quasar | adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Size

3.1MB
MD5

218b79ebe7679fa1beab775ca7e49c4b
SHA1

2d08ac223c07b13e93e6f8e2d73d3b7b08f4b54f
SHA256

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1
SHA512

8e92fef65245e770a66d849c14bc344ff7231c68cb5e31e2ad6c5f1a7bfa85d4db89e426a2fdb22d9fead1563c9352693cbbeaecfe3252ad777ca9e035f15002
SSDEEP

49152:3vbI22SsaNYfdPBldt698dBcjHcxDE/glk/JxjoGdeTHHB72eh2NT:3vk22SsaNYfdPBldt6+dBcjHcxKF

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.0.1:4782

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/1088-1-0x0000000001350000-0x0000000001674000-memory.dmp	family_quasar
behavioral1/memory/2912-32-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/1824-42-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar
behavioral1/memory/552-63-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1668	PING.EXE
2704	PING.EXE
1488	PING.EXE
2864	PING.EXE
1924	PING.EXE
2056	PING.EXE
1504	PING.EXE
2404	PING.EXE
2548	PING.EXE
2804	PING.EXE
2532	PING.EXE
828	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1504	PING.EXE
2548	PING.EXE
2804	PING.EXE
1488	PING.EXE
828	PING.EXE
2864	PING.EXE
1924	PING.EXE
2056	PING.EXE
2404	PING.EXE
1668	PING.EXE
2704	PING.EXE
2532	PING.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1976	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2912	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	880	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	552	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2444	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2700	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1088	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1976	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2912	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
880	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
552	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2444	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2700	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1088	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1976	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2912	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
880	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
552	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2444	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2700	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2832	1088	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	30
PID 1088 wrote to memory of 2832	1088	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	30
PID 1088 wrote to memory of 2832	1088	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	30
PID 2832 wrote to memory of 2700	2832	cmd.exe	32
PID 2832 wrote to memory of 2700	2832	cmd.exe	32
PID 2832 wrote to memory of 2700	2832	cmd.exe	32
PID 2832 wrote to memory of 2864	2832	cmd.exe	33
PID 2832 wrote to memory of 2864	2832	cmd.exe	33
PID 2832 wrote to memory of 2864	2832	cmd.exe	33
PID 2832 wrote to memory of 2632	2832	cmd.exe	34
PID 2832 wrote to memory of 2632	2832	cmd.exe	34
PID 2832 wrote to memory of 2632	2832	cmd.exe	34
PID 2632 wrote to memory of 3056	2632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	35
PID 2632 wrote to memory of 3056	2632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	35
PID 2632 wrote to memory of 3056	2632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	35
PID 3056 wrote to memory of 1532	3056	cmd.exe	37
PID 3056 wrote to memory of 1532	3056	cmd.exe	37
PID 3056 wrote to memory of 1532	3056	cmd.exe	37
PID 3056 wrote to memory of 1924	3056	cmd.exe	38
PID 3056 wrote to memory of 1924	3056	cmd.exe	38
PID 3056 wrote to memory of 1924	3056	cmd.exe	38
PID 3056 wrote to memory of 1976	3056	cmd.exe	39
PID 3056 wrote to memory of 1976	3056	cmd.exe	39
PID 3056 wrote to memory of 1976	3056	cmd.exe	39
PID 1976 wrote to memory of 576	1976	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	40
PID 1976 wrote to memory of 576	1976	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	40
PID 1976 wrote to memory of 576	1976	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	40
PID 576 wrote to memory of 2452	576	cmd.exe	42
PID 576 wrote to memory of 2452	576	cmd.exe	42
PID 576 wrote to memory of 2452	576	cmd.exe	42
PID 576 wrote to memory of 2056	576	cmd.exe	43
PID 576 wrote to memory of 2056	576	cmd.exe	43
PID 576 wrote to memory of 2056	576	cmd.exe	43
PID 576 wrote to memory of 2912	576	cmd.exe	44
PID 576 wrote to memory of 2912	576	cmd.exe	44
PID 576 wrote to memory of 2912	576	cmd.exe	44
PID 2912 wrote to memory of 1132	2912	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	45
PID 2912 wrote to memory of 1132	2912	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	45
PID 2912 wrote to memory of 1132	2912	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	45
PID 1132 wrote to memory of 976	1132	cmd.exe	47
PID 1132 wrote to memory of 976	1132	cmd.exe	47
PID 1132 wrote to memory of 976	1132	cmd.exe	47
PID 1132 wrote to memory of 1504	1132	cmd.exe	48
PID 1132 wrote to memory of 1504	1132	cmd.exe	48
PID 1132 wrote to memory of 1504	1132	cmd.exe	48
PID 1132 wrote to memory of 1824	1132	cmd.exe	49
PID 1132 wrote to memory of 1824	1132	cmd.exe	49
PID 1132 wrote to memory of 1824	1132	cmd.exe	49
PID 1824 wrote to memory of 2376	1824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	50
PID 1824 wrote to memory of 2376	1824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	50
PID 1824 wrote to memory of 2376	1824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	50
PID 2376 wrote to memory of 2120	2376	cmd.exe	52
PID 2376 wrote to memory of 2120	2376	cmd.exe	52
PID 2376 wrote to memory of 2120	2376	cmd.exe	52
PID 2376 wrote to memory of 2404	2376	cmd.exe	53
PID 2376 wrote to memory of 2404	2376	cmd.exe	53
PID 2376 wrote to memory of 2404	2376	cmd.exe	53
PID 2376 wrote to memory of 880	2376	cmd.exe	55
PID 2376 wrote to memory of 880	2376	cmd.exe	55
PID 2376 wrote to memory of 880	2376	cmd.exe	55
PID 880 wrote to memory of 2344	880	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	56
PID 880 wrote to memory of 2344	880	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	56
PID 880 wrote to memory of 2344	880	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	56
PID 2344 wrote to memory of 772	2344	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
"C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\pNNPKhbY5LKI.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2700
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
    "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\5GMdYSvVfB0W.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1532
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DRtjsWUxsqoO.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uvDhIWdVkV8K.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WaWt2Xpx46tq.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gq7bCRRpv8gC.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Qs1w5ryld2iB.bat" "
        14⤵
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwsBb77kSdBi.bat" "
        16⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2700
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rfnU0IPF5avr.bat" "
        18⤵
        
        PID:2288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rPeW0bXECC4z.bat" "
        20⤵
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RbixHKNSZEF1.bat" "
        22⤵
        
        PID:1080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QY0tTRKze4Fs.bat" "
        24⤵
        
        PID:268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5GMdYSvVfB0W.bat

Filesize
261B

MD5
1a1afe62c157d351f11f3e7f8f973071

SHA1
5c85cd982725cdbd91fd537e152d18b05da0356d

SHA256
b7ca056938e22d0ebddba9555adf7510dc5dab37b1c937959847a093ad15b0d5

SHA512
b8c6174171fb3ddcf495da5ffe5185efd2257d10dcccf61e1d0b8c426f739e8c15b9a21f36048c8d6bba2f0fa33285f7c3209eb7c19296831e953c03b0e0a68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRtjsWUxsqoO.bat

Filesize
261B

MD5
3e3828746527cc3c368eee5363288c6e

SHA1
4af1ec165b6965cd88192467a619f5d5ab24d53b

SHA256
e30476438f1bdb0f918356da721c2c41defa47fd3697dc8af2dfffbf962fb14d

SHA512
f5c6a98e66a7921c7544e2824d9cd605d2932751f1d59032fcf82b43835879b588d95030956bb44630bd7d44cfe5cee23542fde0af038704b7851b867e6deb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gq7bCRRpv8gC.bat

Filesize
261B

MD5
0e5a835f3a7cae2cdab827015b104861

SHA1
3640a9672d123e718e4178fc5930d387e1af7de9

SHA256
fcf96660314c11e415d4db10e6a4efb7af61c6d85b571e6c6c9d93c9de191890

SHA512
60481833ca1cbb85ad9a0d8a9ec94a3679837328c4ecbaa62597eb9fb541edb763abf79aded1ca6430b58da865ca9ce24d28a7191703f4df3cfeca1b19bed6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwsBb77kSdBi.bat

Filesize
261B

MD5
c48b94e4d6462863b15f7d7ba288f31d

SHA1
9172d3c54e02df97dd044616999ede4a2b2493a1

SHA256
f9428e87adaef64c8be713114a0d0189ab23f8120605ca122c2e41fbf354105d

SHA512
9996db2a6837286aa5b4b340ad9195ea9c28907a2061ced1ac22728bdbd1a92daebd2275e6966ad3f60273e2e531c52a946335f93c793bd842fd39d0641d7c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\QY0tTRKze4Fs.bat

Filesize
261B

MD5
2f5781b37b3b69961fad3d7366653478

SHA1
331b8d665777210a30fb6cb91c9d8386752b6f4e

SHA256
f43f4a471463e176e96c6db673675d8d55db8eb409ca0f5e735183bbeb0c4fd8

SHA512
1595997514b8bda2584db23a92ea50ba814f98ee687fc41286e8061c50ec470ab0b7d978bede17222e7ad546b60d56b6d6046bc28f435da41005c5b36e202d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qs1w5ryld2iB.bat

Filesize
261B

MD5
9230ce376d350076045936e4eac4580a

SHA1
38ecc4d3fd513f0d45ed181dd7531db0089bc5f4

SHA256
0f2b3d67dcf87112f12c6e7c106cccdce11563d82063f8ce975ee529ccfc29b3

SHA512
801b2f0047002d7c49e8aadbc00d4893e11a33c01c4358655019b671e840cead829377b6dbaa26e7087febfc219d8873d6961731688d67466d5075a0f30cbf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RbixHKNSZEF1.bat

Filesize
261B

MD5
b84b80e91a7df2e24e605ea8fb76b199

SHA1
e8875f5ec04895196dfd68a592bea098c85572ed

SHA256
2c8c798794f5b58b4c2319efbdcc0384ebe9523aff9f875a5061df3e01b84edd

SHA512
932af7ee23d075e0fbba6fe20cf1f720eb1d002fed3d0f0c57073d304493ba25a86f957ffeafd7123a4e9339c6cc9694240d9f78e8a631c01e0feba1a3e66ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WaWt2Xpx46tq.bat

Filesize
261B

MD5
4a3d669f4e73d8aa4858d56847cf417e

SHA1
b072320063fa33d288c553d996cfb73da4d28076

SHA256
e1d15d05d6eebc68749472c4c64cb8b0949851c4899a1d31c47cb4367984e867

SHA512
3514507cea0b12f06c04a24540e5d6009314fb8e5a90dc48ce9a280693d1c8f4fe3e9e883f7395c2d2dc6cc70db1b7fd179ef58f939bb187548efc788354de4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pNNPKhbY5LKI.bat

Filesize
261B

MD5
0a7c9da186cb3b70a2d0da40a1d6c768

SHA1
3037d365533882f8025c54474b11dd5fb4b0455a

SHA256
957a34533eec2b7d6261270ab0a26d73fc1e409e611e848d40dba6c38db5a700

SHA512
481f8625f6ab1f747b9e179c4c0104d5f4a67bfa0f1546a599c2f620cf57829143020c3e20b904e368b785efb681270b0e82c4855d7fb59b1c8f77e5990a7483

Download Submit
C:\Users\Admin\AppData\Local\Temp\rPeW0bXECC4z.bat

Filesize
261B

MD5
ad25bb009f2e7fe46ae4e7c9ff0004ad

SHA1
8f4f5d7b71c0b77864f92679ce7eebc5005c6004

SHA256
ece6480df010ba0777fdff1f06736787b40cc1735b046f426aa497c2cbbe62aa

SHA512
8b11435a623f9f1e3a83bffefe15a5f18f66e50a3c4749064879041dc04cec07bbc9365183a41c46b93232e5f7d443b1c8db5016da43876e1fd38762cde7b159

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfnU0IPF5avr.bat

Filesize
261B

MD5
b56ce0bf678b844a0f87e80c93927172

SHA1
4ac584db44a00db4c983c38c8fe8e6c9aa723551

SHA256
2b140eb20738e2665657eddae57142f164bf312de6b393ca171ddc09aac3f338

SHA512
2fc9199a7c35ca1165fe8ba8b4cc63b8600343105984fa3819ece240d8c4405d511d45acc5e40604d8f710c454acb31ec6c3f4f68d097fe85eb74db8867bceec

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvDhIWdVkV8K.bat

Filesize
261B

MD5
570114adf597f17a1a4ad58c9e1b3fe9

SHA1
5d3480676f9de563467e63803344657c048eb614

SHA256
21487b79e2c7b8f36720b01064f7189c2097e6f79643d769bea6cf84dcf318dc

SHA512
08d6d22ae11b549ad3cb2cfd0f778009d91efe88065830a33ba9eec17d10c4952736d91c89ee2d7befa2df2de380cb877cd91b997e76fd5c73ceafa685e463f4

Download Submit
memory/552-63-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/1088-1-0x0000000001350000-0x0000000001674000-memory.dmp

Filesize
3.1MB

Download
memory/1088-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/1088-12-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1088-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-42-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/2912-32-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download