quasar | adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Size

3.1MB
MD5

218b79ebe7679fa1beab775ca7e49c4b
SHA1

2d08ac223c07b13e93e6f8e2d73d3b7b08f4b54f
SHA256

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1
SHA512

8e92fef65245e770a66d849c14bc344ff7231c68cb5e31e2ad6c5f1a7bfa85d4db89e426a2fdb22d9fead1563c9352693cbbeaecfe3252ad777ca9e035f15002
SSDEEP

49152:3vbI22SsaNYfdPBldt698dBcjHcxDE/glk/JxjoGdeTHHB72eh2NT:3vk22SsaNYfdPBldt6+dBcjHcxKF

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.0.1:4782

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/2288-1-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/548-13-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/2980-23-0x00000000013E0000-0x0000000001704000-memory.dmp	family_quasar
behavioral1/memory/328-73-0x00000000000F0000-0x0000000000414000-memory.dmp	family_quasar
behavioral1/memory/316-83-0x0000000000D10000-0x0000000001034000-memory.dmp	family_quasar
behavioral1/memory/1260-93-0x0000000001100000-0x0000000001424000-memory.dmp	family_quasar
behavioral1/memory/1908-123-0x0000000001150000-0x0000000001474000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1080	PING.EXE
2284	PING.EXE
1628	PING.EXE
2744	PING.EXE
2948	PING.EXE
1948	PING.EXE
588	PING.EXE
2900	PING.EXE
2268	PING.EXE
2752	PING.EXE
1780	PING.EXE
624	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2284	PING.EXE
1628	PING.EXE
2900	PING.EXE
2752	PING.EXE
1780	PING.EXE
624	PING.EXE
2948	PING.EXE
2744	PING.EXE
1948	PING.EXE
588	PING.EXE
2268	PING.EXE
1080	PING.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	672	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	328	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1260	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1808	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2936	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1908	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
672	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
328	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1260	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1808	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2936	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1908	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
672	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
328	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1260	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1808	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2936	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1908	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1804	2288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	28
PID 2288 wrote to memory of 1804	2288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	28
PID 2288 wrote to memory of 1804	2288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	28
PID 1804 wrote to memory of 2064	1804	cmd.exe	30
PID 1804 wrote to memory of 2064	1804	cmd.exe	30
PID 1804 wrote to memory of 2064	1804	cmd.exe	30
PID 1804 wrote to memory of 1080	1804	cmd.exe	31
PID 1804 wrote to memory of 1080	1804	cmd.exe	31
PID 1804 wrote to memory of 1080	1804	cmd.exe	31
PID 1804 wrote to memory of 548	1804	cmd.exe	32
PID 1804 wrote to memory of 548	1804	cmd.exe	32
PID 1804 wrote to memory of 548	1804	cmd.exe	32
PID 548 wrote to memory of 3036	548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	33
PID 548 wrote to memory of 3036	548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	33
PID 548 wrote to memory of 3036	548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	33
PID 3036 wrote to memory of 2740	3036	cmd.exe	35
PID 3036 wrote to memory of 2740	3036	cmd.exe	35
PID 3036 wrote to memory of 2740	3036	cmd.exe	35
PID 3036 wrote to memory of 2744	3036	cmd.exe	36
PID 3036 wrote to memory of 2744	3036	cmd.exe	36
PID 3036 wrote to memory of 2744	3036	cmd.exe	36
PID 3036 wrote to memory of 2980	3036	cmd.exe	39
PID 3036 wrote to memory of 2980	3036	cmd.exe	39
PID 3036 wrote to memory of 2980	3036	cmd.exe	39
PID 2980 wrote to memory of 2984	2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	40
PID 2980 wrote to memory of 2984	2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	40
PID 2980 wrote to memory of 2984	2980	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	40
PID 2984 wrote to memory of 2940	2984	cmd.exe	42
PID 2984 wrote to memory of 2940	2984	cmd.exe	42
PID 2984 wrote to memory of 2940	2984	cmd.exe	42
PID 2984 wrote to memory of 2948	2984	cmd.exe	43
PID 2984 wrote to memory of 2948	2984	cmd.exe	43
PID 2984 wrote to memory of 2948	2984	cmd.exe	43
PID 2984 wrote to memory of 672	2984	cmd.exe	44
PID 2984 wrote to memory of 672	2984	cmd.exe	44
PID 2984 wrote to memory of 672	2984	cmd.exe	44
PID 672 wrote to memory of 1228	672	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	45
PID 672 wrote to memory of 1228	672	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	45
PID 672 wrote to memory of 1228	672	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	45
PID 1228 wrote to memory of 832	1228	cmd.exe	47
PID 1228 wrote to memory of 832	1228	cmd.exe	47
PID 1228 wrote to memory of 832	1228	cmd.exe	47
PID 1228 wrote to memory of 2284	1228	cmd.exe	48
PID 1228 wrote to memory of 2284	1228	cmd.exe	48
PID 1228 wrote to memory of 2284	1228	cmd.exe	48
PID 1228 wrote to memory of 2008	1228	cmd.exe	49
PID 1228 wrote to memory of 2008	1228	cmd.exe	49
PID 1228 wrote to memory of 2008	1228	cmd.exe	49
PID 2008 wrote to memory of 2584	2008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	50
PID 2008 wrote to memory of 2584	2008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	50
PID 2008 wrote to memory of 2584	2008	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	50
PID 2584 wrote to memory of 1616	2584	cmd.exe	52
PID 2584 wrote to memory of 1616	2584	cmd.exe	52
PID 2584 wrote to memory of 1616	2584	cmd.exe	52
PID 2584 wrote to memory of 1948	2584	cmd.exe	53
PID 2584 wrote to memory of 1948	2584	cmd.exe	53
PID 2584 wrote to memory of 1948	2584	cmd.exe	53
PID 2584 wrote to memory of 2316	2584	cmd.exe	54
PID 2584 wrote to memory of 2316	2584	cmd.exe	54
PID 2584 wrote to memory of 2316	2584	cmd.exe	54
PID 2316 wrote to memory of 448	2316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	55
PID 2316 wrote to memory of 448	2316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	55
PID 2316 wrote to memory of 448	2316	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	55
PID 448 wrote to memory of 1832	448	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
"C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCrEofizBnkR.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2064
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
    "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\m0Bc7SCtMl4o.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2740
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0rdWF6c45EOY.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PX8JETJyd9p9.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZEFRNhsJwnNl.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oBDFwbHfoOHh.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UwLcS1UZRVMl.bat" "
        14⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:328
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSX6ccxsNFoH.bat" "
        16⤵
        
        PID:888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:316
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kuxCUq2rzWLW.bat" "
        18⤵
        
        PID:1208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3SUsIVQMPBAG.bat" "
        20⤵
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TT1NoLLyqw1w.bat" "
        22⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DbJyW9z1Obho.bat" "
        24⤵
        
        PID:1992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0rdWF6c45EOY.bat

Filesize
261B

MD5
cfcc7b9cd2ce319036f240b0f5c508df

SHA1
09b6a0e009c9ccd80074a554509eef96607ca2ff

SHA256
d40330a4d55351085aa0481a80273b009b1e31cb807610446db339b5612fd463

SHA512
aa1c076782c5e30e9f7b7612f8bea74612c0cbfc1ee0d595753d11c5d220d60f94efbc03e2aeb4b40939d410771c0b678194c8f727adbff0fb536f00709d6e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3SUsIVQMPBAG.bat

Filesize
261B

MD5
dbbf8da726470b446b2adfd1280f49c6

SHA1
66ace6a91132e7aa0b73a2d7815803d66c5564c9

SHA256
415eba6b90cc86c7c4d618bbc0aa8f86b9ff6ac1e269dcf810e5e34dd6c9dfa2

SHA512
b343773428cf4c199c3c314bd9a4f6f0178dd00b3585d237e44d90dd45df63f8a76510e174b9d8dc665c23076931c0e2a79ea95bf2d8b50f1ff387472b36e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\DbJyW9z1Obho.bat

Filesize
261B

MD5
c7dee7b4363bd1b34ef93b6d45af451c

SHA1
f98c701caa6c951810df109883f46502851dfba3

SHA256
7283937b79e6747ee818b742bab651a268c7177bdae9abd4e0e654778fd280f3

SHA512
e16eecdcf14ca4c456917cea5b440679fb0ccd7aa0443379234b2e32ce3008792862ae63cbdb87fef8ff480c119e7f34e91e9bea613e20ea912993d85c635040

Download Submit
C:\Users\Admin\AppData\Local\Temp\LCrEofizBnkR.bat

Filesize
261B

MD5
6bec756b777fd817b8a9bd52137d95ac

SHA1
ed11f6647d12999fa1941e2bbf6854e0d17978ec

SHA256
48872eef8c1a5c06cc4bcd7a68d504a80e2386f42b296607ebb40d1d658fb519

SHA512
35c87efd0ca101d50a7adeb604c51db980f87eb808f3b72d120efcd0235227d1612b6263250d05a1b7904b1906cce6477eb064052e2deb9b99c45d70edbcc84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX8JETJyd9p9.bat

Filesize
261B

MD5
5fb48531789ab5a7c41f3007dd689978

SHA1
5d5d446199bc7e50a5ad5181cdcd339bbab0dcde

SHA256
2608c615b885a915db26467af24272a4f0b56cf2e9d497ba28a0c6a6d7a919ef

SHA512
717ad60ad13777fcbb327c88c3c64fbd181eb5ffd9a209dd5c3e31d268145c21819c1c71cb281687e1a180715908ec5ec35a12bbc831eea53b4b2058c1c23881

Download Submit
C:\Users\Admin\AppData\Local\Temp\TT1NoLLyqw1w.bat

Filesize
261B

MD5
8a40acfd21bacbb86a0eacd898c7223a

SHA1
d86e55531ccbe276017457cc3f49e31b12abdb97

SHA256
132f114c60397d73e06e6534a8d131151ccd15536d390a77f33454d5a7d1b9d6

SHA512
2de4f2d171e9ef497f36cebfdd6841206ffcacd9471b3dc02a3b3697d0f34fa82cacbb90d10a76ae51f551b7f759c15b7936108d789eab553e14ba7e80f18c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwLcS1UZRVMl.bat

Filesize
261B

MD5
9604e861aebc3128b553a3e179fce049

SHA1
169f18a21a2a9216a5623a67dd6421d7c51f2737

SHA256
d51d6faa001657dfb6165151f5e3a9e5da0527e5d624ce12f7f4df791e4203d8

SHA512
d1ee6f04bca2e92319aff8cbd2786be83f2ccb9fe456052b9bbe0839a075225c95bce4342cd1dbe7f11ab3323ed6f1a0b92f6e9ee17f27ad1b96a9398f05955e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEFRNhsJwnNl.bat

Filesize
261B

MD5
9dce11db56a33632726b6c48a25c8b04

SHA1
c9600945322cc137c28a93f6d01d52d49405d362

SHA256
d306734ff6901a7376a2eeda76685d281ddafd5e961698119d1009b3afee14f3

SHA512
d97aa25099835121b160006b523f072c5bf0efd79c42cf4333926d04d0009ed5878042b36c106d55a594f5680ccf976591e7aa542f342f4e2255beb6ca23f07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSX6ccxsNFoH.bat

Filesize
261B

MD5
407bf84b3e2ee2a6d8f749fe27abda7b

SHA1
8864c026e2e9555bfe7c0e68532e7e48d1265a8c

SHA256
ab2e97cf66b5ee182dc27a1855fb826985eb8ddb97a08809f5b7bac29bb42a5a

SHA512
3b8f9ae7575f8c4283859c892b2c3a3f91015331f915ee454818ae89bc7072395d4294aeb556255f5d1326a3329312d9711e5f5397434eb02aabc391d2570437

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuxCUq2rzWLW.bat

Filesize
261B

MD5
c24bab27e11bd4c5724a6616741fc751

SHA1
d73abd3cdbdaa4924a233be7323ce285110f71cd

SHA256
5f4c569e806b7c0527796ddc7ee3d441bdfb564e1b2f1664ea10713fe3a98ba8

SHA512
aa2cf12a6c8762329b490961041b227ed39c3a5a3fe4acdbbdf0dcb22d18eb7ff42f70a344d628203eb5da985c8ff343180e25ada58427e8c08d670c9ea43b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0Bc7SCtMl4o.bat

Filesize
261B

MD5
e4f34352a6e05495d515f6cbf918b3ca

SHA1
c5487d5e5d3046789e5beb1dd960a09e103d70f6

SHA256
e72d2dae0860547628425f782570c327e9dbdd5b5217a80417c5a83455eadf24

SHA512
8b0db2c47b06f404176e7bab02ecd8a1460231dfb736ea9260f7fdf5806a776495203becbb158b264f1c689c2fe1caf5ca566be2c3a46b5f25e5d3a758887d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oBDFwbHfoOHh.bat

Filesize
261B

MD5
d11fe0ea50eee1f8c4a2523384b08ed4

SHA1
6e7a14f657484aad1e3f2fe2dfa71b5ea5cdf6a9

SHA256
9379aa0f14b6caeba057b8004a962752c1fac6f59c2201ec30322ed13dc34a6b

SHA512
87bfb2f8695ecf1e3141536eddad9ab35f77d06fea0b28ab7d97aa2f80dd49eaa8666c3cbc038fb1581ca620d57a5881c65132914394e47822123deb7fd3a3fc

Download Submit
memory/316-83-0x0000000000D10000-0x0000000001034000-memory.dmp

Filesize
3.1MB

Download
memory/328-73-0x00000000000F0000-0x0000000000414000-memory.dmp

Filesize
3.1MB

Download
memory/548-13-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/1260-93-0x0000000001100000-0x0000000001424000-memory.dmp

Filesize
3.1MB

Download
memory/1908-123-0x0000000001150000-0x0000000001474000-memory.dmp

Filesize
3.1MB

Download
memory/2288-0-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

Filesize
4KB

Download
memory/2288-12-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-2-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-1-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/2980-23-0x00000000013E0000-0x0000000001704000-memory.dmp

Filesize
3.1MB

Download