quasar | 4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exm Premium.exe
Size

3.5MB
MD5

1e0a2e8cc5ce58715fc43c44004f637c
SHA1

f85ba3c4bd766e12ac11840939f5773ecc2f90f3
SHA256

4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd
SHA512

75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859
SSDEEP

49152:Pv4t62XlaSFNWPjljiFa2RoUYIdZRJ65bR3LoGd6THHB72eh2NTH:PvU62XlaSFNWPjljiFXRoUYIdZRJ677

Score

10^/10

quasar nmw discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NMW

nm111-20223.portmap.host:20223

Mutex

0cf74134-5c38-42d6-bb49-4c83c1e37344

Attributes

encryption_key
F7F619EE7207F0CE79B19EAEA54D81315C5AE97B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Exm Tweaks
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2992-1-0x0000000000F80000-0x000000000130E000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c08-7.dat	family_quasar

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 10 IoCs

pid	Process
4708	Client.exe
3680	Client.exe
4564	Client.exe
2020	Client.exe
4740	Client.exe
1396	Client.exe
4248	Client.exe
3100	Client.exe
2312	Client.exe
1632	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
464	PING.EXE
4840	PING.EXE
808	PING.EXE
1700	PING.EXE
2436	PING.EXE
1876	PING.EXE
2108	PING.EXE
1688	PING.EXE
2492	PING.EXE
4076	PING.EXE

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
1688	PING.EXE
1700	PING.EXE
2492	PING.EXE
464	PING.EXE
4840	PING.EXE
2108	PING.EXE
808	PING.EXE
2436	PING.EXE
4076	PING.EXE
1876	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1848	schtasks.exe
2312	schtasks.exe
4780	schtasks.exe
3440	schtasks.exe
3112	schtasks.exe
4764	schtasks.exe
3528	schtasks.exe
4772	schtasks.exe
3620	schtasks.exe
3432	schtasks.exe
1564	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	Exm Premium.exe
Token: SeDebugPrivilege	4708	Client.exe
Token: SeDebugPrivilege	3680	Client.exe
Token: SeDebugPrivilege	4564	Client.exe
Token: SeDebugPrivilege	2020	Client.exe
Token: SeDebugPrivilege	4740	Client.exe
Token: SeDebugPrivilege	1396	Client.exe
Token: SeDebugPrivilege	4248	Client.exe
Token: SeDebugPrivilege	3100	Client.exe
Token: SeDebugPrivilege	2312	Client.exe
Token: SeDebugPrivilege	1632	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3620	2992	Exm Premium.exe	83
PID 2992 wrote to memory of 3620	2992	Exm Premium.exe	83
PID 2992 wrote to memory of 4708	2992	Exm Premium.exe	85
PID 2992 wrote to memory of 4708	2992	Exm Premium.exe	85
PID 4708 wrote to memory of 3432	4708	Client.exe	86
PID 4708 wrote to memory of 3432	4708	Client.exe	86
PID 4708 wrote to memory of 1536	4708	Client.exe	88
PID 4708 wrote to memory of 1536	4708	Client.exe	88
PID 1536 wrote to memory of 3616	1536	cmd.exe	90
PID 1536 wrote to memory of 3616	1536	cmd.exe	90
PID 1536 wrote to memory of 1700	1536	cmd.exe	91
PID 1536 wrote to memory of 1700	1536	cmd.exe	91
PID 1536 wrote to memory of 3680	1536	cmd.exe	101
PID 1536 wrote to memory of 3680	1536	cmd.exe	101
PID 3680 wrote to memory of 1564	3680	Client.exe	102
PID 3680 wrote to memory of 1564	3680	Client.exe	102
PID 3680 wrote to memory of 1916	3680	Client.exe	105
PID 3680 wrote to memory of 1916	3680	Client.exe	105
PID 1916 wrote to memory of 432	1916	cmd.exe	108
PID 1916 wrote to memory of 432	1916	cmd.exe	108
PID 1916 wrote to memory of 2492	1916	cmd.exe	109
PID 1916 wrote to memory of 2492	1916	cmd.exe	109
PID 1916 wrote to memory of 4564	1916	cmd.exe	114
PID 1916 wrote to memory of 4564	1916	cmd.exe	114
PID 4564 wrote to memory of 1848	4564	Client.exe	115
PID 4564 wrote to memory of 1848	4564	Client.exe	115
PID 4564 wrote to memory of 4276	4564	Client.exe	118
PID 4564 wrote to memory of 4276	4564	Client.exe	118
PID 4276 wrote to memory of 4584	4276	cmd.exe	120
PID 4276 wrote to memory of 4584	4276	cmd.exe	120
PID 4276 wrote to memory of 2436	4276	cmd.exe	121
PID 4276 wrote to memory of 2436	4276	cmd.exe	121
PID 4276 wrote to memory of 2020	4276	cmd.exe	126
PID 4276 wrote to memory of 2020	4276	cmd.exe	126
PID 2020 wrote to memory of 2312	2020	Client.exe	127
PID 2020 wrote to memory of 2312	2020	Client.exe	127
PID 2020 wrote to memory of 808	2020	Client.exe	130
PID 2020 wrote to memory of 808	2020	Client.exe	130
PID 808 wrote to memory of 444	808	cmd.exe	132
PID 808 wrote to memory of 444	808	cmd.exe	132
PID 808 wrote to memory of 464	808	cmd.exe	133
PID 808 wrote to memory of 464	808	cmd.exe	133
PID 808 wrote to memory of 4740	808	cmd.exe	134
PID 808 wrote to memory of 4740	808	cmd.exe	134
PID 4740 wrote to memory of 3440	4740	Client.exe	135
PID 4740 wrote to memory of 3440	4740	Client.exe	135
PID 4740 wrote to memory of 4792	4740	Client.exe	138
PID 4740 wrote to memory of 4792	4740	Client.exe	138
PID 4792 wrote to memory of 1536	4792	cmd.exe	140
PID 4792 wrote to memory of 1536	4792	cmd.exe	140
PID 4792 wrote to memory of 4076	4792	cmd.exe	141
PID 4792 wrote to memory of 4076	4792	cmd.exe	141
PID 4792 wrote to memory of 1396	4792	cmd.exe	143
PID 4792 wrote to memory of 1396	4792	cmd.exe	143
PID 1396 wrote to memory of 3112	1396	Client.exe	144
PID 1396 wrote to memory of 3112	1396	Client.exe	144
PID 1396 wrote to memory of 924	1396	Client.exe	147
PID 1396 wrote to memory of 924	1396	Client.exe	147
PID 924 wrote to memory of 220	924	cmd.exe	149
PID 924 wrote to memory of 220	924	cmd.exe	149
PID 924 wrote to memory of 4840	924	cmd.exe	150
PID 924 wrote to memory of 4840	924	cmd.exe	150
PID 924 wrote to memory of 4248	924	cmd.exe	152
PID 924 wrote to memory of 4248	924	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Exm Premium.exe
"C:\Users\Admin\AppData\Local\Temp\Exm Premium.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3620
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbIFeojdpR9e.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3616
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1700
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekZoyISD64bQ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:432
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2492
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5CKzl0i7KzGk.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqkFVpJGoLjg.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKSho4x12KK5.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x1TAFBqZ4H95.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GtvfxnR03aWu.bat" "
        15⤵
        
        PID:2676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GlB9I8a5okec.bat" "
        17⤵
        
        PID:1224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dnrkg3keZnKt.bat" "
        19⤵
        
        PID:4244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOhQzNosk2W1.bat" "
        21⤵
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CKzl0i7KzGk.bat

Filesize
207B

MD5
d16762ab910aca8bcbe533079ee12c03

SHA1
01df71a24023c093b994099d41505d683fe35d3c

SHA256
d4cfb97a72f70bc17119e6d48a20ae95afea7450c986d908496c334cfa369b5e

SHA512
46ca342cf8d56858833cdcd852365a8e0e14a10e531c5486e413cfe839b7c31e9fe47f87100eabbf4dd212d1e6f31f0a5963e38053cb34cc216e706e4bb74b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dnrkg3keZnKt.bat

Filesize
207B

MD5
bc89746d50c0442bbf7980a37dec355f

SHA1
9e690d6ce70fd23d1bca1384d96fb2b67315d060

SHA256
9368dad301dcf4f6e1607acc7ec2c5b44f24207eb44baac2f5975a9633dce814

SHA512
5bb2bc2114e7ea004e6eb16197c8f43cf66ed662dbfe14e97649936dfbd5678bcf83847a293aae2e6cdba2727588d0d237d1a0b2e54b38054f63aa31dc7e4c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GlB9I8a5okec.bat

Filesize
207B

MD5
9bb8a98e96f56c172cc25fb06e450ba4

SHA1
a71d4a60380264d0435fe4da26a6f37130e1e27d

SHA256
fba800e41b92c767cdb5f6f97c6226b52aafaec74967d131882ecbc5071367c9

SHA512
ca639a521945a3e4fd208987497e62a32e753f16c50a825178b3cb9065a07a93e2833cf2660b6ac17b4d5c24d1a979f0c49f2c9c1260c1a254ded8490fe5d3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GtvfxnR03aWu.bat

Filesize
207B

MD5
65593d4e5feb20a987ac553286ec7911

SHA1
55426fc5f3d0b084ee563ca14299b0942547a119

SHA256
ff8a57648231c04677a7d102884eff8441965d78e5383ba5c7a0b3303c4c6d02

SHA512
f00ed7e72a10429352aa61025b91e5d03612f3b57cda8280f4b991000cbcf7e00bf2864c63b7c308e1c392213323fc24b0efbe20efbf91d749405cb6b2bd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekZoyISD64bQ.bat

Filesize
207B

MD5
eeeab0c7e504a883f114cc0afc7b1a53

SHA1
c5b850103b0e4fabb78a11318a3cb98485d75b4f

SHA256
cd1d113cdde58dc74c665af18d052cb259ec1e7f4be695ea467c9d6912389be3

SHA512
7ac820f68b032036718c681fc2a4dc644a3caf2662b2bc9293f5b2aa8b1dc4d258f1f989a2b02392f60e26c0ea690dd817a8ee2e08b6615da89b4b713e40e8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKSho4x12KK5.bat

Filesize
207B

MD5
99ad9a212ffbe18f190ad3bc99536ab6

SHA1
408b6010bd7b9ac7ee3ac296a4c4e6cd808afaeb

SHA256
a6708162f0e7b190a2d5eb4aed877113478a2fb2e89d2d09c77c780352810070

SHA512
a40fc97d7f984b9f09ab46686ee6b5cc5f15180ad47111a0ac35005ac64f6f51cb247cb0535d09bc34d3686b0c04e179ab4d70b9b0367c5e63e4bdce371701ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\qOhQzNosk2W1.bat

Filesize
207B

MD5
47b06747bfd691a1df4f77f3493f5219

SHA1
653967920aa0ee292b47cf8bd2fec913c6d4aaee

SHA256
205d597fefff13f990b326951be299358127691d76411caefb04dccb7cb7a709

SHA512
756be2a885a229a2df5d2f9307084b56aa4c82f54ac34195a66ec5c167e9ebe1f547ab142dc499b3654f1eedbb49a82719710a72962d8c0a6cbbc1e5ad409194

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqkFVpJGoLjg.bat

Filesize
207B

MD5
7bd10302bc05a1b9e8eaf637fb18a276

SHA1
efbfeb29c0758d13b6bea65429e33c728ad6154d

SHA256
b91e9952affc20fc8bca48193f942d9f4eb8b035404436565d627a5ed511b3fc

SHA512
dd485731b59f0da2d202653eb60428375af06e30bf9f30f8e408231da2a5b9a661aa86116b589bd30ce4a6508f5ec847038f3b25130da71aa01536a0d0455650

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbIFeojdpR9e.bat

Filesize
207B

MD5
5a63533eea92d1460dc162a9bc25fa41

SHA1
51e473c57b1c1b84457f821f3fddc8bb7f2724c9

SHA256
3ac869195d4c67e4362b538a5963f707b2db09a12f5cd4cddbe27f31464a7bbb

SHA512
63f3a082d6721f967388ec12541fab0d975119fe7473d2c8595394c3e39b596a3ea15031a6f7a2458fed9afba874a617673d466112758c16ed60bc9588d136bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1TAFBqZ4H95.bat

Filesize
207B

MD5
b91b3587a4616e84920465d381bf3b05

SHA1
cb855c1b3d265cd7f51b27ffc413df2f2311bc2f

SHA256
197d2a856b61a273d6290fee507213ad2f8e9e344c5c51ef29e5c34ee9531b6b

SHA512
5abd3c5e288c3c620b20d2e4505d4e5e4036de159718765082e04e7ee6a1dbec6d6f744d6157379368c45c0d6965e07d5cde9aceb8f9f76f9ba7855c893091ed

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.5MB

MD5
1e0a2e8cc5ce58715fc43c44004f637c

SHA1
f85ba3c4bd766e12ac11840939f5773ecc2f90f3

SHA256
4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

SHA512
75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859

Download Submit
memory/2992-0-0x00007FFAB1A13000-0x00007FFAB1A15000-memory.dmp

Filesize
8KB

Download
memory/2992-9-0x00007FFAB1A10000-0x00007FFAB24D1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-2-0x00007FFAB1A10000-0x00007FFAB24D1000-memory.dmp

Filesize
10.8MB

Download
memory/2992-1-0x0000000000F80000-0x000000000130E000-memory.dmp

Filesize
3.6MB

Download
memory/4708-18-0x00007FFAB1A10000-0x00007FFAB24D1000-memory.dmp

Filesize
10.8MB

Download
memory/4708-13-0x000000001B890000-0x000000001B942000-memory.dmp

Filesize
712KB

Download
memory/4708-12-0x000000001B780000-0x000000001B7D0000-memory.dmp

Filesize
320KB

Download
memory/4708-11-0x00007FFAB1A10000-0x00007FFAB24D1000-memory.dmp

Filesize
10.8MB

Download
memory/4708-10-0x00007FFAB1A10000-0x00007FFAB24D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads