quasar | b12573a06d210c94325adff99d72041732ee2937d4000a2766afa930dc31bff7

Analysis

max time kernel
144s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xzczxczxczxvxzvxzv.exe
Size

3.1MB
MD5

61437e24f20626caa1da68d45dc6349c
SHA1

e8e757aa167f0dfd15528bf26f6465758fbbb6f3
SHA256

b12573a06d210c94325adff99d72041732ee2937d4000a2766afa930dc31bff7
SHA512

8da16a08df45608736fe6cfacad123b54f326b366fd6d4d449f7b5c32c6385d8110813e76767ee35e2093cdb554ea57d1ed8b1d10a4fef4d437d312dfaa7bcce
SSDEEP

49152:NvUI22SsaNYfdPBldt698dBcjH6q6rXMfltoGdXTHHB72eh2NT:NvZ22SsaNYfdPBldt6+dBcjH6q6r+

Score

10^/10

quasar shiba spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Shiba

score-seminars.gl.at.ply.gg:35300:35300

Mutex

987c652c-2a4e-4c5d-bc39-00c8c0f35c5c

Attributes

encryption_key
A88D7FED7F655EBDC4F99C21BAE5EC62300AADC7
install_name
$sxr-insta.exe
log_directory
$sxr-logs
reconnect_delay
1000
startup_key
$sxr-mstha
subdirectory
$sxr-start

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2324-1-0x0000000000D40000-0x0000000001064000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023414-7.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	$sxr-insta.exe

Executes dropped EXE 15 IoCs

pid	Process
1244	$sxr-insta.exe
2044	$sxr-insta.exe
1912	$sxr-insta.exe
1728	$sxr-insta.exe
548	$sxr-insta.exe
3956	$sxr-insta.exe
1416	$sxr-insta.exe
4848	$sxr-insta.exe
1496	$sxr-insta.exe
4504	$sxr-insta.exe
4224	$sxr-insta.exe
4536	$sxr-insta.exe
1428	$sxr-insta.exe
4608	$sxr-insta.exe
3796	$sxr-insta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3544	PING.EXE
5080	PING.EXE
2396	PING.EXE
4508	PING.EXE
3604	PING.EXE
4964	PING.EXE
3116	PING.EXE
4424	PING.EXE
4932	PING.EXE
3348	PING.EXE
4440	PING.EXE
4280	PING.EXE
4652	PING.EXE
2696	PING.EXE
1488	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	xzczxczxczxvxzvxzv.exe
Token: SeDebugPrivilege	1244	$sxr-insta.exe
Token: SeDebugPrivilege	2044	$sxr-insta.exe
Token: SeDebugPrivilege	1912	$sxr-insta.exe
Token: SeDebugPrivilege	1728	$sxr-insta.exe
Token: SeDebugPrivilege	548	$sxr-insta.exe
Token: SeDebugPrivilege	3956	$sxr-insta.exe
Token: SeDebugPrivilege	1416	$sxr-insta.exe
Token: SeDebugPrivilege	4848	$sxr-insta.exe
Token: SeDebugPrivilege	1496	$sxr-insta.exe
Token: SeDebugPrivilege	4504	$sxr-insta.exe
Token: SeDebugPrivilege	4224	$sxr-insta.exe
Token: SeDebugPrivilege	4536	$sxr-insta.exe
Token: SeDebugPrivilege	1428	$sxr-insta.exe
Token: SeDebugPrivilege	4608	$sxr-insta.exe
Token: SeDebugPrivilege	3796	$sxr-insta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1244	2324	xzczxczxczxvxzvxzv.exe	85
PID 2324 wrote to memory of 1244	2324	xzczxczxczxvxzvxzv.exe	85
PID 1244 wrote to memory of 428	1244	$sxr-insta.exe	87
PID 1244 wrote to memory of 428	1244	$sxr-insta.exe	87
PID 428 wrote to memory of 3896	428	cmd.exe	89
PID 428 wrote to memory of 3896	428	cmd.exe	89
PID 428 wrote to memory of 5080	428	cmd.exe	90
PID 428 wrote to memory of 5080	428	cmd.exe	90
PID 428 wrote to memory of 2044	428	cmd.exe	99
PID 428 wrote to memory of 2044	428	cmd.exe	99
PID 2044 wrote to memory of 3236	2044	$sxr-insta.exe	100
PID 2044 wrote to memory of 3236	2044	$sxr-insta.exe	100
PID 3236 wrote to memory of 1416	3236	cmd.exe	102
PID 3236 wrote to memory of 1416	3236	cmd.exe	102
PID 3236 wrote to memory of 2396	3236	cmd.exe	103
PID 3236 wrote to memory of 2396	3236	cmd.exe	103
PID 3236 wrote to memory of 1912	3236	cmd.exe	104
PID 3236 wrote to memory of 1912	3236	cmd.exe	104
PID 1912 wrote to memory of 2284	1912	$sxr-insta.exe	105
PID 1912 wrote to memory of 2284	1912	$sxr-insta.exe	105
PID 2284 wrote to memory of 4892	2284	cmd.exe	107
PID 2284 wrote to memory of 4892	2284	cmd.exe	107
PID 2284 wrote to memory of 4932	2284	cmd.exe	108
PID 2284 wrote to memory of 4932	2284	cmd.exe	108
PID 2284 wrote to memory of 1728	2284	cmd.exe	112
PID 2284 wrote to memory of 1728	2284	cmd.exe	112
PID 1728 wrote to memory of 4508	1728	$sxr-insta.exe	113
PID 1728 wrote to memory of 4508	1728	$sxr-insta.exe	113
PID 4508 wrote to memory of 2916	4508	cmd.exe	115
PID 4508 wrote to memory of 2916	4508	cmd.exe	115
PID 4508 wrote to memory of 4652	4508	cmd.exe	116
PID 4508 wrote to memory of 4652	4508	cmd.exe	116
PID 4508 wrote to memory of 548	4508	cmd.exe	117
PID 4508 wrote to memory of 548	4508	cmd.exe	117
PID 548 wrote to memory of 544	548	$sxr-insta.exe	118
PID 548 wrote to memory of 544	548	$sxr-insta.exe	118
PID 544 wrote to memory of 3224	544	cmd.exe	120
PID 544 wrote to memory of 3224	544	cmd.exe	120
PID 544 wrote to memory of 4964	544	cmd.exe	121
PID 544 wrote to memory of 4964	544	cmd.exe	121
PID 544 wrote to memory of 3956	544	cmd.exe	122
PID 544 wrote to memory of 3956	544	cmd.exe	122
PID 3956 wrote to memory of 428	3956	$sxr-insta.exe	123
PID 3956 wrote to memory of 428	3956	$sxr-insta.exe	123
PID 428 wrote to memory of 2960	428	cmd.exe	125
PID 428 wrote to memory of 2960	428	cmd.exe	125
PID 428 wrote to memory of 3348	428	cmd.exe	126
PID 428 wrote to memory of 3348	428	cmd.exe	126
PID 428 wrote to memory of 1416	428	cmd.exe	127
PID 428 wrote to memory of 1416	428	cmd.exe	127
PID 1416 wrote to memory of 3040	1416	$sxr-insta.exe	129
PID 1416 wrote to memory of 3040	1416	$sxr-insta.exe	129
PID 3040 wrote to memory of 4076	3040	cmd.exe	131
PID 3040 wrote to memory of 4076	3040	cmd.exe	131
PID 3040 wrote to memory of 2696	3040	cmd.exe	132
PID 3040 wrote to memory of 2696	3040	cmd.exe	132
PID 3040 wrote to memory of 4848	3040	cmd.exe	133
PID 3040 wrote to memory of 4848	3040	cmd.exe	133
PID 4848 wrote to memory of 4716	4848	$sxr-insta.exe	134
PID 4848 wrote to memory of 4716	4848	$sxr-insta.exe	134
PID 4716 wrote to memory of 376	4716	cmd.exe	136
PID 4716 wrote to memory of 376	4716	cmd.exe	136
PID 4716 wrote to memory of 4440	4716	cmd.exe	137
PID 4716 wrote to memory of 4440	4716	cmd.exe	137

C:\Users\Admin\AppData\Local\Temp\xzczxczxczxvxzvxzv.exe
"C:\Users\Admin\AppData\Local\Temp\xzczxczxczxvxzvxzv.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
  "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4nJ9PP8B7qmR.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3896
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:5080
  - - C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
      "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\by7ivEZNt6JM.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1416
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2396
      - C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAhqgTCPVzJ2.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4932
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RI4vv9nxNjwD.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e3GJGwyBPirL.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4QA7e1HO8MLV.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:3348
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GLYvBFV4rTrV.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gblw3MOlfpU7.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIfSBRRLW5cx.bat" "
        19⤵
        
        PID:4804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:4280
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KZxs1baDtubP.bat" "
        21⤵
        
        PID:2496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        Runs ping.exe
        
        PID:4508
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQyih30fEG75.bat" "
        23⤵
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0oPvkGZ0djxX.bat" "
        25⤵
        
        PID:4520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        Runs ping.exe
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lq3dLO3QZPSW.bat" "
        27⤵
        
        PID:4812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:3116
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeGljBye87ES.bat" "
        29⤵
        
        PID:5004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        Runs ping.exe
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
        
        "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HO12vlaDjabk.bat" "
        31⤵
        
        PID:3120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        Runs ping.exe
        
        PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$sxr-insta.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0oPvkGZ0djxX.bat

Filesize
215B

MD5
9ee53b50957f65adeaa1fa42cfd499eb

SHA1
810128cd77f1c29ae987f375ca5a5e01facc291b

SHA256
4702d41fda7f449459933b7b539be49cbb396ecc027f977a8baa938dad3b81b2

SHA512
5a14582a6d9c1c8f46ced67bb686fe6fae65d4763bd8fafd31c779941813243c1d1aee924a761f598fa9f6fded83cab586b1255f8a6df8783649c4c03d7c67dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4QA7e1HO8MLV.bat

Filesize
215B

MD5
3b3db377ba9e7bd6c7f10411b25d9dfd

SHA1
50e557878defe8d17e17fd4dd2358a072ddb045b

SHA256
c7d31c8267049aaeaa0ee29d97532193a71375e7ece5a5e9dc1dd248a7938253

SHA512
9c81ef5048cd9dae556f778258de8122fa22443af8d7b73ffe690df63e359abf4979ab99109af66074b68de196012f07848c7d6306f2f83d553d0a7bf6e458b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4nJ9PP8B7qmR.bat

Filesize
215B

MD5
b6fb652d65bc5c3f58fd0b5865733169

SHA1
4937fc5f8b02ddd5f71129e7da2f8a12456e8514

SHA256
d74ab9d79e228ed2f8d5abe2ef2813b5e5681351ac3acf034554dc0b65cc85da

SHA512
38507a80b46edc4382d85be1de0ce36c185dd132f7c75da87e25d267a260c36e8225212de8fdaf1baaed23f1447e0fa4d3426065e4e115388ee4ffc8e4c8c4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLYvBFV4rTrV.bat

Filesize
215B

MD5
491f6e97481a3d55443e1e02134337ac

SHA1
eec422978b4dd74202a0b656d21348a203acb175

SHA256
ee52c49baed80b9ae8005cc43f9c9d1b67c78447438138273149d05567dd21ef

SHA512
a40a32c6123eb0ae52e3232dd5e3ef6e43105e3c2a0cc82d63c5825446f81e42527ba3a1b01d05decc8acc6736102dc21084cc9044c98e2ba69cc5b4a05072f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HO12vlaDjabk.bat

Filesize
215B

MD5
76c38b843c805fcc37536665003f79a1

SHA1
7359c3ecaae7033ac246e78f51448d06da5c6954

SHA256
059efad7dd804a64775f798b730f74c5a72a02bc556ff0de3b1b201c0ebe5082

SHA512
3b633e0036478277bb2e4dd70d87949cd9704c33fd5545bc340c5215b92d82e4dc8ce75e5f9c17a8db43b3df8201e5ac639b9e4a986a6ff629c4232c6ae5d7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KZxs1baDtubP.bat

Filesize
215B

MD5
611c8cab0ef10289d6ede0a40e39731a

SHA1
f97e7e3456048aa58b20154c67fbb93cb1f42ed9

SHA256
813c9bdf53fe0b4266745401e5c201d6cdbc64190568fa6f7571aff43e7434a0

SHA512
68179e0ffa6d7d39db98b344b18962ba828d4154169229e0fdf47727867ad92d99172a9c7a7a380de90b2d2635bf1a69f466fcf610e799c211afb06c4090f90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lq3dLO3QZPSW.bat

Filesize
215B

MD5
211f7ef732bff76d0931f8b6a1b34b64

SHA1
49c9909d56fcc559aaaccc714b583d69372f613c

SHA256
2724a42099de04fc8b3233a9406f30a45c1af3ba150f87a6a0d7e03665d31467

SHA512
296d03e0afd2a5fc5ab32fa9ecbef7b41c9eef874d562f772875555b2c7143f4f64b7123fa19b28d7ca40add681cc545fe3174c98dcec994360dcfe1af98e5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RI4vv9nxNjwD.bat

Filesize
215B

MD5
0caebf771cda6c0bed6f98bb301b823a

SHA1
c8b3e26fce9612a925d525b373d3cd0aa3a610b3

SHA256
f24ad5ab56f7edf7552eb898c343cabbf8dc25b58271b2221421f795a49c8116

SHA512
47028a11ef2a6f251532cd253d525ad78c8df25031b8a284fec4905972a4be1c94565c77e9d919d5fb621df627e363183e1a2df44173c7f86105516b54814589

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQyih30fEG75.bat

Filesize
215B

MD5
b24b0154945569a0a020b2de42b2ddae

SHA1
08625503b13fd46b027276ab5c7214d6da9b74c9

SHA256
883c122e69ddad55bd4ae79d721df9c0300ad61c2f3cae04e579c938b60108cb

SHA512
7e820ae3344bae6fedb664f265c178fc1b95c4890760b159008cba8e51fce3eb2b1d75c082fd3d141bed02870c50859373c2c40f4b1fb253bdb1d89c0bc515b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeGljBye87ES.bat

Filesize
215B

MD5
495026863659f9c919324a9c6484a033

SHA1
e164108b8efddd81d0f671a84e7b2e6335185e7c

SHA256
5ea11d6572177a214a02c7b8029f8a31832e0e414a310efa8c3c217c021172ce

SHA512
f19a6abc2fbb38ce6e2ad5617f4a40858026b48a6972f4d6feabcb11921aa5b84ef637ebbea96f7ab9de6652bad888fa65dba0c14a832840717cff7613f4b092

Download Submit
C:\Users\Admin\AppData\Local\Temp\by7ivEZNt6JM.bat

Filesize
215B

MD5
c15c1c6dc265f94699ac24a2b82185eb

SHA1
99afc5ac0894be2950aac5441e7e3082fe3d8e0f

SHA256
bdcfc676d5ea3daabf36d58e1cdf0e5e230cc0643acb9c2d85ea99002ef23d13

SHA512
299e1e6f08262b01527636b49b43220f79c144c8085a28fc19f0b1888a3bc949a8bb6a11fdffc4be2230d6ceee0c7b138d2f00e170e58ed519732d2372ced413

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3GJGwyBPirL.bat

Filesize
215B

MD5
8d28177d21820246b0267b468aa74c06

SHA1
fbc26b057cf7613633128b151c7222d2761f32ba

SHA256
cfe8e6735892b3e1da0d6d3212eb0cdce6d7678e8d7bef44ad1e00ad59d6eddd

SHA512
c1e7823831bed23411cf4d8d54f77fffc941bf1b194f44bb5d21b2fba8be22dcc313c38a0dcdcffd58c2dfb7ceef363366848b5ce0496a7af591070fd1fd0bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gblw3MOlfpU7.bat

Filesize
215B

MD5
8b633f2889d9adf4c150b8c755f5fa86

SHA1
1ea8329e1fe61745bd8b1e06a4a935e0e1b0ecb3

SHA256
531a0fd6a7fdaab4c168d7c3d99607e0ce442a6aef70f376c3159d20866e10e6

SHA512
e9cdc6213f77a82bbf0d81175e76f634dda461898bba65ea12157fe0f6c3ff697353d233b185a09e91eadb22d973b847c599af8fb3c450ff0c138f6ba959f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAhqgTCPVzJ2.bat

Filesize
215B

MD5
75ea5240a4409e327768141614ca14b5

SHA1
067fa6bb77b1a459d234f553d7da980479a4c0be

SHA256
782eace874f5ca734dc26518bbf113d4676f5909ed8d4691879b0ed0d27abdff

SHA512
d323e87bc26fcd74a496d0c2a99af31be9bd1454817f04908375df67b1d41784700b73571671c244d6ab9738c290b59dcdd96c19bf76dc9d3afc76f38c36e43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIfSBRRLW5cx.bat

Filesize
215B

MD5
9bdd89b9eea51efee9a3ac60cdd6ee7b

SHA1
e0d973a689dc1e989d859fc657e4accb6e02b9a0

SHA256
664b44de05f060f90046937527823630ec48f0cd357a6040cde69aeda47e4114

SHA512
985568da4f3aadce09013b45e472d751ba15d3bc6cd5aeb4ff0235ea296934c7d865a21ed36d4ddaee7587d5725c484d322592287d12618ad40817d62362bb34

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe

Filesize
3.1MB

MD5
61437e24f20626caa1da68d45dc6349c

SHA1
e8e757aa167f0dfd15528bf26f6465758fbbb6f3

SHA256
b12573a06d210c94325adff99d72041732ee2937d4000a2766afa930dc31bff7

SHA512
8da16a08df45608736fe6cfacad123b54f326b366fd6d4d449f7b5c32c6385d8110813e76767ee35e2093cdb554ea57d1ed8b1d10a4fef4d437d312dfaa7bcce

Download Submit
memory/1244-19-0x00007FFA0F1E0000-0x00007FFA0FCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-13-0x000000001C090000-0x000000001C142000-memory.dmp

Filesize
712KB

Download
memory/1244-12-0x000000001BA00000-0x000000001BA50000-memory.dmp

Filesize
320KB

Download
memory/1244-11-0x00007FFA0F1E0000-0x00007FFA0FCA1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-9-0x00007FFA0F1E0000-0x00007FFA0FCA1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-1-0x0000000000D40000-0x0000000001064000-memory.dmp

Filesize
3.1MB

Download
memory/2324-10-0x00007FFA0F1E0000-0x00007FFA0FCA1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-2-0x00007FFA0F1E0000-0x00007FFA0FCA1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-0-0x00007FFA0F1E3000-0x00007FFA0F1E5000-memory.dmp

Filesize
8KB

Download