quasar | b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd

General

Target

b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
Size

539KB
MD5

c05d4bfb1c0e89db58fa981980938b76
SHA1

12801b26c7b68224c8540ad08ad9387110d0fd46
SHA256

b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd
SHA512

926f6d48a44b7b56667e5b74dc3f7cff513f6ae02edd07df0ca2e5bc21690e5cdef77213307d8595a9a4127b582f5fc50aab0b97350e08b7486c33e4ada651c5
SSDEEP

12288:unm5pMGjw5LSk0zWbzGsoYFAY7NvlDmmM:um5GGjw5LSk0zWbzRoYbvlSH

Score

10^/10

quasar controlhost spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Controlhost

C2

121.43.158.106:4782

yc01h.11ychos.xyz:4782

Mutex

QSR_MUTEX_GFWuzMTNQOijYUKopR

Attributes

encryption_key
Xym3BhtshKCyrit7obQT8XbWGz4i7Yw4
install_name
Controlhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Controlhost
subdirectory
Controlhost

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

PING.EXE

flow ioc

12 ip-api.com
2484 PING.EXE
56 ip-api.com
83 ip-api.com

flow	ioc
12	ip-api.com
2484	PING.EXE
56	ip-api.com
83	ip-api.com

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4400-1-0x0000000000C00000-0x0000000000C8C000-memory.dmp	family_quasar

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4400-1-0x0000000000C00000-0x0000000000C8C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables containing common artifacts observed in infostealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4400-1-0x0000000000C00000-0x0000000000C8C000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
56 ip-api.com
83 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
12	ip-api.com
56	ip-api.com
83	ip-api.com

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1644	4400	WerFault.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
2320	2468	WerFault.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
1668	452	WerFault.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
3836	1380	WerFault.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2484 PING.EXE
1108 PING.EXE
4556 PING.EXE
4444 PING.EXE

pid	process
2484	PING.EXE
1108	PING.EXE
4556	PING.EXE
4444	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe

description	pid	process
Token: SeDebugPrivilege	4400	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
Token: SeDebugPrivilege	2468	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
Token: SeDebugPrivilege	452	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
Token: SeDebugPrivilege	1380	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
Token: SeDebugPrivilege	2528	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe

pid	process
4400	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
2468	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
452	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
1380	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
2528	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.execmd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.execmd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.execmd.exeb923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.execmd.exe

description	pid	process	target process
PID 4400 wrote to memory of 4604	4400	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 4400 wrote to memory of 4604	4400	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 4400 wrote to memory of 4604	4400	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 4604 wrote to memory of 3156	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 3156	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 3156	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 2484	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 2484	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 2484	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 2468	4604	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 4604 wrote to memory of 2468	4604	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 4604 wrote to memory of 2468	4604	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 2468 wrote to memory of 4412	2468	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 2468 wrote to memory of 4412	2468	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 2468 wrote to memory of 4412	2468	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 4412 wrote to memory of 4500	4412	cmd.exe	chcp.com
PID 4412 wrote to memory of 4500	4412	cmd.exe	chcp.com
PID 4412 wrote to memory of 4500	4412	cmd.exe	chcp.com
PID 4412 wrote to memory of 1108	4412	cmd.exe	PING.EXE
PID 4412 wrote to memory of 1108	4412	cmd.exe	PING.EXE
PID 4412 wrote to memory of 1108	4412	cmd.exe	PING.EXE
PID 4412 wrote to memory of 452	4412	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 4412 wrote to memory of 452	4412	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 4412 wrote to memory of 452	4412	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 452 wrote to memory of 4576	452	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 452 wrote to memory of 4576	452	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 452 wrote to memory of 4576	452	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 4576 wrote to memory of 2444	4576	cmd.exe	chcp.com
PID 4576 wrote to memory of 2444	4576	cmd.exe	chcp.com
PID 4576 wrote to memory of 2444	4576	cmd.exe	chcp.com
PID 4576 wrote to memory of 4556	4576	cmd.exe	PING.EXE
PID 4576 wrote to memory of 4556	4576	cmd.exe	PING.EXE
PID 4576 wrote to memory of 4556	4576	cmd.exe	PING.EXE
PID 4576 wrote to memory of 1380	4576	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 4576 wrote to memory of 1380	4576	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 4576 wrote to memory of 1380	4576	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 1380 wrote to memory of 2064	1380	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 1380 wrote to memory of 2064	1380	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 1380 wrote to memory of 2064	1380	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe	cmd.exe
PID 2064 wrote to memory of 4992	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 4992	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 4992	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 4444	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 4444	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 4444	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 2528	2064	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 2064 wrote to memory of 2528	2064	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
PID 2064 wrote to memory of 2528	2064	cmd.exe	b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe

C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
"C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EHh1Q4esfuPG.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3156

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Quasar RAT
- Runs ping.exe
PID:2484

C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
"C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UVRbVt1O94sx.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:4500

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:1108

C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
"C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DH6w4DvF07f7.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:2444

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4556

C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
"C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKjbqxzRbT0w.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:4992

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:4444

C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe
"C:\Users\Admin\AppData\Local\Temp\b923f253757397be0e1b86c92a0854d0eef612fcc3c99fd5be8f96e309d8d5fd.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 2308
8⤵
- Program crash
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 2316
6⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 2088
4⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 2116
2⤵
- Program crash
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=1268 /prefetch:8
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4400 -ip 4400
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2468 -ip 2468
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 452 -ip 452
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1380 -ip 1380
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DH6w4DvF07f7.bat
Filesize
261B

MD5
9285bb39cc34c39435f48165ceb668aa

SHA1
7f7eea270489ce558bc4c8aa5207ba4f90322780

SHA256
b2b2504f8e06369a84d9d4ffe68dc0838f7198b0d95ce4dc2463c1fbf48c5572

SHA512
bbeba74c7bd6ecdceed289ca6c727f1152de01356011127b19411caed0dab7d29cf7f3c77b1eade19e55adb46c413ff1a6832889863d81812a6ea8012cc202c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHh1Q4esfuPG.bat
Filesize
261B

MD5
5156073719ee8d89bb1f9dae1f69d665

SHA1
d843de8b844ece33ca02a487a968d69cd5ad12fd

SHA256
bad92167a1161d9bd4eb9a87c55f8ca74b9a0fece7f91f007f09a1a37351f489

SHA512
a278b23afc497909d61942f8ba743eac7815c3942b61d4549e7b85c04269d4c2cfb9b76aeb95f70a28d76bd516bb63c208db31c9fdecdedeccc2f070ec3ff621

Download Submit
C:\Users\Admin\AppData\Local\Temp\UVRbVt1O94sx.bat
Filesize
261B

MD5
b0e70bf44be90f9fddfe7c1943217b00

SHA1
d9a39368b3402d415c7f3fef19149ab15e2ed403

SHA256
6b19b9a3e373010accf4cd66906da98bc8a2c9d9b0a5611ddf0df5982c80daf3

SHA512
8581e00a77ab18b2c97b976265cf317b19f82ec8a51011ffdaaac933aeae49139c4c95c75a6399fd7aefd5663f03874eedf08d5fec46a480e538df4de580dcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sKjbqxzRbT0w.bat
Filesize
261B

MD5
9e92ca615a3e11cd51c58330f82c35db

SHA1
7166c2498f91a914f0b6b2304bda349ab8fac1c0

SHA256
9b86a6f4ff914906de83e819cace55c47f27482cd47153c2d67374e7907f5288

SHA512
3d872676a7b4fc4ac39b4e78e9eaf8a0f4a848213f2707c94352f654668b6dbdb28e26be576503607380f8715da82ed949441e1997e841f9709b2b7bf938b975

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-27-2024
Filesize
224B

MD5
e16591a18c3fe3e815e34e769f800474

SHA1
f91521a294b8864bc7442eadb7dbe5b59592a748

SHA256
2a6c089e0bc141f993ffa1cffcdcb70703b46a15c9b6277e077181d69183455a

SHA512
65b555975dbecc2a028bbf75cecc450dbd39ce7d0329c0af7b1aaa684fa74085533347cfaa49d7e7be086366f6a7735daa851e94e4223b43c2a1050c6ccbc7d6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-27-2024
Filesize
224B

MD5
3962498ccfc3fc205f9a3c0bd4b138a6

SHA1
79595531b0a3bf4a2dd4ef83998cfa536e02e082

SHA256
1f6eaaf1ae9440fafbbdc292178dfdf5fdf31be07c7cb9ee2a5bc9113a14a43b

SHA512
65e15d306786909b6d84f72a62fe2d91345a3629b73fc29c0c643527bc7a9ce79b02ee666ee77d04fffdd69310d37c04f82c3ac214c86b85c8979332d32995a1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-27-2024
Filesize
224B

MD5
ff8c82f07f523e5841fa29bdc135ddf5

SHA1
18e9adc5191af43d0709a6452c435511b2539d74

SHA256
039f8261c299769ea234eb54306d2c2137266071caa4a669f9fca946f7bd6b9e

SHA512
d361bce22a102d583b5ea4787cff955b2d5c5f7e784a196055066c5c20c52a5d11a5bcba7f396895fba2536f651eafd97e1bc4b5f88c23a38c60613aee5738ae

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\05-27-2024
Filesize
224B

MD5
c08cfba081e1420da4894cff7a847c4b

SHA1
dee944abe812697c5a7aa307b12ce8fbc0b561f2

SHA256
b1e83ed8d369d9110a4bffb93c96c23b33855ab95bfea2290640d39cfacc6f35

SHA512
0ba8b3070af4b1f5c28e42b6f5c0adb33593f6a2ca62fa9f94769c29d74247b5c7e4cbdc042502fa1e28b818bce3b5216525020523e5a5c9da2dfd66cd900779

Download Submit
memory/2468-29-0x0000000074550000-0x00000000745FB000-memory.dmp

Filesize
684KB

Download
memory/2468-24-0x0000000074550000-0x00000000745FB000-memory.dmp

Filesize
684KB

Download
memory/2468-21-0x0000000074550000-0x00000000745FB000-memory.dmp

Filesize
684KB

Download
memory/4400-6-0x00000000064F0000-0x0000000006502000-memory.dmp

Filesize
72KB

Download
memory/4400-9-0x0000000006F20000-0x0000000006F70000-memory.dmp

Filesize
320KB

Download
memory/4400-14-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/4400-15-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-11-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/4400-20-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-10-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/4400-12-0x0000000007AA0000-0x0000000007B52000-memory.dmp

Filesize
712KB

Download
memory/4400-8-0x0000000007480000-0x0000000007A98000-memory.dmp

Filesize
6.1MB

Download
memory/4400-7-0x0000000006B70000-0x0000000006BAC000-memory.dmp

Filesize
240KB

Download
memory/4400-0-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/4400-5-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4400-4-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4400-3-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/4400-2-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/4400-1-0x0000000000C00000-0x0000000000C8C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads