quasar | 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

Analysis

max time kernel
145s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95.exe
Size

3.1MB
MD5

01cb0e497f40e7d02f93255475f175e1
SHA1

98c779497d6514b91cd1410f627a5320f6b3eab5
SHA256

15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95
SHA512

fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9
SSDEEP

49152:TvalL26AaNeWgPhlmVqvMQ7XSKKGRJ69bR3LoGdEMgTHHB72eh2NT:TvCL26AaNeWgPhlmVqkQ7XSKKGRJ6PU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Extazz24535-22930.portmap.host:22930

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/3008-1-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016d58-7.dat	family_quasar
behavioral1/memory/2504-9-0x0000000001140000-0x0000000001464000-memory.dmp	family_quasar
behavioral1/memory/1568-85-0x0000000001210000-0x0000000001534000-memory.dmp	family_quasar
behavioral1/memory/2168-106-0x0000000000320000-0x0000000000644000-memory.dmp	family_quasar
behavioral1/memory/1360-117-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
behavioral1/memory/1584-128-0x0000000000DD0000-0x00000000010F4000-memory.dmp	family_quasar
behavioral1/memory/2688-139-0x0000000000F80000-0x00000000012A4000-memory.dmp	family_quasar
behavioral1/memory/2008-151-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2504	2klz.exe
2884	2klz.exe
576	2klz.exe
1348	2klz.exe
2516	2klz.exe
956	2klz.exe
864	2klz.exe
1568	2klz.exe
2748	2klz.exe
2168	2klz.exe
1360	2klz.exe
1584	2klz.exe
2688	2klz.exe
2008	2klz.exe
2204	2klz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2476	PING.EXE
2896	PING.EXE
2776	PING.EXE
1984	PING.EXE
1528	PING.EXE
940	PING.EXE
2744	PING.EXE
3036	PING.EXE
1788	PING.EXE
3012	PING.EXE
1780	PING.EXE
1004	PING.EXE
2380	PING.EXE
2784	PING.EXE
2320	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2380	PING.EXE
2784	PING.EXE
2776	PING.EXE
3036	PING.EXE
1780	PING.EXE
1788	PING.EXE
1528	PING.EXE
3012	PING.EXE
940	PING.EXE
2744	PING.EXE
2476	PING.EXE
2320	PING.EXE
2896	PING.EXE
1984	PING.EXE
1004	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95.exe
Token: SeDebugPrivilege	2504	2klz.exe
Token: SeDebugPrivilege	2884	2klz.exe
Token: SeDebugPrivilege	576	2klz.exe
Token: SeDebugPrivilege	1348	2klz.exe
Token: SeDebugPrivilege	2516	2klz.exe
Token: SeDebugPrivilege	956	2klz.exe
Token: SeDebugPrivilege	864	2klz.exe
Token: SeDebugPrivilege	1568	2klz.exe
Token: SeDebugPrivilege	2748	2klz.exe
Token: SeDebugPrivilege	2168	2klz.exe
Token: SeDebugPrivilege	1360	2klz.exe
Token: SeDebugPrivilege	1584	2klz.exe
Token: SeDebugPrivilege	2688	2klz.exe
Token: SeDebugPrivilege	2008	2klz.exe
Token: SeDebugPrivilege	2204	2klz.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2504	2klz.exe
2884	2klz.exe
576	2klz.exe
1348	2klz.exe
2516	2klz.exe
956	2klz.exe
864	2klz.exe
1568	2klz.exe
2748	2klz.exe
2168	2klz.exe
1360	2klz.exe
1584	2klz.exe
2688	2klz.exe
2008	2klz.exe
2204	2klz.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2504	2klz.exe
2884	2klz.exe
576	2klz.exe
1348	2klz.exe
2516	2klz.exe
956	2klz.exe
864	2klz.exe
1568	2klz.exe
2748	2klz.exe
2168	2klz.exe
1360	2klz.exe
1584	2klz.exe
2688	2klz.exe
2008	2klz.exe
2204	2klz.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2504	2klz.exe
576	2klz.exe
