quasar | d24b9d3579ee45a6f8d8762d8aa4c223a8b3935404658bb5009b008187fca45f

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CSP_200w_setup.exe
Size

398.8MB
MD5

7304f926256b156cbf9db5571d6388b4
SHA1

00a32364d77934faeb3c79b153eba1adf2977a7c
SHA256

d24b9d3579ee45a6f8d8762d8aa4c223a8b3935404658bb5009b008187fca45f
SHA512

830f685394235ce2b66ebbba9bcb0466afbc8a685722cbd6d978407ce6475f0e30d81aa75de5be1466eb1d27702c41b099283a167497a53898dd1599c53e5d74
SSDEEP

6291456:TJTVJsPA+MqNF524Jg0KOWDlBlKQLjfo+wO4Cm7iW9H2nXy2txJ0gX+xp2d9O9uZ:1+MiJYOiBlTvo+K9HUXyKd2P84O

Score

10^/10

quasar clip studio paint ex v!@!!!discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Clip Studio Paint EX v!@!!!

metavm.bumbleshrimp.com:1981

Mutex

GJrr6Uap8uTnzgSEPB

Attributes

encryption_key
KcRMp6Py3ZKc2huydbiR
install_name
Client.exe
log_directory
HDj
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/844-249-0x0000000000400000-0x0000000000A70000-memory.dmp	family_quasar
behavioral1/memory/844-250-0x0000000000400000-0x0000000000A70000-memory.dmp	family_quasar
behavioral1/memory/844-246-0x0000000000400000-0x0000000000A70000-memory.dmp	family_quasar
behavioral1/memory/844-251-0x0000000000400000-0x0000000000A70000-memory.dmp	family_quasar
behavioral1/memory/844-244-0x0000000000400000-0x0000000000A70000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2988	powershell.exe
3060	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2348	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
1880	ISBEW64.exe
1344	ISBEW64.exe
1192	ISBEW64.exe
2680	ISBEW64.exe
2184	ISBEW64.exe
916	ISBEW64.exe
1504	oyVKLvx6sZW27GG.exe

Loads dropped DLL 14 IoCs

pid	Process
2128	CSP_200w_setup.exe
2348	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2800	CSP_200w_setup.exe
2128	CSP_200w_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 844	1504	oyVKLvx6sZW27GG.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2716	844	WerFault.exe	47

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSP_200w_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oyVKLvx6sZW27GG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSP_200w_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSP_200w_setup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2868	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2868	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2988	powershell.exe
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	844	RegSvcs.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe
2128	CSP_200w_setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
844	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2348	2128	CSP_200w_setup.exe	31
PID 2128 wrote to memory of 2348	2128	CSP_200w_setup.exe	31
PID 2128 wrote to memory of 2348	2128	CSP_200w_setup.exe	31
PID 2128 wrote to memory of 2348	2128	CSP_200w_setup.exe	31
PID 2128 wrote to memory of 2348	2128	CSP_200w_setup.exe	31
PID 2128 wrote to memory of 2348	2128	CSP_200w_setup.exe	31
PID 2128 wrote to memory of 2348	2128	CSP_200w_setup.exe	31
PID 2348 wrote to memory of 2800	2348	CSP_200w_setup.exe	32
PID 2348 wrote to memory of 2800	2348	CSP_200w_setup.exe	32
PID 2348 wrote to memory of 2800	2348	CSP_200w_setup.exe	32
PID 2348 wrote to memory of 2800	2348	CSP_200w_setup.exe	32
PID 2348 wrote to memory of 2800	2348	CSP_200w_setup.exe	32
PID 2348 wrote to memory of 2800	2348	CSP_200w_setup.exe	32
PID 2348 wrote to memory of 2800	2348	CSP_200w_setup.exe	32
PID 2800 wrote to memory of 1880	2800	CSP_200w_setup.exe	33
PID 2800 wrote to memory of 1880	2800	CSP_200w_setup.exe	33
PID 2800 wrote to memory of 1880	2800	CSP_200w_setup.exe	33
PID 2800 wrote to memory of 1880	2800	CSP_200w_setup.exe	33
PID 2800 wrote to memory of 1344	2800	CSP_200w_setup.exe	34
PID 2800 wrote to memory of 1344	2800	CSP_200w_setup.exe	34
PID 2800 wrote to memory of 1344	2800	CSP_200w_setup.exe	34
PID 2800 wrote to memory of 1344	2800	CSP_200w_setup.exe	34
PID 2800 wrote to memory of 1192	2800	CSP_200w_setup.exe	35
PID 2800 wrote to memory of 1192	2800	CSP_200w_setup.exe	35
PID 2800 wrote to memory of 1192	2800	CSP_200w_setup.exe	35
PID 2800 wrote to memory of 1192	2800	CSP_200w_setup.exe	35
PID 2800 wrote to memory of 2680	2800	CSP_200w_setup.exe	36
PID 2800 wrote to memory of 2680	2800	CSP_200w_setup.exe	36
PID 2800 wrote to memory of 2680	2800	CSP_200w_setup.exe	36
PID 2800 wrote to memory of 2680	2800	CSP_200w_setup.exe	36
PID 2800 wrote to memory of 2184	2800	CSP_200w_setup.exe	37
PID 2800 wrote to memory of 2184	2800	CSP_200w_setup.exe	37
PID 2800 wrote to memory of 2184	2800	CSP_200w_setup.exe	37
PID 2800 wrote to memory of 2184	2800	CSP_200w_setup.exe	37
PID 2800 wrote to memory of 916	2800	CSP_200w_setup.exe	38
PID 2800 wrote to memory of 916	2800	CSP_200w_setup.exe	38
PID 2800 wrote to memory of 916	2800	CSP_200w_setup.exe	38
PID 2800 wrote to memory of 916	2800	CSP_200w_setup.exe	38
PID 2128 wrote to memory of 1504	2128	CSP_200w_setup.exe	39
PID 2128 wrote to memory of 1504	2128	CSP_200w_setup.exe	39
PID 2128 wrote to memory of 1504	2128	CSP_200w_setup.exe	39
PID 2128 wrote to memory of 1504	2128	CSP_200w_setup.exe	39
PID 1504 wrote to memory of 2988	1504	oyVKLvx6sZW27GG.exe	41
PID 1504 wrote to memory of 2988	1504	oyVKLvx6sZW27GG.exe	41
PID 1504 wrote to memory of 2988	1504	oyVKLvx6sZW27GG.exe	41
PID 1504 wrote to memory of 2988	1504	oyVKLvx6sZW27GG.exe	41
PID 1504 wrote to memory of 3060	1504	oyVKLvx6sZW27GG.exe	43
PID 1504 wrote to memory of 3060	1504	oyVKLvx6sZW27GG.exe	43
PID 1504 wrote to memory of 3060	1504	oyVKLvx6sZW27GG.exe	43
PID 1504 wrote to memory of 3060	1504	oyVKLvx6sZW27GG.exe	43
PID 1504 wrote to memory of 1480	1504	oyVKLvx6sZW27GG.exe	45
PID 1504 wrote to memory of 1480	1504	oyVKLvx6sZW27GG.exe	45
PID 1504 wrote to memory of 1480	1504	oyVKLvx6sZW27GG.exe	45
PID 1504 wrote to memory of 1480	1504	oyVKLvx6sZW27GG.exe	45
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47
PID 1504 wrote to memory of 844	1504	oyVKLvx6sZW27GG.exe	47

C:\Users\Admin\AppData\Local\Temp\CSP_200w_setup.exe
"C:\Users\Admin\AppData\Local\Temp\CSP_200w_setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\fhgdghsahhggdd\CSP_200w_setup.exe
  C:\Users\Admin\AppData\Local\Temp\fhgdghsahhggdd\CSP_200w_setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\CSP_200w_setup.exe
    C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\CSP_200w_setup.exe -package:"C:\Users\Admin\AppData\Local\Temp\fhgdghsahhggdd\CSP_200w_setup.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\CSP_200w_setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{71D72127-13EE-45BC-A9FD-5149C8128EAC}
      4⤵
      Executes dropped EXE
      PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4CC52FF0-405B-4054-96C7-6A42E38887EF}
      4⤵
      Executes dropped EXE
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1664FE82-8AE3-4150-8EBD-BAF2A6F02B66}
      4⤵
      Executes dropped EXE
      PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F77CED60-6233-41EE-AAA8-E7874C2A819D}
      4⤵
      Executes dropped EXE
      PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{98125E18-101B-4059-85FA-A2DBAE09ED74}
      4⤵
      Executes dropped EXE
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CE82B646-8F83-4014-813D-8FEAABB31187}
      4⤵
      Executes dropped EXE
      PID:916
- C:\Users\Admin\AppData\Local\Temp\fhgdghsahhggdd\oyVKLvx6sZW27GG.exe
  C:\Users\Admin\AppData\Local\Temp\fhgdghsahhggdd\oyVKLvx6sZW27GG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fhgdghsahhggdd\oyVKLvx6sZW27GG.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kPETlT.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kPETlT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16AC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\4G1izq1n1d4y.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2868
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1460
      4⤵
      Program crash
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4G1izq1n1d4y.bat

Filesize
216B

MD5
13b81ea6c655455340d3e6ccdd400e4e

SHA1
c034716bcef1c511f42d960ecc282282e9ad641e

SHA256
7c4e40c71a06b1882884a51c93c86c23cab13a41c394d9e1c77ee75ae20d6d03

SHA512
f848877f0574296172d38f95884ea9e872d542a196a39c7adc2e5e94ca9e2d13871f428a454ae2c7f237e51e528369311f8b0c3c04f313751f2b606b8e623b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16AC.tmp

Filesize
1KB

MD5
da7a682e27c2719fbce729f5ba1e91a5

SHA1
de79b5a679cad9f1d1c4aa9cc07130bc0a9ac62a

SHA256
adde16e91f2645bc1721bae970068509e2a4e998a5a6e22b8ba272de82ee5fc7

SHA512
f7df2abfdffbe5b9dc0fb89bf2892e0068c547c7171a71d26abe03c7dace5024494412c84b1b26b292d75b5862cc810f3316cb338fa735490d4fd5075db2d37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\DIFxData.ini

Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\FontData.ini

Filesize
37B

MD5
8ce28395a49eb4ada962f828eca2f130

SHA1
270730e2969b8b03db2a08ba93dfe60cbfb36c5f

SHA256
a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932

SHA512
bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\_isuser_0x0409.dll

Filesize
356KB

MD5
cc85febea1606045f59c4ffcfd74bf90

SHA1
acb0dc4b8406848714657a0ac963e4616d5942a7

SHA256
21f33d41609d8928c76f9ba077707d9aae3a121c5c2f58b352252d65da965226

SHA512
3da68f50c5cda810f98c5fdd1851f49859308311cdd6dfe5bb01c789ddd1bd9b18b834af841adc65547908a3a3e23be77d8e8c46d77590d635503891b76b55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\CSP_200w_setup.exe

Filesize
945KB

MD5
5066945542a53d6804aebc9fc396a476

SHA1
b21cc9523ce174adda98f823bd25292f8e324029

SHA256
c09882f267de685d7ffffe51ed11ca60ef8deb13a545627265faaeb4518f85fb

SHA512
6af557520ae8633386a5d70b7c08e1643f98c39f81f9886076f43765334f77ddd7dde0beb8986934de710c2b7081e0319d2a91c32dd06cd5c7bceeee3e85e37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x0404.ini

Filesize
10KB

MD5
cd658d92df1ad180483136cd6960e7f6

SHA1
0d2808f19c659312372386276bb8dec386b2b638

SHA256
5d31e009a36325032ab1521d2b1ca1a5be89bb969d1948d4fe99c387b1055db1

SHA512
84540ddb853c9dcf49c2abe931601884f744c341d33f2f615f9d3290c41ead9d0709e0882358d5326b87fa25adf61ea1ff7a2b9bad52bfaab18b31d08047da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x0407.ini

Filesize
25KB

MD5
1f71deaf7e3c298f4c4112db5e7ac029

SHA1
2d653e79c55e31cd00af51313a7b07aed123ab04

SHA256
b4d2bf8ddeee1e2acc5dfaa14ac602a69f52195c38eab4660408fd879ad41a56

SHA512
e0c0fe70904f768ebd191cd8aae285a7e851ff5e5ee3cbe5b78a708b6f378db33f499291eb89ee268fd3b3a694abaf6826162571aba74a6837f65c95a8078666

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x040a.ini

Filesize
25KB

MD5
b216bc7b827622578e60b0b37ce9c4c0

SHA1
18eb706aa172440c783382fb317dcb2ef7d04e2a

SHA256
4e42d96cf24224d3ed43e7e14227b96fde3b43235636480f8861db0b048ffddf

SHA512
e4211ee47bccf98369b7760502cc04e7c036e7ee8eb8a29143519c35cf5295f9984ee8de1fc8d7e93352119f9cf5fcb3412b7e3749b1540fd38af7d996ab0700

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x040c.ini

Filesize
26KB

MD5
9a10eddf9169f9508688eace7b9e7797

SHA1
fe256fc1dd6a26478a7d06712d789d3f0db431d5

SHA256
d31b120f79c2fb8cd6f3fd7ede220a30ca3bb84e4d3c8b05c1bcc833734d13cf

SHA512
c3d5534e5edd819c03198ec19ab17bd90f29b33bd2f35a7f26e09ec4d59750065c4c3820efa2b6c8862e2fc00a0cf64fa928abeb62a3688b399eeb275de3ae5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x0411.ini

Filesize
14KB

MD5
b807ce7552e96dc1928775956b9f422c

SHA1
d25122157365130bebae6497617d28cd86e8c638

SHA256
3f0778538202a35483c084fb0b109f693a9853f64d6452daa5c92ac75620aadc

SHA512
bb06ca5784e77ceb15331c5c6a9abad27364b1c5b800f229cd7b6d955fb120cbd7879c299508b606760f714b17a4a50aba333ccf6da7fb9bcd88b50772f64f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x0412.ini

Filesize
14KB

MD5
59b2e4a2d3898f3e4f49186ff150e26c

SHA1
42f49643ef257d3ba2817af5731a165b42c42bfd

SHA256
9416c7b55d1fd9dc06f20e1e3ebbac1357217113833553d49586e339360529c7

SHA512
e6601b583567291088f1c522adf38dbc3408855463429354c7ceee2a46459c76daffc3db1f770e4979a59b88cea43599f88eb9b4dd170cf337008039775dff62

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x0416.ini

Filesize
23KB

MD5
eb6dae1391cac22014afd6ccf4c2c333

SHA1
0476104dff6077de57ed24d43b2d4f8a74b6ad3e

SHA256
af54db26c9464b7a610d7eb73f06f36b43ac51e879ac4d21a1c70eb4524a2b24

SHA512
d40a5478056ff3a59e06dc779166baf144eb0db33819180fc6ac47808f49a2249158d8e5cf106c654ce42ab71b6f6f16c3b9777a6b445b1297f741affe09f587

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x041e.ini

Filesize
22KB

MD5
733f697e11797f50f950b08701a0c1ec

SHA1
e24d6f9064dfa404739485647a5bd8c6b7165579

SHA256
372dc097b80442810781d777cdd23296a0558be58b3418f4ea088cbcd7f661b2

SHA512
edba839537d63713d6dd708384296d4b6d995dacd9d01813063810e230deafc166baddb2c987442f7985b01a283454a7f5fa4076ebc276fca03c95d175091fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\0x0421.ini

Filesize
24KB

MD5
94afe5b2ac909992f6b7e3c629815d7d

SHA1
f6cea0560818c77d9de5447cc0d5e24da12e52bf

SHA256
af34e34cb979dae26a2ed08673e0ea20fcdb5d1f7ee9acf42f93afe16a64521c

SHA512
5acb1c761a392b96588c5c223e25497a80a7ac7cf8d80e5efb55bdb225544e8adbaafd1ae1f51bc076a29e7d7bf229ac57c8728b969f68b15678f1ccf8445826

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\ISSetup.dll

Filesize
1.6MB

MD5
d6ef5008acd26a15e65435111b83a457

SHA1
e52ba57faf4d01e50babfb7ebc3511315f2aa422

SHA256
a9c83d986a29fba1f4868158672aac7535d161126f73bc2d0a2a5dbc016569ba

SHA512
165ee1d4cb4b6d4fc3697865fad29439617859d02e05ac2181cb9f15f7905db18b448c03cfc716bab5b7a5a5d84f5a834ff44557ec6a2ccf6afdf89d338b780e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\data1.hdr

Filesize
528KB

MD5
c5bde9f1ec21026da0d2768b7672c099

SHA1
1b7b6a5dfae62cd4f3034050f79daba2d5316947

SHA256
22828e675993fd542d635e0f23eaea89945b700bfab5a9d4f7ceb890d0e0ea60

SHA512
1e650559dc572087993fb3ba8c37fd12523e9533f6ddcd7adcaf9f342058462d5b84878720ee0faebfad53a8724892046129fd2bf144792d22983c1285527608

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\layout.bin

Filesize
848B

MD5
22051cd477b54ce88af4b54a46089de7

SHA1
c844a55c6a5d4e123b44b52ab1c2b25269058398

SHA256
6b04905e96bb2388347df395aab336112897b400e49147a553fe2da74325f203

SHA512
c67b4bbcbe4160db3866fa591867763a24852c9f3914630ae3721e6b98f6e72b24a1229dac813a75e05e87769c71d1f764d0581f2aaf2cc2e4866dd82d2a18b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\Disk1\setup.inx

Filesize
263KB

MD5
b8cfa9610ca6b8498814f7c5d3d3ff29

SHA1
ecb355b8110850359e789b01276c67868a6fdb74

SHA256
7ed6ee16411c860855b5ef8e6672f8cbe68b04f4c844924c1f675bb2873c2341

SHA512
9e7ad885e444b7f9218ff96e32eae3d613c8a341e66d24a01fede972554c51ee736610937b534acef854c1aaa33a53966fddc3035cdaa46524f7ae4c62ac5c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80CA59FD-F5C4-4341-A740-6087502BD60F}\setup.ini

Filesize
2KB

MD5
fc8a0ac43218330f118424a64f5f0cd0

SHA1
36ec4fb5f86e521ad67519f2eb6195981ab4ac5d

SHA256
ea239b8e11fd28a85387e9b7a5324a60fd29fdbf113aa9f89f62096b6bef101e

SHA512
fb6d3aca0781e3c9c2a174abd9f4ba6de2536cff28fc3905c3cb9f19a9d5ff637066acbd19560579b1d73f43b92b0cb695f81d3f0853e3548759f539d67108b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0286bd06b770b5740037716d7389896d

SHA1
df3c7b2433f7c9e6bbe9d76e967c9e47b18295e0

SHA256
a7d1af229d04e4d3c10c83efa6230a65ad29a196007c07636b48a803c531754a

SHA512
fbb43794330726abfa211b755c98cd1fa2be39749ae0231761f59563c7a4437203fad6d7a8d1f2348c1cbe6f4f3324b5ae1b30bccbdee80a08e016001a63aced

Download Submit
\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\ISBEW64.exe

Filesize
182KB

MD5
cb279e894409aef5f9410d7d8d113c54

SHA1
300c199084e171880bb206a5f5c11c7a5b15744f

SHA256
e984815636a4f457069b13e5d2ab02ddbbc692e26dedba4d74bb9c9172a89232

SHA512
a58962ee7d9499da216c1f6d93ce27ae4b759ca605469fd19ae48ae926cda909d5d3762345f7304132d9c1eb3407797bb21498dc2bc10b0eb6fee5a87657126b

Download Submit
\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\InstallshieldSupportModule.dll

Filesize
184KB

MD5
a65d3f22e82802871d3f698fc1016f21

SHA1
dc17fe50a1b1821f5f251114897faeb889457398

SHA256
2a27b247c1387082036bcd83fb20dbef9d923b0ffa56573c093d0b71edf6d57b

SHA512
08054d4ccbf3c1f6c40e338c273908ac3250a23399328ed645a7bfd79fa28293db59718d8114316a2263345347d03f772b390980c24ef78acced69d92030a968

Download Submit
\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\_isres_0x0409.dll

Filesize
1.8MB

MD5
47883e42b1859329eba55075290a2c5a

SHA1
7cd7c1a82aa8a74db7926129e3844cefdf79376b

SHA256
ead0b66d81c87d26cf530ec5833d04d11782aa01adc9420ad939f492e2ce016c

SHA512
adc92de860d2f09013ce03a13af941e38ba569e89b53cedfb7fb25abe3d3654c173e70cc86407646df13cb7da14557e788ea2d2ce6370c01f885d73e6115048c

Download Submit
\Users\Admin\AppData\Local\Temp\{0BA29F60-11D8-4B77-AC15-657516470E1A}\{1E4572D2-28BC-4BC9-B743-13DC6CFD71DB}\isrt.dll

Filesize
430KB

MD5
e9208322f81fc26beaaa5a73cafda4a2

SHA1
11863afbef0456bf0e8c8bfab1cffad0356f80cb

SHA256
0fe47b313616738f2d0864d17d4c7ba1fd0778c8f95d741989d597fe23d6cc7c

SHA512
a32193f7ba02faa959de9949c332c716949af674b353a43e1dce846747492eaa818963c28afcaf837e757f93aa98a7f244177a5afd204ad6b54d6006e522ec68

Download Submit
memory/844-240-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/844-248-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/844-244-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/844-251-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/844-246-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/844-250-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/844-249-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/844-242-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1504-223-0x0000000000440000-0x000000000045A000-memory.dmp

Filesize
104KB

Download
memory/1504-239-0x0000000005C90000-0x0000000006302000-memory.dmp

Filesize
6.4MB

Download
memory/1504-238-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/1504-225-0x000000000B1F0000-0x000000000B8DC000-memory.dmp

Filesize
6.9MB

Download
memory/1504-224-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1504-222-0x0000000000C80000-0x00000000013BE000-memory.dmp

Filesize
7.2MB

Download
memory/2800-188-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2800-149-0x0000000004230000-0x00000000043F7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-146-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/3020-262-0x0000000001040000-0x000000000104E000-memory.dmp

Filesize
56KB

Download
memory/3020-263-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download