quasar | 8cbf4bc37d1cdcd9448ee1b1e0ccd78e1c086c4f3204fb416eb5ef54cd560dd1

Analysis

max time kernel
94s
max time network
102s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-11-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

64883e389e15c6d937ec877f70be133b
SHA1

9db3db888d02b722eb884d4420ac8c87333d4c35
SHA256

8cbf4bc37d1cdcd9448ee1b1e0ccd78e1c086c4f3204fb416eb5ef54cd560dd1
SHA512

e9b88f75c978110d8867451f717d1d8cc7778f35895e445f712440913ddbc63cfa795eff36b82ca9b399d02d1577495b2f863cc6d12337482278d5e616418858
SSDEEP

49152:/vrhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkabuNkSgLoGVrFcTHHB72eh2NT:/vjt2d5aKCuVPzlEmVQ0wvwfbuNkS+

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

gorodpro-37914.portmap.host:37914

Mutex

1c5ec883-e96d-4a3a-9035-7a940d47aeb7

Attributes

encryption_key
99E87F88E9E967A51725453CB8223ADDB8256DE2
install_name
WindowsDefender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
WindowsDefender

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3704-1-0x0000000000650000-0x0000000000974000-memory.dmp	family_quasar
behavioral1/files/0x00280000000450b1-3.dat	family_quasar

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe

Executes dropped EXE 9 IoCs

pid	Process
3232	WindowsDefender.exe
3052	WindowsDefender.exe
1128	WindowsDefender.exe
2276	WindowsDefender.exe
1540	WindowsDefender.exe
1644	WindowsDefender.exe
1784	WindowsDefender.exe
3256	WindowsDefender.exe
4300	WindowsDefender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4344	PING.EXE
1160	PING.EXE
3668	PING.EXE
3792	PING.EXE
736	PING.EXE
2152	PING.EXE
4512	PING.EXE
1516	PING.EXE
3884	PING.EXE

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
2152	PING.EXE
1160	PING.EXE
1516	PING.EXE
3884	PING.EXE
3792	PING.EXE
4344	PING.EXE
736	PING.EXE
4512	PING.EXE
3668	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3628	schtasks.exe
3608	schtasks.exe
3172	schtasks.exe
2444	schtasks.exe
3992	schtasks.exe
472	schtasks.exe
4796	schtasks.exe
3436	schtasks.exe
2144	schtasks.exe
3472	schtasks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	Client-built.exe
Token: SeDebugPrivilege	3232	WindowsDefender.exe
Token: SeDebugPrivilege	3052	WindowsDefender.exe
Token: SeDebugPrivilege	1128	WindowsDefender.exe
Token: SeDebugPrivilege	2276	WindowsDefender.exe
Token: SeDebugPrivilege	1540	WindowsDefender.exe
Token: SeDebugPrivilege	1644	WindowsDefender.exe
Token: SeDebugPrivilege	1784	WindowsDefender.exe
Token: SeDebugPrivilege	3256	WindowsDefender.exe
Token: SeDebugPrivilege	4300	WindowsDefender.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1128	WindowsDefender.exe
1540	WindowsDefender.exe
4300	WindowsDefender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 3172	3704	Client-built.exe	85
PID 3704 wrote to memory of 3172	3704	Client-built.exe	85
PID 3704 wrote to memory of 3232	3704	Client-built.exe	87
PID 3704 wrote to memory of 3232	3704	Client-built.exe	87
PID 3232 wrote to memory of 3472	3232	WindowsDefender.exe	90
PID 3232 wrote to memory of 3472	3232	WindowsDefender.exe	90
PID 3232 wrote to memory of 852	3232	WindowsDefender.exe	92
PID 3232 wrote to memory of 852	3232	WindowsDefender.exe	92
PID 852 wrote to memory of 4160	852	cmd.exe	94
PID 852 wrote to memory of 4160	852	cmd.exe	94
PID 852 wrote to memory of 3668	852	cmd.exe	96
PID 852 wrote to memory of 3668	852	cmd.exe	96
PID 852 wrote to memory of 3052	852	cmd.exe	101
PID 852 wrote to memory of 3052	852	cmd.exe	101
PID 3052 wrote to memory of 2444	3052	WindowsDefender.exe	102
PID 3052 wrote to memory of 2444	3052	WindowsDefender.exe	102
PID 3052 wrote to memory of 2100	3052	WindowsDefender.exe	104
PID 3052 wrote to memory of 2100	3052	WindowsDefender.exe	104
PID 2100 wrote to memory of 4296	2100	cmd.exe	106
PID 2100 wrote to memory of 4296	2100	cmd.exe	106
PID 2100 wrote to memory of 4344	2100	cmd.exe	107
PID 2100 wrote to memory of 4344	2100	cmd.exe	107
PID 2100 wrote to memory of 1128	2100	cmd.exe	108
PID 2100 wrote to memory of 1128	2100	cmd.exe	108
PID 1128 wrote to memory of 3992	1128	WindowsDefender.exe	109
PID 1128 wrote to memory of 3992	1128	WindowsDefender.exe	109
PID 1128 wrote to memory of 4784	1128	WindowsDefender.exe	111
PID 1128 wrote to memory of 4784	1128	WindowsDefender.exe	111
PID 4784 wrote to memory of 2984	4784	cmd.exe	113
PID 4784 wrote to memory of 2984	4784	cmd.exe	113
PID 4784 wrote to memory of 3792	4784	cmd.exe	114
PID 4784 wrote to memory of 3792	4784	cmd.exe	114
PID 4784 wrote to memory of 2276	4784	cmd.exe	116
PID 4784 wrote to memory of 2276	4784	cmd.exe	116
PID 2276 wrote to memory of 472	2276	WindowsDefender.exe	117
PID 2276 wrote to memory of 472	2276	WindowsDefender.exe	117
PID 2276 wrote to memory of 5112	2276	WindowsDefender.exe	119
PID 2276 wrote to memory of 5112	2276	WindowsDefender.exe	119
PID 5112 wrote to memory of 4136	5112	cmd.exe	121
PID 5112 wrote to memory of 4136	5112	cmd.exe	121
PID 5112 wrote to memory of 736	5112	cmd.exe	122
PID 5112 wrote to memory of 736	5112	cmd.exe	122
PID 5112 wrote to memory of 1540	5112	cmd.exe	123
PID 5112 wrote to memory of 1540	5112	cmd.exe	123
PID 1540 wrote to memory of 3628	1540	WindowsDefender.exe	124
PID 1540 wrote to memory of 3628	1540	WindowsDefender.exe	124
PID 1540 wrote to memory of 620	1540	WindowsDefender.exe	126
PID 1540 wrote to memory of 620	1540	WindowsDefender.exe	126
PID 620 wrote to memory of 2648	620	cmd.exe	128
PID 620 wrote to memory of 2648	620	cmd.exe	128
PID 620 wrote to memory of 2152	620	cmd.exe	129
PID 620 wrote to memory of 2152	620	cmd.exe	129
PID 620 wrote to memory of 1644	620	cmd.exe	130
PID 620 wrote to memory of 1644	620	cmd.exe	130
PID 1644 wrote to memory of 4796	1644	WindowsDefender.exe	131
PID 1644 wrote to memory of 4796	1644	WindowsDefender.exe	131
PID 1644 wrote to memory of 4304	1644	WindowsDefender.exe	133
PID 1644 wrote to memory of 4304	1644	WindowsDefender.exe	133
PID 4304 wrote to memory of 2252	4304	cmd.exe	135
PID 4304 wrote to memory of 2252	4304	cmd.exe	135
PID 4304 wrote to memory of 4512	4304	cmd.exe	136
PID 4304 wrote to memory of 4512	4304	cmd.exe	136
PID 4304 wrote to memory of 1784	4304	cmd.exe	137
PID 4304 wrote to memory of 1784	4304	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3172
- C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
  "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g4tvYXYHxTAz.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4160
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3668
  - - C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
      "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOnP3p7KhjHL.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4296
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4344
      - C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ywfEaZH7GGG.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3792
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2gtQ9qcBXPvQ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:736
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cJV6axp6tOyU.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EFDs1wZop4y1.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXNPtXcLhdEH.bat" "
        15⤵
        
        PID:4240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYBw94QAfZsF.bat" "
        17⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGRwJKKEwQU9.bat" "
        19⤵
        
        PID:4368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsDefender.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gtQ9qcBXPvQ.bat

Filesize
225B

MD5
e5c3165a0e0127304e2f1d2a1e80611c

SHA1
d0d28a611a794f457d2e48a0b6efd1ef9d994174

SHA256
6d88ca7c93a227034f8daa68aa129c48532211c2254e2ac068bca93f8d647ce1

SHA512
f4da7c5fc2accb27f7ec8cc8bf9befd529527322fc578af6532aca9520ef9f0225e6e1a752053817880b7d17ddb3fdc8553f79a2ef6bfe1c71efcb6d4610210a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ywfEaZH7GGG.bat

Filesize
225B

MD5
974108e7b4539d89e36adc1acef17b1a

SHA1
aff310677d7f19097c52da82dbf5be0db7ed6c03

SHA256
faf8a2ec86ac0fb552a3682dbd486abf213fb1de4ca9c38451a6ae16f08e377a

SHA512
f49269bb3df8f0a4f720105e1ba5488674804fec4b6c361a4c1b08b71ccc69628819a67392627c789660a40711ed125b248eed5fed8e16df0cafb59c58dfc847