2168	2klz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2504	3008	15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95.exe	30
PID 3008 wrote to memory of 2504	3008	15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95.exe	30
PID 3008 wrote to memory of 2504	3008	15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95.exe	30
PID 2504 wrote to memory of 2784	2504	2klz.exe	31
PID 2504 wrote to memory of 2784	2504	2klz.exe	31
PID 2504 wrote to memory of 2784	2504	2klz.exe	31
PID 2784 wrote to memory of 2848	2784	cmd.exe	33
PID 2784 wrote to memory of 2848	2784	cmd.exe	33
PID 2784 wrote to memory of 2848	2784	cmd.exe	33
PID 2784 wrote to memory of 2744	2784	cmd.exe	34
PID 2784 wrote to memory of 2744	2784	cmd.exe	34
PID 2784 wrote to memory of 2744	2784	cmd.exe	34
PID 2784 wrote to memory of 2884	2784	cmd.exe	36
PID 2784 wrote to memory of 2884	2784	cmd.exe	36
PID 2784 wrote to memory of 2884	2784	cmd.exe	36
PID 2884 wrote to memory of 2624	2884	2klz.exe	37
PID 2884 wrote to memory of 2624	2884	2klz.exe	37
PID 2884 wrote to memory of 2624	2884	2klz.exe	37
PID 2624 wrote to memory of 3040	2624	cmd.exe	39
PID 2624 wrote to memory of 3040	2624	cmd.exe	39
PID 2624 wrote to memory of 3040	2624	cmd.exe	39
PID 2624 wrote to memory of 3036	2624	cmd.exe	40
PID 2624 wrote to memory of 3036	2624	cmd.exe	40
PID 2624 wrote to memory of 3036	2624	cmd.exe	40
PID 2624 wrote to memory of 576	2624	cmd.exe	41
PID 2624 wrote to memory of 576	2624	cmd.exe	41
PID 2624 wrote to memory of 576	2624	cmd.exe	41
PID 576 wrote to memory of 1948	576	2klz.exe	42
PID 576 wrote to memory of 1948	576	2klz.exe	42
PID 576 wrote to memory of 1948	576	2klz.exe	42
PID 1948 wrote to memory of 1344	1948	cmd.exe	44
PID 1948 wrote to memory of 1344	1948	cmd.exe	44
PID 1948 wrote to memory of 1344	1948	cmd.exe	44
PID 1948 wrote to memory of 1780	1948	cmd.exe	45
PID 1948 wrote to memory of 1780	1948	cmd.exe	45
PID 1948 wrote to memory of 1780	1948	cmd.exe	45
PID 1948 wrote to memory of 1348	1948	cmd.exe	46
PID 1948 wrote to memory of 1348	1948	cmd.exe	46
PID 1948 wrote to memory of 1348	1948	cmd.exe	46
PID 1348 wrote to memory of 2420	1348	2klz.exe	47
PID 1348 wrote to memory of 2420	1348	2klz.exe	47
PID 1348 wrote to memory of 2420	1348	2klz.exe	47
PID 2420 wrote to memory of 2480	2420	cmd.exe	49
PID 2420 wrote to memory of 2480	2420	cmd.exe	49
PID 2420 wrote to memory of 2480	2420	cmd.exe	49
PID 2420 wrote to memory of 1004	2420	cmd.exe	50
PID 2420 wrote to memory of 1004	2420	cmd.exe	50
PID 2420 wrote to memory of 1004	2420	cmd.exe	50
PID 2420 wrote to memory of 2516	2420	cmd.exe	51
PID 2420 wrote to memory of 2516	2420	cmd.exe	51
PID 2420 wrote to memory of 2516	2420	cmd.exe	51
PID 2516 wrote to memory of 1456	2516	2klz.exe	52
PID 2516 wrote to memory of 1456	2516	2klz.exe	52
PID 2516 wrote to memory of 1456	2516	2klz.exe	52
PID 1456 wrote to memory of 2572	1456	cmd.exe	54
PID 1456 wrote to memory of 2572	1456	cmd.exe	54
PID 1456 wrote to memory of 2572	1456	cmd.exe	54
PID 1456 wrote to memory of 2476	1456	cmd.exe	55
PID 1456 wrote to memory of 2476	1456	cmd.exe	55
PID 1456 wrote to memory of 2476	1456	cmd.exe	55
PID 1456 wrote to memory of 956	1456	cmd.exe	56
PID 1456 wrote to memory of 956	1456	cmd.exe	56
PID 1456 wrote to memory of 956	1456	cmd.exe	56
PID 956 wrote to memory of 1916	956	2klz.exe	57

C:\Users\Admin\AppData\Local\Temp\15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95.exe
"C:\Users\Admin\AppData\Local\Temp\15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\37YEYj4AxIan.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2848
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2744
  - - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Oc3OO5vDISp.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3040
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
      - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYoldNT4fxxW.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZFlTEMgakwGb.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cia49AwzHqdY.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iX0tILY497uu.bat" "
        13⤵
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sxw5XsWHmEM6.bat" "
        15⤵
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HhjRgj0gPZSj.bat" "
        17⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOK8WpKZiyBS.bat" "
        19⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwCMtURfaI6B.bat" "
        21⤵
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1360
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\T4Aon5bUdtbZ.bat" "
        23⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mrdTefHdYvJN.bat" "
        25⤵
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nlPnQkzlWzt3.bat" "
        27⤵
        
        PID:1456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\J3gfM6UM8fXd.bat" "
        29⤵
        
        PID:392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9M8d2KJ1bO19.bat" "
        31⤵
        
        PID:2436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37YEYj4AxIan.bat

Filesize
205B

MD5
5a98a744946fd5bc4aa6b8c83490bd64

SHA1
f37b89511db03dd240328f518cd1c8dccf08767a

SHA256
2e928af396bf52ae2c1c12388df1b6c51b92bcf1f569a49c0f4195f2083585da

SHA512
42a8b4712821e18d3c6077c1448eac30dde3261923ffe5456a490ca653cc9bcd7ac2213715b2991e5487cd001d24968216a0d868c70e54bee98e817bbdae08a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Oc3OO5vDISp.bat

Filesize
205B

MD5
87c92131ba1f71eb2cd588415a11304c

SHA1
be54ac1c6956b43e51717af33e4e1f37825fea47

SHA256
7898fe36b3cb6a4c8e12cb0ac0ab6d3a2580ab6687962391043e5c72adfb9d07

SHA512
f27785598f1c81699b02c75e6bc0c7d79b9aa36b7cc1c32a6d4dd07d55fd8d3c024b0ab59bc73e91ede8e75411b38859adecd90cfeb9ee8e14109cafe2966783

Download Submit
C:\Users\Admin\AppData\Local\Temp\9M8d2KJ1bO19.bat

Filesize
205B

MD5
322eba5ccbe48837f359ce153e3cca66

SHA1
8dc84eb7d49f36834100e0bddc5736d2b3b48baf

SHA256
358b7d4e67bc67688cefe1ed7915c2ef6512c568fd4a78ce8834cc57bd0f5fb7

SHA512
3d3aec1e1f39c85783c21d464c5963f045e2a47e294a5b81d67b30ffe5182ddf8aca0ae555c53206a36c4b29529a55559973ca605741316336c8ecb6bbcf8f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HhjRgj0gPZSj.bat

Filesize
205B

MD5
d2472ea77ac93e3bf88ccf19a7f1ca3f

SHA1
6db666480c455b3ae983a343cda0b92106f916d1

SHA256
067370dbcb861a28bf6ee826feed5b345092abb6638d7b09c45a2e22d1f56817

SHA512
ef4f0f6f601c61c56a6eaa3f00eff9d1eb7befe05f0d83d49b3e6dc0f46009c98f36e4b5b8c0adca6aaa9b023547cb5a793f33f45fac09b36b55bd16eb315c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\J3gfM6UM8fXd.bat

Filesize
205B

MD5
02859a99c72781f291a6c34706bf7794

SHA1
a3f0f0870418ee45b5e55f89b5ffd62ff39b7587

SHA256
67634e41eecf9f5c27d491b12f65932df6e64fad53f50afccbd66fae66500a4e

SHA512
1dfad715c1d69fd8b0bc3e3e4b78c4b6a65dbcb7fad12134ddfbe94782fc56f837adc269f5357e79f8179bd5913df6f7cc3d6eb1f8fd01392fdd497babfe152c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sxw5XsWHmEM6.bat

Filesize
205B

MD5
17c49375631f9497ead9be29ab82027b

SHA1
1ad1804a572305e9b824278e0fa47b3de65de859

SHA256
0f2b8dfe5b2a430debfa16044601ddcd5f3aeec8c7317816cedbd608502d3c12

SHA512
800728cee1c16aba1aee1f79009ac8755f718031d3fe0ac3c5ce0d832cc5f4df52d11975f6e94247af29563ad64572413b17bf573db269706286794547dacef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\T4Aon5bUdtbZ.bat

Filesize
205B

MD5
0484bb0c04baf0ca6d99471f46bebbe0

SHA1
4c5e99f360b4ba1ff5ee071ce8a6a0c1ae6a0c52

SHA256
53f87bb7f7b9bb20197739f1a4414f002225d91974c286b4e90874f4100d90c1

SHA512
56d50946bd23993685ee213fce90baec9af03c5f249c48b5626ca0b4f49048a4455a43902e3e2a29886c3639864dd2ed5c5875d10349266ac50c2e865d3c8662

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOK8WpKZiyBS.bat

Filesize
205B

MD5
7c31a69cc267ed92ec3f8e28c751db07

SHA1
d75d56ae2b748c3450c0e296e4d21555648ca6ed

SHA256
f145247757ab0f135f71fff8d72759900dfa8e040a68dcf0372aedd1a393e68b

SHA512
1c8ac8ec47b63e66e23f487479bf373d5c28e775fe4d54873a695903302eee2505d607c71f80d6cc35b701e2be02d8da93973b3edb61c553e789c05f661a752a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFlTEMgakwGb.bat

Filesize
205B

MD5
67732423de85aaa48af3b54dc1e8ad29

SHA1
8c167e5560c00ac15ee70f4a5a02f17dd96a9d1c

SHA256
b0bfcca8a60ac4ab7a21ad5f818f2b24d571f293ce228be734dfb5515073a28d

SHA512
a25511a133979a6c39edacc021b28a708ad06a40ae2838d28161051cab4a97e41bbde83f75142bd17509a625d0fea470cf56edf108a16ad28f4a7bc6ac0f834f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cia49AwzHqdY.bat

Filesize
205B

MD5
27a408f91ebf4bfe2c6a9c71aec93805

SHA1
7e0dfddfe2565c5c2f21d24dbc4f7c641dc70a8e

SHA256
811306a85848ed55f9c15f05d417fc44e4c0235928870ef63a8103a7aaca6138

SHA512
306db4b5d28de0ead8b94d447898afde92babad5721ec04f37180cc000d2272947955663644db6069e2cd6280f2e1f17b02123a4739b8562ebd07038f9b622c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYoldNT4fxxW.bat

Filesize
205B

MD5
3ba608414c956ba9b1438798cee3d96d

SHA1
4f4aa745272ca783de3825e76509122d59156d24

SHA256
192835cbe9e967e10125cfaaecfdda4f0c432ec01f13aa8dc379d9acca059302

SHA512
126cea8eda80561a649fb26d51067f4361de563b8433158966a45806a71c6e2dd624a07612dbac3c2a8a0a8c13e9444df8b80d898845919caf7380f802a46b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\iX0tILY497uu.bat

Filesize
205B

MD5
5831567e82212002779653c1727c0d7e

SHA1
f77588223302a3d2f98e7331fd06c8c5f0ae851d

SHA256
5818402d88410a509af4a578b0626bfb868b973e0fe688394288a0ee48990829

SHA512
ff57ac47635ef491a473ddd57218069fe3e819ecaa2e4e45b7d991c0c1cdd29a77dc97481b8f5b2224a0b6c30a603b5fc88c97cafcb576ddf363b55fd874bba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrdTefHdYvJN.bat

Filesize
205B

MD5
d89b2065e55c5148212438ea6ff5f5ec

SHA1
a185713dc89fdb7e7b0c5e8619b25b4aefd145c3

SHA256
e0338027c706b752b4216d563434c89770dcaffaf8a9ed30929eb70f93bf6015

SHA512
c36ed78424ad93615d6ccfee83e87355288602c228acb31b1c481e0fd940e1007ccd9a72eb5f3cbb53c3d43a4961c76e7460e6cc2b3f274f58227ac39626e179

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlPnQkzlWzt3.bat

Filesize
205B

MD5
83fe45128bd134ea5452ee0552788a3f

SHA1
669b1843bdd5bb231d9fd31e20c42022849dd2c2

SHA256
cb7ad94eb3032f6dd1e4520510f86fe99330a681c5d96929b20c523ca7078eab

SHA512
9fa36c5420c236cb72c7d0b96fd5271988fcb323d32ec8d98d1fe8e8b5521afd1eb08d35e084886301c36659e4195863995a9d2f6b6fa0927acf9fdd30d0d049

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwCMtURfaI6B.bat

Filesize
205B

MD5
99ec4adce09267858bd00b6f29beac21

SHA1
f7fc3bbf4d6adb534c7bd8994abe9a923154c0f6

SHA256
eb70024fae087f6d0714c5e5bef0d037c427ef1d3874b7223f7ff62c148eaa8c

SHA512
c133c4d52396016450c22d141772a7b45779b6041e7e3e5c472108d629d54186fa6f21f6b56cc5010546339a8c1eff4de51d90657c4c62f4fe26eb10561062c7

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe

Filesize
3.1MB

MD5
01cb0e497f40e7d02f93255475f175e1

SHA1
98c779497d6514b91cd1410f627a5320f6b3eab5

SHA256
15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

SHA512
fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

Download Submit
memory/1360-117-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/1568-85-0x0000000001210000-0x0000000001534000-memory.dmp

Filesize
3.1MB

Download
memory/1584-128-0x0000000000DD0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/2008-151-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/2168-106-0x0000000000320000-0x0000000000644000-memory.dmp

Filesize
3.1MB

Download
memory/2504-9-0x0000000001140000-0x0000000001464000-memory.dmp

Filesize
3.1MB

Download
memory/2504-8-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-10-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-21-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-139-0x0000000000F80000-0x00000000012A4000-memory.dmp

Filesize
3.1MB

Download
memory/3008-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

Filesize
4KB

Download
memory/3008-11-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-1-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download