quasar | adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Size

3.1MB
MD5

218b79ebe7679fa1beab775ca7e49c4b
SHA1

2d08ac223c07b13e93e6f8e2d73d3b7b08f4b54f
SHA256

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1
SHA512

8e92fef65245e770a66d849c14bc344ff7231c68cb5e31e2ad6c5f1a7bfa85d4db89e426a2fdb22d9fead1563c9352693cbbeaecfe3252ad777ca9e035f15002
SSDEEP

49152:3vbI22SsaNYfdPBldt698dBcjHcxDE/glk/JxjoGdeTHHB72eh2NT:3vk22SsaNYfdPBldt6+dBcjHcxKF

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.0.1:4782

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1800-1-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
992	PING.EXE
4816	PING.EXE
3544	PING.EXE
3416	PING.EXE
4812	PING.EXE
1788	PING.EXE
228	PING.EXE
644	PING.EXE
1920	PING.EXE
4996	PING.EXE
776	PING.EXE
4576	PING.EXE
456	PING.EXE
4388	PING.EXE
3700	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3416	PING.EXE
1788	PING.EXE
1920	PING.EXE
4996	PING.EXE
4388	PING.EXE
4812	PING.EXE
4816	PING.EXE
776	PING.EXE
3544	PING.EXE
4576	PING.EXE
992	PING.EXE
456	PING.EXE
644	PING.EXE
3700	PING.EXE
228	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4772	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1220	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4276	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3136	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	564	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2608	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1152	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3388	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	712	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4616	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3416	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2948	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1800	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4772	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1220	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4276	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3136	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
564	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2608	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1152	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3388	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
712	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4616	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3416	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2948	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1800	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4772	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1220	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4276	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3136	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
564	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2608	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1152	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3388	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
712	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4616	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3416	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2948	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3640	1800	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	83
PID 1800 wrote to memory of 3640	1800	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	83
PID 3640 wrote to memory of 2320	3640	cmd.exe	85
PID 3640 wrote to memory of 2320	3640	cmd.exe	85
PID 3640 wrote to memory of 4388	3640	cmd.exe	86
PID 3640 wrote to memory of 4388	3640	cmd.exe	86
PID 3640 wrote to memory of 3632	3640	cmd.exe	93
PID 3640 wrote to memory of 3632	3640	cmd.exe	93
PID 3632 wrote to memory of 5036	3632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	95
PID 3632 wrote to memory of 5036	3632	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	95
PID 5036 wrote to memory of 4640	5036	cmd.exe	97
PID 5036 wrote to memory of 4640	5036	cmd.exe	97
PID 5036 wrote to memory of 3416	5036	cmd.exe	98
PID 5036 wrote to memory of 3416	5036	cmd.exe	98
PID 5036 wrote to memory of 4772	5036	cmd.exe	105
PID 5036 wrote to memory of 4772	5036	cmd.exe	105
PID 4772 wrote to memory of 1988	4772	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	107
PID 4772 wrote to memory of 1988	4772	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	107
PID 1988 wrote to memory of 1784	1988	cmd.exe	109
PID 1988 wrote to memory of 1784	1988	cmd.exe	109
PID 1988 wrote to memory of 4812	1988	cmd.exe	110
PID 1988 wrote to memory of 4812	1988	cmd.exe	110
PID 1988 wrote to memory of 1220	1988	cmd.exe	113
PID 1988 wrote to memory of 1220	1988	cmd.exe	113
PID 1220 wrote to memory of 4796	1220	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	115
PID 1220 wrote to memory of 4796	1220	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	115
PID 4796 wrote to memory of 4260	4796	cmd.exe	117
PID 4796 wrote to memory of 4260	4796	cmd.exe	117
PID 4796 wrote to memory of 4816	4796	cmd.exe	118
PID 4796 wrote to memory of 4816	4796	cmd.exe	118
PID 4796 wrote to memory of 3792	4796	cmd.exe	120
PID 4796 wrote to memory of 3792	4796	cmd.exe	120
PID 3792 wrote to memory of 376	3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	122
PID 3792 wrote to memory of 376	3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	122
PID 376 wrote to memory of 3528	376	cmd.exe	124
PID 376 wrote to memory of 3528	376	cmd.exe	124
PID 376 wrote to memory of 776	376	cmd.exe	125
PID 376 wrote to memory of 776	376	cmd.exe	125
PID 376 wrote to memory of 4276	376	cmd.exe	127
PID 376 wrote to memory of 4276	376	cmd.exe	127
PID 4276 wrote to memory of 2804	4276	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	129
PID 4276 wrote to memory of 2804	4276	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	129
PID 2804 wrote to memory of 4888	2804	cmd.exe	131
PID 2804 wrote to memory of 4888	2804	cmd.exe	131
PID 2804 wrote to memory of 3700	2804	cmd.exe	132
PID 2804 wrote to memory of 3700	2804	cmd.exe	132
PID 2804 wrote to memory of 3136	2804	cmd.exe	134
PID 2804 wrote to memory of 3136	2804	cmd.exe	134
PID 3136 wrote to memory of 3564	3136	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	136
PID 3136 wrote to memory of 3564	3136	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	136
PID 3564 wrote to memory of 4136	3564	cmd.exe	138
PID 3564 wrote to memory of 4136	3564	cmd.exe	138
PID 3564 wrote to memory of 4576	3564	cmd.exe	139
PID 3564 wrote to memory of 4576	3564	cmd.exe	139
PID 3564 wrote to memory of 564	3564	cmd.exe	141
PID 3564 wrote to memory of 564	3564	cmd.exe	141
PID 564 wrote to memory of 4992	564	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	143
PID 564 wrote to memory of 4992	564	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	143
PID 4992 wrote to memory of 764	4992	cmd.exe	145
PID 4992 wrote to memory of 764	4992	cmd.exe	145
PID 4992 wrote to memory of 992	4992	cmd.exe	146
PID 4992 wrote to memory of 992	4992	cmd.exe	146
PID 4992 wrote to memory of 2608	4992	cmd.exe	148
PID 4992 wrote to memory of 2608	4992	cmd.exe	148

C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
"C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7bolSH7604EB.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2320
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4388
- - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
    "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rnqegzc6OkMi.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4640
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3416
    - - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TK1YOpwsKoDB.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fg1vZcd8Ic1C.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kNfvh383hkBI.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYfG4WMechV1.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZuUuuY7hAtCr.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bma1tWpmPaVp.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l6AnrwTzH3oC.bat" "
        18⤵
        
        PID:948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwvVHDcXsyCf.bat" "
        20⤵
        
        PID:428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IDZ5VzXFXrnU.bat" "
        22⤵
        
        PID:376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wJyQDBqKTzt7.bat" "
        24⤵
        
        PID:1640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S8AVP1E4x7KT.bat" "
        26⤵
        
        PID:4732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ezd5oLZnUOA4.bat" "
        28⤵
        
        PID:3128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bl4hWVkyFGpV.bat" "
        30⤵
        
        PID:4520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bolSH7604EB.bat

Filesize
261B

MD5
17b8dfa178fff98cb98769a77970fbeb

SHA1
e41cafba23bcaa87467f8f93972fd9b42edddda4

SHA256
e3d1a31c9ae44d4f461dfa4a03cbf575ecb83bbea892817c29d113607c4e51fb

SHA512
72d3f33719b0e96ff9eed46ded4601ec44a96e2d3b26f38f63d0514141d0784dcf7de304eb852c306ab331c2f36156948a05aa841f232d565567acf3c3448338

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bl4hWVkyFGpV.bat

Filesize
261B

MD5
dc9942716a3a83ba43162a1fe368b215

SHA1
e28c913d9a15a614edbb1b3b2c651126bed1fa2a

SHA256
86e7ce9e2738da1d8c11809bbc0426b32903180a1045526bdb5e7aa0ed7d2218

SHA512
ceda8d1b74b14d80ae219417e9631a2fc2c33285ebcc17901f9ad14aed89e2f7483b552336eedd227e93ad9d1dbbc6294716dd3c5f2dfd67bb6d8cca78bb9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bma1tWpmPaVp.bat

Filesize
261B

MD5
8a26a008c235a4895b3aeec605490caa

SHA1
dc940f5e6aead67beede27b81848501ab889dca6

SHA256
ff67489a274188a36a80c0c48c2642b96459562ae76374dc8dc23b9826146719

SHA512
3f67fe1e6f0579b7aedfcb6dfaaec4a550a096844677c2396241e8f0c6b7efa9b0a93cf9c8029860bc30b3d1fb738ba9b319f94985648be65018a02bdca1fb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDZ5VzXFXrnU.bat

Filesize
261B

MD5
8a6e2b71764f14365930f5358fe75822

SHA1
8499d40c9c144856123b6ed120f593458d856f17

SHA256
75ac9a92166132f3ca557c5d188025bc4ba62ee8f043817c0386dc440818cf65

SHA512
8250c8c41514b8ec22879ac52b0803fd7dcbfc1b4f7e46750c4dd2abcc8305ee37187bc343b5fa4ef558ad9d32cbe6481e7b9138304e73a83060422fc8558de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYfG4WMechV1.bat

Filesize
261B

MD5
0ae476e747c604f0cf9aacdb01d722dd

SHA1
241dfa63ce0e2ca802985e3c504767c8c39ed560

SHA256
877b25a599aaf5cf2d3641c9777b93d792f35ed8ed6012c7df1141a1f13cb25a

SHA512
51aa1baccd941aca9446ad5d65c74f036d26406aa0541c73c8e37ae14de66b6adb1631f5516dce68deae100332131287b4462ea3416f58b415297e6f0dcaada5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwvVHDcXsyCf.bat

Filesize
261B

MD5
656091b5d50da33db5883e9228763d52

SHA1
75d1ddbc39ac26b81ec95daf2922c0a71c906b6c

SHA256
5151e3307ae2fab4be2372b7b92e8c456f31bb41fbd3697280190b25d341f3b9

SHA512
09b3c8bf2ee263af3332b83c76ab8b4f715291f07c4b2927167f00f4be5c8d94fbb99b8d982f69ec6c3bee1b0dee5ab678645e05354af3787388230a45fdead0

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8AVP1E4x7KT.bat

Filesize
261B

MD5
fa607edfcbd8092fd335d17562e31b70

SHA1
f19add8486b79c36445b4f435fb68e3bca9c63ed

SHA256
e743af887e4a19789c3e9ae72b4482dd4d2fc8f71c5761c111d78c880088dd19

SHA512
0be63b596e4a9b15a168bc0c3ab091df9c60a2c54d4f29c58095b2c3fa2c2d2c1d63cf9c284e52a84a060cf2f366f940ef79e36d73029247c58c0ca721a64114

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK1YOpwsKoDB.bat

Filesize
261B

MD5
fab8ae64ba9dd85ff645c3500b53da45

SHA1
c20b8fec30963324ef1fc3f0458bc8732628e6f9

SHA256
1554b8034e45a7beb0ca58f390604824b3f9bd6f67c948c75f7a381fa4e864f3

SHA512
00e08414dedf0e010a2e198d728224e309d41d08ac9b3082ac9b7e7f3ed02bb873b948ed847e0459769b1c5caf5549982af453400d43390a351896a8c5be5af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZuUuuY7hAtCr.bat

Filesize
261B

MD5
b6863e89023ee990201e16a26e55b9ce

SHA1
5a2729c0c3cb0a094c7ec00d4e9eb0fbe260211a

SHA256
f0d4e17a333575fdda01ce510e176485091d72feb19a3cd30455671d22f83e5c

SHA512
43e2a596c2c0227b7f8b7db5482c03b073045c328754127f427378792828033b1d7e1391070e37e3c2daa48a2e976bdfdc19efb99e46a4fbe6c0287b18e37b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezd5oLZnUOA4.bat

Filesize
261B

MD5
50e69fedd91cbf04e2fd12d89c7b9d9f

SHA1
a6ab18dd759af048e46e8e5d30ac69d1b25eb392

SHA256
1660054804393c981f991abe55d7ca8a1ef6d0a747e12548f47cb6a8788b672a

SHA512
2475c49b972d51d1c520740971210eee0071c76eee531b49f522a46ecbd01df634340a0f564e9af293c1cce5d270f4fb275aaa342bdb7127fca79005c3e7401e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg1vZcd8Ic1C.bat

Filesize
261B

MD5
a352e693106b957a3f9edc8ff1ded109

SHA1
f504a80a1cdbf468547b170c236a80c4538e1672

SHA256
246b632e0331c24a95bacd7649ac6d8e25cb0c74d5448a2eaea8aa72b30f0e6c

SHA512
b623f3af5e587f29e28e831b8991514d9c90cfb397c02716a69f6ab553e44508c066351f3d1bbb573da746c00472d9a1a381d49afc91309a2d1ff48592da92ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNfvh383hkBI.bat

Filesize
261B

MD5
e585c7ad8b36034f7cb3f334e3f136c3

SHA1
9f1a8cf5dd451877a6275dc80b7692f2a07eadd0

SHA256
e54007d6b0d481ed05bb2013fd80cffc9398d34e34a1d04246657b3b03f3daf4

SHA512
a584b60a59f0aa708fa2a92a74e8200461828f834bd2f7c73215a9ad6c928ca729f6b4cb2ebec3de2295f8af824fb7743f2c1357227846bed7483f05455e362c

Download Submit
C:\Users\Admin\AppData\Local\Temp\l6AnrwTzH3oC.bat

Filesize
261B

MD5
b9b1fc22af942aacc4a8d4a0220001ad

SHA1
c47ec9dccb10582a333b9ce55c727217705061c5

SHA256
f3382e527b09a82fbe4174ae216323adfada7c1618b454cdace1199285f32c26

SHA512
79d76b904a3f4895cf51d4a21072431366daef941c73fb004843b642445b55fd59a6415b03951db96e69d17d0dfc4c8ca9384c7fa0121d9e047288c099789496

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnqegzc6OkMi.bat

Filesize
261B

MD5
e50fc1f0f6241763abd944f62afa13e8

SHA1
a1a0745f2eaaebdbe13871cfe6136c7cdb84b9ba

SHA256
cc02d3b3718267be17a55fc098331c53685b55aa765d448eaaebe6d7cc49b3cd

SHA512
04c5f98c945743fc703fb0232c0c4375b16c053193a0e5737618cda62969c7c348e24aeed1cb9d805c9355d1a844e954147cfa07f774c48d9905183c00dd1deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wJyQDBqKTzt7.bat

Filesize
261B

MD5
7cb98f4071e125e54274f1ff9ece8555

SHA1
f67dcfaed69c7059620345372f2906c6a01e4f4e

SHA256
d20315d833ba14c81b20619ee0622bad819b758d7aa78a699824b30eddee8c4c

SHA512
352bf4a02dfe48b213513be1e6b83d6ee5dc29ef1aa2eb127b48117dad29f132fbab23b5d1b35b131b7ea6f726877646d1e1840530b22302495ea4568b880a41

Download Submit
memory/1800-3-0x000000001BCD0000-0x000000001BD20000-memory.dmp

Filesize
320KB

Download
memory/1800-9-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

Filesize
10.8MB

Download
memory/1800-0-0x00007FFD82373000-0x00007FFD82375000-memory.dmp

Filesize
8KB

Download
memory/1800-2-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

Filesize
10.8MB

Download
memory/1800-4-0x000000001BDE0000-0x000000001BE92000-memory.dmp

Filesize
712KB

Download
memory/1800-1-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/3632-12-0x00007FFD81DF0000-0x00007FFD828B1000-memory.dmp

Filesize
10.8MB

Download
memory/3632-16-0x00007FFD81DF0000-0x00007FFD828B1000-memory.dmp

Filesize
10.8MB

Download