quasar | adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Size

3.1MB
MD5

218b79ebe7679fa1beab775ca7e49c4b
SHA1

2d08ac223c07b13e93e6f8e2d73d3b7b08f4b54f
SHA256

adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1
SHA512

8e92fef65245e770a66d849c14bc344ff7231c68cb5e31e2ad6c5f1a7bfa85d4db89e426a2fdb22d9fead1563c9352693cbbeaecfe3252ad777ca9e035f15002
SSDEEP

49152:3vbI22SsaNYfdPBldt698dBcjHcxDE/glk/JxjoGdeTHHB72eh2NT:3vk22SsaNYfdPBldt6+dBcjHcxKF

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.0.1:4782

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/372-1-0x0000000000A00000-0x0000000000D24000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2012	PING.EXE
852	PING.EXE
4308	PING.EXE
1816	PING.EXE
3708	PING.EXE
3872	PING.EXE
1764	PING.EXE
856	PING.EXE
1020	PING.EXE
1512	PING.EXE
4784	PING.EXE
2088	PING.EXE
2436	PING.EXE
4328	PING.EXE
1836	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1512	PING.EXE
4784	PING.EXE
2088	PING.EXE
1836	PING.EXE
852	PING.EXE
4308	PING.EXE
1764	PING.EXE
1816	PING.EXE
4328	PING.EXE
2012	PING.EXE
856	PING.EXE
1020	PING.EXE
3872	PING.EXE
3708	PING.EXE
2436	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4768	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	636	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2596	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2776	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2340	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	4500	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	1576	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	3516	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	2600	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
Token: SeDebugPrivilege	612	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
372	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4768	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
636	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2596	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2776	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2340	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4500	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1576	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3516	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2600	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
612	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
372	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4768	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
636	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2596	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2776	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2340	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
4500	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
1576	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
3516	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
2600	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
612	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1764	372	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	82
PID 372 wrote to memory of 1764	372	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	82
PID 1764 wrote to memory of 3288	1764	cmd.exe	84
PID 1764 wrote to memory of 3288	1764	cmd.exe	84
PID 1764 wrote to memory of 1816	1764	cmd.exe	85
PID 1764 wrote to memory of 1816	1764	cmd.exe	85
PID 1764 wrote to memory of 3840	1764	cmd.exe	86
PID 1764 wrote to memory of 3840	1764	cmd.exe	86
PID 3840 wrote to memory of 2612	3840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	87
PID 3840 wrote to memory of 2612	3840	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	87
PID 2612 wrote to memory of 2744	2612	cmd.exe	89
PID 2612 wrote to memory of 2744	2612	cmd.exe	89
PID 2612 wrote to memory of 2436	2612	cmd.exe	90
PID 2612 wrote to memory of 2436	2612	cmd.exe	90
PID 2612 wrote to memory of 4768	2612	cmd.exe	95
PID 2612 wrote to memory of 4768	2612	cmd.exe	95
PID 4768 wrote to memory of 1904	4768	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	97
PID 4768 wrote to memory of 1904	4768	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	97
PID 1904 wrote to memory of 3636	1904	cmd.exe	99
PID 1904 wrote to memory of 3636	1904	cmd.exe	99
PID 1904 wrote to memory of 3708	1904	cmd.exe	100
PID 1904 wrote to memory of 3708	1904	cmd.exe	100
PID 1904 wrote to memory of 3792	1904	cmd.exe	105
PID 1904 wrote to memory of 3792	1904	cmd.exe	105
PID 3792 wrote to memory of 3124	3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	106
PID 3792 wrote to memory of 3124	3792	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	106
PID 3124 wrote to memory of 3208	3124	cmd.exe	108
PID 3124 wrote to memory of 3208	3124	cmd.exe	108
PID 3124 wrote to memory of 4328	3124	cmd.exe	109
PID 3124 wrote to memory of 4328	3124	cmd.exe	109
PID 3124 wrote to memory of 636	3124	cmd.exe	110
PID 3124 wrote to memory of 636	3124	cmd.exe	110
PID 636 wrote to memory of 1788	636	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	111
PID 636 wrote to memory of 1788	636	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	111
PID 1788 wrote to memory of 4448	1788	cmd.exe	113
PID 1788 wrote to memory of 4448	1788	cmd.exe	113
PID 1788 wrote to memory of 2012	1788	cmd.exe	114
PID 1788 wrote to memory of 2012	1788	cmd.exe	114
PID 1788 wrote to memory of 2596	1788	cmd.exe	115
PID 1788 wrote to memory of 2596	1788	cmd.exe	115
PID 2596 wrote to memory of 5104	2596	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	116
PID 2596 wrote to memory of 5104	2596	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	116
PID 5104 wrote to memory of 2804	5104	cmd.exe	118
PID 5104 wrote to memory of 2804	5104	cmd.exe	118
PID 5104 wrote to memory of 856	5104	cmd.exe	119
PID 5104 wrote to memory of 856	5104	cmd.exe	119
PID 5104 wrote to memory of 4288	5104	cmd.exe	120
PID 5104 wrote to memory of 4288	5104	cmd.exe	120
PID 4288 wrote to memory of 1216	4288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	121
PID 4288 wrote to memory of 1216	4288	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	121
PID 1216 wrote to memory of 3948	1216	cmd.exe	123
PID 1216 wrote to memory of 3948	1216	cmd.exe	123
PID 1216 wrote to memory of 1020	1216	cmd.exe	124
PID 1216 wrote to memory of 1020	1216	cmd.exe	124
PID 1216 wrote to memory of 4548	1216	cmd.exe	125
PID 1216 wrote to memory of 4548	1216	cmd.exe	125
PID 4548 wrote to memory of 3444	4548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	126
PID 4548 wrote to memory of 3444	4548	adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe	126
PID 3444 wrote to memory of 4312	3444	cmd.exe	128
PID 3444 wrote to memory of 4312	3444	cmd.exe	128
PID 3444 wrote to memory of 1836	3444	cmd.exe	129
PID 3444 wrote to memory of 1836	3444	cmd.exe	129
PID 3444 wrote to memory of 2776	3444	cmd.exe	130
PID 3444 wrote to memory of 2776	3444	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
"C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RVgCEndFDdIN.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3288
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
    "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyYJdjliDERM.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2744
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2436
    - - C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4768
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9YnJcPNPHHBr.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p3lrBIBYB91O.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lg6qKG1igNE3.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgaLLrD7sPru.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uerj1VStlFBp.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\54oy9cLjNvZL.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GXDWjXdxTnoy.bat" "
        18⤵
        
        PID:4284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJQaOx0zVYoH.bat" "
        20⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGDGxbcH6U2Z.bat" "
        22⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkQmKzcaByZm.bat" "
        24⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m5u9Q9pruvvh.bat" "
        26⤵
        
        PID:3464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ER27ZtHsofBk.bat" "
        28⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3b900kb2JT0N.bat" "
        30⤵
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\adc4c01dc28064c32c6b451a9c7d82001b21c9f58022a78dfbcbd8a36291aee1.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b900kb2JT0N.bat

Filesize
261B

MD5
b0296969c153603517ef0c6ca94a1afa

SHA1
a146b896e053907bb93d93e8c41e7e50297ab73d

SHA256
ffeaea61de86ea0f9c95668eff6df3b0ff670a28c14834f63b7123682a7fa20f

SHA512
3d18c719e4827506cec62be502fc1f01282cb37db6a02c63575ef9ed8076ef299bf3c4cce9a58ea8cb5dc408ea5b86a390befd1ae9c25879bd091bf9f9b48b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\54oy9cLjNvZL.bat

Filesize
261B

MD5
b374e838e54792dc37c8bb5d4b1636de

SHA1
486674719fc24d28246be001c7a2756e3a79ff8e

SHA256
e37cf9888d606a43e7c4f2c67af482fc781cf2010d2c5dd45aff1dcdcd500a94

SHA512
8ea6e9261976f8b008adae2e41948a8fc3a7076106064d70f27af602906f193d61224066fb01600f19256e1d931fe27bd77b4c1a12adc2d16ac707ca37d44dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9YnJcPNPHHBr.bat

Filesize
261B

MD5
3892e94144d7060ab3393c80e37a79b5

SHA1
62187730cfe348711ca6870c5ae163f573cf3a81

SHA256
f2c065c3c9c6b82175d762ad23c98d6aebb728c4161f9851dbc512ea9238c27f

SHA512
d6619aedc721fc5ad293e09d1c92bdd25c17732e98ed9477b6fa5f4c1cdfb2ae25e9f9e3f701df0e740d0cbb3ff84b357d8ecb71795c28d07bab33f4eadd6878

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER27ZtHsofBk.bat

Filesize
261B

MD5
3a5de9817ae876328639992794be683a

SHA1
31bd50630bdc95e59bfc6ae61de1de00f1158d9c

SHA256
ab5fe593b3b53adb8d686edbfca3bc01a4497f763a1d75b16a2fde0ac46c15d7

SHA512
014f3de32fd478eb2a531516ac2d972845c7a8b344e7a4e6f891ab9a77d6ee0c3b26b9e625d6364fa08a15ad7e060baf56279bd84519de0d07b80ecf8ca6bad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GXDWjXdxTnoy.bat

Filesize
261B

MD5
5bfdfba7b2107051888e161579bfe6c0

SHA1
70ef70bf23a3d125c33bbfd04d29f3f2176124c1

SHA256
4768f9fdaf5e2b13bf9aefc9afbb6157ee597e51f5c5b77bda00f2632d5bde67

SHA512
f8d76e03e04e1fc581a483baf432eabb0b3b07603f2b6571c02063e81c15a3d2e52aa5ad82f2cc1bcfb7da78e2b270506109749d53102930144e3ac4ed66b1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lg6qKG1igNE3.bat

Filesize
261B

MD5
f695cdb7fc6c908489a0223bfdfeeb66

SHA1
3935abc5827fd75d66076ad79bfd71761c0d1567

SHA256
52478ff76b494d18c8626e5364721162aac1ac03e63ad1814ed4fbd3b6bb0786

SHA512
a6bd0b6f64aef2da761445547501c76f84f16c4c3b73f6a6a6d730f04e88dcb83acbe3686c5fa1221570cf8e715fe69eee61280a510f93efc455d350aabb5d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVgCEndFDdIN.bat

Filesize
261B

MD5
ebe746b10573b2cb86f342978e4d19fa

SHA1
46533b7d37d4df2c57db7dfe5283854a27e050e7

SHA256
c8ba5480cbda3fdc921a97a06ced46e3d57911cda34ddcc0a0e4c0ead4098c40

SHA512
40b3f2255dafe51a17b0dfaf3b3ad55e82e25f0a4fe9dadb99ae1f61b49652be5de7a4ac94e1a6889ae4f9a096c653e3119cf8e24bb17c73fba5572216a3ae9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyYJdjliDERM.bat

Filesize
261B

MD5
2d8cac6a549b93933d0d1eac4f689eb7

SHA1
fff1b05ea12f3beab9e3f56f92449daf63bd1a47

SHA256
93fd80dab3229d30eabcb2b749c800cdb9cac3bb0ac8c5e82d03680e9ef4c3e5

SHA512
5b8a9b7d15d70d47901d5d8c66f1f380703ecb04c1c35d329948f6bed9bede89388a10a31e41bc5fc5537ae35a52d9671e9dcc1b4bcbac0e57db40258bad5cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkQmKzcaByZm.bat

Filesize
261B

MD5
7a34ab2d8fb37c7707cb6106fd817e37

SHA1
f4d30e5ce865551560795a616aba3895f6e5884a

SHA256
5ef9dc73f485f63dad51c14d38c31e5a3ca99f45d71c1b27d03eb9b12e3c0f16

SHA512
2ef147ae8da281f34d60ed1aa0fb5cf8373aeb87f43f4fb0b0e0c566331cd822bcca8228703be4498f72fcb36a5f6579da102032df44e8d9fd3eea97febc42b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5u9Q9pruvvh.bat

Filesize
261B

MD5
1b38102169cfc253a0b938e3e32ff194

SHA1
06e59ce1e2843eaf1c30b4967c0351d2662449c6

SHA256
22b1801b12bdf5f8fd5d25908ed5ab161dbe3f0c753d42e6ffc469672e4b7df4

SHA512
c585793543eb32f1a3959b44afd21448565a995d99edeaef1c3e9ec991bfaaa75ed3c381337b520e3744f864be47c1c39ab6d7de310f6fd6c688229a4487551c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgaLLrD7sPru.bat

Filesize
261B

MD5
cd9d553d80f33b4afff9aaac1168c1ae

SHA1
7c80a3f2eeca86f8187b24ce642aa15a42617b2d

SHA256
59f16fd7f6f50f2a9d398c87f1983fd284ff2efd44c05c04c0d7543e19294ca5

SHA512
f4543f335f3a2e8ae2c5982046aaf8222cc83e03a4f368ea4201331516904b991941cdc327ca09b910786eb42d39837ad1d27fb0d1454e1b1c90b74e18ab8d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3lrBIBYB91O.bat

Filesize
261B

MD5
c58485e52f13233ee4b91bbdf5e02ea7

SHA1
3bd3c483de1666e434db44fa0a4927d466c7ac19

SHA256
19565d2ed9f6527313d13c5ec93e08144559a5179b627e9a0eb6086b334e4829

SHA512
c993c153078335fe86fadbe64d613690bb95e93bf608895d295dc99c69cd30658a021aff9b0250c88018d4981357355128ea16c2792555e0307450bedf80f55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGDGxbcH6U2Z.bat

Filesize
261B

MD5
11139e9ce56cdc4928e99449840467ff

SHA1
899a3c4fe403c75d9762883b3d7b253c126a37f3

SHA256
a5fb57252df85e6d22dcef6c71725d02fb8515066e76c18289871af1c4023237

SHA512
411e4d86e98167003cf6dc667e0d2512a29cca2053093af50c53cd8a1e1808388548f6b867ad2083a678e29ed7b4ff24121b61e577f19e2c2c07b3e5128af565

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJQaOx0zVYoH.bat

Filesize
261B

MD5
f5263e26c6ae729c6b655254555d007f

SHA1
be125366b194994bfe321d2c36842da36692e638

SHA256
dffc27163ec698e1263ddc2ad13e5a5296cf9efe1a339643fae8fecc2bbc3c54

SHA512
55cbb776ccdaef017a6cbdd1a25ace07cf021f929fd45a3dca91ca282c2fd24c6aa0f5e752dbe0780a7f326e5dd130dca31fab35c943c746d392f1d5ae005555

Download Submit
C:\Users\Admin\AppData\Local\Temp\uerj1VStlFBp.bat

Filesize
261B

MD5
fa65216be04dba975ebd434cfdf05694

SHA1
86d3e0d6a37fc8a0c037d35ebb4f1519f31fbbc4

SHA256
806953e5df02d0c0f75beb03372370afd3cacf4bcaaefa3ef7a77f0d1dee589d

SHA512
431fba1be1b47413e4543fecf24921549b93e2c7707713eefa6b19f180df711587a5475efec00b138f4665914d8e15112fb06fe0a0f575ed8948f4856afae0fc

Download Submit
memory/372-0-0x00007FF9D5903000-0x00007FF9D5905000-memory.dmp

Filesize
8KB

Download
memory/372-3-0x000000001DC90000-0x000000001DCE0000-memory.dmp

Filesize
320KB

Download
memory/372-4-0x000000001DDA0000-0x000000001DE52000-memory.dmp

Filesize
712KB

Download
memory/372-9-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/372-2-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/372-1-0x0000000000A00000-0x0000000000D24000-memory.dmp

Filesize
3.1MB

Download
memory/3840-17-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/3840-13-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download
memory/3840-12-0x00007FF9D5900000-0x00007FF9D63C1000-memory.dmp

Filesize
10.8MB

Download