quasar | 90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exe
Size

3.1MB
MD5

cb9d96470528dad492231fcdf0925086
SHA1

c9c556cabeaa09e24d999fc5d597999a5e0c164d
SHA256

90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab
SHA512

121fd90e09ff59ad056bc15c8c9b90db9298c8a9606a61d20153031bd083ea9df51b8d8c6c34cfb61e8cd6e385bdbe426eeb4c6a85ca87ddea06c7bb3af15a3c
SSDEEP

49152:PvRuf2NUaNmwzPWlvdaKM7ZxTwcQJ+3lmZIXoG/PTHHB72eh2NT:Pvsf2NUaNmwzPWlvdaB7ZxTw1J+3z

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

140.238.91.110:38899

uk2.localto.net:38899:38899

Mutex

276d9dc6-b19c-4958-8ac3-89586bd3b515

Attributes

encryption_key
ABCF70C37D1A79A01712038122D1532DF20DF72A
install_name
Client.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4012-0-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\Client.exe	family_quasar

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4012-0-0x0000000000130000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\Windows\Client.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4012-0-0x0000000000130000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\Windows\Client.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4012-0-0x0000000000130000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\Windows\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 9 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

3496 Client.exe
5116 Client.exe
392 Client.exe
4276 Client.exe
3324 Client.exe
1032 Client.exe
3036 Client.exe
940 Client.exe
3384 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3496	Client.exe
5116	Client.exe
392	Client.exe
4276	Client.exe
3324	Client.exe
1032	Client.exe
3036	Client.exe
940	Client.exe
3384	Client.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3656	schtasks.exe
3832	schtasks.exe
3252	schtasks.exe
1284	schtasks.exe
3484	schtasks.exe
1836	schtasks.exe
1372	schtasks.exe
2616	schtasks.exe
2376	schtasks.exe
1992	schtasks.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2356 PING.EXE
3744 PING.EXE
956 PING.EXE
224 PING.EXE
3244 PING.EXE
4444 PING.EXE
3268 PING.EXE
1792 PING.EXE

pid	process
2356	PING.EXE
3744	PING.EXE
956	PING.EXE
224	PING.EXE
3244	PING.EXE
4444	PING.EXE
3268	PING.EXE
1792	PING.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4012	90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exe
Token: SeDebugPrivilege	3496	Client.exe
Token: SeDebugPrivilege	5116	Client.exe
Token: SeDebugPrivilege	392	Client.exe
Token: SeDebugPrivilege	4276	Client.exe
Token: SeDebugPrivilege	3324	Client.exe
Token: SeDebugPrivilege	1032	Client.exe
Token: SeDebugPrivilege	3036	Client.exe
Token: SeDebugPrivilege	940	Client.exe
Token: SeDebugPrivilege	3384	Client.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

3496 Client.exe
5116 Client.exe
392 Client.exe
4276 Client.exe
3324 Client.exe
1032 Client.exe
3036 Client.exe
940 Client.exe
3384 Client.exe

pid	process
3496	Client.exe
5116	Client.exe
392	Client.exe
4276	Client.exe
3324	Client.exe
1032	Client.exe
3036	Client.exe
940	Client.exe
3384	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4012 wrote to memory of 1372	4012	90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exe	schtasks.exe
PID 4012 wrote to memory of 1372	4012	90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exe	schtasks.exe
PID 4012 wrote to memory of 3496	4012	90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exe	Client.exe
PID 4012 wrote to memory of 3496	4012	90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exe	Client.exe
PID 3496 wrote to memory of 3656	3496	Client.exe	schtasks.exe
PID 3496 wrote to memory of 3656	3496	Client.exe	schtasks.exe
PID 3496 wrote to memory of 4296	3496	Client.exe	cmd.exe
PID 3496 wrote to memory of 4296	3496	Client.exe	cmd.exe
PID 4296 wrote to memory of 3240	4296	cmd.exe	chcp.com
PID 4296 wrote to memory of 3240	4296	cmd.exe	chcp.com
PID 4296 wrote to memory of 3268	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 3268	4296	cmd.exe	PING.EXE
PID 4296 wrote to memory of 5116	4296	cmd.exe	Client.exe
PID 4296 wrote to memory of 5116	4296	cmd.exe	Client.exe
PID 5116 wrote to memory of 1992	5116	Client.exe	schtasks.exe
PID 5116 wrote to memory of 1992	5116	Client.exe	schtasks.exe
PID 5116 wrote to memory of 1512	5116	Client.exe	cmd.exe
PID 5116 wrote to memory of 1512	5116	Client.exe	cmd.exe
PID 1512 wrote to memory of 3240	1512	cmd.exe	chcp.com
PID 1512 wrote to memory of 3240	1512	cmd.exe	chcp.com
PID 1512 wrote to memory of 1792	1512	cmd.exe	PING.EXE
PID 1512 wrote to memory of 1792	1512	cmd.exe	PING.EXE
PID 1512 wrote to memory of 392	1512	cmd.exe	Client.exe
PID 1512 wrote to memory of 392	1512	cmd.exe	Client.exe
PID 392 wrote to memory of 3832	392	Client.exe	schtasks.exe
PID 392 wrote to memory of 3832	392	Client.exe	schtasks.exe
PID 392 wrote to memory of 1680	392	Client.exe	cmd.exe
PID 392 wrote to memory of 1680	392	Client.exe	cmd.exe
PID 1680 wrote to memory of 2772	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 2772	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 2356	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 2356	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 4276	1680	cmd.exe	Client.exe
PID 1680 wrote to memory of 4276	1680	cmd.exe	Client.exe
PID 4276 wrote to memory of 3252	4276	Client.exe	schtasks.exe
PID 4276 wrote to memory of 3252	4276	Client.exe	schtasks.exe
PID 4276 wrote to memory of 3676	4276	Client.exe	cmd.exe
PID 4276 wrote to memory of 3676	4276	Client.exe	cmd.exe
PID 3676 wrote to memory of 4748	3676	cmd.exe	chcp.com
PID 3676 wrote to memory of 4748	3676	cmd.exe	chcp.com
PID 3676 wrote to memory of 3744	3676	cmd.exe	PING.EXE
PID 3676 wrote to memory of 3744	3676	cmd.exe	PING.EXE
PID 3676 wrote to memory of 3324	3676	cmd.exe	Client.exe
PID 3676 wrote to memory of 3324	3676	cmd.exe	Client.exe
PID 3324 wrote to memory of 2616	3324	Client.exe	schtasks.exe
PID 3324 wrote to memory of 2616	3324	Client.exe	schtasks.exe
PID 3324 wrote to memory of 4932	3324	Client.exe	cmd.exe
PID 3324 wrote to memory of 4932	3324	Client.exe	cmd.exe
PID 4932 wrote to memory of 1048	4932	cmd.exe	chcp.com
PID 4932 wrote to memory of 1048	4932	cmd.exe	chcp.com
PID 4932 wrote to memory of 956	4932	cmd.exe	PING.EXE
PID 4932 wrote to memory of 956	4932	cmd.exe	PING.EXE
PID 4932 wrote to memory of 1032	4932	cmd.exe	Client.exe
PID 4932 wrote to memory of 1032	4932	cmd.exe	Client.exe
PID 1032 wrote to memory of 1284	1032	Client.exe	schtasks.exe
PID 1032 wrote to memory of 1284	1032	Client.exe	schtasks.exe
PID 1032 wrote to memory of 3536	1032	Client.exe	cmd.exe
PID 1032 wrote to memory of 3536	1032	Client.exe	cmd.exe
PID 3536 wrote to memory of 1496	3536	cmd.exe	chcp.com
PID 3536 wrote to memory of 1496	3536	cmd.exe	chcp.com
PID 3536 wrote to memory of 224	3536	cmd.exe	PING.EXE
PID 3536 wrote to memory of 224	3536	cmd.exe	PING.EXE
PID 3536 wrote to memory of 3036	3536	cmd.exe	Client.exe
PID 3536 wrote to memory of 3036	3536	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exe
"C:\Users\Admin\AppData\Local\Temp\90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1372

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyFDE1yJOP8B.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3240

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3268

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8DLvyYFzbyKa.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3240

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1792

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wG66mxrQwUic.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2772

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2356

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oN3iAeGOI7Yi.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4748

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3744

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NDKGWNv3vYmA.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1048

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:956

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uvgbIOfypDxm.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1496

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:224

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y7XkkE7YWdPE.bat" "
15⤵
PID:4416

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:5080

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3244

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMpnCfBdO6Tq.bat" "
17⤵
PID:2856

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:1496

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4444

C:\Users\Admin\AppData\Roaming\Windows\Client.exe
"C:\Users\Admin\AppData\Roaming\Windows\Client.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3384

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8
1⤵
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DLvyYFzbyKa.bat
Filesize
208B

MD5
ab939847ac194e0f603ec7c7d0cc69a4

SHA1
a8888a1779e746427d92f71d251c45f9a540fe34

SHA256
13bab8297ec3bc0d98c23f5276efbad4fab7a9245fa13ce5f25a401efad436c4

SHA512
592f9fe042fcd5ace0828855ebf44e90f3bdd2436556c995740d063ea8e1e9171d3f11228981c63bfba00b737850a2f4e49cfd37508f79fdf2012b7a67e4bb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDKGWNv3vYmA.bat
Filesize
208B

MD5
2cb24a1ccf565ba13712a4a884d94a0b

SHA1
8f18e019eb0bd724b0d6506c474548bbfee35bcd

SHA256
68255ed4c355591e580042a7eac3f316acd6cf4ae110e4572b9f24337f7e7f42

SHA512
579e9fea4844660348624f802c1a595428f698f34b91754f10fb74d82ddaa057f8e89ef0ab22a530998bdcaefe6c32e834115add6df19ae3282a01f2b668d969

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMpnCfBdO6Tq.bat
Filesize
208B

MD5
7924985276427559afc81e6892696299

SHA1
9e4a42c63eaf7b4561374bca813d5d4ce2a6f9c3

SHA256
e72c3bf470c34a0781d682be897b487949166f6426faae4bf7b7379a42da21bd

SHA512
a6f4e12c12b80e96a3d1d2b3e4fd81c23ca519a9d5ecd5ee39f9053a1ac2e9def9a4b050e99f2966f0d7ad945f84fc7c137261427004f3f16d3d4f86e33a907d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyFDE1yJOP8B.bat
Filesize
208B

MD5
6f44cec6085a3f86a0e767c4a4cbeb7c

SHA1
daa5568bc58958d0a9ac385e771bc7c5c04b2b2d

SHA256
e4d23647dd8b946de3237b3b79fd4fcdc0e94dcdabd4c0ed36b64cee66f7db61

SHA512
0516be177ad8621001788b3456fa2e1461f642bbfe78629c36a631a54a221e33a7885ce375e592635e03994542c1f0d6e46b264a8bc236e3c34e8cfa0988f45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oN3iAeGOI7Yi.bat
Filesize
208B

MD5
0b58732d2aea578c111fd138a9e4cbd9

SHA1
acea42c97d5af1a0b5050a30a834520dfc89403e

SHA256
8c035d4cfb522d87762d748954d5804e996335591fb64dbbbf48996032673f6e

SHA512
75ba3d227af046015a0e949015743402268325fa30f5a5e2461f7cbe376d0c0068443d01c1a44b4536305bf9ddb755e4f858aeb927c2c539dce129d82d0d9769

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvgbIOfypDxm.bat
Filesize
208B

MD5
80dfe9ca7a9284700f8fd40d3968b4e3

SHA1
1d871940ce067567328eba6eca125743bb2a5acd

SHA256
94a347066efcbd485e3009dd9509e491dfe2801a188dc8746678c982c464a659

SHA512
ff1d1c940ca0a09ccfcafc4d76d128404f13a2044b200630b798e5869d0d5b990976c479960faf6033281724fcf76d56249c2944ed96e3d6ece690855484d567

Download Submit
C:\Users\Admin\AppData\Local\Temp\wG66mxrQwUic.bat
Filesize
208B

MD5
cf8ac7d72ac09ced592ef94dd57857c0

SHA1
bfabcce04d9c5df97a0946b9e512070a0a087791

SHA256
1f85859f6194b9f55dcdb1fe916b213fd9acb5c13ffaff3cf1300236565d032b

SHA512
e7af7752e240f25c63ae0c276561967cb9d95b971b37d920f3ab23f29af3cf2fe499d868c8f472dcce711701073d9aa22afb90a5a4de57b91e703efb8465159c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7XkkE7YWdPE.bat
Filesize
208B

MD5
a45e400642885cd8e13ec196a9c74db2

SHA1
6eb3d75a318db73e382f8ff195d02331e3b5e3c7

SHA256
a240fc14dd03cdeeda0a7c2be34fa6da65bb0ee1a2315241a46bcdc9f8960d16

SHA512
42a01c85d394ce9cdb2c7787674aad07ce6fb726fcbb5aee8aa921a001ce78ca454aa680dc9975b5025bc2723361e0378c1493ae12205ebe1d912a9632d84d54

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Client.exe
Filesize
3.1MB

MD5
cb9d96470528dad492231fcdf0925086

SHA1
c9c556cabeaa09e24d999fc5d597999a5e0c164d

SHA256
90e6021564d45d877555674a8e44ea83fdac8d4c58d50cec72f068c608c18aab

SHA512
121fd90e09ff59ad056bc15c8c9b90db9298c8a9606a61d20153031bd083ea9df51b8d8c6c34cfb61e8cd6e385bdbe426eeb4c6a85ca87ddea06c7bb3af15a3c

Download Submit
memory/392-30-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/392-35-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/392-31-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/940-70-0x00007FFC41340000-0x00007FFC41E01000-memory.dmp

Filesize
10.8MB

Download
memory/940-71-0x000000001B090000-0x000000001B0A0000-memory.dmp

Filesize
64KB

Download
memory/940-75-0x00007FFC41340000-0x00007FFC41E01000-memory.dmp

Filesize
10.8MB

Download
memory/1032-59-0x00007FFC41340000-0x00007FFC41E01000-memory.dmp

Filesize
10.8MB

Download
memory/1032-54-0x00007FFC41340000-0x00007FFC41E01000-memory.dmp

Filesize
10.8MB

Download
memory/1032-55-0x000000001B120000-0x000000001B130000-memory.dmp

Filesize
64KB

Download
memory/3036-67-0x00007FFC41340000-0x00007FFC41E01000-memory.dmp

Filesize
10.8MB

Download
memory/3036-63-0x000000001B660000-0x000000001B670000-memory.dmp

Filesize
64KB

Download
memory/3036-62-0x00007FFC41340000-0x00007FFC41E01000-memory.dmp

Filesize
10.8MB

Download
memory/3324-46-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/3324-47-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3324-51-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/3384-79-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/3384-78-0x00007FFC40D70000-0x00007FFC41831000-memory.dmp

Filesize
10.8MB

Download
memory/3496-11-0x000000001B330000-0x000000001B340000-memory.dmp

Filesize
64KB

Download
memory/3496-18-0x00007FFC41290000-0x00007FFC41D51000-memory.dmp

Filesize
10.8MB

Download
memory/3496-13-0x000000001BC70000-0x000000001BD22000-memory.dmp

Filesize
712KB

Download
memory/3496-9-0x00007FFC41290000-0x00007FFC41D51000-memory.dmp

Filesize
10.8MB

Download
memory/3496-12-0x000000001B260000-0x000000001B2B0000-memory.dmp

Filesize
320KB

Download
memory/4012-10-0x00007FFC41290000-0x00007FFC41D51000-memory.dmp

Filesize
10.8MB

Download
memory/4012-0-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/4012-2-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/4012-1-0x00007FFC41290000-0x00007FFC41D51000-memory.dmp

Filesize
10.8MB

Download
memory/4276-39-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download
memory/4276-38-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/4276-44-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/5116-27-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/5116-22-0x00007FFC412D0000-0x00007FFC41D91000-memory.dmp

Filesize
10.8MB

Download
memory/5116-23-0x000000001B230000-0x000000001B240000-memory.dmp

Filesize
64KB

Download