Analysis Overview
SHA256
948d003947b71983cf3c828c73d3945bdb82520d8c6bbfa403ff6a7bb4231dac
Threat Level: Known bad
The file NEAS.MercuriUpdateexe.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-02 10:23
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-02 10:23
Reported
2023-12-02 10:26
Platform
win7-20231130-en
Max time kernel
145s
Max time network
141s
Command Line
Signatures
Quasar RAT
Quasar payload
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\S2R2BLWcUaDD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TrV9Xr1pZud8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMNXKLDpLZVw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\A7Peklf5aEuQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYbG9ym1pIk1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcGDNMQhfheA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsgCDyBWTBVw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vxc-63595.portmap.host | udp |
Files
C:\Users\Admin\AppData\Local\Temp\S2R2BLWcUaDD.bat
| MD5 | 438bf0d4208407ee2b6faddebd13f5c2 |
| SHA1 | 9dcbf43cfea1089b76a6f150a3f83b947cc8da5f |
| SHA256 | 6575fafaa661fd6effecee1a812ad9d85f22e068530840120105b80822009e42 |
| SHA512 | b3902118235386ad94bf7c230a3d5a5cf758ed57c9ddf92894b46cb978cd82ee4d1133283b7bcfcd8d7b21dab9fbbb98908cb8a5858afc08874796cbe5c29a3a |
C:\Users\Admin\AppData\Local\Temp\TrV9Xr1pZud8.bat
| MD5 | 8b3fd2313c02cb7d888981bea63eea9b |
| SHA1 | 8e5b214d7cb73d4189cc944ec539cff82c40cc05 |
| SHA256 | ba51306e94771a87f242e4095974760d4ab7177d3fbd3fdba829d5fd4f6a5436 |
| SHA512 | 678668696f7ac1646eaf8bc5c0a9235019189265976c4d13a27ab8dc5766f14f0f33954403d25cc68b173da08c40257e8d10e924b594c4974ed4ec602c93fafd |
C:\Users\Admin\AppData\Local\Temp\yMNXKLDpLZVw.bat
| MD5 | cdaf4f4f4e959846d729a854c84a602a |
| SHA1 | 80c660c4fa94177c9ed76a0d55b0a7a75d650cb7 |
| SHA256 | d6e843dd38906c0ca2c9ef0ad4088b184eff1253c54a5485b33accc628451ffa |
| SHA512 | 54716c5f3a9025da5b2730f47e37c29a3109e11c4a1a5b5bde7c0f5d9b8817b3265eccd5879d5e18a58faf856f7aad1369666057b52c3b44b280f8b0aaafb162 |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\A7Peklf5aEuQ.bat
| MD5 | 5e50c45aaa4e2fc87e7a509ba107b344 |
| SHA1 | fc7900618efd82b33935e8b5aec36e5dfc05f212 |
| SHA256 | 2a993fb021001616df1d7ce2efe5515183e65671d3f5c2b006448941431b9014 |
| SHA512 | 160f1b9cca31c15d37b1432903f51f2a1fc66c624661679efbd14fc435a11fe4d55df15cc345a744ace4832db0ab80bbb24f4659120d7b0e53fa7c2c7cf51f05 |
C:\Users\Admin\AppData\Local\Temp\KYbG9ym1pIk1.bat
| MD5 | c26e9aa85298f9019464f53aacd00165 |
| SHA1 | 37ca9be323e1b538ccec8befa4ee171c6241275b |
| SHA256 | f35a61c63750e794921268099acfa7cf12f614edbf23378996d63e741c70e7b7 |
| SHA512 | 52233d02611684d7daa552728c40f40554e43cf6064349ee3075559cea1382c9793472f071e454f42b0ef9e5ce047a236300c30f7d4a91c269253ba08055fcf0 |
C:\Users\Admin\AppData\Local\Temp\qcGDNMQhfheA.bat
| MD5 | 6e4285f9c6f2788cf46b36a7b196e8df |
| SHA1 | 054edd72e35eb4148d1932048923578f9c25470b |
| SHA256 | e01c38fc03a6ae67438667f3197023bf5c676970b2c1a335481656753a320e08 |
| SHA512 | 893c5edf67248bde0437df15faeb62861bd1a2ee0b4d07945eee77e1e5cacea7313f9f5fde850b41907ea684b5a3b4d989958f94038a489291486d29d7028f41 |
C:\Users\Admin\AppData\Local\Temp\IsgCDyBWTBVw.bat
| MD5 | 2665e99d44fba1d2fb27c947e6e27b01 |
| SHA1 | 743957e3249f85c25a879b1e49cf7355de10ca61 |
| SHA256 | 2494d8997a85ac1e81e65624eb3a8ca34bfc29e7bd89d62ff1a850ef14828dd1 |
| SHA512 | bfc580bb9064ce6935ba41e457125d290d0aa42a19cf1a2e108e9d43a1b4ff9621578e5184d8443b55a88accb916dd61c4e1a3769d4da7ef51836d9812e264b8 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-02 10:23
Reported
2023-12-02 10:26
Platform
win10v2004-20231201-en
Max time kernel
145s
Max time network
142s
Command Line
Signatures
Quasar RAT
Quasar payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98zRC8TAHlkX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z9u6DGjlX354.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1DsXpcHar4Qs.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ENGNg6ID3ZyV.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwqHydeU2bQc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jugJMDsBbfgp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GE1Xkf6xXcOy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.MercuriUpdateexe.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUQ3xRLcM4LP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | vxc-63595.portmap.host | udp |
Files
C:\Users\Admin\AppData\Local\Temp\98zRC8TAHlkX.bat
| MD5 | 25d001724390213d89d353f10e3c2b65 |
| SHA1 | 119e2697b83b7959c4cec838f8f42d728ddf20ee |
| SHA256 | dc8e02e7e6c7c0c7885053b5a3ebbae86fdc4e2c40d5932656a67751dfddcb8d |
| SHA512 | 45945ccd8a263cfaa6baca54715bb00919d9e072d024b2921f5693e80835a6c4c58feef2a94159c828b1bb61bd09850b0dcbc3bc0ef8fd44d68fd584c1d2739a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NEAS.MercuriUpdateexe.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
C:\Users\Admin\AppData\Local\Temp\z9u6DGjlX354.bat
| MD5 | 23e56fa30ad511f7aabbb0e826531671 |
| SHA1 | 110b49e0bcf8f208b36b823a2bc3084cec2fd12f |
| SHA256 | 2a0f518e63407813cb29c17b38ea819daee9cf31af9663753ce8cd5ecec720a0 |
| SHA512 | 46b26ae9612e93dc25e1b91df32c8154fbd820f087cd720e977322d7a05b04b8939f35fce5d85320c440dcf3beed725d2a3ea92efd12708b7c58def68eaeff8c |
C:\Users\Admin\AppData\Local\Temp\1DsXpcHar4Qs.bat
| MD5 | b3038b344679f91004363f7dab219f4b |
| SHA1 | 4a1021e37e55335bb4bea372d233ade3101279a6 |
| SHA256 | 785ffc64142578f1a4014c069a41618f545268ff8ebc19321d13fe69171166f3 |
| SHA512 | 4a70a06358ace025e6f9f1731477da265297ccbf953714cb9c1b21ce2de27f386ed7eced9b34e5f83cd4c5a68580bc4488d1e0a4c3ec37475019bb0831449e27 |
C:\Users\Admin\AppData\Local\Temp\ENGNg6ID3ZyV.bat
| MD5 | d82b5d1e233441a9c336af8805b30f61 |
| SHA1 | a667b009f9427619965bacd8c46f934db0c84e78 |
| SHA256 | 9955b656a6360e72c583bea3ced833aed0534169fdbf545224e9b75c718d75df |
| SHA512 | 3db462d448a13bc33807a1fae89bf07e9d5e9cc9c723df60ce9dda2fe2968b0a36c2895ffaaa04d1cbb559325e80a10544a8d4af3306e85f2bf731dd56bf84f5 |
C:\Users\Admin\AppData\Local\Temp\BwqHydeU2bQc.bat
| MD5 | 8d3f6637023648ea6d15519c18b25db6 |
| SHA1 | 135bec0a9ffe976d8e236bd11e2ec6ce87ebd967 |
| SHA256 | 7cda3e0e68b1cd95770b68e5f556580e4f6916cbe24f790eba8b45530a6a66f4 |
| SHA512 | 1038d62ff268c2bbd1e5ebb8c923e81faa9f86935d2e1878d6d7630a7888ac52b47613e5b2d84d8308d6cf6f035804aafec2ec433060992c156a8028b8db19d3 |
C:\Users\Admin\AppData\Local\Temp\jugJMDsBbfgp.bat
| MD5 | 8d17e6c8ab58e332a9e5f3d141c49ddc |
| SHA1 | f91970bd30e2f947bb3966b668875332ed27f941 |
| SHA256 | 6b0d98edb890b956b0b11b6ddc51aec6544465ddfba475e4b8e3d016643e2951 |
| SHA512 | d13ef28fdfa0c25da103aa1c943465f708ddcdea8baa578b46e8190a5a5db252052c11bb170dc817ecb7beb8afa41fd4ef3c0122c92cb773339332619da0046d |
C:\Users\Admin\AppData\Local\Temp\GE1Xkf6xXcOy.bat
| MD5 | ff80fb7fddd6017d2cc949fc9931719e |
| SHA1 | b28950c8c8e4c274b84fdacf72c707a537322c1a |
| SHA256 | f91f07960c6090abc4cda7a9921fffa859802c2af31f3f3b270379487226453f |
| SHA512 | daa7757928d4a0e46676886b47f66031c9ba0cdd9a53e64de3e3586789c74595dffac10129ecafc5e40229d79f35ea583f72954513936a5f7f87c6b5cc6df9e2 |
C:\Users\Admin\AppData\Local\Temp\NUQ3xRLcM4LP.bat
| MD5 | bf02fc40c7ad5f8d7f88c86deb73b5f8 |
| SHA1 | 0665f7a4c7246871373e38768dfcb63bc9a63704 |
| SHA256 | 8cf7e1605fdd1282f00d31fdec32b4fda12db0b590e90da007e907723f1d5a0b |
| SHA512 | 32836562b39c69ad70c7a2f3dfc918aa03a462ba9add9f4df1bfd10bca7a435d35430cbc9d5d643f4712ae74e0fb4830cb1e5b001d00066a93ca934176d680b7 |