quasar | d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e

Analysis

max time kernel
142s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Summrs.exe
Size

3.1MB
MD5

77d34210e82e24fb0b5adbb1094f272f
SHA1

bc20888016a83b6628e7ab460e68b0a467bf3bf3
SHA256

d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e
SHA512

766f0f97752fd0e63d08474f1d4c32a7ca88854f58d2e59903f2218134136bed45e9fbb6d375fcc3677bca4b95a1aec3e0830e27f510bbf4f88e04e6814f4a04
SSDEEP

49152:CvgG42pda6D+/PjlLOlg6yQipVSyRJ6hbR3LoGd4jTHHB72eh2NT:Cvj42pda6D+/PjlLOlZyQipVSyRJ6DI

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

89.187.179.:4782

185.236.200.245:4782

Mutex

af4f2a23-513c-4ee2-8078-c3d27d9ee2fb

Attributes

encryption_key
1FFE2594933531CEBE3AD34C62F3DC58273CA88E
install_name
Isass.exe
log_directory
Fxs-Temp
reconnect_delay
1000
startup_key
Quasar Client Startup
subdirectory
da-DT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2100-1-0x00000000008D0000-0x0000000000BF4000-memory.dmp	family_quasar
behavioral1/files/0x0034000000016d42-6.dat	family_quasar
behavioral1/memory/2836-9-0x0000000001250000-0x0000000001574000-memory.dmp	family_quasar
behavioral1/memory/2012-44-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/2308-56-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar
behavioral1/memory/1496-67-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/memory/2776-78-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar
behavioral1/memory/2492-91-0x0000000000280000-0x00000000005A4000-memory.dmp	family_quasar
behavioral1/memory/2816-102-0x00000000009C0000-0x0000000000CE4000-memory.dmp	family_quasar
behavioral1/memory/2976-113-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar
behavioral1/memory/1876-136-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2836	Isass.exe
2768	Isass.exe
2032	Isass.exe
2012	Isass.exe
2308	Isass.exe
1496	Isass.exe
2776	Isass.exe
2492	Isass.exe
2816	Isass.exe
2976	Isass.exe
2596	Isass.exe
1876	Isass.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File created	C:\Windows\system32\da-DT\Isass.exe	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT	Summrs.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT\Isass.exe	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe
File opened for modification	C:\Windows\system32\da-DT	Isass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
876	PING.EXE
1656	PING.EXE
856	PING.EXE
2736	PING.EXE
2196	PING.EXE
1552	PING.EXE
2688	PING.EXE
2088	PING.EXE
2808	PING.EXE
2224	PING.EXE
1940	PING.EXE
2172	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2196	PING.EXE
2808	PING.EXE
1656	PING.EXE
856	PING.EXE
1940	PING.EXE
2172	PING.EXE
2688	PING.EXE
2736	PING.EXE
876	PING.EXE
2224	PING.EXE
1552	PING.EXE
2088	PING.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	Summrs.exe
Token: SeDebugPrivilege	2836	Isass.exe
Token: SeDebugPrivilege	2768	Isass.exe
Token: SeDebugPrivilege	2032	Isass.exe
Token: SeDebugPrivilege	2012	Isass.exe
Token: SeDebugPrivilege	2308	Isass.exe
Token: SeDebugPrivilege	1496	Isass.exe
Token: SeDebugPrivilege	2776	Isass.exe
Token: SeDebugPrivilege	2492	Isass.exe
Token: SeDebugPrivilege	2816	Isass.exe
Token: SeDebugPrivilege	2976	Isass.exe
Token: SeDebugPrivilege	2596	Isass.exe
Token: SeDebugPrivilege	1876	Isass.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2836	Isass.exe
2768	Isass.exe
2032	Isass.exe
2012	Isass.exe
2308	Isass.exe
1496	Isass.exe
2776	Isass.exe
2492	Isass.exe
2816	Isass.exe
2976	Isass.exe
2596	Isass.exe
1876	Isass.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2836	Isass.exe
2768	Isass.exe
2032	Isass.exe
2012	Isass.exe
2308	Isass.exe
1496	Isass.exe
2776	Isass.exe
2492	Isass.exe
2816	Isass.exe
2976	Isass.exe
2596	Isass.exe
1876	Isass.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2836	Isass.exe
2768	Isass.exe
2032	Isass.exe
2012	Isass.exe
2308	Isass.exe
1496	Isass.exe
2776	Isass.exe
2492	Isass.exe
2816	Isass.exe
2976	Isass.exe
2596	Isass.exe
1876	Isass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2836	2100	Summrs.exe	30
PID 2100 wrote to memory of 2836	2100	Summrs.exe	30
PID 2100 wrote to memory of 2836	2100	Summrs.exe	30
PID 2836 wrote to memory of 2796	2836	Isass.exe	31
PID 2836 wrote to memory of 2796	2836	Isass.exe	31
PID 2836 wrote to memory of 2796	2836	Isass.exe	31
PID 2796 wrote to memory of 2744	2796	cmd.exe	33
PID 2796 wrote to memory of 2744	2796	cmd.exe	33
PID 2796 wrote to memory of 2744	2796	cmd.exe	33
PID 2796 wrote to memory of 2808	2796	cmd.exe	34
PID 2796 wrote to memory of 2808	2796	cmd.exe	34
PID 2796 wrote to memory of 2808	2796	cmd.exe	34
PID 2796 wrote to memory of 2768	2796	cmd.exe	35
PID 2796 wrote to memory of 2768	2796	cmd.exe	35
PID 2796 wrote to memory of 2768	2796	cmd.exe	35
PID 2768 wrote to memory of 1308	2768	Isass.exe	36
PID 2768 wrote to memory of 1308	2768	Isass.exe	36
PID 2768 wrote to memory of 1308	2768	Isass.exe	36
PID 1308 wrote to memory of 2120	1308	cmd.exe	38
PID 1308 wrote to memory of 2120	1308	cmd.exe	38
PID 1308 wrote to memory of 2120	1308	cmd.exe	38
PID 1308 wrote to memory of 1656	1308	cmd.exe	39
PID 1308 wrote to memory of 1656	1308	cmd.exe	39
PID 1308 wrote to memory of 1656	1308	cmd.exe	39
PID 1308 wrote to memory of 2032	1308	cmd.exe	41
PID 1308 wrote to memory of 2032	1308	cmd.exe	41
PID 1308 wrote to memory of 2032	1308	cmd.exe	41
PID 2032 wrote to memory of 1924	2032	Isass.exe	42
PID 2032 wrote to memory of 1924	2032	Isass.exe	42
PID 2032 wrote to memory of 1924	2032	Isass.exe	42
PID 1924 wrote to memory of 1036	1924	cmd.exe	44
PID 1924 wrote to memory of 1036	1924	cmd.exe	44
PID 1924 wrote to memory of 1036	1924	cmd.exe	44
PID 1924 wrote to memory of 856	1924	cmd.exe	45
PID 1924 wrote to memory of 856	1924	cmd.exe	45
PID 1924 wrote to memory of 856	1924	cmd.exe	45
PID 1924 wrote to memory of 2012	1924	cmd.exe	46
PID 1924 wrote to memory of 2012	1924	cmd.exe	46
PID 1924 wrote to memory of 2012	1924	cmd.exe	46
PID 2012 wrote to memory of 1436	2012	Isass.exe	47
PID 2012 wrote to memory of 1436	2012	Isass.exe	47
PID 2012 wrote to memory of 1436	2012	Isass.exe	47
PID 1436 wrote to memory of 2264	1436	cmd.exe	49
PID 1436 wrote to memory of 2264	1436	cmd.exe	49
PID 1436 wrote to memory of 2264	1436	cmd.exe	49
PID 1436 wrote to memory of 2224	1436	cmd.exe	50
PID 1436 wrote to memory of 2224	1436	cmd.exe	50
PID 1436 wrote to memory of 2224	1436	cmd.exe	50
PID 1436 wrote to memory of 2308	1436	cmd.exe	51
PID 1436 wrote to memory of 2308	1436	cmd.exe	51
PID 1436 wrote to memory of 2308	1436	cmd.exe	51
PID 2308 wrote to memory of 2456	2308	Isass.exe	52
PID 2308 wrote to memory of 2456	2308	Isass.exe	52
PID 2308 wrote to memory of 2456	2308	Isass.exe	52
PID 2456 wrote to memory of 1192	2456	cmd.exe	54
PID 2456 wrote to memory of 1192	2456	cmd.exe	54
PID 2456 wrote to memory of 1192	2456	cmd.exe	54
PID 2456 wrote to memory of 1940	2456	cmd.exe	55
PID 2456 wrote to memory of 1940	2456	cmd.exe	55
PID 2456 wrote to memory of 1940	2456	cmd.exe	55
PID 2456 wrote to memory of 1496	2456	cmd.exe	56
PID 2456 wrote to memory of 1496	2456	cmd.exe	56
PID 2456 wrote to memory of 1496	2456	cmd.exe	56
PID 1496 wrote to memory of 924	1496	Isass.exe	57

C:\Users\Admin\AppData\Local\Temp\Summrs.exe
"C:\Users\Admin\AppData\Local\Temp\Summrs.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\da-DT\Isass.exe
  "C:\Windows\system32\da-DT\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tFtcmorDJjsF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2744
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2808
  - - C:\Windows\system32\da-DT\Isass.exe
      "C:\Windows\system32\da-DT\Isass.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\S8zBvXeVKfSg.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2120
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
      - C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jPOVdR2C2aUw.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:856
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PC3z9iZaFCgR.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\35gWos2dh7LS.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSOM4GsYvN7F.bat" "
        13⤵
        
        PID:924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2172
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwxRrXtt5R2f.bat" "
        15⤵
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1552
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAOcXgMMV7ZN.bat" "
        17⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\r4jcigXzQsFQ.bat" "
        19⤵
        
        PID:1476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9jJmVVV4WuYw.bat" "
        21⤵
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2736
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOGNET2rb8WT.bat" "
        23⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Windows\system32\da-DT\Isass.exe
        
        "C:\Windows\system32\da-DT\Isass.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K9kAmQkrixHs.bat" "
        25⤵
        
        PID:2460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35gWos2dh7LS.bat

Filesize
194B

MD5
cbadca3e176fc1923c6ae16015dc8f72

SHA1
e9bbb12ba5f3dca640448605cbacae07f99f476a

SHA256
9511b06b9be06d326edd3dc077d0a7a6c41e3e3fee953f4598255edb087d5e3c

SHA512
a4b5fc4a6b7d2a9fca409e3acbd42ab18b2afc07602cfcbb538d36d178c3dd8c396415594ab62d2f30f91228d6251f30f2a31b92d124fce6042bafc01df05d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\9jJmVVV4WuYw.bat

Filesize
194B

MD5
bf58571576335fbf4c45a4a47910d537

SHA1
36dd19ada7cc133f5a8b97e51dcd6e341ffeca9e

SHA256
e4ce5954547b456c432cd29c5679d4624360be7aeb867491fd8be01fcaa1c746

SHA512
377d932b13b8aa5405e5ff3551028a70795ae58ee22fa0ccd5104850ccaf93cc9f5f6036f342b593696b63e4e96fe98183423140e86c6bc002e16259e24ea07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9kAmQkrixHs.bat

Filesize
194B

MD5
bef867c13b4807594717cfae6bf18559

SHA1
4ee4680e289a650b0b90d1b674569d92463812c9

SHA256
3abf762f58e2362ce320443db290a83946c10c045612f7151f5fe53bef0ec169

SHA512
b1fecf48a45caf3158358a08191ab95709d41245f519a03a2107ae80186167340db3dfd896c45d56336906a9c6d42d110c4a35fa86b9390ea4c09b96c85705c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OOGNET2rb8WT.bat

Filesize
194B

MD5
e1d33a62687dae95c66ee81cdf5f0d7f

SHA1
bbf7b3bdbbd5c49a5365d19398c08120f281539c

SHA256
6090d50ab7c0ff00514a6569320db1b0d5bfe2045dea6d3c7265f0e2c2fae309

SHA512
4ff9576d143fdbb655436c4c151d72c6f55fbf3a8f0cac4d220970a81c54b28f3de8b60c8e4f45e6a3538ce1d55c6305b93b72ad30fe8da171b767d37b781716

Download Submit
C:\Users\Admin\AppData\Local\Temp\PC3z9iZaFCgR.bat

Filesize
194B

MD5
4175de4a74827060b6892d330a8a1142

SHA1
cbbecbfa74a96418a69354eca23f3a69c3b5cea1

SHA256
19f38c819fbc37a079b99a5a2dda3357db174dfdc71e54a31e8d81caac35b0f8

SHA512
410d8629ea4af218a1d7f128fa1513a84881264088ef8d1b8b757280013a593ebf41539de73b685eb1ed8cfd1ca3c4f6ee516c5e966c2dd5e1248dedc5262e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8zBvXeVKfSg.bat

Filesize
194B

MD5
ba9cecb8293c0363d54f1f0526ca16de

SHA1
5a9b04798034b75a75aab4b908635dba959cc539

SHA256
c2da81982b30385f629f792f7463a6491df4d9e8c9975188e9cef84fa8675f11

SHA512
810c6edb8ac62e7c37d97c6de03067203caa6920118c2ca9f0037ab9fb1feabb823f84cd034998ed540314b501f8c9ccdc3d12f49e840411e273992fbf27fb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSOM4GsYvN7F.bat

Filesize
194B

MD5
85f233549918d3f646012f27ad3f1bc0

SHA1
3e0d5318d4210c7b4dbf9854953aead6c4e6dee8

SHA256
eeece54668f3837ece2ca66bc4a43bebb5ef61453759521e2f53988742342909

SHA512
88f3299a612fa5a8df398c4be90e4ff974dce9d3b88959dc1641aad9d35d723cf913be61560b156d4e25c3e766fbe2090ea6afa46cfc461faa43cb3a27dd5fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jPOVdR2C2aUw.bat

Filesize
194B

MD5
08e77b18a8a4f892b6011489dd9bffbb

SHA1
0feec2a057321e6d80eaf30041dcc935e12650a8

SHA256
6cb8aa372eef28943bc63367ded2479070062c55a0446d1bbb49a7f2ae04dbc5

SHA512
7fa9a27a39ba7fb18f552e6a2f0a2efd8a7637af8c1f766fddecadd1500c1d90b4c4471f70ef4680c235e1d3a4b1b31d65d9bab8e1d3ecf90a0cd8eeaf53e944

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAOcXgMMV7ZN.bat

Filesize
194B

MD5
bd056238415b8f47d08531564c2f02ee

SHA1
abf35ef14cddf7c9e22bb310b68b4494ec121d3a

SHA256
7a35a755eb8b002d398c187a002c6e36f734b9596a475415928cf82168c3b4d0

SHA512
116573e562579d4b53edcd6613cccc1d44816ef5d97ff6bc001373093e9503957356517a6ca04df6a8779634f64c681e0a3ae8f3a6f732753122076b435b3ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4jcigXzQsFQ.bat

Filesize
194B

MD5
926fe4cedca51e832eaf400f2b326d8d

SHA1
06f62fe2322b92f1bb30df6b6bdf8b9e4d288849

SHA256
675d63e7aac89f7067029c05bdbfc1cd9809ea6f36d8512d70e46c36cff41883

SHA512
ed1a48c3f45bd9818825275f4ca322597878cd5ca663954855da23dc280ebd97a9d35e1d15dccdff9f2447727a943089f812afed25fb355032686074b9143d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tFtcmorDJjsF.bat

Filesize
194B

MD5
bf15c013726d5864a12e8d641578e75b

SHA1
eb708495d6db14fb02009c1d80bf49c4b07a753e

SHA256
444654d6a7dd596e8b24a0805829a80068426a193b23672de7aca94c7eadb374

SHA512
9998aa1fd61917405d44ac5d9f49b05c70dc369267bb6b0715f0d24540807e7bfa245e356ce55bb70f07eab6513c81335d1a4261fc8fb3484e2a93d08891715c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwxRrXtt5R2f.bat

Filesize
194B

MD5
1286b93fd9b752000095e37e898a3433

SHA1
767709e457703c4fa0251d0556d040dce5fac0e9

SHA256
35c83ca044b461719c1f95df750082929f8bec97cc7c51960a10ff1ec4a5e447

SHA512
d8202805b5d769c36b085926f64b4e227118379048056674540aefa3581ff75ad4d762dfd475335ee4e6ea23a69621eef23ddb9305b80fd04b5e0c94790d4679

Download Submit
C:\Windows\System32\da-DT\Isass.exe

Filesize
3.1MB

MD5
77d34210e82e24fb0b5adbb1094f272f

SHA1
bc20888016a83b6628e7ab460e68b0a467bf3bf3

SHA256
d8f7896edc45702da8a6c984d10fa00d2ea3c73c0fa8b08b689cf89ff1e5cd0e

SHA512
766f0f97752fd0e63d08474f1d4c32a7ca88854f58d2e59903f2218134136bed45e9fbb6d375fcc3677bca4b95a1aec3e0830e27f510bbf4f88e04e6814f4a04

Download Submit
memory/1496-67-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/1876-136-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download
memory/2012-44-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2100-8-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp

Filesize
4KB

Download
memory/2100-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-1-0x00000000008D0000-0x0000000000BF4000-memory.dmp

Filesize
3.1MB

Download
memory/2308-56-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download
memory/2492-91-0x0000000000280000-0x00000000005A4000-memory.dmp

Filesize
3.1MB

Download
memory/2776-78-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download
memory/2816-102-0x00000000009C0000-0x0000000000CE4000-memory.dmp

Filesize
3.1MB

Download
memory/2836-20-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-9-0x0000000001250000-0x0000000001574000-memory.dmp

Filesize
3.1MB

Download
memory/2836-10-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-11-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-113-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download