quasar | 30f2e4ca621ecdb886fba8ce596d07090d1730bfcec91112d9011bfb58270f81

Analysis

max time kernel
64s
max time network
65s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-11-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ss.exe
Size

3.1MB
MD5

78859f6e8d39f50e6470af9112d61afd
SHA1

e34aef15bfcfcd3066f90e33cecffced76422aaa
SHA256

30f2e4ca621ecdb886fba8ce596d07090d1730bfcec91112d9011bfb58270f81
SHA512

14ea0a38210bb1da5b09069b0e95e8800b24941bc4bc5f3bb957eb675ff53757eb0ae9aae53c31fa007197e9cc65cd4a183dfb36f7c96e3ab85e3daf65b25756
SSDEEP

49152:fvrhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaHdxNESEUk/iCLoGdEPTHHB72eh2NT:fvjt2d5aKCuVPzlEmVQ0wvwf9xDM

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

gorodpro-37914.portmap.host:37914

Mutex

1c5ec883-e96d-4a3a-9035-7a940d47aeb7

Attributes

encryption_key
99E87F88E9E967A51725453CB8223ADDB8256DE2
install_name
WindowsDefender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
WindowsDefender

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/764-1-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar
behavioral1/files/0x0028000000045132-3.dat	family_quasar

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe

Executes dropped EXE 7 IoCs

pid	Process
3996	WindowsDefender.exe
3588	WindowsDefender.exe
4056	WindowsDefender.exe
4880	WindowsDefender.exe
396	WindowsDefender.exe
2056	WindowsDefender.exe
1924	WindowsDefender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4388	PING.EXE
4456	PING.EXE
3060	PING.EXE
1876	PING.EXE
3336	PING.EXE
2476	PING.EXE
1692	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2476	PING.EXE
1692	PING.EXE
4388	PING.EXE
4456	PING.EXE
3060	PING.EXE
1876	PING.EXE
3336	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4392	schtasks.exe
3060	schtasks.exe
1912	schtasks.exe
4704	schtasks.exe
3236	schtasks.exe
3872	schtasks.exe
3448	schtasks.exe
2780	schtasks.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	ss.exe
Token: SeDebugPrivilege	3996	WindowsDefender.exe
Token: SeDebugPrivilege	3588	WindowsDefender.exe
Token: SeDebugPrivilege	4056	WindowsDefender.exe
Token: SeDebugPrivilege	4880	WindowsDefender.exe
Token: SeDebugPrivilege	396	WindowsDefender.exe
Token: SeDebugPrivilege	2056	WindowsDefender.exe
Token: SeDebugPrivilege	1924	WindowsDefender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 4392	764	ss.exe	85
PID 764 wrote to memory of 4392	764	ss.exe	85
PID 764 wrote to memory of 3996	764	ss.exe	87
PID 764 wrote to memory of 3996	764	ss.exe	87
PID 3996 wrote to memory of 3060	3996	WindowsDefender.exe	88
PID 3996 wrote to memory of 3060	3996	WindowsDefender.exe	88
PID 3996 wrote to memory of 4108	3996	WindowsDefender.exe	90
PID 3996 wrote to memory of 4108	3996	WindowsDefender.exe	90
PID 4108 wrote to memory of 5064	4108	cmd.exe	92
PID 4108 wrote to memory of 5064	4108	cmd.exe	92
PID 4108 wrote to memory of 2476	4108	cmd.exe	93
PID 4108 wrote to memory of 2476	4108	cmd.exe	93
PID 4108 wrote to memory of 3588	4108	cmd.exe	101
PID 4108 wrote to memory of 3588	4108	cmd.exe	101
PID 3588 wrote to memory of 1912	3588	WindowsDefender.exe	102
PID 3588 wrote to memory of 1912	3588	WindowsDefender.exe	102
PID 3588 wrote to memory of 4472	3588	WindowsDefender.exe	104
PID 3588 wrote to memory of 4472	3588	WindowsDefender.exe	104
PID 4472 wrote to memory of 2908	4472	cmd.exe	106
PID 4472 wrote to memory of 2908	4472	cmd.exe	106
PID 4472 wrote to memory of 1692	4472	cmd.exe	107
PID 4472 wrote to memory of 1692	4472	cmd.exe	107
PID 4472 wrote to memory of 4056	4472	cmd.exe	108
PID 4472 wrote to memory of 4056	4472	cmd.exe	108
PID 4056 wrote to memory of 4704	4056	WindowsDefender.exe	109
PID 4056 wrote to memory of 4704	4056	WindowsDefender.exe	109
PID 4056 wrote to memory of 2792	4056	WindowsDefender.exe	111
