quasar | 7558de63436a74c9098a73d93359b9ba95500ad1e1d6fc334e9903a20c8c11a3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 03:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe
Size

549KB
MD5

2815d5043a92a90186c60390aae45ae8
SHA1

bd7f9872333566ae83e136c09ed3f485854d178b
SHA256

7558de63436a74c9098a73d93359b9ba95500ad1e1d6fc334e9903a20c8c11a3
SHA512

5e47f07f9a89758275fce74117b5d902d036163e9971caa74f5c6f5d7aaaad0c4c6522b0a9b0a6a1aac1e28d6675ee669da0c6a8a013bc952f1a476edc3dfcad
SSDEEP

12288:GodYzXBmawhPE64UIgElzwyYo+C+k2296qmzGP26QVmGZiNR:lWDBgoUIgEulrk2LHyQVmv

Score

10^/10

quasar rat2020 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

rat2020

rat25565.ddns.net:25565

Mutex

QSR_MUTEX_N4xtXyWxcnI1berfYb

Attributes

encryption_key
4sWRVsjsGntxPl5gXpQW
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
EpicGames Client
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2084-2-0x0000000000B50000-0x0000000000BDA000-memory.dmp	family_quasar
behavioral1/memory/2700-10-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar
behavioral1/memory/2700-12-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar
behavioral1/memory/2700-9-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar
behavioral1/memory/2700-8-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar
behavioral1/memory/2700-7-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar
behavioral1/memory/1648-61-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar
behavioral1/memory/1648-60-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar
behavioral1/memory/2444-88-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar
behavioral1/memory/2444-87-0x0000000000400000-0x000000000048A000-memory.dmp	family_quasar

Executes dropped EXE 11 IoCs

pid	Process
2188	Client.exe
2580	Client.exe
1800	Client.exe
1648	Client.exe
2268	Client.exe
2444	Client.exe
972	Client.exe
1484	Client.exe
2140	Client.exe
1624	Client.exe
2756	Client.exe

Loads dropped DLL 12 IoCs

pid	Process
2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe
2188	Client.exe
2724	cmd.exe
1800	Client.exe
2900	cmd.exe
2268	Client.exe
2060	cmd.exe
972	Client.exe
2844	cmd.exe
2140	Client.exe
2760	cmd.exe
2756	Client.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SubDir\Client.exe	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Client.exe	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1204	schtasks.exe
2412	schtasks.exe
2544	schtasks.exe
1576	schtasks.exe
2168	schtasks.exe
1828	schtasks.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2808	PING.EXE
1152	PING.EXE
1924	PING.EXE
2188	PING.EXE
2792	PING.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe
Token: SeDebugPrivilege	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe
Token: SeDebugPrivilege	2188	Client.exe
Token: SeDebugPrivilege	2580	Client.exe
Token: SeDebugPrivilege	1800	Client.exe
Token: SeDebugPrivilege	1648	Client.exe
Token: SeDebugPrivilege	2268	Client.exe
Token: SeDebugPrivilege	2444	Client.exe
Token: SeDebugPrivilege	972	Client.exe
Token: SeDebugPrivilege	1484	Client.exe
Token: SeDebugPrivilege	2140	Client.exe
Token: SeDebugPrivilege	1624	Client.exe
Token: SeDebugPrivilege	2756	Client.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2580	Client.exe
1648	Client.exe
2444	Client.exe
1484	Client.exe
1624	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2700	2084	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	28
PID 2700 wrote to memory of 2544	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2544	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2544	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2544	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2188	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2188	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2188	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2188	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2188	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2188	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2188	2700	2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe	32
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2188 wrote to memory of 2580	2188	Client.exe	33
PID 2580 wrote to memory of 1576	2580	Client.exe	34
PID 2580 wrote to memory of 1576	2580	Client.exe	34
PID 2580 wrote to memory of 1576	2580	Client.exe	34
PID 2580 wrote to memory of 1576	2580	Client.exe	34
PID 2580 wrote to memory of 2724	2580	Client.exe	36
PID 2580 wrote to memory of 2724	2580	Client.exe	36
PID 2580 wrote to memory of 2724	2580	Client.exe	36
PID 2580 wrote to memory of 2724	2580	Client.exe	36
PID 2724 wrote to memory of 2776	2724	cmd.exe	38
PID 2724 wrote to memory of 2776	2724	cmd.exe	38
PID 2724 wrote to memory of 2776	2724	cmd.exe	38
PID 2724 wrote to memory of 2776	2724	cmd.exe	38
PID 2724 wrote to memory of 2792	2724	cmd.exe	39
PID 2724 wrote to memory of 2792	2724	cmd.exe	39
PID 2724 wrote to memory of 2792	2724	cmd.exe	39
PID 2724 wrote to memory of 2792	2724	cmd.exe	39
PID 2724 wrote to memory of 1800	2724	cmd.exe	40
PID 2724 wrote to memory of 1800	2724	cmd.exe	40
PID 2724 wrote to memory of 1800	2724	cmd.exe	40
PID 2724 wrote to memory of 1800	2724	cmd.exe	40
PID 2724 wrote to memory of 1800	2724	cmd.exe	40
PID 2724 wrote to memory of 1800	2724	cmd.exe	40
PID 2724 wrote to memory of 1800	2724	cmd.exe	40
PID 1800 wrote to memory of 1648	1800	Client.exe	41
PID 1800 wrote to memory of 1648	1800	Client.exe	41
PID 1800 wrote to memory of 1648	1800	Client.exe	41
PID 1800 wrote to memory of 1648	1800	Client.exe	41
PID 1800 wrote to memory of 1648	1800	Client.exe	41
PID 1800 wrote to memory of 1648	1800	Client.exe	41

C:\Users\Admin\AppData\Local\Temp\2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\2815d5043a92a90186c60390aae45ae8_JaffaCakes118.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2544
- - C:\Windows\SysWOW64\SubDir\Client.exe
    "C:\Windows\SysWOW64\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\SysWOW64\SubDir\Client.exe
      "C:\Windows\SysWOW64\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1576
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZwaH1ACoycve.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2792
      - C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZY4xxyVJOwYG.bat" "
        8⤵
        Loads dropped DLL
        
        PID:2900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2808
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qnBnRoUlqTbu.bat" "
        11⤵
        Loads dropped DLL
        
        PID:2060
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:1152
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Creates scheduled task(s)
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qPfSNbnGGnEX.bat" "
        14⤵
        Loads dropped DLL
        
        PID:2844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1924
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Creates scheduled task(s)
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImOhxzpiSp62.bat" "
        17⤵
        Loads dropped DLL
        
        PID:2760
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:2188
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        19⤵
        
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ImOhxzpiSp62.bat

Filesize
196B

MD5
7bbee7ca49e92e1026534e562bc2112f

SHA1
3e510aecc93dfe8685f952377de19ed8821ab47e

SHA256
e8a555ec1e56cfb2498a6cd51faebe714e95a327d5b12968773f557ac3a87feb

SHA512
e1432dbcf27173fa000d1f5a34a211c151bdb0f114fe14b25ee52614027d5c85a9b89971f191a7521a64a7da3567fb153482cb902aeaddda4cb8ab11ae287366

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZY4xxyVJOwYG.bat

Filesize
196B

MD5
86a893f5eb722ccf2768e2b7391cf46d

SHA1
39c6c4b9c464dacde1a5efa518859aa194270096

SHA256
b36f5724005d4349cdfcb1c8181414b11bcc00e85fca616d6d9e29acb83fe82f

SHA512
d8d377c6b8bf38bf06395597ad744ab591351b990e847b4e2f3207af99f4e289127b0918cd9b72b461b53ee5a6840c234dd53d6902cd65236f83940fdb25bb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwaH1ACoycve.bat

Filesize
196B

MD5
ca72eefcb4193bfa9bc6e5a6e3b81a46

SHA1
a5f37635cf8eb2fe4cadcbd510554d2b9e2bc688

SHA256
f57e399118b43c589cdc3e0326c6ae0bb67537a063f61eea5b1da02974bed6a1

SHA512
a1192dfc26fd33f897aeece5645f9d2d1d110e58bd5efaf202439d053a26fecdb472d4f8af9b03d7a92d546fc0b123ab7477f7c4e28a5bd8e7a05affbecec3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qPfSNbnGGnEX.bat

Filesize
196B

MD5
581f07bf7932ec1177d3f6a944bc3b94

SHA1
069c7bef19708d067848eff24da6cfd5442431ee

SHA256
4b5d12d37e6b11b94bf264e465ac692af3f075efadcdd99e0f3f475a34628be7

SHA512
a3066959045f9af4241c8a0a9c63640e90b481b375374ebf52084906563f5cc13a24b4003a9255ac01fdf13c8fc7c373fa4f992b0f41761def9df8139a905aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnBnRoUlqTbu.bat

Filesize
196B

MD5
473f60d0f6618a59dc48c4ed22cada29

SHA1
0eabea23e93fa25af047da8228fb4e96e67d97af

SHA256
21ee393f1821c9f1eaade1f722fe6a81db5ac7e3f9a830e9c9559bb82785e9bd

SHA512
53ffe64e6621575d290faca7545451be0f8ec4827f4846026c808be43e199a7162e3b45901129ba90005d08f71ea4f39f031e60b076bc2c1622ab00fc44a00a2

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-09-2024

Filesize
224B

MD5
e04306a44d2acdfedad43e86cff2171f

SHA1
82ebd74922f6dcffe977ca0e73f977349f053f8d

SHA256
f8f807fb75fbe6645b58ef9de13622802eaf2057e7094ae23ea234ae5fc5bb9d

SHA512
cd812ca1579456aa3467442d018b5d697d9f677cf0253ae2e354460403a41e14b5807c683d34a8db71b2b85581beb1ff6731770a59051fa68628d10a48b50d64

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-09-2024

Filesize
224B

MD5
197ec8acffca8222059ed17ba99cd899

SHA1
bdc89ac3a6d99db248bab6b92e199da62e57c87b

SHA256
c95bc8f8c0e4ea8bc0e6721b8798f2f80913e014be774292cb98e7419d8c7d1f

SHA512
8b11752606bd4cad60f3c332a696a02d4465c582abf532a293daa40cae9da8dad0d8133a3a9af76d64c02491585e49de55dfaeba816a8c63ed86c438c4cb8c5c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-09-2024

Filesize
224B

MD5
eef42a0f2344411ec4ba7c5d0676e5f8

SHA1
3709c92eb8ec183971740460c3eeae0ec52e45e4

SHA256
f203fc3d12ba7098fa36d52cbaa9a63c845ca93bd0c19b69c1d9b55881e922bd

SHA512
dcc2e2501fcf2a0c3485a73a11b730140b157ad46944f66139a7248719467110a5dacd6cafa344f615786fa8556d26089374af8b2cacd21f0269c374a2e4ed2d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-09-2024

Filesize
224B

MD5
44e37fe92e80e356f0ec448eb1d4ea0a

SHA1
a8b2a3eb7dc23d5de6fae49cf8ed01456642ee56

SHA256
d5663b70eace227e8fb8164e65d32c6a7f54ec3ecb3277776a33bf970d2aa94e

SHA512
f47abcae326d38fdd8582f6fe502f733bdf863bc881289b5ab265b097202ad0a5f179863d8c4d7c6cd34a1bfc35c9bcd2a28680ba38b6a7c3481c31c40e931e1

Download Submit
\Windows\SysWOW64\SubDir\Client.exe

Filesize
549KB

MD5
2815d5043a92a90186c60390aae45ae8

SHA1
bd7f9872333566ae83e136c09ed3f485854d178b

SHA256
7558de63436a74c9098a73d93359b9ba95500ad1e1d6fc334e9903a20c8c11a3

SHA512
5e47f07f9a89758275fce74117b5d902d036163e9971caa74f5c6f5d7aaaad0c4c6522b0a9b0a6a1aac1e28d6675ee669da0c6a8a013bc952f1a476edc3dfcad

Download Submit
memory/972-102-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/1624-131-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1648-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1648-61-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1648-60-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1800-48-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/2084-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/2084-2-0x0000000000B50000-0x0000000000BDA000-memory.dmp

Filesize
552KB

Download
memory/2084-1-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/2140-129-0x0000000001030000-0x000000000103C000-memory.dmp

Filesize
48KB

Download
memory/2188-21-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/2268-75-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/2444-87-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2444-88-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2444-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-14-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-22-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-7-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-13-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download
memory/2700-9-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-12-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-10-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2700-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-156-0x0000000001030000-0x000000000103C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads