quasar | 5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6

Analysis

max time kernel
117s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 09:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe
Size

3.7MB
MD5

cd765738ca380479232b3742bec4681a
SHA1

72183452d01eabefa4a1dc4e4702df04aca6da4e
SHA256

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6
SHA512

047266f5d2f30661857c501c705a18128082551498351eee28600bfb051e276535e00abfa0dd30acbcdb01e9238958f06ca934abb094ee03666cae51475ed6f5
SSDEEP

49152:sBe/wR+kPCndafDZ7MTpxKQ4vWcucxZIp6/Y6HhxVetUw5WxGea2rkoVAAVsK5Iw:/namVxrcxys/XhxsuwEUeFzyRM

Score

10^/10

quasar code discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

CODE

twart.myfirewall.org:9792

rency.ydns.eu:5287

wqo9.firewall-gateway.de:8841

Mutex

02351e291-5d041-4fa37-932c7-869aeiQec514992

Attributes

encryption_key
3145298725BA5E0DD56E87FFE3F8898EA81E6EDA
install_name
workbook.exe
log_directory
Logs
reconnect_delay
6000
startup_key
workbook
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2920-48-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4104	powershell.exe
3128	powershell.exe
4812	powershell.exe
1020	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exeworkbook.exeworkbook.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	workbook.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	workbook.exe

Executes dropped EXE 3 IoCs

Processes:

workbook.exeworkbook.exeworkbook.exe

pid	Process
3340	workbook.exe
4824	workbook.exe
4296	workbook.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exeworkbook.exe

description	pid	Process	procid_target
PID 2360 set thread context of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 3340 set thread context of 4296	3340	workbook.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exe5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exeworkbook.exepowershell.exepowershell.exeschtasks.exeschtasks.exeshutdown.exe5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exeschtasks.exeschtasks.exeworkbook.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	workbook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	workbook.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3892	schtasks.exe
932	schtasks.exe
2788	schtasks.exe
3168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeworkbook.exe

pid	Process
4104	powershell.exe
3128	powershell.exe
4104	powershell.exe
3128	powershell.exe
1020	powershell.exe
4812	powershell.exe
3340	workbook.exe
3340	workbook.exe
4812	powershell.exe
1020	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exe5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exepowershell.exepowershell.exeworkbook.exeworkbook.exeshutdown.exe

description	pid	Process
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	2920	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3340	workbook.exe
Token: SeDebugPrivilege	4296	workbook.exe
Token: SeShutdownPrivilege	3240	shutdown.exe
Token: SeRemoteShutdownPrivilege	3240	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

workbook.exeLogonUI.exe

pid	Process
4296	workbook.exe
4932	LogonUI.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exeworkbook.exeworkbook.exe

description	pid	Process	procid_target
PID 2360 wrote to memory of 4104	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	89
PID 2360 wrote to memory of 4104	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	89
PID 2360 wrote to memory of 4104	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	89
PID 2360 wrote to memory of 3128	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	91
PID 2360 wrote to memory of 3128	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	91
PID 2360 wrote to memory of 3128	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	91
PID 2360 wrote to memory of 3892	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	93
PID 2360 wrote to memory of 3892	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	93
PID 2360 wrote to memory of 3892	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	93
PID 2360 wrote to memory of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 2360 wrote to memory of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 2360 wrote to memory of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 2360 wrote to memory of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 2360 wrote to memory of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 2360 wrote to memory of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 2360 wrote to memory of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 2360 wrote to memory of 2920	2360	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	95
PID 2920 wrote to memory of 932	2920	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	96
PID 2920 wrote to memory of 932	2920	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	96
PID 2920 wrote to memory of 932	2920	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	96
PID 2920 wrote to memory of 3340	2920	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	98
PID 2920 wrote to memory of 3340	2920	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	98
PID 2920 wrote to memory of 3340	2920	5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe	98
PID 3340 wrote to memory of 4812	3340	workbook.exe	100
PID 3340 wrote to memory of 4812	3340	workbook.exe	100
PID 3340 wrote to memory of 4812	3340	workbook.exe	100
PID 3340 wrote to memory of 1020	3340	workbook.exe	102
PID 3340 wrote to memory of 1020	3340	workbook.exe	102
PID 3340 wrote to memory of 1020	3340	workbook.exe	102
PID 3340 wrote to memory of 2788	3340	workbook.exe	104
PID 3340 wrote to memory of 2788	3340	workbook.exe	104
PID 3340 wrote to memory of 2788	3340	workbook.exe	104
PID 3340 wrote to memory of 4824	3340	workbook.exe	106
PID 3340 wrote to memory of 4824	3340	workbook.exe	106
PID 3340 wrote to memory of 4824	3340	workbook.exe	106
PID 3340 wrote to memory of 4296	3340	workbook.exe	107
PID 3340 wrote to memory of 4296	3340	workbook.exe	107
PID 3340 wrote to memory of 4296	3340	workbook.exe	107
PID 3340 wrote to memory of 4296	3340	workbook.exe	107
PID 3340 wrote to memory of 4296	3340	workbook.exe	107
PID 3340 wrote to memory of 4296	3340	workbook.exe	107
PID 3340 wrote to memory of 4296	3340	workbook.exe	107
PID 3340 wrote to memory of 4296	3340	workbook.exe	107
PID 4296 wrote to memory of 3168	4296	workbook.exe	108
PID 4296 wrote to memory of 3168	4296	workbook.exe	108
PID 4296 wrote to memory of 3168	4296	workbook.exe	108
PID 4296 wrote to memory of 3240	4296	workbook.exe	111
PID 4296 wrote to memory of 3240	4296	workbook.exe	111
PID 4296 wrote to memory of 3240	4296	workbook.exe	111

C:\Users\Admin\AppData\Local\Temp\5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe
"C:\Users\Admin\AppData\Local\Temp\5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IoOrGePEOIrHFn.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IoOrGePEOIrHFn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE72.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe
  "C:\Users\Admin\AppData\Local\Temp\5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:932
- - C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IoOrGePEOIrHFn.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1020
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IoOrGePEOIrHFn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A12.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2788
  - - C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe"
      4⤵
      Executes dropped EXE
      PID:4824
  - - C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3168
    - - C:\Windows\SysWOW64\shutdown.exe
        
        "C:\Windows\System32\shutdown.exe" /s /t 0
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3945055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bb01861441fda033890d5e7b054e689d

SHA1
fc40b7162fd5505e51db296b19b5e87f4d1de77c

SHA256
eb0b9f7dc45c04f8faa4bb0006e799172dadecde76b897868f894b9a60319ad8

SHA512
8d0c1adda2e0d69bff69cf56c0dcc4a47570e2340621b7a52c17796046c21310966b32a3720cbbc999926eb5bedef783d7d704d8964f05b1e794f04f91a57f86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
62cf798aa589186273ef66d986dafe8f

SHA1
5e7bbcf5d9c67c6f8f58dc26534b36b8584f11c9

SHA256
3f03150d62bc7c7b92aad6bc31960b233d8cd46081b5b5fa4030e595ba12b81f

SHA512
21ed68eb505e2a0e7875646d542979a5388d4eaf036e57321d193fcc6fb7fde72088c353c1dfc0430ea77819bcc1bcaa27e6417743401cb187adff5e24e0bb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utuamb4c.o5f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE72.tmp

Filesize
1KB

MD5
d16f5892eeffa77e64ca4cbf741e7140

SHA1
9f22a14835c02709a9b6490c0368535023168f81

SHA256
6c8b867a986cc6a7e28c9ed9a8df8a457f92cb5f5d874f626c3e7afde9834d4c

SHA512
97295b3c17cd9458f8f5dd1f94c1436e49aed23af86997c7d538392947eae64e19c6841ac25d3c99c3fe8e4da09d467a5b30c40f58be9aee0182902c1c828edf

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\workbook.exe

Filesize
3.7MB

MD5
cd765738ca380479232b3742bec4681a

SHA1
72183452d01eabefa4a1dc4e4702df04aca6da4e

SHA256
5182c93d80ab847541599124d388613c23bfb193b7879f5395b421bba5c568f6

SHA512
047266f5d2f30661857c501c705a18128082551498351eee28600bfb051e276535e00abfa0dd30acbcdb01e9238958f06ca934abb094ee03666cae51475ed6f5

Download Submit
memory/1020-133-0x00000000714B0000-0x00000000714FC000-memory.dmp

Filesize
304KB

Download
memory/1020-148-0x0000000007C70000-0x0000000007C84000-memory.dmp

Filesize
80KB

Download
memory/2360-5-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/2360-10-0x0000000006FA0000-0x000000000703C000-memory.dmp

Filesize
624KB

Download
memory/2360-9-0x00000000066D0000-0x0000000006A38000-memory.dmp

Filesize
3.4MB

Download
memory/2360-8-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2360-7-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2360-6-0x0000000007D60000-0x0000000007D78000-memory.dmp

Filesize
96KB

Download
memory/2360-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2360-4-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2360-3-0x0000000007A00000-0x0000000007A92000-memory.dmp

Filesize
584KB

Download
memory/2360-50-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/2360-2-0x0000000007ED0000-0x0000000008474000-memory.dmp

Filesize
5.6MB

Download
memory/2360-1-0x00000000007A0000-0x0000000000B4C000-memory.dmp

Filesize
3.7MB

Download
memory/2920-48-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3128-88-0x0000000007720000-0x0000000007728000-memory.dmp

Filesize
32KB

Download
memory/3128-78-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/3128-24-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/3128-95-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/3128-19-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/3128-87-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/3128-86-0x0000000007640000-0x0000000007654000-memory.dmp

Filesize
80KB

Download
memory/3128-85-0x0000000007630000-0x000000000763E000-memory.dmp

Filesize
56KB

Download
memory/3128-63-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/3128-84-0x0000000007600000-0x0000000007611000-memory.dmp

Filesize
68KB

Download
memory/3128-45-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/3128-73-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/3128-83-0x0000000007680000-0x0000000007716000-memory.dmp

Filesize
600KB

Download
memory/3128-77-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/3128-76-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/4104-53-0x00000000702A0000-0x00000000702EC000-memory.dmp

Filesize
304KB

Download
memory/4104-31-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4104-52-0x0000000006D30000-0x0000000006D62000-memory.dmp

Filesize
200KB

Download
memory/4104-74-0x0000000006F70000-0x0000000007013000-memory.dmp

Filesize
652KB

Download
memory/4104-21-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/4104-25-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4104-46-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/4104-17-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/4104-20-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

Filesize
136KB

Download
memory/4104-47-0x0000000006140000-0x000000000618C000-memory.dmp

Filesize
304KB

Download
memory/4104-94-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4104-18-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4104-15-0x0000000004840000-0x0000000004876000-memory.dmp

Filesize
216KB

Download
memory/4104-16-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4104-22-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4296-147-0x0000000006B80000-0x0000000006C32000-memory.dmp

Filesize
712KB

Download
memory/4296-144-0x0000000006D70000-0x0000000007388000-memory.dmp

Filesize
6.1MB

Download
memory/4296-145-0x0000000006910000-0x0000000006960000-memory.dmp

Filesize
320KB

Download
memory/4296-152-0x0000000006B50000-0x0000000006B62000-memory.dmp

Filesize
72KB

Download
memory/4296-153-0x0000000007F50000-0x0000000007F8C000-memory.dmp

Filesize
240KB

Download
memory/4812-139-0x0000000007130000-0x00000000071D3000-memory.dmp

Filesize
652KB

Download
memory/4812-123-0x00000000714B0000-0x00000000714FC000-memory.dmp

Filesize
304KB

Download
memory/4812-146-0x00000000073F0000-0x0000000007401000-memory.dmp

Filesize
68KB

Download
memory/4812-122-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/4812-103-0x0000000005830000-0x0000000005B84000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads