quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
76s
max time network
94s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-11-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045059-2.dat	family_quasar
behavioral1/memory/4060-5-0x0000000000680000-0x00000000009A4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 2 IoCs

pid	Process
4060	kreo q zi.exe
3176	Client.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	Client.exe
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3100	notepad.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2000	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
4820	schtasks.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1212	7zFM.exe
Token: 35	1212	7zFM.exe
Token: SeSecurityPrivilege	1212	7zFM.exe
Token: SeDebugPrivilege	4060	kreo q zi.exe
Token: SeDebugPrivilege	3176	Client.exe
Token: SeShutdownPrivilege	232	unregmp2.exe
Token: SeCreatePagefilePrivilege	232	unregmp2.exe
Token: SeShutdownPrivilege	2548	wmplayer.exe
Token: SeCreatePagefilePrivilege	2548	wmplayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1212	7zFM.exe
1212	7zFM.exe
2548	wmplayer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3176	Client.exe
724	OpenWith.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2784	4060	kreo q zi.exe	94
PID 4060 wrote to memory of 2784	4060	kreo q zi.exe	94
PID 4060 wrote to memory of 3176	4060	kreo q zi.exe	96
PID 4060 wrote to memory of 3176	4060	kreo q zi.exe	96
PID 3176 wrote to memory of 4820	3176	Client.exe	97
PID 3176 wrote to memory of 4820	3176	Client.exe	97
PID 3176 wrote to memory of 2000	3176	Client.exe	103
PID 3176 wrote to memory of 2000	3176	Client.exe	103
PID 2548 wrote to memory of 1692	2548	wmplayer.exe	105
PID 2548 wrote to memory of 1692	2548	wmplayer.exe	105
PID 2548 wrote to memory of 1692	2548	wmplayer.exe	105
PID 1692 wrote to memory of 232	1692	unregmp2.exe	119
PID 1692 wrote to memory of 232	1692	unregmp2.exe	119
PID 3176 wrote to memory of 3832	3176	Client.exe	109
PID 3176 wrote to memory of 3832	3176	Client.exe	109
PID 3176 wrote to memory of 3100	3176	Client.exe	110
PID 3176 wrote to memory of 3100	3176	Client.exe	110
PID 3176 wrote to memory of 4952	3176	Client.exe	111
PID 3176 wrote to memory of 4952	3176	Client.exe	111
PID 3176 wrote to memory of 4952	3176	Client.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1212

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2784
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4820
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Roaming\BackupEnable.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2000
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\CheckpointDebug.dot"
    3⤵
    PID:3832
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Roaming\CheckpointRegister.ps1"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3100
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\AppData\Roaming\CompleteUnprotect.potm"
    3⤵
    PID:4952
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\ConvertToOptimize.snd"
    3⤵
    PID:1168
- - C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\DebugUnblock.jpeg"
    3⤵
    PID:4524
- - C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\DenyUninstall.dib"
    3⤵
    PID:1848
- - C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\DisableResize.wmf"
    3⤵
    PID:3892
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\EnterGrant.rtf" /o ""
    3⤵
    PID:3068
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\GetBackup.xht
    3⤵
    PID:2816
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:17410 /prefetch:2
      4⤵
      PID:2088
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:82946 /prefetch:2
      4⤵
      PID:5536
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\GetWait.pptx" /ou ""
    3⤵
    PID:3628
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OptimizeInitialize.vbe"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\PublishUnregister.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:3800
- - C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\PushResolve.ppt" /ou ""
    3⤵
    PID:5144
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\RepairConvertFrom.ogg"
    3⤵
    PID:5364
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\StopImport.docm" /o ""
    3⤵
    PID:5612
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\UpdateRedo.rm"
    3⤵
    PID:5728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:724

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k imgsvc
1⤵
PID:232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
c9096a3a8322c339f2e1621fc58f4141

SHA1
a7bd1868a0ea748fc599a02ec3d9f40161cf64d4

SHA256
8ae34c17a26b80612aa7104e687df28a6bdc58d13e46e68ea4e8a4045e6fe292

SHA512
ddf83ea35bc2fceaea73969e1594193dca52bc8433ba323fcf59c320001f208775521874934611da5ecd4c3162fe902cec5ac56042e7d4c1703265985d48ca59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
eb0d73b1e777c9bc35a7d9b595b59464

