quasar | 5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe
Size

359KB
MD5

c820d74f7c81a37b97c9bfc22e65c568
SHA1

76bf7b427b0c1f2fc63315d1fd1645b387860659
SHA256

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693
SHA512

4b11ea4632c685159e6eed1113c2d7e4617e866f93615fa8fef1e6484f9b0fff7105422739ade962f37549b2b76ccf0a75a436dccbe7abbdd10dcf493d2ca9c3
SSDEEP

6144:b4up0yN90QEV9DKkTB1rF2yCnsYvAVQOtRsmkwzMf4u+bb9BDjvb:bky90DdKkTBJFrYvWQsR9kwpNbb9Vb

Score

10^/10

quasar office04 discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

maximazorreguieta.no-ip.info:3406

queenmaxima.zapto.org:3406

Mutex

QSR_MUTEX_FAc01gnRthaGJO3mEj

Attributes

encryption_key
6KdEgYSDGAflKInAE9Az
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

Processes:

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe

flow	ioc
15	ip-api.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe
50	ip-api.com
69	ip-api.com

Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\411877848\411877848.exe	family_quasar
behavioral1/memory/3676-31-0x0000000000A70000-0x0000000000ACE000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4364 powershell.exe

pid	process
4364	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

411877848.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
3676	411877848.exe
4696	Client.exe
2420	Client.exe
2164	Client.exe
4812	Client.exe
2924	Client.exe
4708	Client.exe
4524	Client.exe
116	Client.exe
1384	Client.exe
1836	Client.exe
3672	Client.exe
812	Client.exe
1864	Client.exe
552	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
50 ip-api.com
69 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
15	ip-api.com
50	ip-api.com
69	ip-api.com

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3772	4696	WerFault.exe	Client.exe
4008	2420	WerFault.exe	Client.exe
3788	2164	WerFault.exe	Client.exe
452	4812	WerFault.exe	Client.exe
3100	2924	WerFault.exe	Client.exe
4904	4708	WerFault.exe	Client.exe
2240	4524	WerFault.exe	Client.exe
4336	116	WerFault.exe	Client.exe
4828	1384	WerFault.exe	Client.exe
1560	1836	WerFault.exe	Client.exe
4572	3672	WerFault.exe	Client.exe
2636	812	WerFault.exe	Client.exe
516	1864	WerFault.exe	Client.exe

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Client.exechcp.comPING.EXEchcp.comcmd.exePING.EXEClient.exePING.EXEcmd.execmd.exechcp.comcmd.execmd.exeClient.exeClient.exeClient.exePING.EXEcmd.exeClient.exechcp.comcmd.execmd.exechcp.comClient.exePING.EXEchcp.comClient.execmd.exechcp.comchcp.comClient.exeClient.exeClient.exechcp.comPING.EXEClient.exePING.EXEchcp.comcmd.execmd.exePING.EXEcmd.exeClient.exechcp.comchcp.comPING.EXEchcp.comPING.EXEPING.EXE411877848.exePING.EXEPING.EXEcmd.exeClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	411877848.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
208	PING.EXE
4936	PING.EXE
324	PING.EXE
1992	PING.EXE
4664	PING.EXE
5076	PING.EXE
2148	PING.EXE
212	PING.EXE
1692	PING.EXE
3696	PING.EXE
4468	PING.EXE
2876	PING.EXE
3492	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2876	PING.EXE
2148	PING.EXE
208	PING.EXE
4936	PING.EXE
1992	PING.EXE
4664	PING.EXE
3696	PING.EXE
4468	PING.EXE
1692	PING.EXE
3492	PING.EXE
5076	PING.EXE
212	PING.EXE
324	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4364 powershell.exe
4364 powershell.exe

pid	process
4364	powershell.exe
4364	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exe411877848.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	3676	411877848.exe
Token: SeDebugPrivilege	4696	Client.exe
Token: SeDebugPrivilege	2420	Client.exe
Token: SeDebugPrivilege	2164	Client.exe
Token: SeDebugPrivilege	4812	Client.exe
Token: SeDebugPrivilege	2924	Client.exe
Token: SeDebugPrivilege	4708	Client.exe
Token: SeDebugPrivilege	4524	Client.exe
Token: SeDebugPrivilege	116	Client.exe
Token: SeDebugPrivilege	1384	Client.exe
Token: SeDebugPrivilege	1836	Client.exe
Token: SeDebugPrivilege	3672	Client.exe
Token: SeDebugPrivilege	812	Client.exe
Token: SeDebugPrivilege	1864	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4696	Client.exe
2420	Client.exe
2164	Client.exe
4812	Client.exe
2924	Client.exe
4708	Client.exe
4524	Client.exe
116	Client.exe
1384	Client.exe
1836	Client.exe
3672	Client.exe
812	Client.exe
1864	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.execmd.exepowershell.exe411877848.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 552	1672	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe	cmd.exe
PID 1672 wrote to memory of 552	1672	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe	cmd.exe
PID 1672 wrote to memory of 2748	1672	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe	cmd.exe
PID 1672 wrote to memory of 2748	1672	5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe	cmd.exe
PID 2748 wrote to memory of 4364	2748	cmd.exe	powershell.exe
PID 2748 wrote to memory of 4364	2748	cmd.exe	powershell.exe
PID 4364 wrote to memory of 3676	4364	powershell.exe	411877848.exe
PID 4364 wrote to memory of 3676	4364	powershell.exe	411877848.exe
PID 4364 wrote to memory of 3676	4364	powershell.exe	411877848.exe
PID 3676 wrote to memory of 4696	3676	411877848.exe	Client.exe
PID 3676 wrote to memory of 4696	3676	411877848.exe	Client.exe
PID 3676 wrote to memory of 4696	3676	411877848.exe	Client.exe
PID 4696 wrote to memory of 3596	4696	Client.exe	cmd.exe
PID 4696 wrote to memory of 3596	4696	Client.exe	cmd.exe
PID 4696 wrote to memory of 3596	4696	Client.exe	cmd.exe
PID 3596 wrote to memory of 4660	3596	cmd.exe	chcp.com
PID 3596 wrote to memory of 4660	3596	cmd.exe	chcp.com
PID 3596 wrote to memory of 4660	3596	cmd.exe	chcp.com
PID 3596 wrote to memory of 4664	3596	cmd.exe	PING.EXE
PID 3596 wrote to memory of 4664	3596	cmd.exe	PING.EXE
PID 3596 wrote to memory of 4664	3596	cmd.exe	PING.EXE
PID 3596 wrote to memory of 2420	3596	cmd.exe	Client.exe
PID 3596 wrote to memory of 2420	3596	cmd.exe	Client.exe
PID 3596 wrote to memory of 2420	3596	cmd.exe	Client.exe
PID 2420 wrote to memory of 1192	2420	Client.exe	cmd.exe
PID 2420 wrote to memory of 1192	2420	Client.exe	cmd.exe
PID 2420 wrote to memory of 1192	2420	Client.exe	cmd.exe
PID 1192 wrote to memory of 4908	1192	cmd.exe	chcp.com
PID 1192 wrote to memory of 4908	1192	cmd.exe	chcp.com
PID 1192 wrote to memory of 4908	1192	cmd.exe	chcp.com
PID 1192 wrote to memory of 3696	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 3696	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 3696	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 2164	1192	cmd.exe	Client.exe
PID 1192 wrote to memory of 2164	1192	cmd.exe	Client.exe
PID 1192 wrote to memory of 2164	1192	cmd.exe	Client.exe
PID 2164 wrote to memory of 812	2164	Client.exe	cmd.exe
PID 2164 wrote to memory of 812	2164	Client.exe	cmd.exe
PID 2164 wrote to memory of 812	2164	Client.exe	cmd.exe
PID 812 wrote to memory of 4824	812	cmd.exe	chcp.com
PID 812 wrote to memory of 4824	812	cmd.exe	chcp.com
PID 812 wrote to memory of 4824	812	cmd.exe	chcp.com
PID 812 wrote to memory of 5076	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 5076	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 5076	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 4812	812	cmd.exe	Client.exe
PID 812 wrote to memory of 4812	812	cmd.exe	Client.exe
PID 812 wrote to memory of 4812	812	cmd.exe	Client.exe
PID 4812 wrote to memory of 3592	4812	Client.exe	cmd.exe
PID 4812 wrote to memory of 3592	4812	Client.exe	cmd.exe
PID 4812 wrote to memory of 3592	4812	Client.exe	cmd.exe
PID 3592 wrote to memory of 4544	3592	cmd.exe	chcp.com
PID 3592 wrote to memory of 4544	3592	cmd.exe	chcp.com
PID 3592 wrote to memory of 4544	3592	cmd.exe	chcp.com
PID 3592 wrote to memory of 4468	3592	cmd.exe	PING.EXE
PID 3592 wrote to memory of 4468	3592	cmd.exe	PING.EXE
PID 3592 wrote to memory of 4468	3592	cmd.exe	PING.EXE
PID 3592 wrote to memory of 2924	3592	cmd.exe	Client.exe
PID 3592 wrote to memory of 2924	3592	cmd.exe	Client.exe
PID 3592 wrote to memory of 2924	3592	cmd.exe	Client.exe
PID 2924 wrote to memory of 4492	2924	Client.exe	cmd.exe
PID 2924 wrote to memory of 4492	2924	Client.exe	cmd.exe
PID 2924 wrote to memory of 4492	2924	Client.exe	cmd.exe
PID 4492 wrote to memory of 3424	4492	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe
"C:\Users\Admin\AppData\Local\Temp\5343e994e398480f4d85cad6c63781a8bb6ed8c69732765852fea2cc9df6b693.exe"
1⤵
- Quasar RAT
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c echo.
  2⤵
  PID:552
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c exec.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\411877848\411877848.exe
      "C:\Users\Admin\AppData\Local\Temp\411877848\411877848.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYZSGDbYMKtK.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4664
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95tluhMfnRMl.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1nQFFfskW8Ep.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RHoloiRP39jZ.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smCINk14aBEK.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lXUHavsujlmx.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8134MDHGkzao.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:212
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJ7Mv44ob9PA.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lh1XhHbbnwNo.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5rmjhYAym3xA.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mXO7vd9G6Dfa.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6zAAuBOIbclX.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoNwEoRaeIHq.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 2248
        30⤵
        Program crash
        
        PID:516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 2228
        28⤵
        Program crash
        
        PID:2636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 2200
        26⤵
        Program crash
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 2224
        24⤵
        Program crash
        
        PID:1560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 2208
        22⤵
        Program crash
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 2228
        20⤵
        Program crash
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 2216
        18⤵
        Program crash
        
        PID:2240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 2248
        16⤵
        Program crash
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1932
        14⤵
        Program crash
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 2244
        12⤵
        Program crash
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1944
        10⤵
        Program crash
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 2232
        8⤵
        Program crash
        
        PID:4008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1724
        6⤵
        Program crash
        
        PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4696 -ip 4696
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2420 -ip 2420
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2164 -ip 2164
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4812 -ip 4812
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2924 -ip 2924
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4708 -ip 4708
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4524 -ip 4524
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 116 -ip 116
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1384 -ip 1384
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1836 -ip 1836
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3672 -ip 3672
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 812 -ip 812
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1864 -ip 1864
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1nQFFfskW8Ep.bat

Filesize
207B

MD5
789c87ec58109f46197df83209eff4d9

SHA1
06071b8a280df7195d8a8354b1a07695c976d04e

SHA256
18985e545206196e777b6c292d7ae834d24587adeb3e93a737e0c5ef3bad1d05

SHA512
79ae3fa5c53b7185ced433be643bc783988203162581c7271deba5fd65a9dd335a87e2ed0f3d22f9faf6e85a46b7b5a90bad1c151f1f7819cb683096f16ba37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\411877848\411877848.exe

Filesize
348KB

MD5
774abffa512e65d0480febc6b7a36c6f

SHA1
be462048acddb3bafab2ce4701de54d34f1c651d

SHA256
fdbf14923ac9154fe7bc1d19191f2506c6004fb30478ce00e90cc684d27fd794

SHA512
5f3807d98087d113831f528712b654d6f4d1448d306ca20aa9490d6d79c40bf35a8b1aacdc04f788777e32db2505fabf43ebbf64f5d426cb798a0d20d533d83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5rmjhYAym3xA.bat

Filesize
207B

MD5
4e7504dd078fdfca7ac2941349fe035e

SHA1
10891911cf5b3e747b0223cd637f790d14b3a003

SHA256
f07fcc1bc7330dd845b9e1cd5d5335ed71f54176a4976dcb88302bce04c9727a

SHA512
ef51b378bc0eb1b0467a8585fcec0c9e67d1018c3b3449ebc4b0e771639e92e5deb6b4a3c140faeb569e1006c21d75bd8624dd06a233545dfa5eb208f52bae81

Download Submit
C:\Users\Admin\AppData\Local\Temp\6zAAuBOIbclX.bat

Filesize
207B

MD5
e5e1b5ea0b81ef8fdc3922c87d7c6c76

SHA1
909d1e4ba461b677d4e3c71a9a7977c5b1900f88

SHA256
0b07e3e946b5c749765ac48dd35d9a310201ec85f5021eafc55d4ffc7a3a0d61

SHA512
3831439110128b1b71c009671ec1d1f13369e6ac70c48a17682397dc086097aaa6902f8d5abbbdfaa2f7377b98a013cfdbb30d74d8c8f36aac6aafb1a8c6dd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\8134MDHGkzao.bat

Filesize
207B

MD5
6e7d7399960019673aeb694d5fbace69

SHA1
c5fbf42aeec77b576d869707ef83a2899902b6e3

SHA256
1ae4230874f8324a5c56c7a3cef863c590639104c90442bdbafd221c09752a92

SHA512
1c8f17f811494fca28ed922b3fec4f6508ff75c31ba85d773841dcab75fa6e98e0508c2437284aed0752e7067ed4dc9214f5b265fc612f18f677f92bcf41a5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\95tluhMfnRMl.bat

Filesize
207B

MD5
093b52e5a74c1e2d6120212b13558db0

SHA1
c23442ff4e77387e00603c3dd235530aeda0381a

SHA256
bee83f876bb6f01a52b7d9dd6c1d7058219e2c6f587b1cb911c782e96e085a73

SHA512
1413fd009e64714ec39a2bfa44ef811a23a5c840194991fa9b9d78e81befab0b22651ca38decca5cb244dc3e07df72eccf4ede50bc5e688aea83b543178299fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJ7Mv44ob9PA.bat

Filesize
207B

MD5
819aaf716be2a493e188e613e050cecd

SHA1
cd5ebcb580da314e0e557983599015fb4cedc835

SHA256
39e88a36b88c3f6b492a9a6da5d5ba3cbdba1a9cb27b6f3d9f4969917da41fa7

SHA512
6328d296b579a3ea4dd5a2d6bd5fe4fb7dd3526f08dd1cae117a8fd8c9a5748f25c3b0d4195b09ef1f988e58d2fa3443e85e3d86bf4cd6d48c9da180755c89fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
464KB

MD5
8f7653307cb1e48ae70869a63abb6025

SHA1
b9cf5e61504b4dcc13d1f6b1fb7e289e13ae201c

SHA256
19a2cab7d9682eee7242a8cea36d7ffd72893cf48a314c77b5fb06820e84042e

SHA512
0981e02e7a06e6f0794e4f26388dcb7a511af2e3a1cc37eeff5c10d1af26f3fb29b78f40f89618acb7b927a425db1ade46b81c111d2d14076a611a533db28fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

Filesize
95B

MD5
368e0f2c003376d3bdae1c71dd85ec70

SHA1
e5fa7b58cad7f5df6e3a7c2abeec16365ae17827

SHA256
84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9

SHA512
e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lh1XhHbbnwNo.bat

Filesize
207B

MD5
3ea82751e282c58756fc341fff3f1f9b

SHA1
ae5b892c0e21a0fd50e0f92e3c90d89039a2243b

SHA256
8e6b19832d0db4b0ee2c20da859d711f6c0cb300f18202f2f2c15eeae746e1bd

SHA512
7840c9f9572b19def5fae3de0786c4e0cd439b0a78d41de1d37433bb76842197df81c860ec3a6a8d739c40127045fabd9f192b2ed1c88937be706ccac060f0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RHoloiRP39jZ.bat

Filesize
207B

MD5
23e5bae58c26d45318c1c3164565e0a4

SHA1
20a57818a80f85f77e8219a1fc942d5b193da9f7

SHA256
03b9cd29ccd710963db107e9571ec0078cc64bb07172d3095b47e8d62089941f

SHA512
a447bfbe4cfca2263897dab4a398af74534d6e11ac272e5de5ee9c1009d065383ebae2aa5604f82b8a9395cd7c19077f4012cfa74430823d24b4f3cdca66c789

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajrzp2qp.jzp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYZSGDbYMKtK.bat

Filesize
207B

MD5
a5ceb998c19e4babb189826fbd4c38ac

SHA1
c76762738f76b3de9231834a28a4a83dcd7357ff

SHA256
12ba7069526e71d296b23a660c61c461771111a109556760cbcd1113e1733040

SHA512
0c9cda9de1564b87262005ccedb28e894e6e3e9648cd4bc76353d9285c7508ce80bf9305feea0812d86a07f575fa2de584ed1ce5e1ef0677056d97e8f7592ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lXUHavsujlmx.bat

Filesize
207B

MD5
a7226bf1786817153a6144691a7f8978

SHA1
2bf8344b66091ba01819009d9969f8d9f210488d

SHA256
8321dda737714eef82eb92faa200faf76eb92794d9322c739cc75bf3df8f3537

SHA512
bc5a122feb83c738e93884541b1d8c6e8cb3333777029587fb4159f7a94c961677c382c091ee18e6f202b46c82324941a86c087ae977bef3703755a9112e928e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mXO7vd9G6Dfa.bat

Filesize
207B

MD5
71ad953c87ef4c79d9537a1b52f20ff0

SHA1
272afaf3d687e2a154474740b032a25a2e0d91d8

SHA256
355da25a904718660d1922db117e9a5b476aff9f19490301b541374780dc8cd5

SHA512
bb8793332d1798c697e59b72ae3885c2a6ce4dc9a0bc87c88b515087b46bb07efd89fffcfbd1b68e5dfd7e3edf35c857f734338a9c3a9affaf635567f396ee1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\smCINk14aBEK.bat

Filesize
207B

MD5
ab87d3911c1c22bf08bcc575d5ddc12c

SHA1
f5345ce8d7b8cf446f000ff716f72707b214abe0

SHA256
0bde6a5444abbf883872b68f90309bffc7022142f2a6c1104b572959e52349bb

SHA512
9d92def8e551891219b5b5c05580adf37a57551c314fd1a6a550d67b8fcc81dbf329274eb9ff428ee5d0e0bc96240cd7d124f32b6c1e307edb098b3d6e5d864a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoNwEoRaeIHq.bat

Filesize
207B

MD5
abc813694225b2a5c950cc351b481e0a

SHA1
97a78870bb08ebec25b47b4929ffbf631790af8e

SHA256
b6b62064c19af4c628f5e5cd343884998ac514c8ef0875388cc7b3e1ef62cf20

SHA512
f74dec0fc209bc3ef45ae465dd628df289b4ba145cfbf2817f26e7b5e4030259e6f3ee4d8e33a760efeea758ccaf7f35919543db9bd4fa1102e1aa7249e18081

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
51319ea771af0bb02e2d3a0ebfd3b021

SHA1
e0f458163641b3c941018a9a5912df6d91039931

SHA256
21c890a9e305e63fa52a52bd92b08493d01359b2b6679b0b1ec738fbac265eb2

SHA512
6d9ec1a30095f3cdd174dac39017498116750acacc37b831f9773554ad3186bf1a63a0e6b6237acd793959b273ed4c8229282365d0a571be039f31b00c06aba3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
06cd974c5401132d1f9bc48b908173f4

SHA1
0403e3a2e7b8ec9a43f67805ca3e95023fdf240a

SHA256
00b31ee257b586fbd11d059b9804a97ca6a5ae40e9db6a27d0a7e2bd6491f1b5

SHA512
a0b4907e44f373c58b92fb7441a632a672ff91c66ffd68590b071a8bc1c785c883e3d34f7e625e02be6db5d6fa4fcb5d8eb88dc98d674d57cdef2bf7b07be1c0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
3d51032079a4dd66510a8befbe7f53c3

SHA1
13c97f94feee3e41093479f6742cd285f2fe9344

SHA256
be432905450dd0ca36fafea6757ea1005ddc0f8f77423194ef8c6efe9f1b57f7

SHA512
67103c485a8861f194e38f5ce9144633a9621e6ad2f141410283ed56b40b74bafa16b9a3c30cfea7dc941312d9a485b4ffea0b98e1db5586c8a0d029f432ac67

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
b3a02cdb2ebe07d23a6695e1bb68d2d3

SHA1
a640327e67435cc933ecf582288c7d4b309d7dfa

SHA256
4b622f7462c5da195bb5812678971303fa064884660e04298f7c2462dd81ab9f

SHA512
2248ee99f0654bad101f57c90a3aa198dbbff81a78bc1221dc8162c15d9595c0a440a6e709879dca5519a72d6eee0bd4fea6ee89d653d288d398e65d4c73ab44

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
dc02a8667f39ec129bd58eadf7f2dad0

SHA1
26d2b0e8073f8113d3aa8f57867db43d2c565dae

SHA256
2d460cca3df17deb22f442811ed638fcd62ff2bc0b0ff9f7f38899ed8f87f02e

SHA512
0d1a7fa2b9571009b0a61370ace55c0acb225869f90549a68cf033f6db351d742f0f39416b6f071a664cc3e9013ff2519e7fa8a5f6944111cb5b1044d7dc65d8

