quasar | b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
Size

3.1MB
MD5

f4da021b8bc9d8ef1ff9ce30b0ab3b79
SHA1

998a833c28617bf3e215fe7a8c3552972da36851
SHA256

b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545
SHA512

77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c
SSDEEP

98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I

Score

10^/10

quasar nigga discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Temp

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1828-1-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral2/files/0x000d000000023a69-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
3484	RuntimeBroker.exe
2044	RuntimeBroker.exe
3488	RuntimeBroker.exe
2212	RuntimeBroker.exe
4152	RuntimeBroker.exe
3608	RuntimeBroker.exe
1220	RuntimeBroker.exe
1972	RuntimeBroker.exe
3392	RuntimeBroker.exe
1700	RuntimeBroker.exe
3440	RuntimeBroker.exe
3648	RuntimeBroker.exe
944	RuntimeBroker.exe
4164	RuntimeBroker.exe
3400	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3920	PING.EXE
3896	PING.EXE
2832	PING.EXE
4524	PING.EXE
3944	PING.EXE
1808	PING.EXE
4116	PING.EXE
4216	PING.EXE
1508	PING.EXE
2996	PING.EXE
4344	PING.EXE
4652	PING.EXE
1808	PING.EXE
1576	PING.EXE
4020	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4116	PING.EXE
4216	PING.EXE
1508	PING.EXE
3896	PING.EXE
1808	PING.EXE
4020	PING.EXE
3920	PING.EXE
4652	PING.EXE
2996	PING.EXE
1576	PING.EXE
3944	PING.EXE
4344	PING.EXE
2832	PING.EXE
4524	PING.EXE
1808	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
Token: SeDebugPrivilege	3484	RuntimeBroker.exe
Token: SeDebugPrivilege	2044	RuntimeBroker.exe
Token: SeDebugPrivilege	3488	RuntimeBroker.exe
Token: SeDebugPrivilege	2212	RuntimeBroker.exe
Token: SeDebugPrivilege	4152	RuntimeBroker.exe
Token: SeDebugPrivilege	3608	RuntimeBroker.exe
Token: SeDebugPrivilege	1220	RuntimeBroker.exe
Token: SeDebugPrivilege	1972	RuntimeBroker.exe
Token: SeDebugPrivilege	3392	RuntimeBroker.exe
Token: SeDebugPrivilege	1700	RuntimeBroker.exe
Token: SeDebugPrivilege	3440	RuntimeBroker.exe
Token: SeDebugPrivilege	3648	RuntimeBroker.exe
Token: SeDebugPrivilege	944	RuntimeBroker.exe
Token: SeDebugPrivilege	4164	RuntimeBroker.exe
Token: SeDebugPrivilege	3400	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 3484	1828	b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe	84
PID 1828 wrote to memory of 3484	1828	b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe	84
PID 3484 wrote to memory of 3352	3484	RuntimeBroker.exe	85
PID 3484 wrote to memory of 3352	3484	RuntimeBroker.exe	85
PID 3352 wrote to memory of 4152	3352	cmd.exe	87
PID 3352 wrote to memory of 4152	3352	cmd.exe	87
PID 3352 wrote to memory of 4344	3352	cmd.exe	88
PID 3352 wrote to memory of 4344	3352	cmd.exe	88
PID 3352 wrote to memory of 2044	3352	cmd.exe	98
PID 3352 wrote to memory of 2044	3352	cmd.exe	98
PID 2044 wrote to memory of 436	2044	RuntimeBroker.exe	100
PID 2044 wrote to memory of 436	2044	RuntimeBroker.exe	100
PID 436 wrote to memory of 3852	436	cmd.exe	102
PID 436 wrote to memory of 3852	436	cmd.exe	102
PID 436 wrote to memory of 1808	436	cmd.exe	103
PID 436 wrote to memory of 1808	436	cmd.exe	103
PID 436 wrote to memory of 3488	436	cmd.exe	109
PID 436 wrote to memory of 3488	436	cmd.exe	109
PID 3488 wrote to memory of 2560	3488	RuntimeBroker.exe	111
PID 3488 wrote to memory of 2560	3488	RuntimeBroker.exe	111
PID 2560 wrote to memory of 1964	2560	cmd.exe	113
PID 2560 wrote to memory of 1964	2560	cmd.exe	113
PID 2560 wrote to memory of 4116	2560	cmd.exe	114
PID 2560 wrote to memory of 4116	2560	cmd.exe	114
PID 2560 wrote to memory of 2212	2560	cmd.exe	118
PID 2560 wrote to memory of 2212	2560	cmd.exe	118
PID 2212 wrote to memory of 4528	2212	RuntimeBroker.exe	120
PID 2212 wrote to memory of 4528	2212	RuntimeBroker.exe	120
PID 4528 wrote to memory of 1680	4528	cmd.exe	122
PID 4528 wrote to memory of 1680	4528	cmd.exe	122
PID 4528 wrote to memory of 4216	4528	cmd.exe	123
PID 4528 wrote to memory of 4216	4528	cmd.exe	123
PID 4528 wrote to memory of 4152	4528	cmd.exe	126
PID 4528 wrote to memory of 4152	4528	cmd.exe	126
PID 4152 wrote to memory of 4420	4152	RuntimeBroker.exe	128
PID 4152 wrote to memory of 4420	4152	RuntimeBroker.exe	128
PID 4420 wrote to memory of 4864	4420	cmd.exe	130
PID 4420 wrote to memory of 4864	4420	cmd.exe	130
PID 4420 wrote to memory of 1508	4420	cmd.exe	131
PID 4420 wrote to memory of 1508	4420	cmd.exe	131
PID 4420 wrote to memory of 3608	4420	cmd.exe	133
PID 4420 wrote to memory of 3608	4420	cmd.exe	133
PID 3608 wrote to memory of 1232	3608	RuntimeBroker.exe	135
PID 3608 wrote to memory of 1232	3608	RuntimeBroker.exe	135
PID 1232 wrote to memory of 4620	1232	cmd.exe	137
PID 1232 wrote to memory of 4620	1232	cmd.exe	137
PID 1232 wrote to memory of 3920	1232	cmd.exe	138
PID 1232 wrote to memory of 3920	1232	cmd.exe	138
PID 1232 wrote to memory of 1220	1232	cmd.exe	141
PID 1232 wrote to memory of 1220	1232	cmd.exe	141
PID 1220 wrote to memory of 4352	1220	RuntimeBroker.exe	143
PID 1220 wrote to memory of 4352	1220	RuntimeBroker.exe	143
PID 4352 wrote to memory of 5008	4352	cmd.exe	145
PID 4352 wrote to memory of 5008	4352	cmd.exe	145
PID 4352 wrote to memory of 4652	4352	cmd.exe	146
PID 4352 wrote to memory of 4652	4352	cmd.exe	146
PID 4352 wrote to memory of 1972	4352	cmd.exe	148
PID 4352 wrote to memory of 1972	4352	cmd.exe	148
PID 1972 wrote to memory of 1968	1972	RuntimeBroker.exe	150
PID 1972 wrote to memory of 1968	1972	RuntimeBroker.exe	150
PID 1968 wrote to memory of 3004	1968	cmd.exe	152
PID 1968 wrote to memory of 3004	1968	cmd.exe	152
PID 1968 wrote to memory of 3896	1968	cmd.exe	153
PID 1968 wrote to memory of 3896	1968	cmd.exe	153

C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe
"C:\Users\Admin\AppData\Local\Temp\b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m9cUMx4apBFE.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4152
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4344
  - - C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYozjFPEyHE7.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3852
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808
      - C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwmCx25bJsv4.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EG8XJoXFuJCX.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyjQjAZFKmFH.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DBmuAVhmkYq6.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSsio62OpCQd.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oZhlx3KvUU1d.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\otHapNzLZuDF.bat" "
        19⤵
        
        PID:3916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKIKgsA0nfw0.bat" "
        21⤵
        
        PID:4932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2ZKsVio5xIa.bat" "
        23⤵
        
        PID:1872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RT6mwY7Uq7WY.bat" "
        25⤵
        
        PID:4808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKY4fqljQJI9.bat" "
        27⤵
        
        PID:4088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MdFt6xjSzQHd.bat" "
        29⤵
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3944
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MRJWH80c40gz.bat" "
        31⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2ZKsVio5xIa.bat

Filesize
212B

MD5
756c0edc8f305a07665cd67f40b203a3

SHA1
d7bb43a14452e92b88e1940ee62eae21cbc77272

SHA256
c226442f51d844295a4ed2702a7d9ae47a9dd34900c0e7e85d5ec7251bdddee8

SHA512
7c9ac84b85816f84c2305992cda9f8f7329d719cfa3cf786fa257d2b14e01189d3a902f3150c0704c18370efe6f48678979f2464629e056c75644c5371cf962c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBmuAVhmkYq6.bat

Filesize
212B

MD5
54a006f2fd20d38902f6713e96eab4b3

SHA1
a9aeb99717b8416f5d9f55eb6e93b48486a441d6

SHA256
645892b9cee27b6899a3e9a4caa25f750020d8d819b0f651ca58e814455dd271

SHA512
469d79230b9e364ca825a04614b71731c265145404e5ea3e60aaa83cd366e0ca63d0f207d4a7a1ea3323e1538f75a44305990bd33a6e47af163ed77ac4a1cbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EG8XJoXFuJCX.bat

Filesize
212B

MD5
1f5a370d8e3d4743da4803d2a5e644e1

SHA1
8ba505c39fbedd69465dc5310e458edd17ceffe7

SHA256
4d2056bbadcee11bd8a49c669bcd60b71c99001cb20355a4749759611777fe5c

SHA512
b80460a56216a608cb7bb279caeed5c2aa3ab5abe8f4fe1dca749e4413070e242a3a0b89708e86225832f096b011c1d95270ad2fd6f67ea12d720f47256fb44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYozjFPEyHE7.bat

Filesize
212B

MD5
955fc76ca3ea645852c11101a1ee7698

SHA1
f0c81e03c1d489780b623f37210ba5b83b75191c

SHA256
d461f8aa539e4a9cb903a492c361da76d59dc542fe7db92028728c25d3dc3642

SHA512
c0a2bcefe3435a8d81408f0fb5e956109a537b965c26a594dd66b24fe353f1c35475403470df222e98667a3ae90b9c56dbdc42bd244824e1fa8f96008cb853f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRJWH80c40gz.bat

Filesize
212B

MD5
32df0a3f2359b953a6e848b9da8f497e

SHA1
c426117188be68aac5767cd64fb914cfd6d2d3c2

SHA256
845f92fd2a6247747ffd2b8abcb4e33eb120d94e1cfabd602094f8037d6a4eaa

SHA512
837bb6328d926c3705c876f46223f0e10bffeddf82c0885c594ae9db4cfa76975dd7368bb0ea5950536dc17347a5d70a3ceaf4cce20f40457b6912cfc3c90d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\MdFt6xjSzQHd.bat

Filesize
212B

MD5
4dc0d3462b5cc115bed15a726c92335d

SHA1
9e15a25b4953a1621ef873765d1086b7dce0730e

SHA256
c8d644f0f78ab438b9c672bfda059cb75cc3677e9a7f98065fe36745aca6e0c3

SHA512
a4fc2f7900d07b9ccfe58c9f70c3a216610eadccc95ab3d7c7cf8a95e9c7b6d1a4c0a6e64307eb9e880ea4c452edebd8aa47c44bc28d12e29ef7215f5b6a62a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyjQjAZFKmFH.bat

Filesize
212B

MD5
efe94e376b2ab951151ec9fa1db82f23

SHA1
4cd0d08212845ec7d13fcea5fadb2c8eaa6009e2

SHA256
aebe334b1746a6a19ed4a2529b9cc9e9cc2117790bb5b9f25b8bbb2377e519b4

SHA512
047d8009ec07ea18b653850eb8dbebc68e6f01f1d4d37137087f1ba6ec178b0cca87f2327a24078f47af5f786469e47fa1b2b4e934dff2cd28edc2e765b907a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RT6mwY7Uq7WY.bat

Filesize
212B

MD5
acc042414cf57a311f63fe24a2b62553

SHA1
5fe0de22761f839249cbc213512f3a5bd9f6b227

SHA256
6564fd43a2be4d729853d4e884cabac066cac120752eeb4abc60dd27d63ff93d

SHA512
0bbb0cff249cbc91cf5d74744df7af138ef5d0440daf9780d84610f6c88bacfbc367bf463badf43a4ce8c9faa5615dedbc077884e6c4dc4400e69c0d93e18f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKY4fqljQJI9.bat

Filesize
212B

MD5
a014827f2ac8f7723e442b881a1670a7

SHA1
730d6d649120ff323a20ab421f16cf8250942f9c

SHA256
0b3a4321d926840a72b0f13dd7d633625a985bbeab81faf064643c13ab5be0f3

SHA512
c832d7e38b90866c048114e87bf532b6592c5321ecf7b6088dc08faab2b2c5644e6dd03f3e7c2eced01de09b4a78147bd1cacf7dbcb8a4ff163ee2b1cbaf9cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSsio62OpCQd.bat

Filesize
212B

MD5
0119159f7f0e151dafdc02aff554c61d

SHA1
92904fa02a0785de6be8d6410d61c5ff58a830b4

SHA256
005acc79bc5177ddba3df92c3fb5cb8fe76918ee0b8bb2df6e7aca3b4bf40612

SHA512
55bbe1ce8b963f36dfca7fbb8c367cf1b13aac388980d759e49f63233b790d94b83d2b6775c3593fa22d4284703553337920da20a0a3db56423e03b577e4cabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\m9cUMx4apBFE.bat

Filesize
212B

MD5
75b0eec0e22374d805e0419802882750

SHA1
1d4f68da4e96977b4e03030cc8092683ba1c725d

SHA256
ed18ce9877a007fa3c95b2769b3fc186b0c60f8f139782a3080f84891c50d96f

SHA512
d04dbc919c10fc244697729846e65fe7954b12687ed0a2bbd63278778c48ad3004d661f9e80dc99ba1fa38e0920e5a76e8c3f807bbd1cd1d3f0f81177bf279bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwmCx25bJsv4.bat

Filesize
212B

MD5
53293f7b6d2a88092b0932694feacf5d

SHA1
9ee3942ca30c5d5b3cc1cdae7fec10bab9e12d9f

SHA256
236ba4366f5b0b0864bf58be9bd85980de488bcebbc5a846a6c9bfc803710c71

SHA512
014551d24813931aaf48c98afbe02465cf3bb9ce06ebc5896acd71e69f629468be78759f34340037708beb98e52dc7b89ee486e073a35104c15aaaa73b4c6a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\oZhlx3KvUU1d.bat

Filesize
212B

MD5
08f42896e298ceb77b6e749233919148

SHA1
235d1dc2c4d7b930838bce07c6cc5f951dadea92

SHA256
f779a1d8c143c5bb0d689f84bd11e27eb574214428b2fab8812edde38d216055

SHA512
11d8bbcf36ee38a82b7d7c4aca2f0f19dac9238f0862ef258e43b0b017d7fd1bf581671b2e4642e23e35ee4a95f0e25491ac2ba978fe7c5e83a9e1b56a629786

Download Submit
C:\Users\Admin\AppData\Local\Temp\otHapNzLZuDF.bat

Filesize
212B

MD5
d50871f43a7b41f40f7d4bf96c93f9ad

SHA1
22500ddaf54a530e12669c582bb1591080d3e59e

SHA256
953aab657170f46a90b1a0910c7ee8d40a494b4d77a7cf398009a61755c0cfb5

SHA512
e266d90afb4f903c5389341658ef4d585dbcdd198c58a46197f196028d341792762c50fb4e190347e7644c5ab0310e4d1c316d88995d0d4b843f79ca0f41e5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\uKIKgsA0nfw0.bat

Filesize
212B

MD5
21a3c2e5ca5da77383130d58e7e4dddb

SHA1
28a5142a1d9e198f9a297dc7b0106ef66e0dbb95

SHA256
6f41670811ff8da2e59ae0df2ba25d836d6a0238930a955475065e3de4a668e0

SHA512
062c95545357acd079961961e0a6aeabc3cc1ec3da6dbb211085b6b44a601ff6ecfc00982b19dce2b0fac6f3c6e94e15cb3f9f9654219af5b916e6465a2324b8

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe

Filesize
3.1MB

MD5
f4da021b8bc9d8ef1ff9ce30b0ab3b79

SHA1
998a833c28617bf3e215fe7a8c3552972da36851

SHA256
b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

SHA512
77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

Download Submit
memory/1828-0-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp

Filesize
8KB

Download
memory/1828-9-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download
memory/1828-2-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download
memory/1828-1-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/3484-17-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download
memory/3484-12-0x000000001BC00000-0x000000001BCB2000-memory.dmp

Filesize
712KB

Download
memory/3484-11-0x000000001BAF0000-0x000000001BB40000-memory.dmp

Filesize
320KB

Download
memory/3484-10-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download