SHA1
a32bfacbbe9500136f49e28201f16e750698e197

SHA256
78e106185461cfaa31709e845b38cd1b210795ae0db3ab815d6b2304e73992c8

SHA512
47280485ce9876be89a1663398da1077c40932493dda65ec83a922ff1b463fa0250102e7560ba55b6b292aa2451d30ea8136044341e81f758eae6c5874ab305b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
063793e4ba784832026ec8bc3528f7f1

SHA1
687d03823d7ab8954826f753a645426cff3c5db4

SHA256
cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd

SHA512
225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
e7132f71ecf7ea9fab033110456a05f4

SHA1
809b82216fec80158374e8136dcd00bd50a3aac7

SHA256
2e138d7cec285b6fc7aa2b88cabc4d7e78a0d5e460d143d3fd0d8141107c09ba

SHA512
8ecfdd2e05a53c9b192447f1234d50aefecfb97a90c477ddc86769f47e31e59b544191ce26266a677b86dcfa5c7a1cdfcdb2fff4e21d963a5f53ee73dc7b3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\123E55DE-39AB-4C7F-BDC4-969D5E2720F8

Filesize
174KB

MD5
7b3bcd1d1837ea746df46da53d67f438

SHA1
e8d20d4fb5428530251279f2ebd2f4db4f60e7a6

SHA256
d9440d3707ffb261b6308c97cbc0c61d60db257b42fef3fa84982a8199bf829f

SHA512
58a486da5eb8e734717b5908ed7701102f8f28e918349a08e5bbb5aef36d72ccec82411db1514c97db8c44d4435ce4cf8dc4873148739226df9a7ed31e44f2fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
aee2d3158a7baa52f69411611617dc3b

SHA1
7a60217dbccff3dff46e43f698f3c5d3d56de66f

SHA256
738d591bc40aa4f963d966081c716ced24a4b21268ad8635b865539e641f1952

SHA512
7ac9fbcb1b69ec9fe5473f459b6b815e45a2f79a5ddafe496c013cfc89365b5dd4698448423a54f2b2252467cbac9418a49b3b34a5487efbef436117d33c1d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
e159bc14b53c6ffe6f19bc945b761f7d

SHA1
6b1f7b3d672db0a2fb2121dfab03693d1b584b82

SHA256
14caaa286d387dd5af513b6de00bad58a976ad6361d1fe6048238752c8d4c56b

SHA512
318fc83e14aa5bea699ef5ce2e7f86595918e94fb658fb16ce56aedc226129ee718f79de78d69aab9e6b37a794a31bf8870947d6f6ece18c52f3989ea0eccc82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
f2f0df5cae6f21421ee57789c8c0ee72

SHA1
9852b848f9cb918095af147bbd30d2669131a408

SHA256
1f389c64c1f6d76821706cd934f8c789160fb5117d5379d78db6837a31732ad1

SHA512
ca5aab54661badc71e8ac307bd4dfd273889917ef599c90f659f0fdfe1bd7aa6c3059a119e2fa644e0daf406de3cc32e3a332d733851e91355332e7d840ffac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
c3477a5a43abe199cc778e27a4917dfb

SHA1
008b602d4f5a3521dec30c597094eb6bef009526

SHA256
54c641540eaa5e11dedd19100fcfa91bac13688e4ab290938a15cd5fc084897e

SHA512
f2c9a96444a8a700ee40986fca362b1c5ebe3a047c5f791bd18122d5ad084858e427c43979a2477f326ef61906286d618b1dc797b216369ec1bb4752af28f775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\418A1AA.tmp

Filesize
84B

MD5
2bad8348212f13eca7e4e00b2bc6cfcc

SHA1
aca3f2f7369c965d4cd08dd977909aa9666599f2

SHA256
dca775aa831d9957543115733f2f0592e025ef636760b582073135dff3f47679

SHA512
278a576a46b5ae69c3ef4d14d8472a13e53931053b566ce0ef471900ad9ffdcb2c2ab49000e6e901df7d8cab0de82dbb393198d336dc2c279dd96fbe652ec594

