quasar | 533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svhoste.exe
Size

502KB
MD5

a9c9735f6e34482c1cdd09e347a98787
SHA1

6214e43cdc3fd17978955abf9c01a8d8c3ea791e
SHA256

533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc
SHA512

084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50
SSDEEP

6144:sTEgdc0YeX1uRabMR0FdOWbYZTR9UbGzcEKVb8F9ywLlqlHcTR3t:sTEgdfYzRa9uza6FL4lHcdt

Score

10^/10

quasar target discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Target

127.0.0.1:6070

affasdqa.ddns.net:6070

haffasdqa.duckdns.org:6070

Mutex

670d21b7-71ed-4958-9ba7-a58fa54d8203

Attributes

encryption_key
25B2622CE0635F9A273AB61B1B7D7B94220AC509
install_name
svhoste.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhoste
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1200-1-0x0000000000790000-0x0000000000814000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b66-4.dat	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svhoste.exe

Executes dropped EXE 10 IoCs

pid	Process
4084	svhoste.exe
4856	svhoste.exe
2172	svhoste.exe
512	svhoste.exe
3796	svhoste.exe
2708	svhoste.exe
4240	svhoste.exe
2000	svhoste.exe
3236	svhoste.exe
4880	svhoste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
764	PING.EXE
2404	PING.EXE
1540	PING.EXE
4516	PING.EXE
1128	PING.EXE
4868	PING.EXE
4900	PING.EXE
5028	PING.EXE
1904	PING.EXE

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
4868	PING.EXE
4900	PING.EXE
5028	PING.EXE
1540	PING.EXE
4516	PING.EXE
1128	PING.EXE
764	PING.EXE
1904	PING.EXE
2404	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4792	schtasks.exe
3144	schtasks.exe
2636	schtasks.exe
928	schtasks.exe
1356	schtasks.exe
4996	schtasks.exe
3292	schtasks.exe
4624	schtasks.exe
5080	schtasks.exe
744	schtasks.exe
2304	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	svhoste.exe
Token: SeDebugPrivilege	4084	svhoste.exe
Token: SeDebugPrivilege	4856	svhoste.exe
Token: SeDebugPrivilege	2172	svhoste.exe
Token: SeDebugPrivilege	512	svhoste.exe
Token: SeDebugPrivilege	3796	svhoste.exe
Token: SeDebugPrivilege	2708	svhoste.exe
Token: SeDebugPrivilege	4240	svhoste.exe
Token: SeDebugPrivilege	2000	svhoste.exe
Token: SeDebugPrivilege	3236	svhoste.exe
Token: SeDebugPrivilege	4880	svhoste.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4084	svhoste.exe
4856	svhoste.exe
2172	svhoste.exe
512	svhoste.exe
3796	svhoste.exe
2708	svhoste.exe
4240	svhoste.exe
2000	svhoste.exe
3236	svhoste.exe
4880	svhoste.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 5080	1200	svhoste.exe	83
PID 1200 wrote to memory of 5080	1200	svhoste.exe	83
PID 1200 wrote to memory of 4084	1200	svhoste.exe	85
PID 1200 wrote to memory of 4084	1200	svhoste.exe	85
PID 4084 wrote to memory of 2636	4084	svhoste.exe	86
PID 4084 wrote to memory of 2636	4084	svhoste.exe	86
PID 4084 wrote to memory of 3060	4084	svhoste.exe	90
PID 4084 wrote to memory of 3060	4084	svhoste.exe	90
PID 3060 wrote to memory of 1820	3060	cmd.exe	92
PID 3060 wrote to memory of 1820	3060	cmd.exe	92
PID 3060 wrote to memory of 764	3060	cmd.exe	93
PID 3060 wrote to memory of 764	3060	cmd.exe	93
PID 3060 wrote to memory of 4856	3060	cmd.exe	107
PID 3060 wrote to memory of 4856	3060	cmd.exe	107
PID 4856 wrote to memory of 744	4856	svhoste.exe	108
PID 4856 wrote to memory of 744	4856	svhoste.exe	108
PID 4856 wrote to memory of 2328	4856	svhoste.exe	111
PID 4856 wrote to memory of 2328	4856	svhoste.exe	111
PID 2328 wrote to memory of 1524	2328	cmd.exe	113
PID 2328 wrote to memory of 1524	2328	cmd.exe	113
PID 2328 wrote to memory of 4868	2328	cmd.exe	114
PID 2328 wrote to memory of 4868	2328	cmd.exe	114
PID 2328 wrote to memory of 2172	2328	cmd.exe	118
PID 2328 wrote to memory of 2172	2328	cmd.exe	118
PID 2172 wrote to memory of 928	2172	svhoste.exe	119
PID 2172 wrote to memory of 928	2172	svhoste.exe	119
PID 2172 wrote to memory of 2024	2172	svhoste.exe	123
PID 2172 wrote to memory of 2024	2172	svhoste.exe	123
PID 2024 wrote to memory of 4972	2024	cmd.exe	125
PID 2024 wrote to memory of 4972	2024	cmd.exe	125
PID 2024 wrote to memory of 2404	2024	cmd.exe	126
PID 2024 wrote to memory of 2404	2024	cmd.exe	126
PID 2024 wrote to memory of 512	2024	cmd.exe	128
PID 2024 wrote to memory of 512	2024	cmd.exe	128
PID 512 wrote to memory of 1356	512	svhoste.exe	129
PID 512 wrote to memory of 1356	512	svhoste.exe	129
PID 512 wrote to memory of 2096	512	svhoste.exe	132
PID 512 wrote to memory of 2096	512	svhoste.exe	132
PID 2096 wrote to memory of 1820	2096	cmd.exe	134
PID 2096 wrote to memory of 1820	2096	cmd.exe	134
PID 2096 wrote to memory of 4900	2096	cmd.exe	135
PID 2096 wrote to memory of 4900	2096	cmd.exe	135
PID 2096 wrote to memory of 3796	2096	cmd.exe	137
PID 2096 wrote to memory of 3796	2096	cmd.exe	137
PID 3796 wrote to memory of 2304	3796	svhoste.exe	138
PID 3796 wrote to memory of 2304	3796	svhoste.exe	138
PID 3796 wrote to memory of 3628	3796	svhoste.exe	141
PID 3796 wrote to memory of 3628	3796	svhoste.exe	141
PID 3628 wrote to memory of 3060	3628	cmd.exe	143
PID 3628 wrote to memory of 3060	3628	cmd.exe	143
PID 3628 wrote to memory of 5028	3628	cmd.exe	144
PID 3628 wrote to memory of 5028	3628	cmd.exe	144
PID 3628 wrote to memory of 2708	3628	cmd.exe	146
PID 3628 wrote to memory of 2708	3628	cmd.exe	146
PID 2708 wrote to memory of 4792	2708	svhoste.exe	147
PID 2708 wrote to memory of 4792	2708	svhoste.exe	147
PID 2708 wrote to memory of 3264	2708	svhoste.exe	150
PID 2708 wrote to memory of 3264	2708	svhoste.exe	150
PID 3264 wrote to memory of 4848	3264	cmd.exe	152
PID 3264 wrote to memory of 4848	3264	cmd.exe	152
PID 3264 wrote to memory of 1904	3264	cmd.exe	153
PID 3264 wrote to memory of 1904	3264	cmd.exe	153
PID 3264 wrote to memory of 4240	3264	cmd.exe	155
PID 3264 wrote to memory of 4240	3264	cmd.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\svhoste.exe
"C:\Users\Admin\AppData\Local\Temp\svhoste.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svhoste.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5080
- C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RhOCp7URn1s3.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1820
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:764
  - - C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KRJTgrOTZQ8K.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1524
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4868
      - C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scxuvfLNuNKc.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\87CezyJlDFiz.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8L24m2NpyTnk.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5028
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kw8LtyjHnlog.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PHQ0LlIpuBL7.bat" "
        15⤵
        
