quasar | adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Size

3.1MB
MD5

218b79ebe7679fa1beab775ca7e49c4b
SHA1

2d08ac223c07b13e93e6f8e2d73d3b7b08f4b54f
SHA256

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1
SHA512

8e92fef65245e770a66d849c14bc344ff7231c68cb5e31e2ad6c5f1a7bfa85d4db89e426a2fdb22d9fead1563c9352693cbbeaecfe3252ad777ca9e035f15002
SSDEEP

49152:3vbI22SsaNYfdPBldt698dBcjHcxDE/glk/JxjoGdeTHHB72eh2NT:3vk22SsaNYfdPBldt6+dBcjHcxKF

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.0.1:4782

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4836-1-0x0000000000480000-0x00000000007A4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3676	PING.EXE
2348	PING.EXE
3604	PING.EXE
4200	PING.EXE
1168	PING.EXE
4796	PING.EXE
4512	PING.EXE
3268	PING.EXE
1380	PING.EXE
1288	PING.EXE
2188	PING.EXE
892	PING.EXE
4896	PING.EXE
3028	PING.EXE
2716	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2716	PING.EXE
2348	PING.EXE
4512	PING.EXE
2188	PING.EXE
3268	PING.EXE
4896	PING.EXE
3676	PING.EXE
4796	PING.EXE
1380	PING.EXE
1288	PING.EXE
3604	PING.EXE
4200	PING.EXE
892	PING.EXE
1168	PING.EXE
3028	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4140	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1600	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4156	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4524	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3704	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3680	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1896	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	960	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1996	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4356	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2208	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4836	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4140	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1600	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4156	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4524	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3704	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3680	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1896	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
960	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1996	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4356	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2208	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4836	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4140	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1600	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4156	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4524	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3704	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3680	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1896	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
960	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1996	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4356	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2208	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3232	4836	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	83
PID 4836 wrote to memory of 3232	4836	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	83
PID 3232 wrote to memory of 3544	3232	cmd.exe	85
PID 3232 wrote to memory of 3544	3232	cmd.exe	85
PID 3232 wrote to memory of 892	3232	cmd.exe	86
PID 3232 wrote to memory of 892	3232	cmd.exe	86
PID 3232 wrote to memory of 3824	3232	cmd.exe	95
PID 3232 wrote to memory of 3824	3232	cmd.exe	95
PID 3824 wrote to memory of 4800	3824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	96
PID 3824 wrote to memory of 4800	3824	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	96
PID 4800 wrote to memory of 4816	4800	cmd.exe	99
PID 4800 wrote to memory of 4816	4800	cmd.exe	99
PID 4800 wrote to memory of 1168	4800	cmd.exe	100
PID 4800 wrote to memory of 1168	4800	cmd.exe	100
PID 4800 wrote to memory of 4140	4800	cmd.exe	105
PID 4800 wrote to memory of 4140	4800	cmd.exe	105
PID 4140 wrote to memory of 4576	4140	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	107
PID 4140 wrote to memory of 4576	4140	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	107
PID 4576 wrote to memory of 1752	4576	cmd.exe	109
PID 4576 wrote to memory of 1752	4576	cmd.exe	109
PID 4576 wrote to memory of 3268	4576	cmd.exe	110
PID 4576 wrote to memory of 3268	4576	cmd.exe	110
PID 4576 wrote to memory of 1600	4576	cmd.exe	114
PID 4576 wrote to memory of 1600	4576	cmd.exe	114
PID 1600 wrote to memory of 3992	1600	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	117
PID 1600 wrote to memory of 3992	1600	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	117
PID 3992 wrote to memory of 4268	3992	cmd.exe	119
PID 3992 wrote to memory of 4268	3992	cmd.exe	119
PID 3992 wrote to memory of 4896	3992	cmd.exe	120
PID 3992 wrote to memory of 4896	3992	cmd.exe	120
PID 3992 wrote to memory of 4980	3992	cmd.exe	121
PID 3992 wrote to memory of 4980	3992	cmd.exe	121
PID 4980 wrote to memory of 3216	4980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	123
PID 4980 wrote to memory of 3216	4980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	123
PID 3216 wrote to memory of 3200	3216	cmd.exe	125
PID 3216 wrote to memory of 3200	3216	cmd.exe	125
PID 3216 wrote to memory of 3676	3216	cmd.exe	126
PID 3216 wrote to memory of 3676	3216	cmd.exe	126
PID 3216 wrote to memory of 4156	3216	cmd.exe	127
PID 3216 wrote to memory of 4156	3216	cmd.exe	127
PID 4156 wrote to memory of 1472	4156	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	129
PID 4156 wrote to memory of 1472	4156	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	129
PID 1472 wrote to memory of 2856	1472	cmd.exe	131
PID 1472 wrote to memory of 2856	1472	cmd.exe	131
PID 1472 wrote to memory of 3028	1472	cmd.exe	132
PID 1472 wrote to memory of 3028	1472	cmd.exe	132
PID 1472 wrote to memory of 1008	1472	cmd.exe	134
PID 1472 wrote to memory of 1008	1472	cmd.exe	134
PID 1008 wrote to memory of 4736	1008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	136
PID 1008 wrote to memory of 4736	1008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	136
PID 4736 wrote to memory of 680	4736	cmd.exe	138
PID 4736 wrote to memory of 680	4736	cmd.exe	138
PID 4736 wrote to memory of 4796	4736	cmd.exe	139
PID 4736 wrote to memory of 4796	4736	cmd.exe	139
PID 4736 wrote to memory of 4524	4736	cmd.exe	141
PID 4736 wrote to memory of 4524	4736	cmd.exe	141
PID 4524 wrote to memory of 2044	4524	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	143
PID 4524 wrote to memory of 2044	4524	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	143
PID 2044 wrote to memory of 4716	2044	cmd.exe	145
PID 2044 wrote to memory of 4716	2044	cmd.exe	145
PID 2044 wrote to memory of 4512	2044	cmd.exe	146
PID 2044 wrote to memory of 4512	2044	cmd.exe	146
PID 2044 wrote to memory of 3704	2044	cmd.exe	147
PID 2044 wrote to memory of 3704	2044	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
"C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nXFxkd0JAJIX.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3544
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
    "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yBVJitNkzHuA.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4816
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iafc9nbFYvu6.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TdGW3KiTMMPm.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CRLzoAz1RYPN.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgCUeh0xCquk.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LhF3ibwVcBWo.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kVlgvCRX81ed.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccMk4nUINZJJ.bat" "
        18⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MTF6Ql8V5XfU.bat" "
        20⤵
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ih2Z5pjbgH1m.bat" "
        22⤵
        
        PID:3676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogZdUWPppYXo.bat" "
        24⤵
        
        PID:3176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yRYmkb10dbZt.bat" "
        26⤵
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1P09VL1V8yVr.bat" "
        28⤵
        
        PID:4916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3hnujvR68TW6.bat" "
        30⤵
        
        PID:1832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1P09VL1V8yVr.bat

Filesize
261B

MD5
3541aca206384fd99e58e315bf1b0ca1

SHA1
8caa77d7bfa39b5050f82a639d5a72074fe86e81

SHA256
f2109f2231f82827c228dea847cbd5bd75b93a07bbd5b34a626a4713aabc0a86

SHA512
0cea8b344d01d7677e2337f2ad30b098153071b4bac6a1132a363ceaca4355a1deeccf0a38fefdff105a2aca4f457ff899b23dde488e8319cba2e2b3d034a24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3hnujvR68TW6.bat

Filesize
261B

MD5
b0466c32abcd12053c6e8df85b4efdb1

SHA1
6341f43ddff357e717e30e677ba14ae4ed4a0912

SHA256
269a810d2ba54f32d9a86238e2503cb5163b5bf9688cb763b7346ef5c4159bb4

SHA512
4399298eebdc098abb82f50fa4f912f9ee2a24021fbc13122cf79a8ed0e846f4e4ba896351bfeae8bbc8712a6a16e5bf8f4206abac6de6054cc8320a7fac02f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRLzoAz1RYPN.bat

Filesize
261B

MD5
a8dd164cc5b6dfa4859a0a2d54af8dd8

SHA1
52ec24140da68e9a32be4881f2154a7ba45c8586

SHA256
66905ca1445423e6d695ebf06d8692c96e57f35beacd85a3158a22565d401ea4

SHA512
0a7dc722b36a6589c4cfc8ff0ff8ff274c602f21ef54f9a4d3f61090617dbe4f1ac7f831bb2563926747a97b4df8e08b40db983b568d67ce560182d5036009c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LhF3ibwVcBWo.bat

Filesize
261B

MD5
879495ec48b9a3849f3477176104f77a

SHA1
ced425094c9094cb38ea17b3aa5120644d551b90

SHA256
bdf22e93bb305fe2f1f7f4eca71f4f88279bc9e83a697423d3da0d1f1816759f

SHA512
952c8c644561cb5c0d525092ee889400bad6a072bc87af7d94d9748c2bcc3d70247e8868cd7c73be8a0745879075df3c0550eb823e2379025e30c64cbea4763c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTF6Ql8V5XfU.bat

Filesize
261B

MD5
11e2f759b28efc8b4cb9740eaef30317

SHA1
c6666acd709fce3275c6bb0853b4e50fffe5e241

SHA256
d0e7a4a3cdabcd1bb5a637f857201644c682f045cc6b26e5c05b5903594ec13a

SHA512
fd754d5e8a7c494ccbeea28778bbbbbfb00ca5ff4115bbf2ad54bfc2a8f1bd1eaaaab98af6944100cdea81ff5a44b59ae740baacaa2d6fb275f0214c6f798c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TdGW3KiTMMPm.bat

Filesize
261B

MD5
69e194a418a383a4d370bdbd1586c1a7

SHA1
25fe0345c0b35afe8d7e1f8088852db15185cefb

SHA256
fa30701c1730272981935dd0f4ff741c05dfd57ed27a73f5b95fb13217be9ebb

SHA512
6970217865ee02f7d28ce734524f7968adae649f1dc0411c207f67d0213fc1f5cfd3997e04263759ae3b91bb6ad94c6490e41ac0c657b72f22406fe2d2bc5e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccMk4nUINZJJ.bat

Filesize
261B

MD5
2b1588132e2606017b4de764cf1a076a

SHA1
f12c730b5aa95d9b6a5db408944b76ce58122362

SHA256
7af079e7ac667a7a92d8540f379aae9c715cf27d8ae2fb3b25470b44668ea735

SHA512
15abdc34a6aa8119969d28b35eb52d62888711f2196cf341ea8c0f8ca38947ad72c44b327217148a9f9847e9d3a527a44e6fc723b6c3b4f05edb97198e73e5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\iafc9nbFYvu6.bat

Filesize
261B

MD5
339983575733853712c7e1ef87348d4f

SHA1
75bf2fd6d22e7f410705d92307dbf79ce5e452b7

SHA256
a10e45f408545778f0a7c1125bf0b8bf1b4b66d4c644df1c77db3d4ed260c61a

SHA512
232c3ba918665bcc470ec847ba17ee9cd28d9307a43fca88344860f1512509cd76066b872fdc82fa97d18528413dc68518554e3caea5c68b1c9a60359c0a3c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ih2Z5pjbgH1m.bat

Filesize
261B

MD5
9814d6fb1f7ca2b012d28c4a0ae8f794

SHA1
b42bb2b8b14b0e3adf70c6d2979e69204fa95f0c

SHA256
78e5959236d92dd61a622cab2b80a0f3400b8d27b02bd986501c2b48a5460d1d

SHA512
9b5061e75fdfd5cca4b72c2214f758df170552ecb8d3a4e4a54fabeeff356ea6425d8007061966f1dd5e55cf7605fc76ac28481a26e47fd83ea77fa14fae9499

Download Submit
C:\Users\Admin\AppData\Local\Temp\kVlgvCRX81ed.bat

Filesize
261B

MD5
9ff5abac9edec6c6eddf2883cf4609fc

SHA1
53b58c141268eee2755817ee8601bbdcdc665fc6

SHA256
d3ac04fb6c667cb7bd4c43660fdfb6b0d88dcc87309b4e516e68b271962fb10d

SHA512
2ca5f583128fa465f0db96d4fb4b5be4b8eb3f1d0954a484e061844c93b22bd896c304d46cb81a06687d635e264cf63a8ecdedf4da4c085f707e816e34bed902

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgCUeh0xCquk.bat

Filesize
261B

MD5
bd705d2584c948b01f827479dff8cfc4

SHA1
52dfcfc7784e01bbf52882fee72d0ab8f0f29639

SHA256
abb8f3510b9de03b561c9c1fa6ce8db5e87ccfbce9a9f4b4d5fdf4518554ac43

SHA512
36f4c3ed0197c61566a3d60db389a64f9ac6569afd05131490f5f50bd0c60cd8d0be47d4bece3243d2c1d55d497869d551da979b47501e8f48b580c4263682b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nXFxkd0JAJIX.bat

Filesize
261B

MD5
aa30f3cfbf94f9b188e6ac948d5236ce

SHA1
f5df30cfbd55b8a8d8bd01032212ede560353c97

SHA256
922fd36419349f19d9b0e8415bba2f98d0e256dd900697beff70c75d0d44772d

SHA512
87124c9e48e2202227a6d0721768d29fc6716cae3c526cb297be1eeb950672120ef1028a611773ac61a3f21ffed473e3a633114a5a16dad69f392d37f204f200

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogZdUWPppYXo.bat

Filesize
261B

MD5
420c050ab245e018f5ef24e58d9428f0

SHA1
a072187c3358817b060b14ca48081284acc1d366

SHA256
06f08abd919c80b7001130ff5c3b73dedbb07c493b1bf09dd97c3dedcc6b44b4

SHA512
647ed1365920a36102e944be97d026ebb50db47b001681b73eec85987dbf71b903ce5964f4dc6f9cd84090e51c14024ecf4d9d44d31ce9cc5467a16abf2041ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\yBVJitNkzHuA.bat

Filesize
261B

MD5
32d9066e417e8affc03db197f1c5b38f

SHA1
e4e485383a695443e622386598bec18f4f328dbd

SHA256
73e542fa3fdb7cc3123fb05163dc056e34d31ed23217e09b0fc6eaf308561b93

SHA512
a04b918411f2739f6b185baa3710ae73c44eebfae8fcc08f84854654aa9b357e12b20cd1748bf342c5ea1b2d2d4fe7131e7d0199cbf6f378619ed19eb72b456d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yRYmkb10dbZt.bat

Filesize
261B

MD5
6952240601fc7df6217661750cd50afb

SHA1
2c027a61450b5d23906ed8ccdd182c8f610632a0

SHA256
ceed060606c19000b8ec13867b9b57cd9d194274d60fc602e54540da88b09f56

SHA512
94a0d73361717b3ddcf21fdc614b186333d57e85bd82393dadba64f05792359494376275c5f0447e32752d462e02fb6f8582a7ba0aba317c3f5b527b07b768ef

Download Submit
memory/3824-12-0x00007FFEF9A60000-0x00007FFEFA521000-memory.dmp

Filesize
10.8MB

Download
memory/3824-17-0x00007FFEF9A60000-0x00007FFEFA521000-memory.dmp

Filesize
10.8MB

Download
memory/3824-13-0x00007FFEF9A60000-0x00007FFEFA521000-memory.dmp

Filesize
10.8MB

Download
memory/4836-0-0x00007FFEF9FB3000-0x00007FFEF9FB5000-memory.dmp

Filesize
8KB

Download
memory/4836-9-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp

Filesize
10.8MB

Download
memory/4836-4-0x000000001BFB0000-0x000000001C062000-memory.dmp

Filesize
712KB

Download
memory/4836-3-0x000000001BEA0000-0x000000001BEF0000-memory.dmp

Filesize
320KB

Download
memory/4836-2-0x00007FFEF9FB0000-0x00007FFEFAA71000-memory.dmp

Filesize
10.8MB

Download
memory/4836-1-0x0000000000480000-0x00000000007A4000-memory.dmp

Filesize
3.1MB

Download