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFDs1wZop4y1.bat

Filesize
225B

MD5
72583f8f6fed4b8904da0ef02605ed5a

SHA1
b33461ded50739456a9c3327d507ab05aa1b7d72

SHA256
3b1869f40faa37c9924fe1d22b2c76e1250bd3a842a23c6a7b7af57b9b268ab2

SHA512
9e5d97d843189a0e0d0d2e4954e6348de53a42ce5decb3c4365286df7ea1b5448d7abd7b018dda1e8a1b28b9119bb39a0f0bcb8c18fc5380f29d80b1a0aca87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXNPtXcLhdEH.bat

Filesize
225B

MD5
9c54a9eb4ac1414dd6401cf95aeddf0d

SHA1
5e364b1010d96170b132a025d95be89a4509a574

SHA256
7f4ff2ba39848ad88148bc86306fe9dcf5fbbbcf6734270ad309637dd58f1a21

SHA512
27e24dc4f01f9fab59b9f6d6e82b476a94452137cf0e9131bb1d7dbafa484770e0c3cf95373ad554cfa841b96b48e74d73419fbc9abf2923ae22fb24e81b4a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGRwJKKEwQU9.bat

Filesize
225B

MD5
fea8cf9c6da5fe2415088a55205480b6

SHA1
7ce1030c1bba9657e245db2e31b4904dc83335df

SHA256
0462a429a27069526649e25258595902524cbe2d7f2f3be9a886caf613105ed1

SHA512
40fa19bf1610f96ac39272ba0645c493cd35dc6772e34b3adc502044c99f152530d456246d8d506629f4327e425c12ecf9b2f52c9e3d9a05ef802f6ad227e883

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZOnP3p7KhjHL.bat

Filesize
225B

MD5
67377f88b45084725c17541f57be18cc

SHA1
b5693b9119c51ae1e82e87e06ac60cf63ef23f06

SHA256
b55291d2cdaae4f5ff85c011e20df0fdf2268a8f7b8999a5fa1637ec0a5f089c

SHA512
a9896449e1dd14e36159528ae5322d892208459b3af3b0e9cc046f1011d6b713fc0c6055abc8f8761aeca7043c11ae35fd2f66bc55847e178fd2cb656d71a17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cJV6axp6tOyU.bat

Filesize
225B

MD5
e09206c9c3856158a2038f3da80a3748

SHA1
a57c4c093403dcf2b430a178ca1bdef60ba82ecd

SHA256
b1e1d69c4ab9a6503e56a646b7866f77556541f04502090114799f025ea72b21

SHA512
6593f019460cf84d84c4a888797ef4ebb7e69e376b24667a4bc11988fac3a8c9f3c025955061e52361637c8e9697b1701ac280ba339568cf414c7374234b5357

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYBw94QAfZsF.bat

Filesize
225B

MD5
43be6a59f22cf89c045b02f5ea59e8b0

SHA1
6866fb5156f203b9ec187a22e0629f14f047000c

SHA256
9182852b78329dc246c6b4d814e1c841b2bebcf9013a8de0437b49fbbf2ac49f

SHA512
e326f5690e277f1998613cbe5fa3332c9869707b3d8c906e8d1d667e443adbbd6a851a761b473bf4ddc23740506dddc39f02b210b2a8d014b684e9a0ef840a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4tvYXYHxTAz.bat

Filesize
225B

MD5
077807f3e19e83cfa8e533e54d02b44c

SHA1
4f21b2fcf1b2af8c5671d152ae2f249da84dc1dc

SHA256
f83dd6c58ff6b694a7a18328e2e61ca1d4f6a90b793571dfd9cc22e943a605fc

SHA512
095fbc89fba4fdd035520657ecbf66d53cf15d322b5cafbeeb058c96df013a76a7ebcd2bd668a6079b658c07ac0b5909f50bed82ccef2b5ed3a9e6c2d5850370

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe

Filesize
3.1MB

MD5
64883e389e15c6d937ec877f70be133b

SHA1
9db3db888d02b722eb884d4420ac8c87333d4c35

SHA256
8cbf4bc37d1cdcd9448ee1b1e0ccd78e1c086c4f3204fb416eb5ef54cd560dd1

SHA512
e9b88f75c978110d8867451f717d1d8cc7778f35895e445f712440913ddbc63cfa795eff36b82ca9b399d02d1577495b2f863cc6d12337482278d5e616418858

Download Submit
memory/3232-6-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/3232-17-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/3232-9-0x000000001CA30000-0x000000001CAE2000-memory.dmp

Filesize
712KB

Download
memory/3232-8-0x000000001B350000-0x000000001B3A0000-memory.dmp

Filesize
320KB

Download
memory/3232-7-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/3704-0-0x00007FFA54643000-0x00007FFA54645000-memory.dmp

Filesize
8KB

Download
memory/3704-5-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/3704-2-0x00007FFA54640000-0x00007FFA55102000-memory.dmp

Filesize
10.8MB

Download
memory/3704-1-0x0000000000650000-0x0000000000974000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads