quasar | 5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95

Analysis

max time kernel
112s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Size

3.1MB
MD5

3d5f1d38a92807e7de7d98838e05c7e8
SHA1

38382972e6317a6e7010a8d48041e0960188fc48
SHA256

5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95
SHA512

35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NTk:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cY7

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2484-1-0x0000000001160000-0x0000000001484000-memory.dmp	family_quasar
behavioral1/files/0x000d000000016fc9-6.dat	family_quasar
behavioral1/memory/2628-9-0x0000000001240000-0x0000000001564000-memory.dmp	family_quasar
behavioral1/memory/1856-23-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/2720-34-0x0000000000AE0000-0x0000000000E04000-memory.dmp	family_quasar
behavioral1/memory/620-45-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar
behavioral1/memory/2504-56-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/2844-77-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar
behavioral1/memory/2124-98-0x0000000000D80000-0x00000000010A4000-memory.dmp	family_quasar
behavioral1/memory/1160-109-0x0000000001320000-0x0000000001644000-memory.dmp	family_quasar

Executes dropped EXE 10 IoCs

pid	Process
2628	Client.exe
1856	Client.exe
2720	Client.exe
620	Client.exe
2504	Client.exe
2552	Client.exe
2844	Client.exe
2416	Client.exe
2124	Client.exe
1160	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1600	PING.EXE
3068	PING.EXE
2216	PING.EXE
564	PING.EXE
2164	PING.EXE
2188	PING.EXE
768	PING.EXE
2740	PING.EXE
2304	PING.EXE
2888	PING.EXE

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
2188	PING.EXE
1600	PING.EXE
3068	PING.EXE
2216	PING.EXE
2164	PING.EXE
2888	PING.EXE
2740	PING.EXE
2304	PING.EXE
564	PING.EXE
768	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe
2800	schtasks.exe
2340	schtasks.exe
752	schtasks.exe
2220	schtasks.exe
2776	schtasks.exe
2680	schtasks.exe
2276	schtasks.exe
1696	schtasks.exe
2444	schtasks.exe
972	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
Token: SeDebugPrivilege	2628	Client.exe
Token: SeDebugPrivilege	1856	Client.exe
Token: SeDebugPrivilege	2720	Client.exe
Token: SeDebugPrivilege	620	Client.exe
Token: SeDebugPrivilege	2504	Client.exe
Token: SeDebugPrivilege	2552	Client.exe
Token: SeDebugPrivilege	2844	Client.exe
Token: SeDebugPrivilege	2416	Client.exe
Token: SeDebugPrivilege	2124	Client.exe
Token: SeDebugPrivilege	1160	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2896	2484	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	30
PID 2484 wrote to memory of 2896	2484	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	30
PID 2484 wrote to memory of 2896	2484	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	30
PID 2484 wrote to memory of 2628	2484	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	32
PID 2484 wrote to memory of 2628	2484	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	32
PID 2484 wrote to memory of 2628	2484	5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe	32
PID 2628 wrote to memory of 2800	2628	Client.exe	33
PID 2628 wrote to memory of 2800	2628	Client.exe	33
PID 2628 wrote to memory of 2800	2628	Client.exe	33
PID 2628 wrote to memory of 2696	2628	Client.exe	35
PID 2628 wrote to memory of 2696	2628	Client.exe	35
PID 2628 wrote to memory of 2696	2628	Client.exe	35
PID 2696 wrote to memory of 2072	2696	cmd.exe	37
PID 2696 wrote to memory of 2072	2696	cmd.exe	37
PID 2696 wrote to memory of 2072	2696	cmd.exe	37
PID 2696 wrote to memory of 2888	2696	cmd.exe	38
PID 2696 wrote to memory of 2888	2696	cmd.exe	38
PID 2696 wrote to memory of 2888	2696	cmd.exe	38
PID 2696 wrote to memory of 1856	2696	cmd.exe	39
PID 2696 wrote to memory of 1856	2696	cmd.exe	39
PID 2696 wrote to memory of 1856	2696	cmd.exe	39
PID 1856 wrote to memory of 2276	1856	Client.exe	40
PID 1856 wrote to memory of 2276	1856	Client.exe	40
PID 1856 wrote to memory of 2276	1856	Client.exe	40
PID 1856 wrote to memory of 2500	1856	Client.exe	42
PID 1856 wrote to memory of 2500	1856	Client.exe	42
PID 1856 wrote to memory of 2500	1856	Client.exe	42
PID 2500 wrote to memory of 1708	2500	cmd.exe	44
PID 2500 wrote to memory of 1708	2500	cmd.exe	44
PID 2500 wrote to memory of 1708	2500	cmd.exe	44
PID 2500 wrote to memory of 2188	2500	cmd.exe	45
PID 2500 wrote to memory of 2188	2500	cmd.exe	45
PID 2500 wrote to memory of 2188	2500	cmd.exe	45
PID 2500 wrote to memory of 2720	2500	cmd.exe	46
PID 2500 wrote to memory of 2720	2500	cmd.exe	46
PID 2500 wrote to memory of 2720	2500	cmd.exe	46
PID 2720 wrote to memory of 1696	2720	Client.exe	47
PID 2720 wrote to memory of 1696	2720	Client.exe	47
PID 2720 wrote to memory of 1696	2720	Client.exe	47
PID 2720 wrote to memory of 572	2720	Client.exe	49
PID 2720 wrote to memory of 572	2720	Client.exe	49
PID 2720 wrote to memory of 572	2720	Client.exe	49
PID 572 wrote to memory of 1048	572	cmd.exe	51
PID 572 wrote to memory of 1048	572	cmd.exe	51
PID 572 wrote to memory of 1048	572	cmd.exe	51
PID 572 wrote to memory of 1600	572	cmd.exe	52
PID 572 wrote to memory of 1600	572	cmd.exe	52
PID 572 wrote to memory of 1600	572	cmd.exe	52
PID 572 wrote to memory of 620	572	cmd.exe	53
PID 572 wrote to memory of 620	572	cmd.exe	53
PID 572 wrote to memory of 620	572	cmd.exe	53
PID 620 wrote to memory of 2444	620	Client.exe	54
PID 620 wrote to memory of 2444	620	Client.exe	54
PID 620 wrote to memory of 2444	620	Client.exe	54
PID 620 wrote to memory of 2556	620	Client.exe	56
PID 620 wrote to memory of 2556	620	Client.exe	56
PID 620 wrote to memory of 2556	620	Client.exe	56
PID 2556 wrote to memory of 2560	2556	cmd.exe	58
PID 2556 wrote to memory of 2560	2556	cmd.exe	58
PID 2556 wrote to memory of 2560	2556	cmd.exe	58
PID 2556 wrote to memory of 768	2556	cmd.exe	59
PID 2556 wrote to memory of 768	2556	cmd.exe	59
PID 2556 wrote to memory of 768	2556	cmd.exe	59
PID 2556 wrote to memory of 2504	2556	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe
"C:\Users\Admin\AppData\Local\Temp\5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2896
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2800
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1F00fZZRnqwo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2072
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2888
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2276
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iSrD4QbvyXAJ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1708
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSYvQVxMFm0v.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwQpGsU2dDOE.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iyv48FxfKsWw.bat" "
        11⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQdvoa0RfsNk.bat" "
        13⤵
        
        PID:1020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pfAwEwgzwUBU.bat" "
        15⤵
        
        PID:1784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YKFNkXIHVNRF.bat" "
        17⤵
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0yxaJpRSGb4j.bat" "
        19⤵
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:752
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qRK56npENPm5.bat" "
        21⤵
        
        PID:2576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2128
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0yxaJpRSGb4j.bat

Filesize
207B

MD5
300e9215cdd63c946cb29adb4351d827

SHA1
247674907e7c1970c07ed6fcc6d7077313e235ce

SHA256
5f635b530bb57de0452cb0b413105db3e504ddb36f371b9a84fb8b6fc210bf13

SHA512
e848120dd32f80f5603f609e36d51f1d752208c46b2e99873ee56ba4e87f60ab1b2b90eca23ec79c6a6f32b8a2c764fe48ec6cc1a2301b1fa838f4044d4c85d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F00fZZRnqwo.bat

Filesize
207B

MD5
2d57df7554e70d7e1dd039a0d685687d

SHA1
7ec191176712e98dcde97022543fad3d602e7447

SHA256
852ebbb897affce9e11a932ed6e471ab196272405625cd9e0216b46cc8ba90c1

SHA512
270ce955f1a4b9d828ed32d5b392f6f5aaa127241cdac23474b8edf5b95675f47b5501cec0c20c11e7d78e7e20ab9645eb4ea9a6ab72b62d94969f7a506a88bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKFNkXIHVNRF.bat

Filesize
207B

MD5
9a8d58a70f79d1ec39cdf9b3b70629a4

SHA1
1de717b1b1c32ca2ef7be38820cef6de494b9c62

SHA256
8d4ddaa60c96432c4a3aa59403fae4f77d43f3e5eb416e5631365aca1da3571f

SHA512
9a5122a2fb136d58a02b4f79eb1ee8e38f7b1809605f90b2c8fefc5c2dbf33cb84fee526760782621cc2aecc2395f95cd059721ffd0c610878ad1ba66c65a044

Download Submit
C:\Users\Admin\AppData\Local\Temp\iSrD4QbvyXAJ.bat

Filesize
207B

MD5
f77fb5c0703a39b04f139d43f5f7fdcc

SHA1
b708586e0653099ea17e37301f9b62d7311906f3

SHA256
ea99da17e90cbf39293a74d604daef0f287d6c72e9c084b3abb3673b91978235

SHA512
acc0f23b28a736632339f105b9e34210555453a9c465e61c2612b855e2e1366f3f31e8329291ba56cc2f5964700107dcdc639510a2846603b7c87d5e4207662e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyv48FxfKsWw.bat

Filesize
207B

MD5
31f86f78ccc8ed4fd267f701f28819bd

SHA1
3ff1b675729389ae92079abf7fab558c76285a23

SHA256
dad74ed817178e3dd6df11581dc6d74cd763dec5bcdc682a033f103e20842e40

SHA512
657e2d295d821496792f86a7ee8a17893db776bf12a90e42dbbd2403b0401a3e6bfae11959eed56aa1765a51c5f2bad6c9ba2e327169f2a9ee85fc6fdb672b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQdvoa0RfsNk.bat

Filesize
207B

MD5
f7847f4028daf46c99aa555f244cca08

SHA1
22eab382eb7e63cad1ccf0d6d664d3ba044d381f

SHA256
38a44c9f5738a5d75996bdac470a2482dd97d0891e5f22a824542be679280bc5

SHA512
bd0c7f9a8f129022dd8dfd3063085d2e31ad7f42f1c998450b26ce05892b94a28286bcf69becd1139abd39d735ec45c7a9af5138fc290fa683a7b3e15dc39d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfAwEwgzwUBU.bat

Filesize
207B

MD5
8302d3c62e0afefceb73e73efcae4237

SHA1
a28b4732c428f107dd9b53b44a9e14939f28b371

SHA256
38e8680dfe638014b93e2a9e4ba12f5c8e8b67d9febcdffa67c8fd15a6098198

SHA512
a0ad21251bf26d081d780861d7dde70aa70e55d8d151f77f005d5d9ade9502a66bbac7af9a609c0b0b1b7b0ad14ad9240cff11965fab413a838414c624e7b270

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRK56npENPm5.bat

Filesize
207B

MD5
56849ac179a64ae650befd8fc215641f

SHA1
afc43c546df9042c13e9cdd67520b2efbb5fc615

SHA256
488e28cd2d136e2141b33a4f38e5de639b1a6701516cf7200c40285cecffd27b

SHA512
63e809267d987d3b766529aa8162498e839ae7b3abc16d2bb1f40fdd565fc7e37f053d53622f2085c8c976255640c521f9625d09f06f3e3651a2d2eb6e68fc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSYvQVxMFm0v.bat

Filesize
207B

MD5
60265aba633366dd95c5a48cda579b15

SHA1
ea4746fb498b6ad7b83f5a682a7c2f14a753673d

SHA256
4b5c34e49ade9ee5a2a5b4513bf26a28db4bffa490c8833d443b0c8f81dd4d1e

SHA512
a52b6b261056718c624d6f3ac29ad95f7771f72362b980fda265f1e97686bd9db22ee7611d7f7fe442f5adc3cf5d7f7896fb6b2790b36f7295dfb0cbf0e37851

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwQpGsU2dDOE.bat

Filesize
207B

MD5
1707156e8d88094389e95a0afcb74f75

SHA1
0dfd664b0e1c7eac8796b0cac66db20d95616264

SHA256
28cfd42b9d417ea7219adb77d9703ea5578aabcbd83913046737a12ab50d593d

SHA512
c5917f6d3e840f0ac0c29d678858363f78a9da3546b64060c1eb094eafe81e3e2109e3e0ab2bd3a15bfb682f9b0f3e702b168749d8ab9cc7a3fa424ebac4d412

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
3d5f1d38a92807e7de7d98838e05c7e8

SHA1
38382972e6317a6e7010a8d48041e0960188fc48

SHA256
5ab24c4a8d7dfdae95475a5252b0fc94561bbf18af68a84a81662050af2c6c95

SHA512
35266e8c23536a0328e775ef879aac5683688994ada6eb9f91d4cdffdae71ff3a687bcb43deaf792c93b4735be2334b1fa6629a5f500645815cb32273dccaac0

Download Submit
memory/620-45-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/1160-109-0x0000000001320000-0x0000000001644000-memory.dmp

Filesize
3.1MB

Download
memory/1856-23-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/2124-98-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download
memory/2484-10-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2484-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-1-0x0000000001160000-0x0000000001484000-memory.dmp

Filesize
3.1MB

Download
memory/2504-56-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/2628-21-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-11-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-9-0x0000000001240000-0x0000000001564000-memory.dmp

Filesize
3.1MB

Download
memory/2628-8-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-34-0x0000000000AE0000-0x0000000000E04000-memory.dmp

Filesize
3.1MB

Download
memory/2844-77-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads