quasar | 4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
Size

3.1MB
MD5

35dea5908c411c55232760a766992b4d
SHA1

803e87e294445707b2480e0f6eeb21990be7522e
SHA256

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c
SHA512

37f37e706d7ba27a00d06f5d30ba881b3cf606a74b0472a404e76acad17e446cf22bdcddbe5b79fa73f457302c028aca46e971a97543d3d1784c2393bff91631
SSDEEP

49152:DvrI22SsaNYfdPBldt698dBcjHCdHLoGdgTHHB72eh2NT:DvU22SsaNYfdPBldt6+dBcjHCdr

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hvhkcutuoujbobu672-22209.portmap.host:22209

Mutex

979a24d1-1ef3-4416-baf8-bf96d2280aed

Attributes

encryption_key
E634ECEC5FEC379E441CB9B04C771BAC550131B0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
service 32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/3432-1-0x0000000000590000-0x00000000008B4000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar

resource	yara_rule
behavioral2/memory/3432-1-0x0000000000590000-0x00000000008B4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 10 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

4808 Client.exe
4396 Client.exe
3152 Client.exe
856 Client.exe
2444 Client.exe
2644 Client.exe
672 Client.exe
4588 Client.exe
3312 Client.exe
2576 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2332 schtasks.exe
3684 schtasks.exe
2368 schtasks.exe
1296 schtasks.exe
2016 schtasks.exe
1724 schtasks.exe
2840 schtasks.exe
4592 schtasks.exe
3052 schtasks.exe
4924 schtasks.exe
4836 schtasks.exe
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2696 PING.EXE
3980 PING.EXE
1408 PING.EXE
3096 PING.EXE
4532 PING.EXE
2280 PING.EXE
2568 PING.EXE
2028 PING.EXE
4140 PING.EXE

pid	process
4808	Client.exe
4396	Client.exe
3152	Client.exe
856	Client.exe
2444	Client.exe
2644	Client.exe
672	Client.exe
4588	Client.exe
3312	Client.exe
2576	Client.exe

pid	process
2332	schtasks.exe
3684	schtasks.exe
2368	schtasks.exe
1296	schtasks.exe
2016	schtasks.exe
1724	schtasks.exe
2840	schtasks.exe
4592	schtasks.exe
3052	schtasks.exe
4924	schtasks.exe
4836	schtasks.exe

pid	process
2696	PING.EXE
3980	PING.EXE
1408	PING.EXE
3096	PING.EXE
4532	PING.EXE
2280	PING.EXE
2568	PING.EXE
2028	PING.EXE
4140	PING.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3432	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
Token: SeDebugPrivilege	4808	Client.exe
Token: SeDebugPrivilege	4396	Client.exe
Token: SeDebugPrivilege	3152	Client.exe
Token: SeDebugPrivilege	856	Client.exe
Token: SeDebugPrivilege	2444	Client.exe
Token: SeDebugPrivilege	2644	Client.exe
Token: SeDebugPrivilege	672	Client.exe
Token: SeDebugPrivilege	4588	Client.exe
Token: SeDebugPrivilege	3312	Client.exe
Token: SeDebugPrivilege	2576	Client.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

4808 Client.exe
2644 Client.exe
672 Client.exe
4588 Client.exe
3312 Client.exe
2576 Client.exe

pid	process
4808	Client.exe
2644	Client.exe
672	Client.exe
4588	Client.exe
3312	Client.exe
2576	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3432 wrote to memory of 4592	3432	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	schtasks.exe
PID 3432 wrote to memory of 4592	3432	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	schtasks.exe
PID 3432 wrote to memory of 4808	3432	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	Client.exe
PID 3432 wrote to memory of 4808	3432	4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe	Client.exe
PID 4808 wrote to memory of 2368	4808	Client.exe	schtasks.exe
PID 4808 wrote to memory of 2368	4808	Client.exe	schtasks.exe
PID 4808 wrote to memory of 2800	4808	Client.exe	cmd.exe
PID 4808 wrote to memory of 2800	4808	Client.exe	cmd.exe
PID 2800 wrote to memory of 2076	2800	cmd.exe	chcp.com
PID 2800 wrote to memory of 2076	2800	cmd.exe	chcp.com
PID 2800 wrote to memory of 2696	2800	cmd.exe	PING.EXE
PID 2800 wrote to memory of 2696	2800	cmd.exe	PING.EXE
PID 2800 wrote to memory of 4396	2800	cmd.exe	Client.exe
PID 2800 wrote to memory of 4396	2800	cmd.exe	Client.exe
PID 4396 wrote to memory of 1296	4396	Client.exe	schtasks.exe
PID 4396 wrote to memory of 1296	4396	Client.exe	schtasks.exe
PID 4396 wrote to memory of 876	4396	Client.exe	cmd.exe
PID 4396 wrote to memory of 876	4396	Client.exe	cmd.exe
PID 876 wrote to memory of 3928	876	cmd.exe	chcp.com
PID 876 wrote to memory of 3928	876	cmd.exe	chcp.com
PID 876 wrote to memory of 1408	876	cmd.exe	PING.EXE
PID 876 wrote to memory of 1408	876	cmd.exe	PING.EXE
PID 876 wrote to memory of 3152	876	cmd.exe	Client.exe
PID 876 wrote to memory of 3152	876	cmd.exe	Client.exe
PID 3152 wrote to memory of 2016	3152	Client.exe	schtasks.exe
PID 3152 wrote to memory of 2016	3152	Client.exe	schtasks.exe
PID 3152 wrote to memory of 4688	3152	Client.exe	cmd.exe
PID 3152 wrote to memory of 4688	3152	Client.exe	cmd.exe
PID 4688 wrote to memory of 1924	4688	cmd.exe	chcp.com
PID 4688 wrote to memory of 1924	4688	cmd.exe	chcp.com
PID 4688 wrote to memory of 3096	4688	cmd.exe	PING.EXE
PID 4688 wrote to memory of 3096	4688	cmd.exe	PING.EXE
PID 4688 wrote to memory of 856	4688	cmd.exe	Client.exe
PID 4688 wrote to memory of 856	4688	cmd.exe	Client.exe
PID 856 wrote to memory of 3052	856	Client.exe	schtasks.exe
PID 856 wrote to memory of 3052	856	Client.exe	schtasks.exe
PID 856 wrote to memory of 1320	856	Client.exe	cmd.exe
PID 856 wrote to memory of 1320	856	Client.exe	cmd.exe
PID 1320 wrote to memory of 1872	1320	cmd.exe	chcp.com
PID 1320 wrote to memory of 1872	1320	cmd.exe	chcp.com
PID 1320 wrote to memory of 4532	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 4532	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 2444	1320	cmd.exe	Client.exe
PID 1320 wrote to memory of 2444	1320	cmd.exe	Client.exe
PID 2444 wrote to memory of 4924	2444	Client.exe	schtasks.exe
PID 2444 wrote to memory of 4924	2444	Client.exe	schtasks.exe
PID 2444 wrote to memory of 4340	2444	Client.exe	cmd.exe
PID 2444 wrote to memory of 4340	2444	Client.exe	cmd.exe
PID 4340 wrote to memory of 4640	4340	cmd.exe	chcp.com
PID 4340 wrote to memory of 4640	4340	cmd.exe	chcp.com
PID 4340 wrote to memory of 2280	4340	cmd.exe	PING.EXE
PID 4340 wrote to memory of 2280	4340	cmd.exe	PING.EXE
PID 4340 wrote to memory of 2644	4340	cmd.exe	Client.exe
PID 4340 wrote to memory of 2644	4340	cmd.exe	Client.exe
PID 2644 wrote to memory of 1724	2644	Client.exe	schtasks.exe
PID 2644 wrote to memory of 1724	2644	Client.exe	schtasks.exe
PID 2644 wrote to memory of 2556	2644	Client.exe	cmd.exe
PID 2644 wrote to memory of 2556	2644	Client.exe	cmd.exe
PID 2556 wrote to memory of 4132	2556	cmd.exe	chcp.com
PID 2556 wrote to memory of 4132	2556	cmd.exe	chcp.com
PID 2556 wrote to memory of 3980	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 3980	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 672	2556	cmd.exe	Client.exe
PID 2556 wrote to memory of 672	2556	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe
"C:\Users\Admin\AppData\Local\Temp\4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4592

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJ7hBtI02Tfb.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2076

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2696

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vtk5x93wg5vu.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3928

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1408

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lA7twf9p5Qth.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1924

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3096

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Aey2QCrCwriU.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1872

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4532

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yNBzVCGynMrQ.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4640

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2280

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EjSbw0xwjxi4.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:4132

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:672

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y0s73wb6u9e4.bat" "
15⤵
PID:4468

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:4324

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2568

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiUN5yoj3wPk.bat" "
17⤵
PID:2016

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2688

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2028

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RzqOTdakS4As.bat" "
19⤵
PID:4504

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:4944

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4140

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "service 32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aey2QCrCwriU.bat
Filesize
207B

MD5
305ccce0d89fbc5fc1ce4c0ccee6a275

SHA1
804832257a6af36e49e8d01cd4ae9ee81107ff5c

SHA256
58f0daef023c56d0c186451cd1b7efd376622223b0c34a89c8c71a302f244525

SHA512
fcb59270af41c9989b22c04e7e11a1beea82aa72baf799cf2f25f5068c9ca7787a069f80a74f546ceb7105c45c747c066bac3d1a42020d4454132b13948b34f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJ7hBtI02Tfb.bat
Filesize
207B

MD5
a961639e48687d66c3591424b5569c03

SHA1
04dc26dd8845f140a30193b124b383abbc066d4c

SHA256
42efcb3cca4e45c15a718d57fc489075420a59f6fba8441a6917f061e5f20f7f

SHA512
75ded69c4ac9201c5d5792a93b65622672deef829f242b6605e5a634c80de11d5c5ec07739ca9f345b39948f3bb109924c03744257f33c02781f3dd7c7952fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EjSbw0xwjxi4.bat
Filesize
207B

MD5
6c843d02009a7eb137b1a2d8d72dccce

SHA1
64ce227be1ce5443407a61858a7f0f0987153107

SHA256
74f87f38314607170b04a273fd823404a57decdf49513b3525bfa80b08444cbd

SHA512
07bc8bbc37ae702b89780c3dfb929b4a72fee622fba9ed38aaaaf9c56095a38c78da945e064d97dbba8d947011e25ff808ef7a5a5a37582a3d4689cb4c48b01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzqOTdakS4As.bat
Filesize
207B

MD5
1839e68f43ca727824318602324900c7

SHA1
4253ab3fc67b8c9ac3010aa85c18e2de0d15f5af

SHA256
5a382c51fa8279c5b47686414fe08ccf9d497c137de69d020b89d3b43034e5a2

SHA512
2838b3fdd152f032116cdd23a39592d3e8c978e99f367e7b50a2e19fdf3126448e6fa9fe17b56a8cec7fd663152913822d4bd8be142662c7706df4ab6e46ad83

Download Submit
C:\Users\Admin\AppData\Local\Temp\lA7twf9p5Qth.bat
Filesize
207B

MD5
bada6bfcbe24d6f7e30492927b5fbfac

SHA1
8cea3dc401e7787d105529842a8e7d83e20c89d4

SHA256
8c658d6db7c413c124017429002d0366ec0b2ba71062debed4ecae7ac5ca8243

SHA512
856c89ff637309d6977fbf69578bd40b1ee976bcef09f90c0432c9c08b5c50fd1b67e1a14ddbccd4e0097b1906a37d5f00a5cb7295340115b19ee242981c0836

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiUN5yoj3wPk.bat
Filesize
207B

MD5
61a5c1351b9065b7842771cb25e1b533

SHA1
6ed216fae7e000f0a1914c4d4fbc148e6dbbbeba

SHA256
6a3db3c983eedf8fca656dccc618278d858eb08ef0bd719892afcc86964681ba

SHA512
2111cedc4d2f477b2757c0508025dcc069399e0b4aec3259aaf3b90f1e2a689f8f0ad2033b71b87362b3d05cbb13d5eb65750e92812b7ae17d88bc01c8334226

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtk5x93wg5vu.bat
Filesize
207B

MD5
927cdbd73a17430f701afc890939211c

SHA1
a0de16c6ca3c5300c50c1b44bc03c18bd3d16d19

SHA256
f20a4e273c126b1dab7e50f4e49f04ab326160ae10c368c2988ba961570e5bdc

SHA512
75dbc07091e8ba7087c698ecbdb56bc1e34e03b7e51788e6102d24a4cefb88999c6dc07bbde889f3d8dc408bba3e4178b3558e5c8fb0e6092fd8cb40a25f714d

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0s73wb6u9e4.bat
Filesize
207B

MD5
0bbcaac201b5d5d2af35935315b37d8b

SHA1
d779b938cf67078d3f476cbbbef1cadfb8f144e0

SHA256
3ac6627b9e3c02a71240ee2a596a727aceeb95390905360c12c23a5bc962a6ec

SHA512
f98415d8d58721591c5b73dc0eedca5c5c5d0c8cc55cf7d4067ba50bcb6a0376f0ae03f51b2412b80a8babeda141ddea8ef7c4f7b7ac86139d4d77fbfab47b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNBzVCGynMrQ.bat
Filesize
207B

MD5
00a8eef0e60aaebc075ca28ea1cc860a

SHA1
0de8d72216bc60a124bd2d8ee07b4e198ce203b9

SHA256
4c78a3971f131a3763f4a7da0346c327d7cf56abe72f6cc9e536d1d19577c471

SHA512
2254c1668777df79bd46e974bdd3d76139cc4c8746452eacb5906d2ce86bf5ad43a88b49d0874403d190998ce92fb69e35cb7780ea57b672797490b231a1990f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
35dea5908c411c55232760a766992b4d

SHA1
803e87e294445707b2480e0f6eeb21990be7522e

SHA256
4833f6e7b2beb3821ccd544a936f3d6db6403ee58c05038f15f2d1544f2acd3c

SHA512
37f37e706d7ba27a00d06f5d30ba881b3cf606a74b0472a404e76acad17e446cf22bdcddbe5b79fa73f457302c028aca46e971a97543d3d1784c2393bff91631

Download Submit
memory/3432-9-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

Filesize
10.8MB

Download
memory/3432-0-0x00007FFF5E983000-0x00007FFF5E985000-memory.dmp

Filesize
8KB

Download
memory/3432-2-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

Filesize
10.8MB

Download
memory/3432-1-0x0000000000590000-0x00000000008B4000-memory.dmp

Filesize
3.1MB

Download
memory/4808-18-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

Filesize
10.8MB

Download
memory/4808-13-0x000000001D090000-0x000000001D142000-memory.dmp

Filesize
712KB

Download
memory/4808-12-0x000000001CF80000-0x000000001CFD0000-memory.dmp

Filesize
320KB

Download
memory/4808-11-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

Filesize
10.8MB

Download
memory/4808-10-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

Filesize
10.8MB

Download