f67bdb1c6e05c94bb605e9ae3d8a0f32c9d2d6ea86d75feb8194 |
| SHA512 | 32e7dd8676cb20d0fce9df70025ad2dbbfac6acf854f42cf57d97ab8e805b0bdde1c4751f757d37506d4707f03832d041a8762178a061f2b30ede5ac9dac096d |
memory/2908-38-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-02 18:10
Reported
2023-12-02 18:11
Platform
win10-20231129-en
Max time kernel
57s
Max time network
54s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ibwSTP4WYaLg.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6U0YYLN4nnIN.bat" "
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jl6l5CSnegqR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
Files
memory/4724-0-0x0000000000E30000-0x0000000001164000-memory.dmp
memory/4724-1-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp
memory/4724-2-0x000000001BDB0000-0x000000001BDC0000-memory.dmp
memory/4724-3-0x000000001C3E0000-0x000000001C430000-memory.dmp
memory/4724-4-0x000000001C4F0000-0x000000001C5A2000-memory.dmp
memory/4724-10-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ibwSTP4WYaLg.bat
| MD5 | 9e6ef90e3dbace5bdc11be4d4085662f |
| SHA1 | f68cb4e3afa64f353f9517297009efcdc96a7355 |
| SHA256 | 75df2c23291ed6f3aed9aed6bc18b02a466465d4fda8f6973b7591fb1dac3136 |
| SHA512 | fa2fa0dff8707107fcae584ce52f71ec21e47d143ea4c516a451a4efa7c79d9573390bbb6d0ae7e79e3978f7f4ddd4deae826722dbb3f10a773390f3cbf8b40e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Electron.exe.log
| MD5 | 1dcda70572487b230bb9e47148a0946d |
| SHA1 | 06f9b414b54eb9a816d9b37a2b54c82a94197a05 |
| SHA256 | 9e6e954e3f620c078e96da9f741090719a3b6b282704a1e54942b683223de4ed |
| SHA512 | 7de9c424f82129e049ca6830c6ae1f23489738d487999e773f1593494f1caddc9dd9c77f85c3a01e05ee37653de3ab17da8c3fdf75adc0c0c2fb38a938246179 |
memory/5084-12-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp
memory/5084-13-0x000000001BE40000-0x000000001BE50000-memory.dmp
memory/5084-17-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6U0YYLN4nnIN.bat
| MD5 | 95e9bbc0b27dba76e402d0a2a154c9c0 |
| SHA1 | 0ff0ab71e1d8127ed783375132fdd99f123a0219 |
| SHA256 | 89a8dded3f920654ba78d80f1027fe685d3f7305192f486287952413c6602012 |
| SHA512 | e880fbd82033c1516028b17370094ba3a545d70ab03e00b78307d35623e9e65fc9d61483738be39cea8c08f54501d72c1f37468ea46acd32c60dd23271b24fb3 |
memory/4660-20-0x000000001BCC0000-0x000000001BCD0000-memory.dmp
memory/4660-19-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp
memory/4660-24-0x00007FFED4FE0000-0x00007FFED59CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jl6l5CSnegqR.bat
| MD5 | 68fa1fd4d5152108ab7b3700a3db0606 |
| SHA1 | 7da764c3e81d963da50e0b8ebfa0152d879b1e36 |
| SHA256 | 2a76f1b13bfdd7be065ab72c506710c258457d1cb8892a2a6225e60eb1cf833d |
| SHA512 | c29b160e3b9ee21cafcb9e3d86cd1d5b7f21cec61ad54c65627551be8d7113ededd69480cd48ec17c60e1276454b8ea247ca79cab007bed405c1d030c0063177 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-02 18:10
Reported
2023-12-02 18:11
Platform
win10v2004-20231127-en
Max time kernel
46s
Max time network
62s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| DE | 193.161.193.99:33288 | limehag920-33288.portmap.host | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.252.72.23.in-addr.arpa | udp |
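In the table above only the rows with a tcp destination are actual connections; the udp rows to 8.8.8.8:53 are the sandbox's resolver queries, and the in-addr.arpa names are reverse lookups of addresses already seen. The connection that matters is 193.161.193.99:33288 for limehag920-33288.portmap.host. portmap.host is a port-forwarding service: the forwarded port is carried in the hostname, and the address is the relay's, not the operator's machine, so it is shared with unrelated users of the service and the hostname plus port pair is the better indicator. g.bing.com is Windows background traffic, and ipwho.is is a public geolocation API, consistent with the Quasar client looking up its own location at start rather than a second C2. Note that behavioral3 is the only run in which the TCP connection was observed; behavioral1, behavioral2 and behavioral4 only resolved the name. The Python below is an added example, not part of the report, that turns such a table into a hunt list; the table strings are copied from behavioral3 and behavioral1, and the allowlist sets are assumptions.

```python
import re

# Rows copied from the report's Network tables into constructed table strings.
# behavioral3 is the only run in which a TCP connection to the C2 was observed.
BEHAVIORAL3_ROWS = """\
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| DE | 193.161.193.99:33288 | limehag920-33288.portmap.host | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
"""
BEHAVIORAL1_ROWS = """\
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
"""

ROW = re.compile(
    r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(udp|tcp)\s*\|$", re.M)

# Analyst allowlists, assumed here: Windows background hosts and the public
# geolocation API the Quasar client queries for its own location.
BACKGROUND_HOSTS = {"g.bing.com"}
GEOIP_HOSTS = {"ipwho.is"}


def parse_rows(table):
    return [{"country": c, "ip": ip, "port": int(port), "domain": dom, "proto": proto}
            for c, ip, port, dom, proto in ROW.findall(table)]


def extract_iocs(table, background=BACKGROUND_HOSTS, geoip=GEOIP_HOSTS):
    """Split a sandbox network table into C2 peers, geolocation lookups, background
    traffic, and names that were resolved but never connected to."""
    queried, connected = set(), {}
    for r in parse_rows(table):
        if r["proto"] == "udp" and r["port"] == 53:
            # A DNS row names the resolver, not the peer; PTR lookups are sandbox noise.
            if not r["domain"].endswith(".in-addr.arpa"):
                queried.add(r["domain"])
            continue
        connected.setdefault(r["domain"], set()).add((r["ip"], r["port"]))

    iocs = {"c2": [], "geoip": [], "background": []}
    for dom, peers in connected.items():
        for ip, port in sorted(peers):
            entry = {"domain": dom, "ip": ip, "port": port,
                     # portmap.host-style names carry the forwarded port as a suffix
                     "port_in_hostname": dom.split(".")[0].endswith(f"-{port}")}
            bucket = "background" if dom in background else "geoip" if dom in geoip else "c2"
            iocs[bucket].append(entry)
    iocs["resolved_only"] = sorted(queried - set(connected) - background - geoip)
    return iocs


if __name__ == "__main__":
    for run, table in (("behavioral3", BEHAVIORAL3_ROWS), ("behavioral1", BEHAVIORAL1_ROWS)):
        print(run, extract_iocs(table))
```

For behavioral1 the function returns no C2 peer and lists limehag920-33288.portmap.host under resolved_only, which is the right reading of that run: the name was looked up three times and no connection followed, so a hunt on DNS logs for the hostname catches infected hosts that the relay address alone would miss.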
Files
memory/2328-0-0x00000000005A0000-0x00000000008D4000-memory.dmp
memory/2328-1-0x00007FF8F3590000-0x00007FF8F4051000-memory.dmp
memory/2328-2-0x0000000000F80000-0x0000000000F90000-memory.dmp
memory/2328-3-0x000000001BC90000-0x000000001BCE0000-memory.dmp
memory/2328-4-0x000000001BDA0000-0x000000001BE52000-memory.dmp
memory/2328-5-0x000000001BD20000-0x000000001BD32000-memory.dmp
memory/2328-6-0x000000001C6A0000-0x000000001C6DC000-memory.dmp
memory/2328-7-0x00007FF8F3590000-0x00007FF8F4051000-memory.dmp
memory/2328-8-0x0000000000F80000-0x0000000000F90000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-12-02 18:10
Reported
2023-12-02 18:11
Platform
win11-20231129-en
Max time kernel
55s
Max time network
58s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZzVEk7errOBs.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DruAiIwLoJnF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOMuJkUC57IK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMj2XCyT9gOr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
| US | 8.8.8.8:53 | limehag920-33288.portmap.host | udp |
Files
memory/4240-0-0x00000000009D0000-0x0000000000D04000-memory.dmp
memory/4240-1-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
memory/4240-2-0x000000001B7D0000-0x000000001B7E0000-memory.dmp
memory/4240-3-0x000000001C310000-0x000000001C360000-memory.dmp
memory/4240-4-0x000000001C420000-0x000000001C4D2000-memory.dmp
memory/4240-9-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZzVEk7errOBs.bat
| MD5 | 16c9a78f013914e91d55b55cc267d881 |
| SHA1 | 27c165ae5eb3c9415aa4aee60c597b110ce273c1 |
| SHA256 | f27851dd08dfef1a9276344f3bbe9c8bc9e0e90497d62155f26657e0239039a6 |
| SHA512 | 68a60868653de6c46a854aba1c364fc842c84ba58368ed41fbd1ecad8403e520afc7290016114ba9903cf22aa8003b98f2faed20c303b7facfde74ff880fd68a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Electron.exe.log
| MD5 | 15eab799098760706ed95d314e75449d |
| SHA1 | 273fb07e40148d5c267ca53f958c5075d24c4444 |
| SHA256 | 45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778 |
| SHA512 | 50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c |
memory/4768-12-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
memory/4768-13-0x000000001BA40000-0x000000001BA50000-memory.dmp
memory/4768-17-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DruAiIwLoJnF.bat
| MD5 | 93f04da3f17e7166ee5c0aeca4cfa941 |
| SHA1 | 673f93468c92b4f4fd2b046215b61d305ba8416a |
| SHA256 | 4f88d7effa3e6bb34a20ed313878a27ed3196708c29eb0c73894ab018980d3c7 |
| SHA512 | e49701ac8c9a2b21a09eb3b6c3498a75bbac4c884e8ca625e456e0967d2a6973291e07219056deebeaf76e8e25d698513bd388d4374aeee19f9f266b715375bf |
memory/3668-19-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
memory/3668-20-0x000000001B850000-0x000000001B860000-memory.dmp
memory/3668-24-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XOMuJkUC57IK.bat
| MD5 | 37dfc29baa5d52c8169b71d0db2c819f |
| SHA1 | e0a8e9144d3d44790ec8085a79b3d1c912afdbfa |
| SHA256 | ba0104c96c583f065e4dcb10febafa71d744acb8f4708822cf5214ebc626ad81 |
| SHA512 | 7bd9ed4d0ac01407e5984c48a327e4c2f134e77ea8503cbd9afe5c676df5ae16ee1abc07e09cba7dd38d9831bf43f0caee506542b013b4760456b7b979476df4 |
memory/2024-26-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
memory/2024-30-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YMj2XCyT9gOr.bat
| MD5 | 3b4653f66e2928d54902ce4aa25cd639 |
| SHA1 | 6ecb9edcaf7e8ce89f94679ae08de0a3ccc6b4e0 |
| SHA256 | 91c6cd6075c69cf49eca8e01b479a358d14c89a48560335899718703b74c8ca1 |
| SHA512 | d2c451ef94154e8c9243850449aa9614dd979d25e3d3cca4c3fc454d94788eab0c24fed3ad3059a16dde0a171f59f6555bbb83a3370d53011937d0cf19a6efa8 |
memory/1636-32-0x00007FFB7ECF0000-0x00007FFB7F7B2000-memory.dmp
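Across the four runs the Files sections list ten dropped .bat files with ten different MD5/SHA1/SHA256 triples, because each file carries a random name and the path embedded in it varies per instance, so these hashes identify exactly these files and nothing else. The stable part is what the batches ran, as the process trees show: chcp 65001 and ping -n 10 localhost from a .bat in %TEMP%, followed by a relaunch of Electron.exe. The Python below is an added example, not part of the report or of Quasar, that hashes a candidate file, compares it against the report's SHA256 values and falls back to those content markers. The sample batch text is constructed on the assumption that the file contains the two commands and then starts the executable; the report shows the commands executed, not the file contents.

```python
import hashlib
import os
import re

# Content markers proven by the process trees: every dropped batch ran these two
# commands. They survive the per-instance name and path changes that the hashes do not.
MARKERS = (
    re.compile(rb"^\s*chcp\s+65001\s*$", re.I | re.M),
    re.compile(rb"^\s*ping\s+-n\s+\d+\s+localhost\b", re.I | re.M),
)

# SHA256 values of the ten dropped .bat files, copied from the report's Files sections.
REPORT_BAT_SHA256 = {
    "335dc0a008c51c136d84dc5fdfd9528fb91a4dac5268c934745227383aeb36ae",  # hpO5htDnpGk2.bat
    "0dc22cf7eb9f0763d13c4f99af839b9a56e8462edf20ce4aec55b37f14c30872",  # IoHqLxysdlFf.bat
    "80cd1cceae84f67bdb1c6e05c94bb605e9ae3d8a0f32c9d2d6ea86d75feb8194",  # blBgpvBxu9wo.bat
    "75df2c23291ed6f3aed9aed6bc18b02a466465d4fda8f6973b7591fb1dac3136",  # ibwSTP4WYaLg.bat
    "89a8dded3f920654ba78d80f1027fe685d3f7305192f486287952413c6602012",  # 6U0YYLN4nnIN.bat
    "2a76f1b13bfdd7be065ab72c506710c258457d1cb8892a2a6225e60eb1cf833d",  # jl6l5CSnegqR.bat
    "f27851dd08dfef1a9276344f3bbe9c8bc9e0e90497d62155f26657e0239039a6",  # ZzVEk7errOBs.bat
    "4f88d7effa3e6bb34a20ed313878a27ed3196708c29eb0c73894ab018980d3c7",  # DruAiIwLoJnF.bat
    "ba0104c96c583f065e4dcb10febafa71d744acb8f4708822cf5214ebc626ad81",  # XOMuJkUC57IK.bat
    "91c6cd6075c69cf49eca8e01b479a358d14c89a48560335899718703b74c8ca1",  # YMj2XCyT9gOr.bat
}


def file_hashes(data):
    """MD5, SHA1 and SHA256 of a byte string, in the layout the report uses."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def classify_batch(data):
    """'known_hash' for one of the report's exact files, 'quasar_pattern' when the
    content carries both markers, otherwise 'no_match'. Returns the hashes as well
    so a new instance can be recorded alongside the report's."""
    h = file_hashes(data)
    if h["sha256"] in REPORT_BAT_SHA256:
        return "known_hash", h
    if all(m.search(data) for m in MARKERS):
        return "quasar_pattern", h
    return "no_match", h


def scan_batch_files(root):
    """Walk a directory (for example a user's %TEMP% copied off a host) and return
    (path, verdict, sha256) for every .bat that matches by hash or by content."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".bat"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict, h = classify_batch(fh.read())
            if verdict != "no_match":
                hits.append((path, verdict, h["sha256"]))
    return hits


# Constructed samples. SAMPLE_BAT's layout is an assumption (the report shows the
# commands that ran and the relaunch of Electron.exe, not the file text);
# BENIGN_BAT is an invented admin script that also sleeps with ping.
SAMPLE_BAT = (b"@echo off\r\nchcp 65001\r\nping -n 10 localhost > nul\r\n"
              b'start "" "C:\\Users\\Admin\\AppData\\Local\\Temp\\Electron.exe"\r\nexit\r\n')
BENIGN_BAT = b"@echo off\r\nping -n 4 fileserver > nul\r\nxcopy /y \\\\fileserver\\share\\build .\r\n"

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        verdict, h = classify_batch(data)
        print(label, verdict, h["sha256"])
```

Treat a quasar_pattern hit as a lead rather than a verdict: the two commands are ordinary batch idioms, and the conviction comes from the surrounding evidence the report records, namely the unsigned executable in %TEMP% that wrote the file, the SeDebugPrivilege request and the portmap.host lookup.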