quasar | 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2klz.exe
Size

3.1MB
MD5

01cb0e497f40e7d02f93255475f175e1
SHA1

98c779497d6514b91cd1410f627a5320f6b3eab5
SHA256

15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95
SHA512

fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9
SSDEEP

49152:TvalL26AaNeWgPhlmVqvMQ7XSKKGRJ69bR3LoGdEMgTHHB72eh2NT:TvCL26AaNeWgPhlmVqkQ7XSKKGRJ6PU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Extazz24535-22930.portmap.host:22930

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/212-1-0x0000000000D00000-0x0000000001024000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c85-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2klz.exe

Executes dropped EXE 15 IoCs

pid	Process
3316	2klz.exe
2120	2klz.exe
2772	2klz.exe
4964	2klz.exe
1300	2klz.exe
5084	2klz.exe
212	2klz.exe
4812	2klz.exe
4484	2klz.exe
844	2klz.exe
2396	2klz.exe
3228	2klz.exe
3236	2klz.exe
4852	2klz.exe
4828	2klz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4172	PING.EXE
2400	PING.EXE
3824	PING.EXE
4360	PING.EXE
2968	PING.EXE
2904	PING.EXE
1884	PING.EXE
4140	PING.EXE
1248	PING.EXE
1312	PING.EXE
4984	PING.EXE
1780	PING.EXE
928	PING.EXE
528	PING.EXE
5092	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2904	PING.EXE
928	PING.EXE
3824	PING.EXE
2968	PING.EXE
4360	PING.EXE
1780	PING.EXE
4172	PING.EXE
528	PING.EXE
4140	PING.EXE
1248	PING.EXE
5092	PING.EXE
1312	PING.EXE
4984	PING.EXE
1884	PING.EXE
2400	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	2klz.exe
Token: SeDebugPrivilege	3316	2klz.exe
Token: SeDebugPrivilege	2120	2klz.exe
Token: SeDebugPrivilege	2772	2klz.exe
Token: SeDebugPrivilege	4964	2klz.exe
Token: SeDebugPrivilege	1300	2klz.exe
Token: SeDebugPrivilege	5084	2klz.exe
Token: SeDebugPrivilege	212	2klz.exe
Token: SeDebugPrivilege	4812	2klz.exe
Token: SeDebugPrivilege	4484	2klz.exe
Token: SeDebugPrivilege	844	2klz.exe
Token: SeDebugPrivilege	2396	2klz.exe
Token: SeDebugPrivilege	3228	2klz.exe
Token: SeDebugPrivilege	3236	2klz.exe
Token: SeDebugPrivilege	4852	2klz.exe
Token: SeDebugPrivilege	4828	2klz.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3316	2klz.exe
2120	2klz.exe
2772	2klz.exe
4964	2klz.exe
1300	2klz.exe
5084	2klz.exe
212	2klz.exe
4812	2klz.exe
4484	2klz.exe
844	2klz.exe
2396	2klz.exe
3228	2klz.exe
3236	2klz.exe
4852	2klz.exe
4828	2klz.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3316	2klz.exe
2120	2klz.exe
2772	2klz.exe
4964	2klz.exe
1300	2klz.exe
5084	2klz.exe
212	2klz.exe
4812	2klz.exe
4484	2klz.exe
844	2klz.exe
2396	2klz.exe
3228	2klz.exe
3236	2klz.exe
4852	2klz.exe
4828	2klz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3316	212	2klz.exe	82
PID 212 wrote to memory of 3316	212	2klz.exe	82
PID 3316 wrote to memory of 3540	3316	2klz.exe	83
PID 3316 wrote to memory of 3540	3316	2klz.exe	83
PID 3540 wrote to memory of 2132	3540	cmd.exe	85
PID 3540 wrote to memory of 2132	3540	cmd.exe	85
PID 3540 wrote to memory of 2904	3540	cmd.exe	86
PID 3540 wrote to memory of 2904	3540	cmd.exe	86
PID 3540 wrote to memory of 2120	3540	cmd.exe	92
PID 3540 wrote to memory of 2120	3540	cmd.exe	92
PID 2120 wrote to memory of 1692	2120	2klz.exe	95
PID 2120 wrote to memory of 1692	2120	2klz.exe	95
PID 1692 wrote to memory of 4600	1692	cmd.exe	97
PID 1692 wrote to memory of 4600	1692	cmd.exe	97
PID 1692 wrote to memory of 4984	1692	cmd.exe	98
PID 1692 wrote to memory of 4984	1692	cmd.exe	98
PID 1692 wrote to memory of 2772	1692	cmd.exe	99
PID 1692 wrote to memory of 2772	1692	cmd.exe	99
PID 2772 wrote to memory of 4084	2772	2klz.exe	100
PID 2772 wrote to memory of 4084	2772	2klz.exe	100
PID 4084 wrote to memory of 4904	4084	cmd.exe	102
PID 4084 wrote to memory of 4904	4084	cmd.exe	102
PID 4084 wrote to memory of 4172	4084	cmd.exe	103
PID 4084 wrote to memory of 4172	4084	cmd.exe	103
PID 4084 wrote to memory of 4964	4084	cmd.exe	106
PID 4084 wrote to memory of 4964	4084	cmd.exe	106
PID 4964 wrote to memory of 3536	4964	2klz.exe	107
PID 4964 wrote to memory of 3536	4964	2klz.exe	107
PID 3536 wrote to memory of 3308	3536	cmd.exe	109
PID 3536 wrote to memory of 3308	3536	cmd.exe	109
PID 3536 wrote to memory of 928	3536	cmd.exe	110
PID 3536 wrote to memory of 928	3536	cmd.exe	110
PID 3536 wrote to memory of 1300	3536	cmd.exe	111
PID 3536 wrote to memory of 1300	3536	cmd.exe	111
PID 1300 wrote to memory of 4668	1300	2klz.exe	112
PID 1300 wrote to memory of 4668	1300	2klz.exe	112
PID 4668 wrote to memory of 1456	4668	cmd.exe	114
PID 4668 wrote to memory of 1456	4668	cmd.exe	114
PID 4668 wrote to memory of 1884	4668	cmd.exe	115
PID 4668 wrote to memory of 1884	4668	cmd.exe	115
PID 4668 wrote to memory of 5084	4668	cmd.exe	116
PID 4668 wrote to memory of 5084	4668	cmd.exe	116
PID 5084 wrote to memory of 4432	5084	2klz.exe	117
PID 5084 wrote to memory of 4432	5084	2klz.exe	117
PID 4432 wrote to memory of 4656	4432	cmd.exe	119
PID 4432 wrote to memory of 4656	4432	cmd.exe	119
PID 4432 wrote to memory of 528	4432	cmd.exe	120
PID 4432 wrote to memory of 528	4432	cmd.exe	120
PID 4432 wrote to memory of 212	4432	cmd.exe	121
PID 4432 wrote to memory of 212	4432	cmd.exe	121
PID 212 wrote to memory of 4828	212	2klz.exe	122
PID 212 wrote to memory of 4828	212	2klz.exe	122
PID 4828 wrote to memory of 3232	4828	cmd.exe	124
PID 4828 wrote to memory of 3232	4828	cmd.exe	124
PID 4828 wrote to memory of 4140	4828	cmd.exe	125
PID 4828 wrote to memory of 4140	4828	cmd.exe	125
PID 4828 wrote to memory of 4812	4828	cmd.exe	126
PID 4828 wrote to memory of 4812	4828	cmd.exe	126
PID 4812 wrote to memory of 1376	4812	2klz.exe	127
PID 4812 wrote to memory of 1376	4812	2klz.exe	127
PID 1376 wrote to memory of 672	1376	cmd.exe	129
PID 1376 wrote to memory of 672	1376	cmd.exe	129
PID 1376 wrote to memory of 2400	1376	cmd.exe	130
PID 1376 wrote to memory of 2400	1376	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\2klz.exe
"C:\Users\Admin\AppData\Local\Temp\2klz.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2c3AV2FFnEMZ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2132
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2904
  - - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deofAqccL2w5.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4600
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4984
      - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nJEAHAzKA0hu.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4172
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbzRr3yhP8aQ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LJ4JIJvEesm9.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AzxTWV7ZqVzE.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:528
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8xpU3gHBHZvd.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4140
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AHifm7ep3i7Y.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKwf1S2q8zbD.bat" "
        19⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1248
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NZjXPjhsG86h.bat" "
        21⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5sGl11DoyPfz.bat" "
        23⤵
        
        PID:1072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z2Wp0AafBpRf.bat" "
        25⤵
        
        PID:640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIAXbd0wGEKF.bat" "
        27⤵
        
        PID:5108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4360
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pf6ix6gjCwda.bat" "
        29⤵
        
        PID:5036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z8payhEygvuN.bat" "
        31⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2klz.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c3AV2FFnEMZ.bat

Filesize
205B

MD5
bf85145d7dde09e528fd4ee0e0868e5e

SHA1
1cfabab666d35f2093afc636b2c5c1f3f964362a

SHA256
c0dce2856ff5caa7869ecd8317bbe7f089d17ec918245dac85ddeadef3592cc6

SHA512
e9686b669cf962c3e97df3f1fdafa21f41af4aa6755d0c54c72a2515b95c648b237e8f0334411c70f2bd2c2cd98b22b95e7459ec765015adf2632c69648209b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5sGl11DoyPfz.bat

Filesize
205B

MD5
0b2f694bbc204810df2800529b6de276

SHA1
b2eab3ee538418c4b743edd404becfb6124f792a

SHA256
e0da30881d132153c84d6aa8d6df2875ef215b1b51399d166b49057605e6f6cb

SHA512
221fa8c758ea775b68ec6b4109f4c4f2b84522c8a4d3c94ec301f1ae988d8ce2e506670b7a3c9bd041cb9485e6e001b5e52d41fa8f7e27020f3bff34be7a693d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xpU3gHBHZvd.bat

Filesize
205B

MD5
d4cc881050f9d9c426f3497f7cfa6b3c

SHA1
f13d233cc4257394ec24321cf4f0b2794d391c16

SHA256
5d8079a2bf1b46caf02af49d14bb0237981bed07bf07a240aaa2fdcb79b26d0b

SHA512
ad9a1a71e504c9c2c97602648441a0a0674d8356138b4e72eb04df3e281a7e49092afb3b45a5117699a1d7520ad76267b9b20b10e945a8dc3219a4822c7bf052

Download Submit
C:\Users\Admin\AppData\Local\Temp\AHifm7ep3i7Y.bat

Filesize
205B

MD5
4b22525f3bba35476abb45c80c3ae70b

SHA1
74816e553c5152a85e77b9fa1a8fbb451a432cb3

SHA256
6e7f8e71e5e66f7b0ca60de94eb628ac26cd0439bc2020cd1bb3a20f591cfba3

SHA512
91ab8f92b872297593f5970caa346b8995dff373f89ac546a994fc8a5b9f889fbc7b307a139d7b21108408a0cab703fc60b2d12800e3b9a67fe7e4f8323d0b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\AzxTWV7ZqVzE.bat

Filesize
205B

MD5
c981e3f3553b2a10473bd8889d6a5567

SHA1
ac4ae6abec3facf0544957c88eabdcd359d75728

SHA256
043acffcbd16a24a344a74225d94d029a09ae9b58cf588a7df94e3723d48de44

SHA512
1be5386c982ee6739caeb1546f40b69e7974ce30f0316df60250a53f7bc4f725262f2ccc7f74cae1be555aae03b2d47d548f1c2dba7c7b133b2c4d8219c2a467

Download Submit
C:\Users\Admin\AppData\Local\Temp\LJ4JIJvEesm9.bat

Filesize
205B

MD5
d03f81aa2149f802c47261c824598be0

SHA1
bced0c2c536567bc0d09fcdeb15c76fe471dd92b

SHA256
197c5c1986b880d1caf3976bb34ca04d3cd0263133b4aabe765a7fd16a39cd0e

SHA512
499ef92fe76ddce7bae94a2becdc416b2a51ded63b729f808c4119601d3535f6eeaae679e336023a27b60749e007f32a4d45205c7c1d6ba89d4f60d4ef07e322

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKwf1S2q8zbD.bat

Filesize
205B

MD5
2f194206162aba9b3068980d84589939

SHA1
d80195a07a11cd3381693ee5c78aa40b9b9f6c7d

SHA256
21de48bed84ad15d58b7ec5e052e846bf71d90947525c06f13d13d07ab650a6b

SHA512
11215cdfc39d0406a63a2adb2d52719a8b303bac0287cebdc5bc653aa1bfc3efad196d556766d610daf1b4197996f6180054dfb4ec37486ba0a3c906bde04923

Download Submit
C:\Users\Admin\AppData\Local\Temp\NZjXPjhsG86h.bat

Filesize
205B

MD5
284a2cb0f5a888fb4a51a288354f49c5

SHA1
f20850639c271b8392e4f6cde1b7225e10e899be

SHA256
f20b81eed444f8ce4076f15890df4a231b67e36364c1863ddd1320ae56fd6861

SHA512
ad34b5b2ef84764eb24aea75b565babadac042df24d794ddbadf6e798ceb69f893b749999c39426ce9db580b1fa92c6b2e58ce735529365a7218e676df7e48b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pf6ix6gjCwda.bat

Filesize
205B

MD5
e625eed91f12b064336fd8db14dde916

SHA1
3f6ad54bac184b7b1367f1081721198d8634d28d

SHA256
54000d15c1c97702c0ff8c90066738bf308a349e90fac540aaea06278a509bbe

SHA512
66b9ef70e1fe74f5166acc4056459d88090afe3df1e66b75c6a39bf5ad8b4aad59a0fc1c4d6dfadf9a9ce85dd61f9079b8157a160518d5c095ebdee277a63306

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIAXbd0wGEKF.bat

Filesize
205B

MD5
ed1ba9b24aa3640df8510991c19e7dc1

SHA1
d06bfae5f610a3e1331d13e6ad7fc5225287524e

SHA256
234b2e601faf3d39d4896b24efac81c12dcab4d014154278d1e7f01422f8f597

SHA512
7b944b1ad99e91f55b16bf703fcef810954c496a8b0833efb49bedc40b8ac1062b428c027235bdfc54c6b9ca1388edd5e0ae8a706fd6b39a8e9350f4449a30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z2Wp0AafBpRf.bat

Filesize
205B

MD5
0fd84a2a88fc701bac02f756a01456aa

SHA1
946fceb1e0bca6ff88021e0aa290f83fbdd18fb8

SHA256
b52b8cb64faa857084cd3c3cd4cfdfa19b057f85410f875ced663b52309a2ff1

SHA512
fb4cb5eb806ef77f29f2672292360b2d3d7f8ab56889a13e58f3886e9740e2b87a48ef347f7859855c57a7cb45a1f37b557290dbb7bc1e86d726749c32d3f3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\deofAqccL2w5.bat

Filesize
205B

MD5
5dd3697725ae5565498d7660a95837b3

SHA1
b6dd4b3907f959f89e0f910749c09c1bf839297f

SHA256
a02ca267ef4eab421cd78e5c07d0a5ac65961db8586a5a4a5d6dde9aaa2da2f7

SHA512
08466801a46f7aac037f9642a3b5996c2f0364adf39aedb5821828fc89effea5f59a459733fcd0c1afb0914e4d1170a16d4f6e4f9a4fdf99b32b6607e2276753

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJEAHAzKA0hu.bat

Filesize
205B

MD5
4c7f5f71a2e6329d019c3cfc6b6a91c3

SHA1
dc90a8a973d3ad1bc9e15acbe4cf62111e3f9660

SHA256
cb431ffd7ed8045a67dd1b599f414d87b9c24f0b62fcb02706ccc684bfd7bca1

SHA512
1dbfeb3ea3c2eccad93a41294095f2718f57013528de709de1ede4969ec0d831a327c7d350ef716a0c45ddd25941c6b22b27a8425b824c1f00fd291d1436ea4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbzRr3yhP8aQ.bat

Filesize
205B

MD5
43eb0188698449eed824074a1a6837fc

SHA1
a7c7710b690e090e44d9fe64b2663d8c3a8452e0

SHA256
fa8622422a496096607f6c6ed527aa2a24349a641faf9267cf2a7395ffef2ebd

SHA512
61c162d1af85ba8c43736005d4c7a010f83d82ab61f10b8684604547bae61a7485e2922249f9b6f633a3ac7c8a55ac4d8ade2a76c3c40b70629ccb198a6ef10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\z8payhEygvuN.bat

Filesize
205B

MD5
f557590e5044698376b983d4c4809d51

SHA1
c915293601072766d972e13c7d407c7c5a79f4b0

SHA256
d5ddc5506e74352510c89f8963feb4fbf7833318e5dcf937ed6b102f97daac99

SHA512
d4ac45b8c44ef4bd7f95c523ca0844c276b19c9fbf9fc296a87fe9c3e0ab0132e5d6b721834e2b7182f425656c022c8827f293c1ef25bd05dd342dbf4f8bd549

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe

Filesize
3.1MB

MD5
01cb0e497f40e7d02f93255475f175e1

SHA1
98c779497d6514b91cd1410f627a5320f6b3eab5

SHA256
15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

SHA512
fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

Download Submit
memory/212-0-0x00007FFB29E63000-0x00007FFB29E65000-memory.dmp

Filesize
8KB

Download
memory/212-1-0x0000000000D00000-0x0000000001024000-memory.dmp

Filesize
3.1MB

Download
memory/212-2-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-11-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/3316-18-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/3316-10-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/3316-12-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/3316-13-0x000000001BD80000-0x000000001BDD0000-memory.dmp

Filesize
320KB

Download
memory/3316-14-0x000000001BE90000-0x000000001BF42000-memory.dmp

Filesize
712KB

Download