quasar | b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
Size

3.1MB
MD5

f4da021b8bc9d8ef1ff9ce30b0ab3b79
SHA1

998a833c28617bf3e215fe7a8c3552972da36851
SHA256

b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545
SHA512

77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c
SSDEEP

98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I

Score

10^/10

quasar nigga discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Temp

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2524-1-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral1/files/0x000800000001925c-7.dat	family_quasar
behavioral1/memory/2412-10-0x0000000000810000-0x0000000000B34000-memory.dmp	family_quasar
behavioral1/memory/2780-23-0x0000000001190000-0x00000000014B4000-memory.dmp	family_quasar
behavioral1/memory/348-44-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral1/memory/2276-55-0x0000000000A50000-0x0000000000D74000-memory.dmp	family_quasar
behavioral1/memory/972-66-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral1/memory/536-77-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/848-88-0x0000000000890000-0x0000000000BB4000-memory.dmp	family_quasar
behavioral1/memory/2524-99-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar
behavioral1/memory/1304-130-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar
behavioral1/memory/2920-141-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
behavioral1/memory/1340-152-0x0000000000E30000-0x0000000001154000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
2412	RuntimeBroker.exe
2780	RuntimeBroker.exe
288	RuntimeBroker.exe
348	RuntimeBroker.exe
2276	RuntimeBroker.exe
972	RuntimeBroker.exe
536	RuntimeBroker.exe
848	RuntimeBroker.exe
2524	RuntimeBroker.exe
2196	RuntimeBroker.exe
936	RuntimeBroker.exe
1304	RuntimeBroker.exe
2920	RuntimeBroker.exe
1340	RuntimeBroker.exe
2320	RuntimeBroker.exe
2160	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1136	PING.EXE
2940	PING.EXE
1524	PING.EXE
2080	PING.EXE
1032	PING.EXE
2432	PING.EXE
3024	PING.EXE
2384	PING.EXE
2940	PING.EXE
2864	PING.EXE
2720	PING.EXE
1996	PING.EXE
2580	PING.EXE
1636	PING.EXE
2512	PING.EXE
2824	PING.EXE

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
2940	PING.EXE
1636	PING.EXE
2080	PING.EXE
3024	PING.EXE
2864	PING.EXE
1996	PING.EXE
2580	PING.EXE
1524	PING.EXE
2824	PING.EXE
2432	PING.EXE
2940	PING.EXE
1136	PING.EXE
2720	PING.EXE
2512	PING.EXE
1032	PING.EXE
2384	PING.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
Token: SeDebugPrivilege	2412	RuntimeBroker.exe
Token: SeDebugPrivilege	2780	RuntimeBroker.exe
Token: SeDebugPrivilege	288	RuntimeBroker.exe
Token: SeDebugPrivilege	348	RuntimeBroker.exe
Token: SeDebugPrivilege	2276	RuntimeBroker.exe
Token: SeDebugPrivilege	972	RuntimeBroker.exe
Token: SeDebugPrivilege	536	RuntimeBroker.exe
Token: SeDebugPrivilege	848	RuntimeBroker.exe
Token: SeDebugPrivilege	2524	RuntimeBroker.exe
Token: SeDebugPrivilege	2196	RuntimeBroker.exe
Token: SeDebugPrivilege	936	RuntimeBroker.exe
Token: SeDebugPrivilege	1304	RuntimeBroker.exe
Token: SeDebugPrivilege	2920	RuntimeBroker.exe
Token: SeDebugPrivilege	1340	RuntimeBroker.exe
Token: SeDebugPrivilege	2320	RuntimeBroker.exe
Token: SeDebugPrivilege	2160	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2412	2524	b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe	30
PID 2524 wrote to memory of 2412	2524	b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe	30
PID 2524 wrote to memory of 2412	2524	b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe	30
PID 2412 wrote to memory of 2724	2412	RuntimeBroker.exe	31
PID 2412 wrote to memory of 2724	2412	RuntimeBroker.exe	31
PID 2412 wrote to memory of 2724	2412	RuntimeBroker.exe	31
PID 2724 wrote to memory of 2820	2724	cmd.exe	33
PID 2724 wrote to memory of 2820	2724	cmd.exe	33
PID 2724 wrote to memory of 2820	2724	cmd.exe	33
PID 2724 wrote to memory of 2720	2724	cmd.exe	34
PID 2724 wrote to memory of 2720	2724	cmd.exe	34
PID 2724 wrote to memory of 2720	2724	cmd.exe	34
PID 2724 wrote to memory of 2780	2724	cmd.exe	35
PID 2724 wrote to memory of 2780	2724	cmd.exe	35
PID 2724 wrote to memory of 2780	2724	cmd.exe	35
PID 2780 wrote to memory of 2252	2780	RuntimeBroker.exe	37
PID 2780 wrote to memory of 2252	2780	RuntimeBroker.exe	37
PID 2780 wrote to memory of 2252	2780	RuntimeBroker.exe	37
PID 2252 wrote to memory of 2300	2252	cmd.exe	39
PID 2252 wrote to memory of 2300	2252	cmd.exe	39
PID 2252 wrote to memory of 2300	2252	cmd.exe	39
PID 2252 wrote to memory of 2080	2252	cmd.exe	40
PID 2252 wrote to memory of 2080	2252	cmd.exe	40
PID 2252 wrote to memory of 2080	2252	cmd.exe	40
PID 2252 wrote to memory of 288	2252	cmd.exe	41
PID 2252 wrote to memory of 288	2252	cmd.exe	41
PID 2252 wrote to memory of 288	2252	cmd.exe	41
PID 288 wrote to memory of 520	288	RuntimeBroker.exe	42
PID 288 wrote to memory of 520	288	RuntimeBroker.exe	42
PID 288 wrote to memory of 520	288	RuntimeBroker.exe	42
PID 520 wrote to memory of 576	520	cmd.exe	44
PID 520 wrote to memory of 576	520	cmd.exe	44
PID 520 wrote to memory of 576	520	cmd.exe	44
PID 520 wrote to memory of 1996	520	cmd.exe	45
PID 520 wrote to memory of 1996	520	cmd.exe	45
PID 520 wrote to memory of 1996	520	cmd.exe	45
PID 520 wrote to memory of 348	520	cmd.exe	46
PID 520 wrote to memory of 348	520	cmd.exe	46
PID 520 wrote to memory of 348	520	cmd.exe	46
PID 348 wrote to memory of 1592	348	RuntimeBroker.exe	47
PID 348 wrote to memory of 1592	348	RuntimeBroker.exe	47
PID 348 wrote to memory of 1592	348	RuntimeBroker.exe	47
PID 1592 wrote to memory of 2924	1592	cmd.exe	49
PID 1592 wrote to memory of 2924	1592	cmd.exe	49
PID 1592 wrote to memory of 2924	1592	cmd.exe	49
PID 1592 wrote to memory of 2940	1592	cmd.exe	50
PID 1592 wrote to memory of 2940	1592	cmd.exe	50
PID 1592 wrote to memory of 2940	1592	cmd.exe	50
PID 1592 wrote to memory of 2276	1592	cmd.exe	51
PID 1592 wrote to memory of 2276	1592	cmd.exe	51
PID 1592 wrote to memory of 2276	1592	cmd.exe	51
PID 2276 wrote to memory of 732	2276	RuntimeBroker.exe	52
PID 2276 wrote to memory of 732	2276	RuntimeBroker.exe	52
PID 2276 wrote to memory of 732	2276	RuntimeBroker.exe	52
PID 732 wrote to memory of 3036	732	cmd.exe	54
PID 732 wrote to memory of 3036	732	cmd.exe	54
PID 732 wrote to memory of 3036	732	cmd.exe	54
PID 732 wrote to memory of 2580	732	cmd.exe	55
PID 732 wrote to memory of 2580	732	cmd.exe	55
PID 732 wrote to memory of 2580	732	cmd.exe	55
PID 732 wrote to memory of 972	732	cmd.exe	56
PID 732 wrote to memory of 972	732	cmd.exe	56
PID 732 wrote to memory of 972	732	cmd.exe	56
PID 972 wrote to memory of 1872	972	RuntimeBroker.exe	57

C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
"C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7MNGwTXubJ6y.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2820
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2720
  - - C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZHXwMXD4hHse.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2300
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
      - C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\74Vj5CMbTnG2.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FH7AaE59unA1.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oOUVjN1M2rKw.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PRauCNB9eXIA.bat" "
        13⤵
        
        PID:1872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HF95VNtyYI8d.bat" "
        15⤵
        
        PID:2444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\a2ir4Wc9KKV5.bat" "
        17⤵
        
        PID:1700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8sSasrOQKEFd.bat" "
        19⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UDOj7OMT02Cp.bat" "
        21⤵
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGHyF8kbL6ME.bat" "
        23⤵
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SzjCtC3oKbPf.bat" "
        25⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\j2Q3OEVgevpr.bat" "
        27⤵
        
        PID:616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaO1SM1HsVi8.bat" "
        29⤵
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\olfwvxm2ASny.bat" "
        31⤵
        
        PID:2404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCWfCVO9U60v.bat" "
        33⤵
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74Vj5CMbTnG2.bat

Filesize
212B

MD5
283b23c4ec8819cb9bd2883b5fa437cc

SHA1
6915da46ca275c0a8c730cf3f8ed78529428bace

SHA256
9e055dca9a1c0fe0d0dfe324f62a402b624871b4b545e3f8d0149e5a33c33be2

SHA512
60785acc01003b86af071c52d300421887839e9e02a2e17507526cf96d565fdc08b871432dbb285cffdcbf42351acaa8197649ff009f6a1c0193b1b64baa21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7MNGwTXubJ6y.bat

Filesize
212B

MD5
0b464ec4115366f8cf8cc5543ced245d

SHA1
08b2a4df4fdebc9eb00a49e241cdf83f8eebb6eb

SHA256
cd10a1868f401f69352a95c75ba3d1394b9586906afd728e49d00648e79b709a

SHA512
77968c8f85a153b144f1c550b6bf6e50a7986e7a66748c3a0aab716d760743ffcaa2293e5c7e4db520c25049cf991ffc770fa634b78f4e67a6011ad4b3fef00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8sSasrOQKEFd.bat

Filesize
212B

MD5
f3f50ddb5a30a4bfc50dadfcc6de75ca

SHA1
2bb94412ed19aaeb3737ce15657470dccac4b72c

SHA256
d5f8e7bc53db66b5d8d32fa8a3b34eecb9cb3813fb78d7fd373c3450fce90933

SHA512
667407f087d404df9a62ebfe3fae2dcb09bdc42c59840cc3bfcb4b69a7ae0000cf8514d0096a317395dba5d51a2ac444debc7d3ad062c267ede875048665fc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\EaO1SM1HsVi8.bat

Filesize
212B

MD5
6fe95acf56eec913a5f801bef3759ed4

SHA1
99819041bad664ed0b9fe47f5a26c4184034349c

SHA256
0d2f9449c4c6e659aa3291d42ea50595b9e00b350d0f72cce3dc592d71a60dde

SHA512
42701e0805d7a07eb10ed2638396f845d34d7f290e7e92b9e376e4c7244da1c6183fc9d2db4457b116e23ea08e95fa334c12a32399ed1aa9e747688bc7172e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\FH7AaE59unA1.bat

Filesize
212B

MD5
8ed60dbc901ba2ffe5df3ba3a797bb81

SHA1
e6be9c10acb31a22a8e1a8cd1c32dbc52de95141

SHA256
9c025d72b5f001aa80988596e3666cd175162e692428d7dfa410e487ffec9b49

SHA512
9913d5758a152176ace27e4ae5e1e5d171a0c2860c957758812f254c4d9945d95dae69f775917600931004f61f9ce41eb4335521d2236a3483be26ed966fbc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\HF95VNtyYI8d.bat

Filesize
212B

MD5
916bc8b8e8e0656b28f676efe54832b2

SHA1
bbc5081874c5daf9477d91c51648b8b97d53474f

SHA256
e0b49df96cc57d41754a6eef7f3ff35a6178f4fff2494392aee270e28767da07

SHA512
02cebc40f8f34ef5054d1dd23d2dabe0b402983a6545d715179ad6db0e2a4d9bbdd730231e07e6ffe5ea71c63422974106b0acc52fe178ad2af30288120d6751

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRauCNB9eXIA.bat

Filesize
212B

MD5
c71052dd5291b68be815988ffe3d9b5f

SHA1
affca86810c4b5cce7bef86562a84a408da0d4eb

SHA256
39447016b84d72a64297cc5a870e4833bd5a8699c83605e805c8abf288469146

SHA512
81a2bcc0844f56f6dab82f2a4366c9b916161ca9bdec5ba30e8785a409edefe2ef62ca0bc33addbe6007108e6f0141431bc71a66c7ac8c497e8c2c62193f832a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SzjCtC3oKbPf.bat

Filesize
212B

MD5
2a3c45b8964b39d6b69fd7b5c47e09e6

SHA1
e39506f41d778d73888cf5245f4e70e56f34d5ab

SHA256
309f5b18046911005eef5a44a6b0bd26359077cf9b53c59ed17dca9153726d29

SHA512
132f30ab4f3b42c00e02122c2e8e5bc0092055c6df9dc6599731be0ce1254bb90695fafd64fa99f14cb97af82213aa0b13fe136acf83ac53b83c3c47547763c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UDOj7OMT02Cp.bat

Filesize
212B

MD5
8dca1dc20407fc5408796d3e497c1373

SHA1
d10655d7dbe3161de471b093c104901e878a1f6b

SHA256
394208e7eb088acff6554f57bf6a80df0593563eadac04e9966a670f57cce746

SHA512
a75462f9e54a2c368c058ffdfa96c00df443dbd7fa0fb2a3b74a2d74f0683df6bfdb49859acc75638426a74166333ad718e550408f054bab35741bfc67c26e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHXwMXD4hHse.bat

Filesize
212B

MD5
3d3a154ac1e24beae1752decb34c4331

SHA1
03423c3ee505f9b878989398ff98b6a46efd0171

SHA256
923f442dbd53c168b2538b168fde188ef2fdd3282e18156dad0fec7c1a1106e2

SHA512
e72210e8aa19453bd1d732296994b02a4b226a68282a3b6a2cfa477c15c7a06fd4713bc6b2fa2c442ecead41ca7e9d133403d56870a263a4265be6bb3340de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2ir4Wc9KKV5.bat

Filesize
212B

MD5
ce65b0f545c371b401750bddc7f1e4f3

SHA1
4616c56ce1bf2f42ed0c3bd3a843dbea95bbd789

SHA256
104ce82ad149b0f60162bc5c89860ff9ddf10a0b0fa5c06eaf687cf559673a32

SHA512
318f87ef6f0e4d9ec21d12b65966e0c458ac20fec2edab5467a95707dfb13a29af663652509b546b9a1310fb4e029b78d217374c2fe484cd47f7a98dc572cd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2Q3OEVgevpr.bat

Filesize
212B

MD5
a4465438fd47fdb5cef8a758dc8247ce

SHA1
f179d25a7456510223334cf13bc19767813d99a1

SHA256
6cfefef375deb9e3511f90f4f186e4c0d0f6f94706d48530d4268bc5526774be

SHA512
9bbe123587dd0595943d6db9fc1abc73161304d949f96e791f60d14acd04d39a60d62d2e9a2760f860f48df28026bddbe9b2f64049c266f01dc79b2798894c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGHyF8kbL6ME.bat

Filesize
212B

MD5
d5f71a5a824d1b88d2d820c7ffd49677

SHA1
63da55293acc7f71003e0b238103325d6ad89e1b

SHA256
4a7a2989db966037f8d5779cf15ad1e98c0ef2b1dc03d36c51929e998f368049

SHA512
f6f45685dd4a83c9ae6a5526b251376a6e854a04396bbb80aeaf700e8b2242d231aa6ebdc055873c40c7aecd11b35865cde4e265501421b6478f4bfca6ebbbb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oOUVjN1M2rKw.bat

Filesize
212B

MD5
5263394df1bee3865f310e5bcc301f6a

SHA1
63a6d0b8a5d900fabae4ff9c6bbac94b01b2cb7c

SHA256
981cbfce138be91804724905715716121ae4b7e1db85ce245120baa8c41ac9d4

SHA512
146b7b34f8131e88f565818f5bf52532756d027eeac00b847644c3443c71a47bc0d3768c8ad58021d7e2e4c12e79c7693de69cb32cb360241db1188fed409400

Download Submit
C:\Users\Admin\AppData\Local\Temp\olfwvxm2ASny.bat

Filesize
212B

MD5
daef9a2d3644991d5f2ef4c2a8093d89

SHA1
840fe6cb38656c6014b72ede8b6f71763bc7a32a

SHA256
317a9b9988490eeb97b47d93beb606623651b0eb953e6543977d0db066c9cf6a

SHA512
0d74fff143ce6dc700a3edfe2343829f2a903f1fe72b2e42495a18520792eec97d3dbbdd1ec743263369ca2cb4aefd0b3a6faf6390900394928b4ed58fabbce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCWfCVO9U60v.bat

Filesize
212B

MD5
1d2d5fbc61fb75567bf73c4c236b906b

SHA1
82871a31c0f3ae5b699a846ec0b82d7be90485b8

SHA256
f871c4e03c8f0534c8c04a6057a1d8939b482b699391eeaedd4777d78b636309

SHA512
6916e6730fb3002bbb6cd63291ce1b8207751b809a828a7f5f49fa669aad2bba3d357ae11f98ac6947e2832a9ebc49fb89a4350caba62db95f7425d831afec2c

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe

Filesize
3.1MB

MD5
f4da021b8bc9d8ef1ff9ce30b0ab3b79

SHA1
998a833c28617bf3e215fe7a8c3552972da36851

SHA256
b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

SHA512
77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

Download Submit
memory/348-44-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/536-77-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/848-88-0x0000000000890000-0x0000000000BB4000-memory.dmp

Filesize
3.1MB

Download
memory/972-66-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download
memory/1304-130-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download
memory/1340-152-0x0000000000E30000-0x0000000001154000-memory.dmp

Filesize
3.1MB

Download
memory/2276-55-0x0000000000A50000-0x0000000000D74000-memory.dmp

Filesize
3.1MB

Download
memory/2412-11-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2412-8-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2412-10-0x0000000000810000-0x0000000000B34000-memory.dmp

Filesize
3.1MB

Download
memory/2412-21-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-99-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/2524-9-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/2780-23-0x0000000001190000-0x00000000014B4000-memory.dmp

Filesize
3.1MB

Download
memory/2920-141-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download