quasar | 864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

Analysis

max time kernel
143s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe
Size

3.1MB
MD5

7f888b6cbd5062a7558eea61eb9a9ca2
SHA1

2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87
SHA256

864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad
SHA512

7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8
SSDEEP

49152:/v2lL26AaNeWgPhlmVqvMQ7XSKKQSYmzwXoGdVTHHB72eh2NT:/v2L26AaNeWgPhlmVqkQ7XSKKQSq

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

llordiWasHere-55715.portmap.host:55715

Mutex

124c5996-13c0-46a2-804a-191042a109db

Attributes

encryption_key
5F48258CBD7D9014A9443146E8A3D837D1715CAE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2932-1-0x00000000011D0000-0x00000000014F4000-memory.dmp	family_quasar
behavioral1/files/0x000800000001707f-6.dat	family_quasar
behavioral1/memory/1308-10-0x0000000000D20000-0x0000000001044000-memory.dmp	family_quasar
behavioral1/memory/2408-23-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar
behavioral1/memory/2152-35-0x0000000000CD0000-0x0000000000FF4000-memory.dmp	family_quasar
behavioral1/memory/2720-46-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral1/memory/2840-57-0x0000000000B50000-0x0000000000E74000-memory.dmp	family_quasar
behavioral1/memory/956-68-0x0000000000D50000-0x0000000001074000-memory.dmp	family_quasar
behavioral1/memory/1132-79-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/1740-91-0x00000000011E0000-0x0000000001504000-memory.dmp	family_quasar
behavioral1/memory/2604-143-0x0000000000260000-0x0000000000584000-memory.dmp	family_quasar
behavioral1/memory/2740-156-0x0000000000900000-0x0000000000C24000-memory.dmp	family_quasar
behavioral1/memory/764-167-0x0000000001070000-0x0000000001394000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1308	Client.exe
2408	Client.exe
2152	Client.exe
2720	Client.exe
2840	Client.exe
956	Client.exe
1132	Client.exe
1740	Client.exe
2832	Client.exe
2440	Client.exe
2204	Client.exe
2344	Client.exe
2604	Client.exe
2740	Client.exe
764	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2144	PING.EXE
2024	PING.EXE
2940	PING.EXE
3040	PING.EXE
2480	PING.EXE
1728	PING.EXE
688	PING.EXE
808	PING.EXE
2180	PING.EXE
1524	PING.EXE
2252	PING.EXE
2608	PING.EXE
1808	PING.EXE
1648	PING.EXE
2632	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE
2252	PING.EXE
1728	PING.EXE
2940	PING.EXE
1524	PING.EXE
3040	PING.EXE
2180	PING.EXE
688	PING.EXE
2144	PING.EXE
2608	PING.EXE
808	PING.EXE
2480	PING.EXE
2024	PING.EXE
1808	PING.EXE
1648	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe
Token: SeDebugPrivilege	1308	Client.exe
Token: SeDebugPrivilege	2408	Client.exe
Token: SeDebugPrivilege	2152	Client.exe
Token: SeDebugPrivilege	2720	Client.exe
Token: SeDebugPrivilege	2840	Client.exe
Token: SeDebugPrivilege	956	Client.exe
Token: SeDebugPrivilege	1132	Client.exe
Token: SeDebugPrivilege	1740	Client.exe
Token: SeDebugPrivilege	2832	Client.exe
Token: SeDebugPrivilege	2440	Client.exe
Token: SeDebugPrivilege	2204	Client.exe
Token: SeDebugPrivilege	2344	Client.exe
Token: SeDebugPrivilege	2604	Client.exe
Token: SeDebugPrivilege	2740	Client.exe
Token: SeDebugPrivilege	764	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1308	Client.exe
2408	Client.exe
2152	Client.exe
2720	Client.exe
2840	Client.exe
956	Client.exe
1132	Client.exe
1740	Client.exe
2832	Client.exe
2440	Client.exe
2204	Client.exe
2344	Client.exe
2604	Client.exe
2740	Client.exe
764	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1308	Client.exe
2408	Client.exe
2152	Client.exe
2720	Client.exe
2840	Client.exe
956	Client.exe
1132	Client.exe
1740	Client.exe
2832	Client.exe
2440	Client.exe
2204	Client.exe
2344	Client.exe
2604	Client.exe
2740	Client.exe
764	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1308	2932	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe	29
PID 2932 wrote to memory of 1308	2932	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe	29
PID 2932 wrote to memory of 1308	2932	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe	29
PID 1308 wrote to memory of 2448	1308	Client.exe	30
PID 1308 wrote to memory of 2448	1308	Client.exe	30
PID 1308 wrote to memory of 2448	1308	Client.exe	30
PID 2448 wrote to memory of 2784	2448	cmd.exe	32
PID 2448 wrote to memory of 2784	2448	cmd.exe	32
PID 2448 wrote to memory of 2784	2448	cmd.exe	32
PID 2448 wrote to memory of 1728	2448	cmd.exe	33
PID 2448 wrote to memory of 1728	2448	cmd.exe	33
PID 2448 wrote to memory of 1728	2448	cmd.exe	33
PID 2448 wrote to memory of 2408	2448	cmd.exe	34
PID 2448 wrote to memory of 2408	2448	cmd.exe	34
PID 2448 wrote to memory of 2408	2448	cmd.exe	34
PID 2408 wrote to memory of 2916	2408	Client.exe	35
PID 2408 wrote to memory of 2916	2408	Client.exe	35
PID 2408 wrote to memory of 2916	2408	Client.exe	35
PID 2916 wrote to memory of 1856	2916	cmd.exe	37
PID 2916 wrote to memory of 1856	2916	cmd.exe	37
PID 2916 wrote to memory of 1856	2916	cmd.exe	37
PID 2916 wrote to memory of 2144	2916	cmd.exe	38
PID 2916 wrote to memory of 2144	2916	cmd.exe	38
PID 2916 wrote to memory of 2144	2916	cmd.exe	38
PID 2916 wrote to memory of 2152	2916	cmd.exe	39
PID 2916 wrote to memory of 2152	2916	cmd.exe	39
PID 2916 wrote to memory of 2152	2916	cmd.exe	39
PID 2152 wrote to memory of 1812	2152	Client.exe	40
PID 2152 wrote to memory of 1812	2152	Client.exe	40
PID 2152 wrote to memory of 1812	2152	Client.exe	40
PID 1812 wrote to memory of 1152	1812	cmd.exe	42
PID 1812 wrote to memory of 1152	1812	cmd.exe	42
PID 1812 wrote to memory of 1152	1812	cmd.exe	42
PID 1812 wrote to memory of 2024	1812	cmd.exe	43
PID 1812 wrote to memory of 2024	1812	cmd.exe	43
PID 1812 wrote to memory of 2024	1812	cmd.exe	43
PID 1812 wrote to memory of 2720	1812	cmd.exe	44
PID 1812 wrote to memory of 2720	1812	cmd.exe	44
PID 1812 wrote to memory of 2720	1812	cmd.exe	44
PID 2720 wrote to memory of 1060	2720	Client.exe	45
PID 2720 wrote to memory of 1060	2720	Client.exe	45
PID 2720 wrote to memory of 1060	2720	Client.exe	45
PID 1060 wrote to memory of 2360	1060	cmd.exe	47
PID 1060 wrote to memory of 2360	1060	cmd.exe	47
PID 1060 wrote to memory of 2360	1060	cmd.exe	47
PID 1060 wrote to memory of 2940	1060	cmd.exe	48
PID 1060 wrote to memory of 2940	1060	cmd.exe	48
PID 1060 wrote to memory of 2940	1060	cmd.exe	48
PID 1060 wrote to memory of 2840	1060	cmd.exe	49
PID 1060 wrote to memory of 2840	1060	cmd.exe	49
PID 1060 wrote to memory of 2840	1060	cmd.exe	49
PID 2840 wrote to memory of 444	2840	Client.exe	50
PID 2840 wrote to memory of 444	2840	Client.exe	50
PID 2840 wrote to memory of 444	2840	Client.exe	50
PID 444 wrote to memory of 844	444	cmd.exe	52
PID 444 wrote to memory of 844	444	cmd.exe	52
PID 444 wrote to memory of 844	444	cmd.exe	52
PID 444 wrote to memory of 2632	444	cmd.exe	53
PID 444 wrote to memory of 2632	444	cmd.exe	53
PID 444 wrote to memory of 2632	444	cmd.exe	53
PID 444 wrote to memory of 956	444	cmd.exe	54
PID 444 wrote to memory of 956	444	cmd.exe	54
PID 444 wrote to memory of 956	444	cmd.exe	54
PID 956 wrote to memory of 2960	956	Client.exe	55

C:\Users\Admin\AppData\Local\Temp\864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe
"C:\Users\Admin\AppData\Local\Temp\864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKPiHZljPKpb.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2784
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1728
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\13ySasohJUtR.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1856
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2k3xZWWqo0cD.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HBVsNSjflI0H.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgRjb1LvHX1h.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7g7S1QkkzT9d.bat" "
        13⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5q8jdtTReI7v.bat" "
        15⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nN9l5jOa5jYJ.bat" "
        17⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yVsUIoac1nM0.bat" "
        19⤵
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMYQctWs89c2.bat" "
        21⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zanGpjhYfFnb.bat" "
        23⤵
        
        PID:2332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuXUKd8K1uvY.bat" "
        25⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XVNdIFgGFDAv.bat" "
        27⤵
        
        PID:844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\w43iKy78ooZC.bat" "
        29⤵
        
        PID:944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:688
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pirca19a8vZx.bat" "
        31⤵
        
        PID:1716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13ySasohJUtR.bat

Filesize
207B

MD5
b6c4bd30c5154ab25f92a3716cebb5b5

SHA1
0f39685b14eaccaacdbaf9fa4ded01b3a3ad596d

SHA256
6b69fa39534e1c03d3aa4912c80668a3a5c5d0c28b1c35aa21493c8eb9cecfdc

SHA512
47bd6a03a32b736f6dd5d512ff8fd36bb72500917e4b7a7ab23e2e8d522d9951afbed837aa6fbe1f1281731d6450b43f585cc9b75f6313afdadc5a1d3587fa95

Download Submit
C:\Users\Admin\AppData\Local\Temp\2k3xZWWqo0cD.bat

Filesize
207B

MD5
d4e82bccf22159f6baf73ba88893720a

SHA1
fdc615c393d3a3094cc2c107e8a13a0dacc10038

SHA256
b03c599b095a1588626f8f0d8d202b94d611bfe0a38549a1301e7c28a9ce5ad4

SHA512
5a7d2678007b0f16e70f70480d46998da14fdd2feef14b3f05713559d541ad3c07bf9ff24d78a32aa0ab03b40c33707d3bac4deb208f17ec11b374af58f92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5q8jdtTReI7v.bat

Filesize
207B

MD5
edeabe436c71e8eacad0532de0995872

SHA1
68f28e766b83d5034497cd95e82923662e69b06d

SHA256
f124c27f168b3bacb8950ba81366857fa7b14252a823066c0b602b6e252d4e0a

SHA512
219f0b015cf17289124b16ece9be4807fbfa61935cd34b542a68d40731735be3c117037252be60497fcf7a0ca967027b88d57dc4b22f59153c9597454b185b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7g7S1QkkzT9d.bat

Filesize
207B

MD5
5b1d18810254705c7143bffc30284de9

SHA1
1088c5326c7943b76f42734eebc0d969e95e3f29

SHA256
abd15f2410d49e0642103b8259fa7e6de16e18a38a32cf3768185ac47659c1e9

SHA512
7bab9d3cb272f78e4455c8a5457663b66d888813a335602dbc4903fd100056dac604eda8bee1d2547f5c4a41bb3333f8f8ce53b43af7233b3e6f1343421fb0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FKPiHZljPKpb.bat

Filesize
207B

MD5
728f475c2b743c28885e7580d5d23c70

SHA1
113d838d65ba35420cfc68ffa8b2a350992c2e9c

SHA256
8d4d58f845508fb9a7f51dd18d109ce505c254ca4cc00200523dc02bc3c04c76

SHA512
5b9e5ab923ee49448173084b20c6c7e66f1999059e83c3b1eb4e4f7d37a97a6f209b8c45661705562bd9c33c0ada9629680e053056ebdff42d38dffe8dde575f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HBVsNSjflI0H.bat

Filesize
207B

MD5
121deb426d36b44dfb7b366b5a1d59c7

SHA1
d90c42b27f84830edcd5fad772bf82725adffb74

SHA256
6ade00cb5e3e0cc929ad153d5ba305162c3452d4e6ba927943afca9346b1fb98

SHA512
1e1000e33cf8aa3ec67b03718be368afe77b256f3150c57f0aac157b1759e20f857d7fb7315168dba8312fcf48f9d9b3c2dbd80ff0a0b1fe2d32a8248d7e5f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMYQctWs89c2.bat

Filesize
207B

MD5
8bb1615f1c030d5d7c88370728c24ca6

SHA1
79a1df98b71e5da4601b7344b37fec7813ad8a7f

SHA256
abf0a8af01dc18da1d690ea8f202c432d309596d8bb975d7bdbc68ec64b151ae

SHA512
d3e843da0c1b6b2e5db2418b31eb44e44f6ce22836b955ef413a51c79835a7cef71d0d81bd6d10f84954035da52afb86cc13b3cc4c0b40ecc7715f416569d6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pirca19a8vZx.bat

Filesize
207B

MD5
c98a875fb25807d15d633e8963795e26

SHA1
2f1d07d56a70ba1d6c8f914ec15246df9eecd229

SHA256
17783a74c97296e516dcaece69996c7dad8faaf4ae09059398ab0b1f37818036

SHA512
5461750b197a6a2e875c834e9682b60f808d5fe3b26742b09b71a176a2113cafc77d973b395c2b30617e2fd20d6806141c5f190ea391248609a9eb29963221be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVNdIFgGFDAv.bat

Filesize
207B

MD5
962a76c2f446e0a6910a0a23700c9dd8

SHA1
e854071332f9b23282bd7ac4ee12e1e90f6c099d

SHA256
a1cf2a1428b740858add0a93899f4e2b65acb12fb24cc02b6715a8bb839f95c6

SHA512
593b4c54f85033c5e9dce0262867db16486339c659cc7987f7b4defed08631282a47163329029baaafea297e964daf00e55dc94640aa5f2056c74f70efb9b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuXUKd8K1uvY.bat

Filesize
207B

MD5
f0e0a9773160f3146c339a8797c8500a

SHA1
9b49b332a429c9c715c8aeee1b2daf11c69655cb

SHA256
94a6ffc25f1411a6c41561e654409f3439fa9b7be2476df92a433a94eb92d1e4

SHA512
2d8f36d22df92f7bee47a58789426a31b3bd739c4a914548841c6ed41cea5802162e8b5eb0b921011d19a158018fc2e5d1e14071caab21af073b161bdbc24349

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgRjb1LvHX1h.bat

Filesize
207B

MD5
2326aa834c8cc37b816d128f2348a244

SHA1
2299fab99dd8675b1e7784c8694bc9231aada470

SHA256
aa9fe0e1ba2d45c9095f13d7815d8a23d12b1fc558d4ec8464c7723cef27fa38

SHA512
36e357fc11840f493542f1f2783a47cb5789ef8f918bf29248f5371a9be58f3560c54d5608428eb01d1f0de6e8f9dc99e432b4e0c64642e90ad168ab7580352d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nN9l5jOa5jYJ.bat

Filesize
207B

MD5
4466752cee40f45a55008dd4f7f5b3cd

SHA1
a876aa12d707548ff909aebad762acb85c05d0c0

SHA256
c3a52e8334ffd60d996cb20677626b209dff5359a1491a8ba96d6e749c851f52

SHA512
64e1bec42b65c5aee2b61e533bd9ce68cfb4bdb0bee75e22928a96d2b245ab51c51001eb1e238051c06b67964beb5a774ae2bba9599beea1801be2860b30c51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\w43iKy78ooZC.bat

Filesize
207B

MD5
a68b674a44be9959563a138746f2a649

SHA1
336b2508910672ba4a54a283f4a296401bc20131

SHA256
665fd5bcaadd93b929be61fc7aeba617114aa520b212910802526e4dec189f30

SHA512
185a8cfebaf1a70add941dc85fb82f07c952fa92e0806111e01be8c6489babdc800003c0f57e907ed17f64477e72f3bfcbd9f107a9a437d073c0275d18ff32ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\yVsUIoac1nM0.bat

Filesize
207B

MD5
300c8fb59ab18fcc3f0364046e235fb6

SHA1
9fed2afb48330ab886b10c5e3258b96ef65a4893

SHA256
78db8bf2bb415f391b5c83fce6cbfe1395c7ce6097e4cfca0c72258cf3567b39

SHA512
29cf561a3b19d656a2f26d3a51760173f6f53491a3e87eef10c124675d902857ae90f2083dc69481cb1689f2e0a544b62ce4c991a1ce4273da9d2ded3214a4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zanGpjhYfFnb.bat

Filesize
207B

MD5
f7fa0807ac1eef7a0e7a0e2285f0e1c9

SHA1
7f3609e1423553ad87bb02ee7ab0595c7e3fddbd

SHA256
001a8b4f34c78536f444d922433d49789b22eaaebd0f159aa4387127c0e64726

SHA512
96f8bd076b0647a6747c70e550d10dfb25c0c3fa3319c68adee46ea95f1be4e4bb1a5e6b8b2e1eacca26bb1408d26d54d054245adc8d38020e6625964fbef7f4

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7f888b6cbd5062a7558eea61eb9a9ca2

SHA1
2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87

SHA256
864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

SHA512
7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8

Download Submit
memory/764-167-0x0000000001070000-0x0000000001394000-memory.dmp

Filesize
3.1MB

Download
memory/956-68-0x0000000000D50000-0x0000000001074000-memory.dmp

Filesize
3.1MB

Download
memory/1132-79-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/1308-20-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1308-9-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1308-11-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1308-10-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/1740-91-0x00000000011E0000-0x0000000001504000-memory.dmp

Filesize
3.1MB

Download
memory/2152-35-0x0000000000CD0000-0x0000000000FF4000-memory.dmp

Filesize
3.1MB

Download
memory/2408-23-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download
memory/2604-143-0x0000000000260000-0x0000000000584000-memory.dmp

Filesize
3.1MB

Download
memory/2720-46-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/2740-156-0x0000000000900000-0x0000000000C24000-memory.dmp

Filesize
3.1MB

Download
memory/2840-57-0x0000000000B50000-0x0000000000E74000-memory.dmp

Filesize
3.1MB

Download
memory/2932-1-0x00000000011D0000-0x00000000014F4000-memory.dmp

Filesize
3.1MB

Download
memory/2932-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/2932-8-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download