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2C98C0.tmp

Filesize
81B

MD5
986cb4fd8dd3ccb55ebfceaf4f1815b5

SHA1
d4cc40229fbe56163f27dd0a7b4532869e5c9941

SHA256
e03fb43b1f0d498a197d49142ec366845368094bb8372877fbf448a28c452c61

SHA512
5cbd243ef651b407257b046d6ebfa7b00c7a8ba0f904afe446ddf3dd7a5ecbc8dc04101e09aa61d99fa91565af8fe53f1010014fb15db5e4e1728b68ec65a149

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
2404ef6636fb0c0bd01d28a3e2a07ced

SHA1
990735f87cffcc8910ffc277935d6aa8046e22f2

SHA256
532f9ad5d62794594db3bc4e88ce3e3957da41fb9213f6e0206978db6b1b64b9

SHA512
ba5e28316152e09e61402340994384457fa1561ba52ce658f7655c50abc3687b24582207e765a3b0d03f684c96a547c022a19054335ffc00919b08310fe87ddb

Download Submit
C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
073ba9ff5d2ec4c0ac2df4bdd0c9dcf8

SHA1
443330cb51fa55af74cde126baf058d4f1b13082

SHA256
70ba4de9a992589f59b5b0720c911718141cbcb14a348b78c4bdc04776c3aec4

SHA512
ed5148765115979cd8543974a6b845b0b6544ff4e8f0bb6ef2080bdc0592376fc8db7b573894525c005203c161779ac7c96a0776f9412ad119b90938ecc50f1d

Download Submit
memory/2548-102-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-88-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-77-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/2548-103-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-99-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-100-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-101-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-95-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-91-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-92-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-93-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-98-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-87-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-68-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2548-69-0x0000000008670000-0x0000000008680000-memory.dmp

Filesize
64KB

Download
memory/2548-78-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/2548-79-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/2548-81-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-80-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/2548-97-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/2548-76-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/3176-54-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-60-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-10-0x000000001B390000-0x000000001B3E0000-memory.dmp

Filesize
320KB

Download
memory/3176-11-0x000000001C510000-0x000000001C5C2000-memory.dmp

Filesize
712KB

Download
memory/3176-14-0x000000001C490000-0x000000001C4A2000-memory.dmp

Filesize
72KB

Download
memory/3176-15-0x000000001D110000-0x000000001D14C000-memory.dmp

Filesize
240KB

Download
memory/3176-50-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-65-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-64-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-51-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-62-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-63-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-58-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-59-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-61-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-52-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-57-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-56-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-53-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3176-55-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/3628-134-0x00007FFF83CB0000-0x00007FFF83CC0000-memory.dmp

Filesize
64KB

Download
memory/3832-74-0x00007FFF83CB0000-0x00007FFF83CC0000-memory.dmp

Filesize
64KB

Download
memory/3832-90-0x00007FFF814A0000-0x00007FFF814B0000-memory.dmp

Filesize
64KB

Download
memory/3832-70-0x00007FFF83CB0000-0x00007FFF83CC0000-memory.dmp

Filesize
64KB

Download
memory/3832-71-0x00007FFF83CB0000-0x00007FFF83CC0000-memory.dmp

Filesize
64KB

Download
memory/3832-82-0x00007FFF814A0000-0x00007FFF814B0000-memory.dmp

Filesize
64KB

Download
memory/3832-72-0x00007FFF83CB0000-0x00007FFF83CC0000-memory.dmp

Filesize
64KB

Download
memory/3832-73-0x00007FFF83CB0000-0x00007FFF83CC0000-memory.dmp

Filesize
64KB

Download
memory/4060-9-0x00007FFFA4110000-0x00007FFFA4BD2000-memory.dmp

Filesize
10.8MB

Download
memory/4060-6-0x00007FFFA4110000-0x00007FFFA4BD2000-memory.dmp

Filesize
10.8MB

Download
memory/4060-5-0x0000000000680000-0x00000000009A4000-memory.dmp

Filesize
3.1MB

Download
memory/4060-4-0x00007FFFA4113000-0x00007FFFA4115000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads