quasar | cc4c02376c24053d287c965105bb92c236bbefea2dcff15cdf1c45b183246a8f

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

740d9f35b37dd1557744d0d1df0ae2a6
SHA1

fe55e2e2dc057298018a0ed7211096de0c014e0e
SHA256

cc4c02376c24053d287c965105bb92c236bbefea2dcff15cdf1c45b183246a8f
SHA512

8b7fb45bc4c44245f157225431aea64e8d600ee5441c3e8d0197d2ba366bf7ffc6c9a321323ba704b46f5f104d9f5d645c1f680223d38022605fbf182cf4e0cd
SSDEEP

49152:HvAG42pda6D+/PjlLOlg6yQipV3eRJ6/bR3LoGdtTHHB72eh2NT:HvD42pda6D+/PjlLOlZyQipV3eRJ6R

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

https://stable-notably-hound.ngrok-free.app:4782

Mutex

59d0faf1-ae3f-4d2f-9c0f-631501d0027c

Attributes

encryption_key
A5F0EE2DBE7A3009387617912AFB48C127E2B576
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2396-1-0x0000000000B20000-0x0000000000E44000-memory.dmp	family_quasar
behavioral1/memory/2820-13-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral1/memory/2036-23-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
behavioral1/memory/936-33-0x0000000000FA0000-0x00000000012C4000-memory.dmp	family_quasar
behavioral1/memory/2908-43-0x00000000001F0000-0x0000000000514000-memory.dmp	family_quasar
behavioral1/memory/2424-53-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/3024-63-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar
behavioral1/memory/1928-74-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral1/memory/2516-85-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/1032-105-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar
behavioral1/memory/684-133-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2768	PING.EXE
1268	PING.EXE
2176	PING.EXE
1600	PING.EXE
2236	PING.EXE
1916	PING.EXE
2692	PING.EXE
2356	PING.EXE
2356	PING.EXE
2888	PING.EXE
2072	PING.EXE
1252	PING.EXE
1916	PING.EXE
2644	PING.EXE
2056	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1268	PING.EXE
2644	PING.EXE
1252	PING.EXE
2888	PING.EXE
2236	PING.EXE
2356	PING.EXE
2768	PING.EXE
2692	PING.EXE
2176	PING.EXE
2356	PING.EXE
1916	PING.EXE
2072	PING.EXE
1916	PING.EXE
2056	PING.EXE
1600	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	Client-built.exe
Token: SeDebugPrivilege	2820	Client-built.exe
Token: SeDebugPrivilege	2036	Client-built.exe
Token: SeDebugPrivilege	936	Client-built.exe
Token: SeDebugPrivilege	2908	Client-built.exe
Token: SeDebugPrivilege	2424	Client-built.exe
Token: SeDebugPrivilege	3024	Client-built.exe
Token: SeDebugPrivilege	1928	Client-built.exe
Token: SeDebugPrivilege	2516	Client-built.exe
Token: SeDebugPrivilege	2956	Client-built.exe
Token: SeDebugPrivilege	1032	Client-built.exe
Token: SeDebugPrivilege	928	Client-built.exe
Token: SeDebugPrivilege	2944	Client-built.exe
Token: SeDebugPrivilege	684	Client-built.exe
Token: SeDebugPrivilege	1828	Client-built.exe
Token: SeDebugPrivilege	540	Client-built.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2396	Client-built.exe
2820	Client-built.exe
2036	Client-built.exe
936	Client-built.exe
2908	Client-built.exe
2424	Client-built.exe
3024	Client-built.exe
1928	Client-built.exe
2516	Client-built.exe
2956	Client-built.exe
1032	Client-built.exe
928	Client-built.exe
2944	Client-built.exe
684	Client-built.exe
1828	Client-built.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2396	Client-built.exe
2820	Client-built.exe
2036	Client-built.exe
936	Client-built.exe
2908	Client-built.exe
2424	Client-built.exe
3024	Client-built.exe
1928	Client-built.exe
2516	Client-built.exe
2956	Client-built.exe
1032	Client-built.exe
928	Client-built.exe
2944	Client-built.exe
684	Client-built.exe
1828	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2152	2396	Client-built.exe	30
PID 2396 wrote to memory of 2152	2396	Client-built.exe	30
PID 2396 wrote to memory of 2152	2396	Client-built.exe	30
PID 2152 wrote to memory of 2688	2152	cmd.exe	32
PID 2152 wrote to memory of 2688	2152	cmd.exe	32
PID 2152 wrote to memory of 2688	2152	cmd.exe	32
PID 2152 wrote to memory of 2356	2152	cmd.exe	33
PID 2152 wrote to memory of 2356	2152	cmd.exe	33
PID 2152 wrote to memory of 2356	2152	cmd.exe	33
PID 2152 wrote to memory of 2820	2152	cmd.exe	34
PID 2152 wrote to memory of 2820	2152	cmd.exe	34
PID 2152 wrote to memory of 2820	2152	cmd.exe	34
PID 2820 wrote to memory of 2780	2820	Client-built.exe	36
PID 2820 wrote to memory of 2780	2820	Client-built.exe	36
PID 2820 wrote to memory of 2780	2820	Client-built.exe	36
PID 2780 wrote to memory of 2860	2780	cmd.exe	38
PID 2780 wrote to memory of 2860	2780	cmd.exe	38
PID 2780 wrote to memory of 2860	2780	cmd.exe	38
PID 2780 wrote to memory of 2768	2780	cmd.exe	39
PID 2780 wrote to memory of 2768	2780	cmd.exe	39
PID 2780 wrote to memory of 2768	2780	cmd.exe	39
PID 2780 wrote to memory of 2036	2780	cmd.exe	40
PID 2780 wrote to memory of 2036	2780	cmd.exe	40
PID 2780 wrote to memory of 2036	2780	cmd.exe	40
PID 2036 wrote to memory of 1096	2036	Client-built.exe	41
PID 2036 wrote to memory of 1096	2036	Client-built.exe	41
PID 2036 wrote to memory of 1096	2036	Client-built.exe	41
PID 1096 wrote to memory of 676	1096	cmd.exe	43
PID 1096 wrote to memory of 676	1096	cmd.exe	43
PID 1096 wrote to memory of 676	1096	cmd.exe	43
PID 1096 wrote to memory of 2888	1096	cmd.exe	44
PID 1096 wrote to memory of 2888	1096	cmd.exe	44
PID 1096 wrote to memory of 2888	1096	cmd.exe	44
PID 1096 wrote to memory of 936	1096	cmd.exe	45
PID 1096 wrote to memory of 936	1096	cmd.exe	45
PID 1096 wrote to memory of 936	1096	cmd.exe	45
PID 936 wrote to memory of 2584	936	Client-built.exe	46
PID 936 wrote to memory of 2584	936	Client-built.exe	46
PID 936 wrote to memory of 2584	936	Client-built.exe	46
PID 2584 wrote to memory of 2496	2584	cmd.exe	48
PID 2584 wrote to memory of 2496	2584	cmd.exe	48
PID 2584 wrote to memory of 2496	2584	cmd.exe	48
PID 2584 wrote to memory of 1916	2584	cmd.exe	49
PID 2584 wrote to memory of 1916	2584	cmd.exe	49
PID 2584 wrote to memory of 1916	2584	cmd.exe	49
PID 2584 wrote to memory of 2908	2584	cmd.exe	50
PID 2584 wrote to memory of 2908	2584	cmd.exe	50
PID 2584 wrote to memory of 2908	2584	cmd.exe	50
PID 2908 wrote to memory of 2164	2908	Client-built.exe	51
PID 2908 wrote to memory of 2164	2908	Client-built.exe	51
PID 2908 wrote to memory of 2164	2908	Client-built.exe	51
PID 2164 wrote to memory of 2372	2164	cmd.exe	53
PID 2164 wrote to memory of 2372	2164	cmd.exe	53
PID 2164 wrote to memory of 2372	2164	cmd.exe	53
PID 2164 wrote to memory of 2692	2164	cmd.exe	54
PID 2164 wrote to memory of 2692	2164	cmd.exe	54
PID 2164 wrote to memory of 2692	2164	cmd.exe	54
PID 2164 wrote to memory of 2424	2164	cmd.exe	55
PID 2164 wrote to memory of 2424	2164	cmd.exe	55
PID 2164 wrote to memory of 2424	2164	cmd.exe	55
PID 2424 wrote to memory of 1360	2424	Client-built.exe	56
PID 2424 wrote to memory of 1360	2424	Client-built.exe	56
PID 2424 wrote to memory of 1360	2424	Client-built.exe	56
PID 1360 wrote to memory of 1744	1360	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoMa9DmTm3B6.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2688
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wzw3GbR7yXML.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2860
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yHHsAnJNROrm.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikhWwQ2LQjkr.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CLhdLNL0LKOW.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\v6FGjIJUq9wQ.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkdhjmPRLzGA.bat" "
        14⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iZ0KqRayek2z.bat" "
        16⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UY9GA1da7RGx.bat" "
        18⤵
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z3hREjFLixAG.bat" "
        20⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xlaoH1OVK396.bat" "
        22⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LjaMIV3xHlja.bat" "
        24⤵
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwRcpWWUZ6kf.bat" "
        26⤵
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:684
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ELNzxo9CvhJM.bat" "
        28⤵
        
        PID:1992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1828
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaPlhgpuqbvL.bat" "
        30⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwhpGF5bRjQt.bat" "
        32⤵
        
        PID:1580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AaPlhgpuqbvL.bat

Filesize
209B

MD5
54ffc58560d5f586ec673a4325f87da1

SHA1
9f678b76f9a3f7c4f2f4609e8de9c652392d1ad0

SHA256
bcdd1a43e138dab0bd7d8f8c18280fc02fe9333b3768ff70883ab6eb946ba658

SHA512
fe78fc497ac164f1f4e886817c8e9e7e6b680818466f8dada03c8f89d536df0194e46b8de9e53d3519f8216b8e00252d8b6e715029e656896fd6a95417b23835

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLhdLNL0LKOW.bat

Filesize
209B

MD5
0db6ad89c9c0eee4aa764f57f53f6fd7

SHA1
23646d3c241541d68cc4aebf1c6dddd8bf5bbc60

SHA256
635448011f434edfbb0adaf4eed08f6cc43fd03aee79eb7934c4526b5b1d87b2

SHA512
15ae50dd8eee517096c7303f4e432eb4f6bdde6adc0303f2632133c51993aacce01b5e9c676ff1df378bad271ca5f5f52c340dd09717f15365b22c0240587b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELNzxo9CvhJM.bat

Filesize
209B

MD5
5b86de574917506b24acf34e281569ae

SHA1
14d6149892db751e9964707280ad86b5eba34c25

SHA256
1c0c935b7680d2b3127d239d74999a3ccaf7116db4f2fe29c26ebd834dee6771

SHA512
214bd3515b72d76675c328ab76ebec694e5f6180cc7b02938c9550882ac70f1fc94a30dacd52db133a72f72f70c15efe8f2f367397305bc4533ac6453828b5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkdhjmPRLzGA.bat

Filesize
209B

MD5
c714a8b699a8b43e4cf8930fb520a0c7

SHA1
5316343fe412f47c68f81b5a502beba8636690e7

SHA256
0ad4a99d6297e6482d0544cb0edefb716dec352d4713ddf04f020b39e929106f

SHA512
e683c0fe4bd7bf608eacbd1e51ee43381dd1667d394cfb5f784fe80843d7e14b861997a183422a2851fb842396b933b7d9e3304dbd110f596231df38295eddb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LjaMIV3xHlja.bat

Filesize
209B

MD5
b06a28d58ae4bc7008de8c9f8a37d01c

SHA1
b17a8e98c9070b2653b820ded650bc70d4715150

SHA256
0eb3bf34a53bae48de626257e21641dad53f0fa6958812acb8e70ab52f080333

SHA512
991adc43755797658d092e6bd4da5881e1bde61f11244f623fbf620b1b503700dff7a8799acba3c6d4ce25183bece2f8245caa4bac99accc8d40806168dc0e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwRcpWWUZ6kf.bat

Filesize
209B

MD5
6a9a3faec7bbea005915bb35464c8fe0

SHA1
2411adfa9bcf01e139bf618a722914a927ee558d

SHA256
e5b95efca9efaf2d9c535f335c52c7c4c5ea0cb278cd04dc7da0ac24acbfadce

SHA512
1d21ac2333950baebfdba74126b6521b5b069160b2e11baae1fc14364952b578dec8d75c790fe2bc501088f6100079b0eb617d7cda936e41a6b8f2c630b2bb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\UY9GA1da7RGx.bat

Filesize
209B

MD5
545e9a989be6a51af038ce8ea398cac3

SHA1
80e0cda9366360c9ffcdabeaa400f45404fba1d3

SHA256
0e42b352b8597769503bc0d6f493a7f94db4b3ec592d2963b3cb8020d4a93207

SHA512
29d57de4207f30616dd1066e30d4b7461b522b91b0744f4f3a057c83b7cef4afaf30b65876d6a37f5988dcda8d7c1f46986e318eaf68ad9ab4076e2bde7c12d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wzw3GbR7yXML.bat

Filesize
209B

MD5
3c9d32199963c75853afaa93dbc87510

SHA1
41f34f5ab52395a6484503f98b63f98efe4b8597

SHA256
0fa714cf66d111ec1695862e43a6c8edcda31b299eabb931f08b273d7285cb99

SHA512
5bae3d056fc5e75e7f0e520395549fef23c2a6074b4181ced7678a70b30786f65a2afba35622ec41b1754ab466e51188542c6ce40309e12a20f4503ce4df29bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z3hREjFLixAG.bat

Filesize
209B

MD5
db3c4a3113dd6e8c04bbd4681423ff50

SHA1
d78b9ed5e1631c2a27c6764533e05acec4f35b7c

SHA256
9e071d1100697587a434721225cf456ac9ccdaec25ba52f6c06917c58680d37a

SHA512
479c96e7026410326b26919fd05ee1a69d5c2ca7c70b96ed4e11e36ef58bb305294f438bf5d3d988bd5277e110a72e153033d9eaa4bd03df18faa5c14dec2884

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwhpGF5bRjQt.bat

Filesize
209B

MD5
7f57900c1732ae9b6c970a860a64d60f

SHA1
428ff9932a41326616d6be43e8f69e6446a50035

SHA256
16f043f28344b05818b796577cacd06a0b4013aaa36cae0741a1ab5292e5af01

SHA512
e6c34bbebfd8934406ec5c50401b81fba1080b3d98cb7b3494270bf2723a4937074aadd8176acd356b6dbeca4f4507bf255b1427dddb63f2114106bf653d227f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoMa9DmTm3B6.bat

Filesize
209B

MD5
fd2967bad0b28161de9e71461a400b56

SHA1
92d04cd702144beb153798267409b6d23d496ba3

SHA256
db18e7157205f996ded19e608939ccbfc75715aa6f4c8e1789ec477fe0b4ed37

SHA512
c9d39a175095f2d7079120b6ebe8ab5722f677ebc50944b9adcf1ee45833292987d6e5a26ae688da971d757567b5e352edb35ac4c2e0d23945f8c1523fb85ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iZ0KqRayek2z.bat

Filesize
209B

MD5
bef6d68d73d70da221f2401873d01f2b

SHA1
a7272963287ecd5771f89fe4daac23f8db735519

SHA256
1a55591717f4b47ba2f4aa04656dbb6c029acdb5d27cd1d4041bfb3c7412ca0a

SHA512
12d62599655fb2549f58eae39b1489630ccefe97466a25327d68fd81482708c5053326f1ceeb54fffb14a0bc3ef71c1b5cc394eff55e84183ae0d079609b554f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikhWwQ2LQjkr.bat

Filesize
209B

MD5
0b00f844bb02606736540f5d5bd32df4

SHA1
8debbc909db2480618285919f69043c7535949af

SHA256
741af8686b3cfa828838300273c9234e82c7267ea9eadca6c2f222f8dab8c475

SHA512
3551368521376e8780100a46490514480429d3fc848656a021d5d1245d000285a8790b148872b667429402755a77b3bd83e7d2815106230d36a31d32fbdb4328

Download Submit
C:\Users\Admin\AppData\Local\Temp\v6FGjIJUq9wQ.bat

Filesize
209B

MD5
46b49df049fec9657e24d7d51af11ee8

SHA1
4a94a68bea727ea154f2ebeaafc74ba7db2272c6

SHA256
e5846d83bbdf49073b44969a1df778aaba38d5dec11aef41507f80760c486298

SHA512
7c3d0af9482026576e670b8d1448c176f025988ef3ed8106273a887a0a13a200963a152e7bd519df50b4506eb5cee0516d56401f90157db5f314153a1dd4afd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlaoH1OVK396.bat

Filesize
209B

MD5
689370dc617f87d0a41c395d42711399

SHA1
846bfa3f66aa84f0f303b9d3450805334849b89a

SHA256
3532ba035db85371ae01e8da9825bec9d55b70bfdfca6548a67611dbc3e56d25

SHA512
5b936cc3a80939dc57b176f0598061ea7aed1066d04fa9583dd09041e68cd61dfe8ac4667c2014d2b14ce69aaf6f7d78ffe52545c023595ba697401a449cb788

Download Submit
C:\Users\Admin\AppData\Local\Temp\yHHsAnJNROrm.bat

Filesize
209B

MD5
212c8b2f3a788d8e4a5b63b880451420

SHA1
ea71ba1781e6630d3adc3c3b97aa270751e6d1e0

SHA256
262962bb4b822edbd155ddfef29d910081cc0d1d013d14ef86e475c937091ace

SHA512
c2b5a2fc898e80161f52522e287281d66efac98f22bcd05dc9feaeaea8772abca8f846b77c39da773ea4320bafc14c49e52e9c9db50a9326e38dfd2cbe04000a

Download Submit
memory/684-133-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/936-33-0x0000000000FA0000-0x00000000012C4000-memory.dmp

Filesize
3.1MB

Download
memory/1032-105-0x00000000010A0000-0x00000000013C4000-memory.dmp

Filesize
3.1MB

Download
memory/1928-74-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/2036-23-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/2396-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2396-11-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-1-0x0000000000B20000-0x0000000000E44000-memory.dmp

Filesize
3.1MB

Download
memory/2424-53-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/2516-85-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/2820-13-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/2908-43-0x00000000001F0000-0x0000000000514000-memory.dmp

Filesize
3.1MB

Download
memory/3024-63-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download