Overview

overview

10

Static

static

10

Wurst_Clie...23.rar

windows10-ltsc 2021-x64

10

Client/Wru...nu.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    30-11-2024 14:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client/Wrust Client/Wrust Client ModMenu.exe

  • Size

    3.1MB

  • MD5

    b6067d4946e40672793484c4ad1054f4

  • SHA1

    b06fb12cade407b0270aca2d2e14e7d19b92b36c

  • SHA256

    8e7dd1315b0523342ad5ded4942d1e6e6be61f0a6fe6b13336de3c95a8074239

  • SHA512

    12d902b2bfc7810f50277ed0f4344834390a6a712643076baadf43ab9e9c0b07e36b791637e2e1779fe0782ec240bf2120853f5f995b0f91d5d75c8cddadc78d

  • SSDEEP

    49152:SviI22SsaNYfdPBldt698dBcjHR7xNESE3k/iQLoGdQTHHB72eh2NT:Svv22SsaNYfdPBldt6+dBcjH5xmu

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

myhost20292.ddns.net:4782

Mutex

829ab10d-b669-4914-94aa-0b29020c6f1f

Attributes
  • encryption_key

    975A6378A0F938D8B354B0AF273B7F68F0241913

  • install_name

    Wurst Client ModMenu.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Java Updater

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops file in System32 directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client\Wrust Client\Wrust Client ModMenu.exe
    "C:\Users\Admin\AppData\Local\Temp\Client\Wrust Client\Wrust Client ModMenu.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4040
    • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
      "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4784
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tLaX8PGhryvt.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4280
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:3256
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4496
          • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
            "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3756
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:832
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bnZ0FVXVqH0j.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1184
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2916
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4320
                • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                  "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3868
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2532
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vDKCAf5mJZi4.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3272
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1708
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2948
                      • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1108
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2852
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyE7w2kBJ6z2.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3156
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:3592
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1772
                            • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                              "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4444
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4532
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cDubj6rTc0Ou.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2696
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:3840
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:5012
                                  • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                    "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:3336
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4556
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PnZ7S08a5ZFB.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3256
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:2992
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3596
                                        • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                          "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3776
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3864
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SPb9i43PVlFI.bat" "
                                            15⤵
                                              PID:3872
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:3076
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:1152
                                                • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                                  "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2648
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3436
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4BpxVIkzmqrD.bat" "
                                                    17⤵
                                                      PID:240
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:4060
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:4604
                                                        • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                                          "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3408
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2500
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMIhzWclaWB0.bat" "
                                                            19⤵
                                                              PID:3720
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:4208
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:1088
                                                                • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                                                  "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:5024
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2624
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aA2j52roiqQz.bat" "
                                                                    21⤵
                                                                      PID:1160
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:4212
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4136
                                                                        • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                                                          "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:4000
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3008
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qieilMjhOY4Q.bat" "
                                                                            23⤵
                                                                              PID:4084
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:2764
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:464
                                                                                • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                                                                  "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2604
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:4932
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UbPHMOtkYID4.bat" "
                                                                                    25⤵
                                                                                      PID:2648
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:924
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:3040
                                                                                        • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                                                                          "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5116
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:2296
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEYLVa8dkDd8.bat" "
                                                                                            27⤵
                                                                                              PID:4616
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:4332
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:1956
                                                                                                • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                                                                                  "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3720
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2256
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSjYMWCtlK5O.bat" "
                                                                                                    29⤵
                                                                                                      PID:1528
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:4464
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:1176
                                                                                                        • C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
                                                                                                          "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2992
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:4532
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OHo4USAi2FLE.bat" "
                                                                                                            31⤵
                                                                                                              PID:1220
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:4080
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:4448
                                                  • C:\Windows\system32\taskmgr.exe
                                                    "C:\Windows\system32\taskmgr.exe" /7
                                                    1⤵
                                                    • Checks SCSI registry key(s)
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of FindShellTrayWindow
                                                    • Suspicious use of SendNotifyMessage
                                                    PID:472

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Wurst Client ModMenu.exe.log
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    7787ce173dfface746f5a9cf5477883d

                                                    SHA1

                                                    4587d870e914785b3a8fb017fec0c0f1c7ec0004

                                                    SHA256

                                                    c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

                                                    SHA512

                                                    3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\4BpxVIkzmqrD.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    7d2e274ee4d02b56d8f720779ba99e8a

                                                    SHA1

                                                    40fe114987acefe6c1f0b04a93ec6ed6dc2d61f6

                                                    SHA256

                                                    0c06adf1a2441f9f97193db5f59aff6472b34655291cfb82df1bfc982932c24f

                                                    SHA512

                                                    a3e3fc3c23674a16238ff9459d4dff6ab383129e838b15262bdc78bac449b64f5717e1ea9d4c8a3464ac4be317a0375b42cf28bb3b66255f37c12ea00c804b5e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\EEYLVa8dkDd8.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    1c85b4af71114976616c79c3755a98e0

                                                    SHA1

                                                    81a6909553b79073deca0f09e8c3c7f71ff9e036

                                                    SHA256

                                                    d2fdaaf4ad02d6715449841dd95ed21e9dbfc16c45cd22b99baa14e3fced6940

                                                    SHA512

                                                    990761ecd9538cb5e7fe41786ad49631146d8513c78d5487e2ed224c0212387c341eb9b836f1751b596d44d26e0e17c6fc570a8b1f0ee0aae5234114fee7889c

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\NyE7w2kBJ6z2.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    4fd45190dbe1a05efc5a02c31202cd6f

                                                    SHA1

                                                    72f0d8274a7445f151c5a99e8b28937ee52201cf

                                                    SHA256

                                                    20e37edba2e389c990f2b6f76b932c541e96124e3d11b3beea5772632d1f0b7d

                                                    SHA512

                                                    a7c08696689f4bdb9192b77ae8faf344015afe9c2140ae074af0606d8cfd217be4e256fd071578efeaa470c250a83cf83282f878ae575719d8c39fc1748d6a3e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\OHo4USAi2FLE.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    0b47f3e6121c01e2960602a0e43c8f42

                                                    SHA1

                                                    2b028c202aae9910bcc8c3a109dd9e0fa8305859

                                                    SHA256

                                                    9e8438572b1698adcc6f44defd9a2ada5363e71a0a82bbdef8ec58973c06962d

                                                    SHA512

                                                    7a1306eea82c1eba35449d6ee4b833e60bef3e0fe6e43f628f93782d27ec415dbcdba56b0412e9c89815bb34708430bcbb240319610d514abcd19f63ed4e54d2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\PnZ7S08a5ZFB.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    4844488f919342e320becf13ce674f95

                                                    SHA1

                                                    98b773d2d92a2fed5494fd231a0de95958c4c0e9

                                                    SHA256

                                                    dfa32e6bfe47e2e331ed9818b83030f6eef6060168eb7445afe027ce68037246

                                                    SHA512

                                                    427eab7d7fc9329d098bdd7ad20a8ad0f8dc65386c034c0a20cb6e0553420f5514a3b05684f69eab97c44c8884ec32f99dcafc1ae960b6a155589fbbc499355e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\SPb9i43PVlFI.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    caccaf3f5abfca5da94d96bd925c315d

                                                    SHA1

                                                    371837b8469fc023bf764fba0037836b065cd228

                                                    SHA256

                                                    f857e083d9d875456fb6a314ca3d3a54e0496f9574aed0c79c53141e6643c8fa

                                                    SHA512

                                                    d20bfb4f85160077c6c8218904e142cb43a42b6fd0f6550f4d526d145edbfb7fa370a3b567227567b87faa987bb5c0bda2a8ab23c00aed7ab1c9c81e4f4e305c

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\UbPHMOtkYID4.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    8196b56aae255f5ed75786885ada4ff9

                                                    SHA1

                                                    4d82d5d3ca4362fca6333d7bc5cf9442194f5613

                                                    SHA256

                                                    3e35c7a4417bc68ec16c5a246baa7abe259ca739982e9cd238c871753f7d0b13

                                                    SHA512

                                                    ef105fb23872915e83cdfa08ea0b03adcefbb36fd72c972b91a30f660a1461b12f861b1b6ad7874890b03beb8e0a2a06f51dffd1af4dd54330bb22ec323c0276

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\WSjYMWCtlK5O.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    fc3fb97ef79f1029d794b84de8efa70a

                                                    SHA1

                                                    5c46e80fa9a6d1698ee1147b99056ee89e49abff

                                                    SHA256

                                                    7241ba4c2db70c1812c4fa976ac22861a348875d0a648fd85c6cd7ca9fd05570

                                                    SHA512

                                                    3966d0cd4b5fcfa5eddd7a5c18e25243c63d96f23c86a17561e05f5ecfa58bbcb508aa67cdb67e74c1f64bef0c5ac390c23260afec1059bd84ea3d95fe7efc9f

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\YMIhzWclaWB0.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    2fa49634f3232cd1c9d2022532db200a

                                                    SHA1

                                                    422e70f4feb9eda22ed0dcb7acb54fa81bd05f55

                                                    SHA256

                                                    6e3aab9f20ec2ed04efe84961c30ff99def2953a03c3532c573abe7add044168

                                                    SHA512

                                                    4fe5a26d743a357e20a29d88cdf2d312d95b5688e2655caa11ef7c3494a001581aa2bf9c029e8caa4f606bd04496fccd0d8de4520821507dcb26b570647dff16

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\aA2j52roiqQz.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    08d0021ea7c62d5126dde73902f5a0f0

                                                    SHA1

                                                    c0b21fa00e290741a3ed95c7642f98b1cecbfe39

                                                    SHA256

                                                    411e9e1ed30958d1da84d0ec6f37e0ad4d131bac24bbce97f84ecbd8ddd72dcb

                                                    SHA512

                                                    321b638c4b1b2daef89f782867b79d877c54e0afdffd32c6734bf6cea892d03895b1a69a3af98cfe68867de1e05243772aac8da085fc8e858bb5f9476a3084c3

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\bnZ0FVXVqH0j.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    57d37ccd2f468f9b1749b3406d62e439

                                                    SHA1

                                                    c0b42f9b5ab4aa662d291312e307186990301e13

                                                    SHA256

                                                    94894a1bb1d2fa4fde1d484fc231ad5d37ad8a70b2efb7d48edce801b93d4bcb

                                                    SHA512

                                                    7cd6243031d1fa7f5922aa059b479985641953feb44702150f90cb972438c147ab254178c71c333966598c9d8827da656dd589a1c2b320b2fe7c883ff6b5b26d

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\cDubj6rTc0Ou.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    3690026abbb02d75caf8a41079d76230

                                                    SHA1

                                                    581e7e6a899c30f57847f64d27d338b735a9a3dd

                                                    SHA256

                                                    ea8ba0bccebfadf96011a74aba39c8c2f9664d1ba0e2b23bb792806a8377efb2

                                                    SHA512

                                                    5d1cf89689c4c6af69d3d15441543bdbec5c2e0624918f2162439fceda768934a1db2c0321faa406b2a6c1047f510f2e8f152647f5132eb1f51d276095674692

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\qieilMjhOY4Q.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    5c5293439d855e309c97756afac858e4

                                                    SHA1

                                                    32bb8a14856979270e36157a1a191d87347308b1

                                                    SHA256

                                                    e0ced14e352b03ded65ee3fd08a1e165039f63796350f2947decadc3f3449c1c

                                                    SHA512

                                                    d9341e4a43857a085ae00372f25e3bc9b04b5e1c9c2d4ff1cbfdbbc9acbd6cd9fb4afd681428047498ccd901755f3c30523c48afea3c15accb6b68ef5f2fab58

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\tLaX8PGhryvt.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    adc067ec924b741447881650559d9b98

                                                    SHA1

                                                    6701a34b079a294c5048e87a9650152d89ff88aa

                                                    SHA256

                                                    ed48de1d6e938710b5cf9fe921cd8f29cbe15ac4f06003384334e87633bf8e0c

                                                    SHA512

                                                    e05ed688f2941ca17981fc34a61b4f16d332f162ba914d03d0e60aa114a89a719a41ad6e4dd310389ae14aea12f94064522e67d09d3f49816b5c41ac260bf4f5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\vDKCAf5mJZi4.bat
                                                    Filesize

                                                    210B

                                                    MD5

                                                    ee11024fc6f6213b8dd5e3f28a882a0f

                                                    SHA1

                                                    4bdafd47fd646f1166f0f71f9f760fd642903841

                                                    SHA256

                                                    fadb0b9a19d6a2e656e94bae59f7beac1f5797948877800ba41d9950a4bf6b8c

                                                    SHA512

                                                    25fda326f1a313cf25954fcad716c95f6ac2d7644b4e491cbb805f3dfc928d8250c4e3d6099a30898c88c7676e1b5b5c0452db83ad3b3cc50f4aa1a02a8258ec

                                                    Download Submit

                                                  • C:\Windows\System32\SubDir\Wurst Client ModMenu.exe
                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    b6067d4946e40672793484c4ad1054f4

                                                    SHA1

                                                    b06fb12cade407b0270aca2d2e14e7d19b92b36c

                                                    SHA256

                                                    8e7dd1315b0523342ad5ded4942d1e6e6be61f0a6fe6b13336de3c95a8074239

                                                    SHA512

                                                    12d902b2bfc7810f50277ed0f4344834390a6a712643076baadf43ab9e9c0b07e36b791637e2e1779fe0782ec240bf2120853f5f995b0f91d5d75c8cddadc78d

                                                    Download Submit

                                                  • memory/408-1-0x0000000000F10000-0x0000000001234000-memory.dmp

                                                    Filesize

                                                    3.1MB

                                                    Download

                                                  • memory/408-2-0x00007FFEFA7A0000-0x00007FFEFB262000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/408-5-0x00007FFEFA7A0000-0x00007FFEFB262000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/408-0-0x00007FFEFA7A3000-0x00007FFEFA7A5000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/472-68-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-61-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-70-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-69-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-72-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-67-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-73-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-71-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-63-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/472-62-0x000002B811AB0000-0x000002B811AB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3612-9-0x000000001CC90000-0x000000001CD42000-memory.dmp

                                                    Filesize

                                                    712KB

                                                    Download

                                                  • memory/3612-6-0x00007FFEFA7A0000-0x00007FFEFB262000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/3612-7-0x00007FFEFA7A0000-0x00007FFEFB262000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/3612-8-0x000000001CB80000-0x000000001CBD0000-memory.dmp

                                                    Filesize

                                                    320KB

                                                    Download

                                                  • memory/3612-17-0x00007FFEFA7A0000-0x00007FFEFB262000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download