quasar | adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Size

3.1MB
MD5

218b79ebe7679fa1beab775ca7e49c4b
SHA1

2d08ac223c07b13e93e6f8e2d73d3b7b08f4b54f
SHA256

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1
SHA512

8e92fef65245e770a66d849c14bc344ff7231c68cb5e31e2ad6c5f1a7bfa85d4db89e426a2fdb22d9fead1563c9352693cbbeaecfe3252ad777ca9e035f15002
SSDEEP

49152:3vbI22SsaNYfdPBldt698dBcjHcxDE/glk/JxjoGdeTHHB72eh2NT:3vk22SsaNYfdPBldt6+dBcjHcxKF

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.0.1:4782

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/848-1-0x0000000001020000-0x0000000001344000-memory.dmp	family_quasar
behavioral1/memory/2876-13-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar
behavioral1/memory/2796-23-0x00000000010B0000-0x00000000013D4000-memory.dmp	family_quasar
behavioral1/memory/2028-42-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/2956-52-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/2784-83-0x0000000000810000-0x0000000000B34000-memory.dmp	family_quasar
behavioral1/memory/2688-94-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar
behavioral1/memory/1372-113-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2940	PING.EXE
1800	PING.EXE
648	PING.EXE
1972	PING.EXE
668	PING.EXE
2612	PING.EXE
1324	PING.EXE
2888	PING.EXE
3012	PING.EXE
2912	PING.EXE
1640	PING.EXE
2616	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2940	PING.EXE
3012	PING.EXE
2912	PING.EXE
1640	PING.EXE
2612	PING.EXE
1324	PING.EXE
2888	PING.EXE
1800	PING.EXE
648	PING.EXE
1972	PING.EXE
668	PING.EXE
2616	PING.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2876	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2796	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2412	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2028	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2956	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	768	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1804	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2784	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2688	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2280	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1372	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
848	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2876	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2796	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2412	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2028	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2956	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
768	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1804	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2784	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2688	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2280	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1372	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
848	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2876	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2796	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2412	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2028	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2956	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
768	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1804	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2784	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2688	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2280	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1372	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1160	848	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	28
PID 848 wrote to memory of 1160	848	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	28
PID 848 wrote to memory of 1160	848	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	28
PID 1160 wrote to memory of 2932	1160	cmd.exe	30
PID 1160 wrote to memory of 2932	1160	cmd.exe	30
PID 1160 wrote to memory of 2932	1160	cmd.exe	30
PID 1160 wrote to memory of 2940	1160	cmd.exe	31
PID 1160 wrote to memory of 2940	1160	cmd.exe	31
PID 1160 wrote to memory of 2940	1160	cmd.exe	31
PID 1160 wrote to memory of 2876	1160	cmd.exe	32
PID 1160 wrote to memory of 2876	1160	cmd.exe	32
PID 1160 wrote to memory of 2876	1160	cmd.exe	32
PID 2876 wrote to memory of 2728	2876	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	33
PID 2876 wrote to memory of 2728	2876	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	33
PID 2876 wrote to memory of 2728	2876	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	33
PID 2728 wrote to memory of 2608	2728	cmd.exe	35
PID 2728 wrote to memory of 2608	2728	cmd.exe	35
PID 2728 wrote to memory of 2608	2728	cmd.exe	35
PID 2728 wrote to memory of 2888	2728	cmd.exe	36
PID 2728 wrote to memory of 2888	2728	cmd.exe	36
PID 2728 wrote to memory of 2888	2728	cmd.exe	36
PID 2728 wrote to memory of 2796	2728	cmd.exe	37
PID 2728 wrote to memory of 2796	2728	cmd.exe	37
PID 2728 wrote to memory of 2796	2728	cmd.exe	37
PID 2796 wrote to memory of 2536	2796	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	38
PID 2796 wrote to memory of 2536	2796	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	38
PID 2796 wrote to memory of 2536	2796	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	38
PID 2536 wrote to memory of 2964	2536	cmd.exe	40
PID 2536 wrote to memory of 2964	2536	cmd.exe	40
PID 2536 wrote to memory of 2964	2536	cmd.exe	40
PID 2536 wrote to memory of 3012	2536	cmd.exe	41
PID 2536 wrote to memory of 3012	2536	cmd.exe	41
PID 2536 wrote to memory of 3012	2536	cmd.exe	41
PID 2536 wrote to memory of 2412	2536	cmd.exe	42
PID 2536 wrote to memory of 2412	2536	cmd.exe	42
PID 2536 wrote to memory of 2412	2536	cmd.exe	42
PID 2412 wrote to memory of 536	2412	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	43
PID 2412 wrote to memory of 536	2412	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	43
PID 2412 wrote to memory of 536	2412	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	43
PID 536 wrote to memory of 2212	536	cmd.exe	45
PID 536 wrote to memory of 2212	536	cmd.exe	45
PID 536 wrote to memory of 2212	536	cmd.exe	45
PID 536 wrote to memory of 1800	536	cmd.exe	46
PID 536 wrote to memory of 1800	536	cmd.exe	46
PID 536 wrote to memory of 1800	536	cmd.exe	46
PID 536 wrote to memory of 2028	536	cmd.exe	47
PID 536 wrote to memory of 2028	536	cmd.exe	47
PID 536 wrote to memory of 2028	536	cmd.exe	47
PID 2028 wrote to memory of 1784	2028	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	48
PID 2028 wrote to memory of 1784	2028	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	48
PID 2028 wrote to memory of 1784	2028	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	48
PID 1784 wrote to memory of 1000	1784	cmd.exe	50
PID 1784 wrote to memory of 1000	1784	cmd.exe	50
PID 1784 wrote to memory of 1000	1784	cmd.exe	50
PID 1784 wrote to memory of 648	1784	cmd.exe	51
PID 1784 wrote to memory of 648	1784	cmd.exe	51
PID 1784 wrote to memory of 648	1784	cmd.exe	51
PID 1784 wrote to memory of 2956	1784	cmd.exe	52
PID 1784 wrote to memory of 2956	1784	cmd.exe	52
PID 1784 wrote to memory of 2956	1784	cmd.exe	52
PID 2956 wrote to memory of 2600	2956	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	53
PID 2956 wrote to memory of 2600	2956	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	53
PID 2956 wrote to memory of 2600	2956	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	53
PID 2600 wrote to memory of 960	2600	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
"C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6cJJ6JG9NESe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2932
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
    "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgQBN60Of7gu.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2608
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
    - - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BO9xTj47fq2Q.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOnFocH6OKsH.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yJ2C7onqCjSa.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGBr13XIvvbm.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vjEaNiY8425I.bat" "
        14⤵
        
        PID:1348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RxaJNlezN9id.bat" "
        16⤵
        
        PID:1736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        17⤵
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ZAMODLEfHOa.bat" "
        18⤵
        
        PID:2588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSq2McclRX9g.bat" "
        20⤵
        
        PID:2712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\h1AzPbNFw9q7.bat" "
        22⤵
        
        PID:2520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2280
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q6sdXQnwZb8B.bat" "
        24⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6cJJ6JG9NESe.bat

Filesize
261B

MD5
36f470096d72496ea999045c3791bc87

SHA1
00ec178ed07994140b86b9e44d307132ffe7f8cf

SHA256
6590902a1ed6bb5a0dbb5b4d4db90e2a8578ead4e0d9a53ffbdcd309d70264bb

SHA512
ecbc76ba55c1d3b8610651ebb52003775687ff005e6d364f96cecfe79b468fef8a21b0ce833cec2c6a752dc8d1a6a625697010f6d359fd7dbf6821ed3a3ed1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BO9xTj47fq2Q.bat

Filesize
261B

MD5
2399e9ad152e2f537440f8ea8d5b14d2

SHA1
b67c1c8b47787e75f10b12c38c10b6f8f98f6d5c

SHA256
84352b809973157609ac0049a139c934337936eff8841165cbeac63312070f11

SHA512
8b46c14029fe5ea233135c30e08adc7cb11fa787916e005a51e5322926ebeb1c8466c342d7f41bfde457baa59812b3dec88bd3774c09d3eaedb9f886a8357482

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGBr13XIvvbm.bat

Filesize
261B

MD5
9fbef10dae8f0508e08eaefeb5cafb15

SHA1
34219e80152a03da37f37a5c324f0a201fb9e297

SHA256
1115a504694c46ba76cb72d6b2372d5b71135a55b89fc5f94873e2a501408d0d

SHA512
f5175a530650a7077018c1d78af65c567867f5a0b00de61e82b1815847745c813f7e99ee345758160c8b99eb20ce1ab581eea4175bc75af09518651bb15f8914

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgQBN60Of7gu.bat

Filesize
261B

MD5
a1814a814567bf1bb980c3d11f420bb5

SHA1
b90f5ef34a1c70713aefaba53eb0c32e4371d100

SHA256
3969c10ad680c91d016dad0959c50ee404aa1e54f172164319b6a9487d7054ec

SHA512
19e21e8c050fb85c59d200f4e42a1af8f441e0e83f0afec58a476369daa985373810cf7d21da977a4414fdc3081060803df14259e8115fa8bc108d6f4b0738e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOnFocH6OKsH.bat

Filesize
261B

MD5
63fc82fc4be07b23bd4e0e9c88dd11a1

SHA1
bbcd7dfe127f129a8e5e16cfeb175600b6d2a90d

SHA256
e025800b03f7cb13df976e2e296e825fc84ba3a0c501365abed06bb7618c75a8

SHA512
e3c5a3d38b8197afd7e0c47ef6093246c52047824b0c05be1bb2687474184d34cb03cbc88222bcb021d464b89ca41349ceae58d5e0239ed84ec8c304fa1774e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q6sdXQnwZb8B.bat

Filesize
261B

MD5
7e01677e508dee94dbe568c740733f93

SHA1
0f1bb8c12df2e7bea814fdcda284ecae65a0f6ae

SHA256
338e9584dce5cf29460bed629efce6a3820aa27101dd6e7d26381a8a48dc5df2

SHA512
943f39890b5d096184aec4265602b7b87764bd179c6c538188f03bc029a36082cb43ab9c3a43af7e6a24daedf8ac957ac8cb700dd09508e0cdc64ad3eb613448

Download Submit
C:\Users\Admin\AppData\Local\Temp\RxaJNlezN9id.bat

Filesize
261B

MD5
749e2d2e3f46dc69d55da8ea7992b0a3

SHA1
87b712e3fad3d401791cf02fc5b8067e85d56228

SHA256
f5e6d13aa123c2fe30222e9db4d657c3d1f248709b30a2aa5914df9fc9596857

SHA512
fda3b09b647e8aae3f76672b9ee2f51950e3a0b174e291d3b5774401f42ed331b55529575cb2a7afc69f7ba5d8f249aa38145bf05849c8e76af7174aa2195186

Download Submit
C:\Users\Admin\AppData\Local\Temp\h1AzPbNFw9q7.bat

Filesize
261B

MD5
874f872dfe4ef7f94e1e477a81304562

SHA1
6179c8f7298b753179f24102dfec7f8132dc2389

SHA256
8cc3f958ed276a79b2c0953ca8f17d85fd31b1dcd9f79bf086e58a912d80678f

SHA512
1c697c0caaac472bca7345c1fd3576cb70636f1007df7c97337b124fd645821719d1e6801b15091deea0403e4fc760a5fc97c48c463d5e636bfe3b4b37a01609

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSq2McclRX9g.bat

Filesize
261B

MD5
1bbf823a640ceeff38330213a2d31ace

SHA1
c40697a355fbb27f21f3c305a8291c7b0f70e52b

SHA256
31b55ae8b4eb6de9dd39e974e624cbef63104713378a30372d6a03747c8916ad

SHA512
2be18ef88a2d48eea38aec1a80ba5e9a35f2e7d07fa86ec6a143e4379e23fc86df8f027776b25c5e23d9d06f76b8d5f3e282697de0a0a83beb86be5ba91c8262

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjEaNiY8425I.bat

Filesize
261B

MD5
15411fc648bac1f26d075834c9885ae9

SHA1
2024d7eec2bd4a38cb61a5cfcbf7fae9d1402612

SHA256
2b729af1be8878000e1ff81b54a00f5f86b8eca1a11319c4ecf047edf8f7eb44

SHA512
625a4822059d62c5454da13f54d41ed2eb0f28b63f89924483862296b0f10493001f96dd320f2f27b500e3e6eb4a37f665dd37fde77b05bcfd02e5faad443f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJ2C7onqCjSa.bat

Filesize
261B

MD5
3ed5ebd3f272b35fbb936e777f806bc1

SHA1
37b771d6a1800770ea56fac2a9391afb6f5a1bb5

SHA256
c71867596cfb3238f00a1be8d248217ae6e1531a29ac0e12d4d5d550f7f70ee3

SHA512
8cdaff22769ce4f0372c5dab67e4a628b3a288824cebca272fe7253ad9cd22ad1e3c2d25f0ba907596a497a6ba85fc7e6c5304fa5ae8cacc490cba202854e773

Download Submit
memory/848-12-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/848-0-0x000007FEF64A3000-0x000007FEF64A4000-memory.dmp

Filesize
4KB

Download
memory/848-2-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/848-1-0x0000000001020000-0x0000000001344000-memory.dmp

Filesize
3.1MB

Download
memory/1372-113-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2028-42-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/2688-94-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/2784-83-0x0000000000810000-0x0000000000B34000-memory.dmp

Filesize
3.1MB

Download
memory/2796-23-0x00000000010B0000-0x00000000013D4000-memory.dmp

Filesize
3.1MB

Download
memory/2876-13-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download
memory/2956-52-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download