PID 4056 wrote to memory of 2792	4056	WindowsDefender.exe	111
PID 2792 wrote to memory of 3820	2792	cmd.exe	113
PID 2792 wrote to memory of 3820	2792	cmd.exe	113
PID 2792 wrote to memory of 4388	2792	cmd.exe	114
PID 2792 wrote to memory of 4388	2792	cmd.exe	114
PID 2792 wrote to memory of 4880	2792	cmd.exe	116
PID 2792 wrote to memory of 4880	2792	cmd.exe	116
PID 4880 wrote to memory of 3236	4880	WindowsDefender.exe	117
PID 4880 wrote to memory of 3236	4880	WindowsDefender.exe	117
PID 4880 wrote to memory of 3012	4880	WindowsDefender.exe	119
PID 4880 wrote to memory of 3012	4880	WindowsDefender.exe	119
PID 3012 wrote to memory of 4500	3012	cmd.exe	121
PID 3012 wrote to memory of 4500	3012	cmd.exe	121
PID 3012 wrote to memory of 4456	3012	cmd.exe	122
PID 3012 wrote to memory of 4456	3012	cmd.exe	122
PID 3012 wrote to memory of 396	3012	cmd.exe	123
PID 3012 wrote to memory of 396	3012	cmd.exe	123
PID 396 wrote to memory of 3872	396	WindowsDefender.exe	124
PID 396 wrote to memory of 3872	396	WindowsDefender.exe	124
PID 396 wrote to memory of 1460	396	WindowsDefender.exe	126
PID 396 wrote to memory of 1460	396	WindowsDefender.exe	126
PID 1460 wrote to memory of 2096	1460	cmd.exe	128
PID 1460 wrote to memory of 2096	1460	cmd.exe	128
PID 1460 wrote to memory of 3060	1460	cmd.exe	129
PID 1460 wrote to memory of 3060	1460	cmd.exe	129
PID 1460 wrote to memory of 2056	1460	cmd.exe	130
PID 1460 wrote to memory of 2056	1460	cmd.exe	130
PID 2056 wrote to memory of 3448	2056	WindowsDefender.exe	131
PID 2056 wrote to memory of 3448	2056	WindowsDefender.exe	131
PID 2056 wrote to memory of 3868	2056	WindowsDefender.exe	133
PID 2056 wrote to memory of 3868	2056	WindowsDefender.exe	133
PID 3868 wrote to memory of 2456	3868	cmd.exe	135
PID 3868 wrote to memory of 2456	3868	cmd.exe	135
PID 3868 wrote to memory of 1876	3868	cmd.exe	136
PID 3868 wrote to memory of 1876	3868	cmd.exe	136
PID 3868 wrote to memory of 1924	3868	cmd.exe	137
PID 3868 wrote to memory of 1924	3868	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ss.exe
"C:\Users\Admin\AppData\Local\Temp\ss.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4392
- C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
  "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BG1UzWX7VqpA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5064
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2476
  - - C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
      "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgUrdgnsl1AG.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2908
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692
      - C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCDKwPDB5WvK.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0q9GO3uEU0HP.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pRQdYJhdGyKr.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuprJnWOuK20.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Warj0DIEade.bat" "
        15⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsDefender.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\0q9GO3uEU0HP.bat

Filesize
225B

MD5
66f26e275ad958bee10a8ba90a810058

SHA1
44428f5de836e7d4737243862d6527a510b1dd70

SHA256
80c1d13c9f0e3ef823874ce1ceba11eded280d8a9eb09072a293ea787655f9a7

SHA512
f11404832b6d5a4adb144bb958fe2638368dd6a961e7788338bf4bd6d25f849e570a7cddff33cc19556dd8eb701122d8940ba01da172c8414497c86ae9e3c100

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Warj0DIEade.bat

Filesize
225B

MD5
15a181b6994dce302a94ae6fb3ef3752

SHA1
418b00a6de6eaee892e0a370154695ea911ef9b5

SHA256
3d0d7a4f45107279e688182e06d31cc2171cb805d46bc9bddb924fe6290600bf

SHA512
960d44922ee5fef09e917f4d5c951ab91792b7bfb652c96c6f4eacc783ae4dc6b3c60913735476cbfe8b6a332e3747cdd93d1ca7065e6c4384f0425c72ef4737

Download Submit
C:\Users\Admin\AppData\Local\Temp\BG1UzWX7VqpA.bat

Filesize
225B

MD5
123a898e342e42f93c660ce38a416a9e

SHA1
766ad4030f4cc4fe4fb73aa8580b101ff6ff996f

SHA256
7e06526895d32602a2b4d1701ed380890160dac818fc615d6c008dc52a50195f

SHA512
2a5627851122dd08461d10a5e59269dae03151e1e9e2130c972c14006a5ec4f2d935842295a85d6e2fb9422853010a6f58718dcd8a8669546bb7410b148445e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuprJnWOuK20.bat

Filesize
225B

MD5
b600fe13268ac442e0792885249e97ce

SHA1
57d87b97881fe2056ebcdf55b31cafff20497fe0

SHA256
51716ffcd4282161b3e148a3e52367f3dad0640c40bbedaf7860e6f9e80c5200

SHA512
46bba697867ec5153a7e04258b93a7db138346abe2527e0656e34b188d22189f2be4b35c00fe26f603c8b05d79db508d0d9dc5b6de424b500b3d4493813ffed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgUrdgnsl1AG.bat

Filesize
225B

MD5
71c95735dfca37e0386c8f16ec3c479b

SHA1
e965fe1f1cc3d61ec568e642f2b11e5e33c5ef12

SHA256
ce6c33708211892d822880aa0e9f216845b0e092c8459eb32308a61a559321c8

SHA512
c441ae713ab84a0777bf14cb8d9bcca5a0e292b61e1c0db053fbb45841bf5fbc1e89f20fbcd79e8778bd68ae447f436b84b915c9939c466d5206f3375623c911

Download Submit
C:\Users\Admin\AppData\Local\Temp\pRQdYJhdGyKr.bat

Filesize
225B

MD5
0c016d673fff4846cdfab123c2efffc4

SHA1
32f4c5095bff2a622b7d62225a2fba062c7c7d66

SHA256
c8705d9b782db6ac46dcd726f2bc302ccd39c66ddbafd2b0cbdf9e3b85a6497f

SHA512
e9eff93c3717256d1fe36d23107b367252406e572e2ccefae43d97e71651a4021eee64863dd347abc5e13025ae5f31e0d6b06e35ee5a0935ed5dfb4847ec961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCDKwPDB5WvK.bat

Filesize
225B

MD5
9080e23a351b343d1db4e53413c91161

SHA1
a488089c763b2eef9f3fe4d35b26726fc2b197e7

SHA256
2490f412ce61c9a071c199ee35c45ce722079c114ce2b07106b2277be5d898b3

SHA512
5c9ef931cb1c542d587cd6ca3e632358979bcb7d4a66201a04eee2bc16ac1467b6d41a95471e4cdead4d8513edfed961ee4f15b9e4c0d95f1aca63506a4a448a

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe

Filesize
3.1MB

MD5
78859f6e8d39f50e6470af9112d61afd

SHA1
e34aef15bfcfcd3066f90e33cecffced76422aaa

SHA256
30f2e4ca621ecdb886fba8ce596d07090d1730bfcec91112d9011bfb58270f81

SHA512
14ea0a38210bb1da5b09069b0e95e8800b24941bc4bc5f3bb957eb675ff53757eb0ae9aae53c31fa007197e9cc65cd4a183dfb36f7c96e3ab85e3daf65b25756

Download Submit
memory/764-5-0x00007FFB80020000-0x00007FFB80AE2000-memory.dmp

Filesize
10.8MB

Download
memory/764-0-0x00007FFB80023000-0x00007FFB80025000-memory.dmp

Filesize
8KB

Download
memory/764-2-0x00007FFB80020000-0x00007FFB80AE2000-memory.dmp

Filesize
10.8MB

Download
memory/764-1-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download
memory/3996-17-0x00007FFB80020000-0x00007FFB80AE2000-memory.dmp

Filesize
10.8MB

Download
memory/3996-9-0x000000001CD30000-0x000000001CDE2000-memory.dmp

Filesize
712KB

Download
memory/3996-8-0x000000001BB90000-0x000000001BBE0000-memory.dmp

Filesize
320KB

Download
memory/3996-7-0x00007FFB80020000-0x00007FFB80AE2000-memory.dmp

Filesize
10.8MB

Download
memory/3996-6-0x00007FFB80020000-0x00007FFB80AE2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads