quasar | 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

Analysis

max time kernel
146s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2klz.exe
Size

3.1MB
MD5

01cb0e497f40e7d02f93255475f175e1
SHA1

98c779497d6514b91cd1410f627a5320f6b3eab5
SHA256

15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95
SHA512

fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9
SSDEEP

49152:TvalL26AaNeWgPhlmVqvMQ7XSKKGRJ69bR3LoGdEMgTHHB72eh2NT:TvCL26AaNeWgPhlmVqkQ7XSKKGRJ6PU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Extazz24535-22930.portmap.host:22930

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/2328-1-0x0000000000A80000-0x0000000000DA4000-memory.dmp	family_quasar
behavioral1/files/0x00070000000195d6-6.dat	family_quasar
behavioral1/memory/2980-10-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/2788-23-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral1/memory/2416-34-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/memory/2896-45-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar
behavioral1/memory/1772-56-0x0000000000820000-0x0000000000B44000-memory.dmp	family_quasar
behavioral1/memory/496-67-0x0000000001030000-0x0000000001354000-memory.dmp	family_quasar
behavioral1/memory/1580-90-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral1/memory/3060-101-0x0000000000A20000-0x0000000000D44000-memory.dmp	family_quasar
behavioral1/memory/2052-113-0x0000000000A50000-0x0000000000D74000-memory.dmp	family_quasar
behavioral1/memory/1356-124-0x00000000011D0000-0x00000000014F4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2980	2klz.exe
2788	2klz.exe
2416	2klz.exe
2896	2klz.exe
1772	2klz.exe
496	2klz.exe
1844	2klz.exe
1580	2klz.exe
3060	2klz.exe
2052	2klz.exe
1356	2klz.exe
2612	2klz.exe
1192	2klz.exe
2084	2klz.exe
1828	2klz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2312	PING.EXE
2956	PING.EXE
2404	PING.EXE
1056	PING.EXE
1060	PING.EXE
1428	PING.EXE
1632	PING.EXE
1548	PING.EXE
3028	PING.EXE
2280	PING.EXE
696	PING.EXE
628	PING.EXE
2100	PING.EXE
2808	PING.EXE
2056	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
628	PING.EXE
2312	PING.EXE
2280	PING.EXE
2956	PING.EXE
2100	PING.EXE
2404	PING.EXE
1632	PING.EXE
1056	PING.EXE
696	PING.EXE
1428	PING.EXE
1548	PING.EXE
2056	PING.EXE
1060	PING.EXE
2808	PING.EXE
3028	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	2klz.exe
Token: SeDebugPrivilege	2980	2klz.exe
Token: SeDebugPrivilege	2788	2klz.exe
Token: SeDebugPrivilege	2416	2klz.exe
Token: SeDebugPrivilege	2896	2klz.exe
Token: SeDebugPrivilege	1772	2klz.exe
Token: SeDebugPrivilege	496	2klz.exe
Token: SeDebugPrivilege	1844	2klz.exe
Token: SeDebugPrivilege	1580	2klz.exe
Token: SeDebugPrivilege	3060	2klz.exe
Token: SeDebugPrivilege	2052	2klz.exe
Token: SeDebugPrivilege	1356	2klz.exe
Token: SeDebugPrivilege	2612	2klz.exe
Token: SeDebugPrivilege	1192	2klz.exe
Token: SeDebugPrivilege	2084	2klz.exe
Token: SeDebugPrivilege	1828	2klz.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2980	2klz.exe
2788	2klz.exe
2416	2klz.exe
2896	2klz.exe
1772	2klz.exe
496	2klz.exe
1844	2klz.exe
1580	2klz.exe
3060	2klz.exe
2052	2klz.exe
1356	2klz.exe
2612	2klz.exe
1192	2klz.exe
2084	2klz.exe
1828	2klz.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2980	2klz.exe
2788	2klz.exe
2416	2klz.exe
2896	2klz.exe
1772	2klz.exe
496	2klz.exe
1844	2klz.exe
1580	2klz.exe
3060	2klz.exe
2052	2klz.exe
1356	2klz.exe
2612	2klz.exe
1192	2klz.exe
2084	2klz.exe
1828	2klz.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2980	2klz.exe
1844	2klz.exe
1580	2klz.exe
3060	2klz.exe
1356	2klz.exe
1828	2klz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2980	2328	2klz.exe	30
PID 2328 wrote to memory of 2980	2328	2klz.exe	30
PID 2328 wrote to memory of 2980	2328	2klz.exe	30
PID 2980 wrote to memory of 2660	2980	2klz.exe	31
PID 2980 wrote to memory of 2660	2980	2klz.exe	31
PID 2980 wrote to memory of 2660	2980	2klz.exe	31
PID 2660 wrote to memory of 2812	2660	cmd.exe	33
PID 2660 wrote to memory of 2812	2660	cmd.exe	33
PID 2660 wrote to memory of 2812	2660	cmd.exe	33
PID 2660 wrote to memory of 2956	2660	cmd.exe	34
PID 2660 wrote to memory of 2956	2660	cmd.exe	34
PID 2660 wrote to memory of 2956	2660	cmd.exe	34
PID 2660 wrote to memory of 2788	2660	cmd.exe	35
PID 2660 wrote to memory of 2788	2660	cmd.exe	35
PID 2660 wrote to memory of 2788	2660	cmd.exe	35
PID 2788 wrote to memory of 296	2788	2klz.exe	36
PID 2788 wrote to memory of 296	2788	2klz.exe	36
PID 2788 wrote to memory of 296	2788	2klz.exe	36
PID 296 wrote to memory of 2240	296	cmd.exe	38
PID 296 wrote to memory of 2240	296	cmd.exe	38
PID 296 wrote to memory of 2240	296	cmd.exe	38
PID 296 wrote to memory of 1428	296	cmd.exe	39
PID 296 wrote to memory of 1428	296	cmd.exe	39
PID 296 wrote to memory of 1428	296	cmd.exe	39
PID 296 wrote to memory of 2416	296	cmd.exe	40
PID 296 wrote to memory of 2416	296	cmd.exe	40
PID 296 wrote to memory of 2416	296	cmd.exe	40
PID 2416 wrote to memory of 1588	2416	2klz.exe	41
PID 2416 wrote to memory of 1588	2416	2klz.exe	41
PID 2416 wrote to memory of 1588	2416	2klz.exe	41
PID 1588 wrote to memory of 1276	1588	cmd.exe	43
PID 1588 wrote to memory of 1276	1588	cmd.exe	43
PID 1588 wrote to memory of 1276	1588	cmd.exe	43
PID 1588 wrote to memory of 628	1588	cmd.exe	44
PID 1588 wrote to memory of 628	1588	cmd.exe	44
PID 1588 wrote to memory of 628	1588	cmd.exe	44
PID 1588 wrote to memory of 2896	1588	cmd.exe	45
PID 1588 wrote to memory of 2896	1588	cmd.exe	45
PID 1588 wrote to memory of 2896	1588	cmd.exe	45
PID 2896 wrote to memory of 1316	2896	2klz.exe	46
PID 2896 wrote to memory of 1316	2896	2klz.exe	46
PID 2896 wrote to memory of 1316	2896	2klz.exe	46
PID 1316 wrote to memory of 276	1316	cmd.exe	48
PID 1316 wrote to memory of 276	1316	cmd.exe	48
PID 1316 wrote to memory of 276	1316	cmd.exe	48
PID 1316 wrote to memory of 2100	1316	cmd.exe	49
PID 1316 wrote to memory of 2100	1316	cmd.exe	49
PID 1316 wrote to memory of 2100	1316	cmd.exe	49
PID 1316 wrote to memory of 1772	1316	cmd.exe	50
PID 1316 wrote to memory of 1772	1316	cmd.exe	50
PID 1316 wrote to memory of 1772	1316	cmd.exe	50
PID 1772 wrote to memory of 2164	1772	2klz.exe	51
PID 1772 wrote to memory of 2164	1772	2klz.exe	51
PID 1772 wrote to memory of 2164	1772	2klz.exe	51
PID 2164 wrote to memory of 2112	2164	cmd.exe	53
PID 2164 wrote to memory of 2112	2164	cmd.exe	53
PID 2164 wrote to memory of 2112	2164	cmd.exe	53
PID 2164 wrote to memory of 2404	2164	cmd.exe	54
PID 2164 wrote to memory of 2404	2164	cmd.exe	54
PID 2164 wrote to memory of 2404	2164	cmd.exe	54
PID 2164 wrote to memory of 496	2164	cmd.exe	55
PID 2164 wrote to memory of 496	2164	cmd.exe	55
PID 2164 wrote to memory of 496	2164	cmd.exe	55
PID 496 wrote to memory of 1556	496	2klz.exe	56

C:\Users\Admin\AppData\Local\Temp\2klz.exe
"C:\Users\Admin\AppData\Local\Temp\2klz.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\9fewkV6ZCXSd.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2812
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2956
  - - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2nf6tN6xCiJs.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:296
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2240
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1428
      - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Wuh8oIHkKo3.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rINbrSA0pJ5F.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gK3TR383Horx.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hy7jA2DrCi2T.bat" "
        13⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ULQBCz6ONC42.bat" "
        15⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\njqHLGju6CBo.bat" "
        17⤵
        
        PID:2560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIxTKLiv0Xgz.bat" "
        19⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wLeFlBQDLyIc.bat" "
        21⤵
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAK5VCIm8SW0.bat" "
        23⤵
        
        PID:1348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocgqZPJz3tCk.bat" "
        25⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1192
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\moBYoSB4QuJj.bat" "
        27⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2084
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bLcvjjb6dteP.bat" "
        29⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\liQV252fFu8S.bat" "
        31⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nf6tN6xCiJs.bat

Filesize
205B

MD5
2256e976beb0de7f74d492f713cac280

SHA1
807389dce67d81112c02796367f3db48510bc8e2

SHA256
a76d06bb74e5d695daf99a9c636bd966332e97a8db11bb1f8b71e6f9f0c4a684

SHA512
c0ec36d2270f9edfd5a23c0ecd3c51894bd90a3fdfacfd0ca421de4de5d04a13f6e41d41bd95ba0ac5d051059d6518fba10a1c9f39870e8c25bacb21e603d1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Wuh8oIHkKo3.bat

Filesize
205B

MD5
6ff269b30dcfa6627a639f7d855968e4

SHA1
acd96dd17a2d8a552e58d10d8d4986a7878dca10

SHA256
c83ce5d301350217859763254c260c7417db2c896dc2cc84ee30a96a97ef5c19

SHA512
d86c9baeb08e0e59fb9558a370af399a581158fe98f91231048be9f60ffa8339b0b8b6d9bc93191f451afbc04f5bac9f0f4c134f8bbc721efe3ce6182d52b4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fewkV6ZCXSd.bat

Filesize
205B

MD5
07a922a95211eb0e40fc9c59bf494712

SHA1
52f160c9b1c65c4c0348a4cb42b27f045dd480a3

SHA256
00deab43af5487607664e55b7b88581405dbafa2da2de689efb5c0f1f603584e

SHA512
45063abd21970fea10870a2d850a94d3195ba749fd1b20087a8ab41181343f95e4734044cfc8d6af03def2309132a2dfb0cc35426e01e2ddb89a1543ac3c5f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIxTKLiv0Xgz.bat

Filesize
205B

MD5
cc3414b7deecd4e1291847aaa7cd22b5

SHA1
31d68abd27230e021ed686b8473b4faa80f5feb3

SHA256
70f820135e9f6aba40b4849b3f9702f7606f3cd3fb915173df6f3bc151a80c0e

SHA512
be068fad35e33b9b746389d051ebcd86b49fc5173c2a38353767f71fddcf654315aaed411de522f554cac75102d72d471aced9cbfa405b98448f9d68df4aefb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAK5VCIm8SW0.bat

Filesize
205B

MD5
e4782038354bc55dc456cbd5e62c4f10

SHA1
9d9e174298a915284a56b09393799e04e9f3d33c

SHA256
461c0da84b67616051509496d84d35e30dc593131f0e0e5e4e60fea08d4449a3

SHA512
f49905c6a9a5281c3de54637b55cfaecf8ba3b8d1137316f96248a894ad9981289b669861ed68bfafc1f985ff8d27e359415e21d573ade1a5aff332dc72de639

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULQBCz6ONC42.bat

Filesize
205B

MD5
e3cf4e040ac650fc44f2b09bb309ff80

SHA1
ea25969366e000539aca294c4b7e3e073785b24c

SHA256
d98dde35b440b2440bbb3051e48b8e2e9bd57cf8e4aae2a18cb097cdb084413d

SHA512
19204123d0b98d1b12a6e127b3ed8d2696b2d97b03693c046ec981fac7ad7d3a62011ffc6fc33c80f499bc9542ff5fe925742c05956fa4cc86f93a6ecacc38a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bLcvjjb6dteP.bat

Filesize
205B

MD5
4b80cb1ab9c542fd5c4ee02db2ab0ba9

SHA1
a116143f43bdad3c44806f7efe77428a6503cf84

SHA256
988517475b2908a298b2a3af3f4bc3fc299e68719bd21ef1789b605394e06360

SHA512
10b385c63a2d99ee2d432ea43a0909c35547c4ee898e30765559bedc64d49fd3659160c6bff1b7fc08a5412b47b3ec482796c899ea9fc4c5c57b3681268469b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gK3TR383Horx.bat

Filesize
205B

MD5
86f309283514374e54ff200ea0a5f917

SHA1
7d3eb6383e50ca02ea57aad611e0b5f8f5944c81

SHA256
297247d66afb72124da0107b7191eefa55fd1215b70bb59b586c1e35a363207c

SHA512
9f1c6d5d4186484a740debc69d88f9cf1a8d96300030ea9c7b78676cb2834052b68d66263e78ed9d9f7f894ccd7f3bd3df688f51f5f097945d58bd7801d846e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy7jA2DrCi2T.bat

Filesize
205B

MD5
3bb3796fd3bb8cb55858e0955393bd90

SHA1
c97f6509db2636cf3c8b0ddd996b3e5995bbd88f

SHA256
82a5720e8fb397d67c6e309ff1ce2c7f817dfa2786da889c77a30cb8014158af

SHA512
8da1f250550d8f129b29674e67408c3ba382492e02b93d815635a600f60abdbdca0e1533436e26bcc00a613f90abbec0da476d7a8aef272ddfd9cdcc2d68cd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\liQV252fFu8S.bat

Filesize
205B

MD5
bf89bcb63aee6940baf5669fb6056747

SHA1
2b2edd5833dcd4b1838e5891dd68d0ed8f43a936

SHA256
79ecebe8ee2fb638ad9cf9c64e785915fb8e6a07f940b82d556b2aae9de66d1a

SHA512
dba49eea567986b5e41ffa6e2ecd7601491f8385721586598ed566eff11b0e8bc11ed2108c8bb7fc8b9bb7e7a538dfbcd4056d1ed3f0051f864137ede6a5fe1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\moBYoSB4QuJj.bat

Filesize
205B

MD5
a9a36146c7fd9183c2dc2a4204e30d85

SHA1
bc90b9436af5207393042c05878e7075fd84e34a

SHA256
3e10fb2e59511b6e1d12bbbe6dbe35521b1ce0d69e273ea3c5b6cc4cd8b9c202

SHA512
e63be716af80c3822338ed367ea9a7783267d73e9e8f98cd1d3c73ea92fe5b2b9c1dcbe2a5d984c4e33e6fd4bccf996d77c72475ca00d56603aaed5a5baa3ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\njqHLGju6CBo.bat

Filesize
205B

MD5
4aed17bc843a4945b29ef08493a3aa9e

SHA1
00ed9d508e5883671861a6da974247f80626e4ba

SHA256
4748405357e109600f83cdf87d77ac6f5a0fe268ade97be38f46af50a6bc3a6b

SHA512
57769271ad5726d6a7c4b6004e06f7778f782f5de933a34f278308f4b41d6ff4d9111c271d50d0efd0e5c4af52f03326317c4b39bb0f2c632c0f8e476ee57a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocgqZPJz3tCk.bat

Filesize
205B

MD5
281a54d99c002750c61c57d189c1c8fe

SHA1
2109c81c585249dcdc571aae722ca7c5dec87e80

SHA256
1f3cd07b26f437deefd5272aca69569311c6d1772f5812ebd61d304b0861f51e

SHA512
6208edce044fe4d850f4fb3e03af7330270ede4a71c3cc3ca36c050f9cd932c9c70b9048c1613420551d98c48ed5a18a72d15c2291ad9d31281302836bdabf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rINbrSA0pJ5F.bat

Filesize
205B

MD5
a5338708148f457a3b7914b847b5699d

SHA1
1b9bce5943f1025586f4f6dca25dd5a93df6d99f

SHA256
f88ada9e622a479406564c7daba54aab2835d486289d374f5c8a0cc81c2fbb15

SHA512
eab5618698597c62b575d533cf36d4b8b0703e477b47ae99250e390162d23bb847e6a80addd250a7f6c4e725e95cc4021d4d8de78269085117bc5c56911a2d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLeFlBQDLyIc.bat

Filesize
205B

MD5
cd1bbd4773cefcc7747c86f5b562817d

SHA1
3768813397ba8e1731bc68b5cdd324cc970c4601

SHA256
3647be8df7e38b6dae975fbe421b2aac8db9576362476f07800362819370f4a4

SHA512
86c9fc3555a8b8ba33ec3572b4cb6ea72cf0eee5e7cb6f0cb6c84807b6dad2d749bb56cc1706b252b5daf8ad5b9adf3be59d4c194d6ca8a5732f3c87af10f804

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe

Filesize
3.1MB

MD5
01cb0e497f40e7d02f93255475f175e1

SHA1
98c779497d6514b91cd1410f627a5320f6b3eab5

SHA256
15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

SHA512
fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

Download Submit
memory/496-67-0x0000000001030000-0x0000000001354000-memory.dmp

Filesize
3.1MB

Download
memory/1356-124-0x00000000011D0000-0x00000000014F4000-memory.dmp

Filesize
3.1MB

Download
memory/1580-90-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/1772-56-0x0000000000820000-0x0000000000B44000-memory.dmp

Filesize
3.1MB

Download
memory/2052-113-0x0000000000A50000-0x0000000000D74000-memory.dmp

Filesize
3.1MB

Download
memory/2328-8-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-1-0x0000000000A80000-0x0000000000DA4000-memory.dmp

Filesize
3.1MB

Download
memory/2328-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2416-34-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/2788-23-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/2896-45-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/2980-9-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2980-11-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2980-10-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/2980-20-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-101-0x0000000000A20000-0x0000000000D44000-memory.dmp

Filesize
3.1MB

Download