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
d6affee5b58a40d49d3c8c17d5e67100

SHA1
6da2d98d12f80fe0b133a52e573e988290adeaef

SHA256
416e1335602f9f7f5832c7380b3284b60edd1d9750f7b497f57eb1ab72e76ef1

SHA512
5a3d89fe76f0f423279dea873cc4af66d1dbeed6ad2718c627d6720b00503bcf0f1722c62a533c01a4c5d2c7fed3afb2acb9d4ee6aaa3a3991b796612e96db23

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
b216020f2b914a664f6cddeba4997628

SHA1
6780336d1803fc0471e9c3c0255d904dd92e9502

SHA256
532826a75e4859ac96d7844c00a4a00ccd6de6fb89f31153fb811c0a46224f64

SHA512
1b15b45dbb156d6cf98e5b666953839d5edc91c4d441416bc7385be18ccad4e7b32e8aea36ccb19f0bc1483216711a97f5d3a1e98699441d225ce659a65bd8c0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
cdace8e38f6c5f6e9637d3b5e997da5f

SHA1
1532626b56c9ae01578b5b5fc975c64e3da9bb66

SHA256
0437b5fcb224797e4b9b8ebf3b8b4c040407c2942df17ea827f37cfa689e1210

SHA512
3fa7dd3ef1ec96fe64c3ba5c4bf0a514e69ae4ca9c92a899d91dc777caf6eb4214c37176b897d7816129509085fdf67b67519b9ef5fa0080057566ab6f209e22

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
c21883d64b7f22372b416caf6bc028b7

SHA1
21437834b4eb7cd6060d1d80c8a0151f9d9096b1

SHA256
ca6c7fd963fad87079abef7803f7c2428eb0b49a9507885c5bc95071cd26b34b

SHA512
17490b51bc6910714f84c6025777b36b9b5d64f1173e6597d18f60d568b65483462c3ab474691df10bf8df4822d25c307a9afbaf99fec0e80e45b6e87a23a9b3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
ad74ee781a11b6c7104156bc7b7647d6

SHA1
ef75c503a995b0a0aeb90a4935eb4aaea85a998a

SHA256
3aab11c50e1c1eba7f32650817cd092d488fbe3b582f5031582865ca374dc7e1

SHA512
f6c0b2c51600ed95e61fbfad6471e0d31cc506be2ab3bb466d12463e463e55f6a48354d01103a19d29a67837b04f7b2ba7965627cb82d9117a51646203da74c5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
42c72207f137de0071e6125f26491ae2

SHA1
cd7b1d312e7f862f49f04ce7181dcf9b22b13089

SHA256
82a6762c13392019c768b24377234568cd06745724572a8af1a106909c5c929c

SHA512
52e4a13ce87d5ec08161b3fc2a29715cc780b351a7cd55997e2b09ec2c09f3f462a5cc8da511880399dafc313314cdcda4dd67bd386023907bff599d48f87d6e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\11-19-2024

Filesize
224B

MD5
6a743682dba78c00d316ba2dea1210a7

SHA1
8934d7826ff53b6be5237398825ec526ba43fbee

SHA256
7afb48987ca709ad4034809763751bc5391989745a74c39d0fceca04a6d53024

SHA512
91939a928d8e10d2ed2cfa9d83c62845a399d62fcea006fedf17372cf0b17f0b5f0a863cca90f1350901869a4e437eeba50b4f03b86c83b0f72baaba58c6c64a

Download Submit
memory/3676-36-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/3676-34-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/3676-38-0x00000000060C0000-0x00000000060D2000-memory.dmp

Filesize
72KB

Download
memory/3676-45-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/3676-37-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/3676-29-0x00000000753EE000-0x00000000753EF000-memory.dmp

Filesize
4KB

Download
memory/3676-35-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/3676-39-0x0000000006600000-0x000000000663C000-memory.dmp

Filesize
240KB

Download
memory/3676-31-0x0000000000A70000-0x0000000000ACE000-memory.dmp

Filesize
376KB

Download
memory/4364-30-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

Filesize
10.8MB

Download
memory/4364-19-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

Filesize
10.8MB

Download
memory/4364-18-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

Filesize
10.8MB

Download
memory/4364-8-0x000001D643BD0000-0x000001D643BF2000-memory.dmp

Filesize
136KB

Download
memory/4364-7-0x00007FFF30AC3000-0x00007FFF30AC5000-memory.dmp

Filesize
8KB

Download
memory/4696-47-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

Filesize
40KB

Download