        PID:3116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pLYRdYlYNUGz.bat" "
        17⤵
        
        PID:4196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4516
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3236
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZapsGT0UMIE.bat" "
        19⤵
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhoste.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\87CezyJlDFiz.bat

Filesize
208B

MD5
9818a20ce97ef08e7f021a765f58968e

SHA1
e8618499b92ee75a021292de58bb5160c345a034

SHA256
5a0d2ce2e81b18edf9df2ad6b4c048db18887b3ddb6e0042f892bed27affe9c9

SHA512
5fe4ae6f1d4eb1845c96d3e2db20082f4926c6e14f26dfa84ca0e8d4bdc50ee3286f9e262d87692fccd2d229cb02874a39409c0966e3b50a6cab1be9710fd115

Download Submit
C:\Users\Admin\AppData\Local\Temp\8L24m2NpyTnk.bat

Filesize
208B

MD5
56539e81b4d4c0d6a0516ebdef9b5d95

SHA1
e017a87b1442d6c768af06c85c3b44fd775013e4

SHA256
6c19d435066461e76b76d20e4bd3751c58b9461355d68ce2d39954c2f3e4788a

SHA512
b2e82c656a2701156de3f7831558a1e764090c391a5a4bd97bb0a9801c57733d398d9124d8578fb7f8cb15e0115333a4ecac6fd0c252a193c6fc3d929983428f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRJTgrOTZQ8K.bat

Filesize
208B

MD5
1aa728bf719346e8e4961d9885a9cfca

SHA1
a9b261a775459325fceae9e493e0764118d143bb

SHA256
04d195670577762d99f5855d0e896ee6965a530861389e41630932e69272a1a0

SHA512
d61f2b61e26db84dec85fbc7dd862d22292d3a9b16dc77c5b5c1ee95a7bf4719de3fe83049f86168d476402fe150eda1597b93a4b07d86c74542436ab3cc7d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHQ0LlIpuBL7.bat

Filesize
208B

MD5
217951ed91919213cf33ea27ccd2ca0e

SHA1
91c6c01a836701955ac2611b97b0241d554eb2d4

SHA256
29d180e734da753b8a250d18e519f3e6ff1fa2913468365722c759837f3f8d4e

SHA512
9eb8e8ef200dc4b0f868fcecf09ef98ead3ebe6f69b2d2cbbc83ebb291e41c05d3feb27c1c40a4c5dcdf9a60bfa842688053fff6ee8a51e9536b52c118da4dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RhOCp7URn1s3.bat

Filesize
208B

MD5
46233d18e3d758d52b0ac36d73965713

SHA1
0116c4da8b6b082e5b9eb36420ad223b10363651

SHA256
18e85aa9e8c4fb3f7a9f0d3b59b531a54d175ab9fef61e5e0f5e8dc27884c541

SHA512
882cccd4b645b975d36223a1ea72576a1387edc79f6cecb6c0332b3ae1cc39c5eeb3c74ae4131cfd5836b899de642ced90fc7eb037a8c61097e8838dd86e9584

Download Submit
C:\Users\Admin\AppData\Local\Temp\kw8LtyjHnlog.bat

Filesize
208B

MD5
fb4550795e7f16ff27ffacbf6d326760

SHA1
448ca741ff7de82306574112ce20cefb65731dae

SHA256
9fc683ace0f44b6007d7c2a857ff3bab3ac2e2cae5c4b3d93d08fc8f442d4261

SHA512
47a5616e59c37f58f1f74665b83123fda302ea44bd4ba7c7ee07a9277bf1b8fb5e38b828250db2b3b83e5b2aa3526f02ef5b289724e43532c847e7fd69bc2f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLYRdYlYNUGz.bat

Filesize
208B

MD5
ac54c6d312efa0e88ee2a4d5877a2e63

SHA1
eb8106fcbc5f7fd0eff5e47d841f0e3f922faf62

SHA256
064555983fb060b778fba67a0cf693d4f95829b35214e98ebf953ab0d517e525

SHA512
9701625b1a4a5d56ff977a6c2549128d03d7848be366ce2fdac0a2c93bf836804cad529ea7ebf95070f7f68a272488b212de57728fc19d6af0f92467c8557ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scxuvfLNuNKc.bat

Filesize
208B

MD5
e6e65e9ec0e8f4ae74be45b088a09a0a

SHA1
7d12bb9922ed8e2a31c5e3e29f8947973a7891e3

SHA256
e189d3979fe750b426cdfd999c1141cb3ad16bc94a45c1f558200a243d2da273

SHA512
5b07c79ed196d1e878825e0b009a1bb86f78adb9255b7029c41dcb71c3b5aae5a2f6d4881d4dd93e5c740bdb113d2c068ff50c437340d6bb7b8e196de0301379

Download Submit
C:\Users\Admin\AppData\Local\Temp\tZapsGT0UMIE.bat

Filesize
208B

MD5
e0be991ed2a8e1b35b5236be6621c889

SHA1
10ec1abe45cc0bcd6f98f6933685ebf2f6c1ed3c

SHA256
cd5f9f715496893fd05d582ec93d6183f77c8f901840e346f218cb816faff54a

SHA512
4bebc108244ea311469beeb63070210d5a03569ce9c138959ef2bb62a08af25aff6205116244e2f916fb3f55040788886cdd620f12c040fc5897e3756b7fa7e0

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe

Filesize
502KB

MD5
a9c9735f6e34482c1cdd09e347a98787

SHA1
6214e43cdc3fd17978955abf9c01a8d8c3ea791e

SHA256
533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

SHA512
084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50

Download Submit
memory/1200-9-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/1200-0-0x00007FFB1AC13000-0x00007FFB1AC15000-memory.dmp

Filesize
8KB

Download
memory/1200-2-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/1200-1-0x0000000000790000-0x0000000000814000-memory.dmp

Filesize
528KB

Download
memory/4084-17-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-12-0x000000001BB90000-0x000000001BC42000-memory.dmp

Filesize
712KB

Download
memory/4084-11-0x000000001B370000-0x000000001B3C0000-memory.dmp

Filesize
320KB

Download
memory/4084-10-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-8-0x00007FFB1AC10000-0x00007FFB1B6D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads