Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/12/2024, 02:43 UTC

General

  • Target

    534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe

  • Size

    3.1MB

  • MD5

    f67e6aafbd9c86771f11c05ae83ae83e

  • SHA1

    c9fe04c78139d000182d89f4dd013e647db64cc0

  • SHA256

    534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362

  • SHA512

    f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a

  • SSDEEP

    49152:avht62XlaSFNWPjljiFa2RoUYI+Y6a95fQrk/1LoGdpTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYI8aB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

interestingsigma.hopto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

  • encryption_key

    7A589EDBC6A581E125BF830EF0D05FC74BB75E30

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    ctfmon

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 7 IoCs
  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe
    "C:\Users\Admin\AppData\Local\Temp\534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2324
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2132
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZMVGIaFia3Se.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2772
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2792
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2716
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\fBPoWFC2AZMF.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2808
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1656
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1644
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:340
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2376
                  • C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\xy8FLLjUBS8v.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1784
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1032
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2008
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:2636
                        • C:\Windows\system32\schtasks.exe
                          "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2832
                        • C:\Windows\system32\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\NLX9llU4MN1S.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2216
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:2380
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2436
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:1860
                              • C:\Windows\system32\schtasks.exe
                                "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1756
                              • C:\Windows\system32\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOGyCsgQOWtr.bat" "
                                11⤵
                                  PID:2464
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:1636
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:2292
                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      PID:1340
                                      • C:\Windows\system32\schtasks.exe
                                        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                        13⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:596
                                      • C:\Windows\system32\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BJ0smnBRG94k.bat" "
                                        13⤵
                                          PID:540
                                          • C:\Windows\system32\chcp.com
                                            chcp 65001
                                            14⤵
                                              PID:908
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 10 localhost
                                              14⤵
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:2108
                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              PID:1672
                                              • C:\Windows\system32\schtasks.exe
                                                "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                15⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3052
                                              • C:\Windows\system32\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\dNAghzgkeKg3.bat" "
                                                15⤵
                                                  PID:2504
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    16⤵
                                                      PID:1920
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      16⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:1528
                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SendNotifyMessage
                                                      PID:2784
                                                      • C:\Windows\system32\schtasks.exe
                                                        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                        17⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2988
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgqBHvnt5TVv.bat" "
                                                        17⤵
                                                          PID:2656
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            18⤵
                                                              PID:2548
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              18⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:2716
                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              PID:2712
                                                              • C:\Windows\system32\schtasks.exe
                                                                "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                19⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:2952
                                                              • C:\Windows\system32\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\0wBQfxon0RJB.bat" "
                                                                19⤵
                                                                  PID:2096
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    20⤵
                                                                      PID:2968
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      20⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:2364
                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of FindShellTrayWindow
                                                                      • Suspicious use of SendNotifyMessage
                                                                      PID:1728
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                        21⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:1300
                                                                      • C:\Windows\system32\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yc3DeZgTkv5q.bat" "
                                                                        21⤵
                                                                          PID:864
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:1708
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:2864
                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              • Suspicious use of SendNotifyMessage
                                                                              PID:380
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                23⤵
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2136
                                                                              • C:\Windows\system32\cmd.exe
                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\mhlXVpDfgSc5.bat" "
                                                                                23⤵
                                                                                  PID:1396
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp 65001
                                                                                    24⤵
                                                                                      PID:448
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      24⤵
                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                      • Runs ping.exe
                                                                                      PID:2040
                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                      • Suspicious use of SendNotifyMessage
                                                                                      PID:1868
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                        25⤵
                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                        PID:2644
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RxXEYZ6FpcS4.bat" "
                                                                                        25⤵
                                                                                          PID:1508
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            26⤵
                                                                                              PID:896
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              26⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:2192
                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of SendNotifyMessage
                                                                                              PID:3004
                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                27⤵
                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                PID:2240
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\l1OA1kXJsK5i.bat" "
                                                                                                27⤵
                                                                                                  PID:1720
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    28⤵
                                                                                                      PID:1976
                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                      ping -n 10 localhost
                                                                                                      28⤵
                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                      • Runs ping.exe
                                                                                                      PID:2196
                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                      28⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                      PID:1920
                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                        29⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1052
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0jzN8qwcyliS.bat" "
                                                                                                        29⤵
                                                                                                          PID:1740
                                                                                                          • C:\Windows\system32\chcp.com
                                                                                                            chcp 65001
                                                                                                            30⤵
                                                                                                              PID:1932
                                                                                                            • C:\Windows\system32\PING.EXE
                                                                                                              ping -n 10 localhost
                                                                                                              30⤵
                                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                              • Runs ping.exe
                                                                                                              PID:1804
                                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                              30⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                              PID:2860
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                31⤵
                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                PID:2660
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\PzbMIYlNwxfs.bat" "
                                                                                                                31⤵
                                                                                                                  PID:2740
                                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                                    chcp 65001
                                                                                                                    32⤵
                                                                                                                      PID:2760
                                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                                      ping -n 10 localhost
                                                                                                                      32⤵
                                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                      • Runs ping.exe
                                                                                                                      PID:2552

                                                      Network

                                                      • flag-us
                                                        DNS
                                                        interestingsigma.hopto.org
                                                        Client.exe
                                                        Remote address:
                                                        8.8.8.8:53
                                                        Request
                                                        interestingsigma.hopto.org
                                                        IN A
                                                        Response
                                                        interestingsigma.hopto.org
                                                        IN A
                                                        0.0.0.0
                                                      • 8.8.8.8:53
                                                        interestingsigma.hopto.org
                                                        dns
                                                        Client.exe
                                                        72 B
                                                        88 B
                                                        1
                                                        1

                                                        DNS Request

                                                        interestingsigma.hopto.org

                                                        DNS Response

                                                        0.0.0.0

                                                      MITRE ATT&CK Enterprise v15

                                                      Downloads

                                                      • C:\Users\Admin\AppData\Local\Temp\0jzN8qwcyliS.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\0wBQfxon0RJB.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\BJ0smnBRG94k.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\NLX9llU4MN1S.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\PzbMIYlNwxfs.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\RxXEYZ6FpcS4.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\WOGyCsgQOWtr.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\Yc3DeZgTkv5q.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\ZMVGIaFia3Se.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\dNAghzgkeKg3.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\fBPoWFC2AZMF.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\l1OA1kXJsK5i.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\mhlXVpDfgSc5.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\xy8FLLjUBS8v.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Local\Temp\zgqBHvnt5TVv.bat

                                                        Filesize

                                                        207B

                                                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

                                                        Filesize

                                                        3.1MB

                                                      • memory/1868-124-0x0000000000160000-0x0000000000484000-memory.dmp

                                                        Filesize

                                                        3.1MB

                                                      • memory/1920-146-0x0000000000140000-0x0000000000464000-memory.dmp

                                                        Filesize

                                                        3.1MB

                                                      • memory/2520-21-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

                                                        Filesize

                                                        9.9MB

                                                      • memory/2520-11-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

                                                        Filesize

                                                        9.9MB

                                                      • memory/2520-9-0x00000000013D0000-0x00000000016F4000-memory.dmp

                                                        Filesize

                                                        3.1MB

                                                      • memory/2520-8-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

                                                        Filesize

                                                        9.9MB

                                                      • memory/2860-157-0x0000000000F90000-0x00000000012B4000-memory.dmp

                                                        Filesize

                                                        3.1MB

                                                      • memory/2980-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

                                                        Filesize

                                                        4KB

                                                      • memory/2980-10-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

                                                        Filesize

                                                        9.9MB

                                                      • memory/2980-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

                                                        Filesize

                                                        9.9MB

                                                      • memory/2980-1-0x0000000001350000-0x0000000001674000-memory.dmp

                                                        Filesize

                                                        3.1MB

                                                      • memory/3004-135-0x0000000000F00000-0x0000000001224000-memory.dmp

                                                        Filesize

                                                        3.1MB
