quasar | 69fbca1394d5efdfd1973a67d5679a1312def1a1a10280499bf2dc9aeb143ab2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nigger.exe
Size

3.1MB
MD5

845a2dbcbf3dc2c02816d5f8f40f8c31
SHA1

a8455efb6ba57174000a4545eeb0b8ffc00ce4f2
SHA256

69fbca1394d5efdfd1973a67d5679a1312def1a1a10280499bf2dc9aeb143ab2
SHA512

418c71294087aa7b8fbd5c9b13c74fb7a23ec1576a478f1371dd6d02c1d5a26c479094fbcbdb0d96df43dc924b58ff6efbfad89d4b304a8d6fe9245fae5b20ed
SSDEEP

49152:DvTlL26AaNeWgPhlmVqvMQ7XSKZZwbhIarNUoGdiTHHB72eh2NT:DvJL26AaNeWgPhlmVqkQ7XSKrAhY

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pre-write.gl.at.ply.gg:62773:3689

Mutex

09827d08-4f88-4bee-b8ca-67037feaa38c

Attributes

encryption_key
A23940D6648448640871767639F1B4B0ABAD5298
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/1796-1-0x00000000004E0000-0x0000000000804000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	nigger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2776	PING.EXE
2968	PING.EXE
1204	PING.EXE
628	PING.EXE
2836	PING.EXE
3100	PING.EXE
1692	PING.EXE
1924	PING.EXE
2484	PING.EXE
1292	PING.EXE
4796	PING.EXE
3460	PING.EXE
3584	PING.EXE
1172	PING.EXE
3620	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1692	PING.EXE
3100	PING.EXE
1924	PING.EXE
2776	PING.EXE
628	PING.EXE
2484	PING.EXE
3620	PING.EXE
3584	PING.EXE
2836	PING.EXE
3460	PING.EXE
1204	PING.EXE
1292	PING.EXE
4796	PING.EXE
2968	PING.EXE
1172	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	nigger.exe
Token: SeDebugPrivilege	2932	nigger.exe
Token: SeDebugPrivilege	2564	nigger.exe
Token: SeDebugPrivilege	756	nigger.exe
Token: SeDebugPrivilege	3968	nigger.exe
Token: SeDebugPrivilege	4528	nigger.exe
Token: SeDebugPrivilege	216	nigger.exe
Token: SeDebugPrivilege	4268	nigger.exe
Token: SeDebugPrivilege	4700	nigger.exe
Token: SeDebugPrivilege	4476	nigger.exe
Token: SeDebugPrivilege	4104	nigger.exe
Token: SeDebugPrivilege	3604	nigger.exe
Token: SeDebugPrivilege	1856	nigger.exe
Token: SeDebugPrivilege	1844	nigger.exe
Token: SeDebugPrivilege	2080	nigger.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1796	nigger.exe
2932	nigger.exe
2564	nigger.exe
756	nigger.exe
3968	nigger.exe
4528	nigger.exe
216	nigger.exe
4268	nigger.exe
4700	nigger.exe
4476	nigger.exe
4104	nigger.exe
3604	nigger.exe
1856	nigger.exe
1844	nigger.exe
2080	nigger.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1796	nigger.exe
2932	nigger.exe
2564	nigger.exe
756	nigger.exe
3968	nigger.exe
4528	nigger.exe
216	nigger.exe
4268	nigger.exe
4700	nigger.exe
4476	nigger.exe
4104	nigger.exe
3604	nigger.exe
1856	nigger.exe
1844	nigger.exe
2080	nigger.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 3012	1796	nigger.exe	84
PID 1796 wrote to memory of 3012	1796	nigger.exe	84
PID 3012 wrote to memory of 3972	3012	cmd.exe	86
PID 3012 wrote to memory of 3972	3012	cmd.exe	86
PID 3012 wrote to memory of 2484	3012	cmd.exe	87
PID 3012 wrote to memory of 2484	3012	cmd.exe	87
PID 3012 wrote to memory of 2932	3012	cmd.exe	97
PID 3012 wrote to memory of 2932	3012	cmd.exe	97
PID 2932 wrote to memory of 3472	2932	nigger.exe	99
PID 2932 wrote to memory of 3472	2932	nigger.exe	99
PID 3472 wrote to memory of 1284	3472	cmd.exe	101
PID 3472 wrote to memory of 1284	3472	cmd.exe	101
PID 3472 wrote to memory of 3620	3472	cmd.exe	102
PID 3472 wrote to memory of 3620	3472	cmd.exe	102
PID 3472 wrote to memory of 2564	3472	cmd.exe	108
PID 3472 wrote to memory of 2564	3472	cmd.exe	108
PID 2564 wrote to memory of 4080	2564	nigger.exe	110
PID 2564 wrote to memory of 4080	2564	nigger.exe	110
PID 4080 wrote to memory of 3068	4080	cmd.exe	112
PID 4080 wrote to memory of 3068	4080	cmd.exe	112
PID 4080 wrote to memory of 1292	4080	cmd.exe	113
PID 4080 wrote to memory of 1292	4080	cmd.exe	113
PID 4080 wrote to memory of 756	4080	cmd.exe	117
PID 4080 wrote to memory of 756	4080	cmd.exe	117
PID 756 wrote to memory of 4324	756	nigger.exe	119
PID 756 wrote to memory of 4324	756	nigger.exe	119
PID 4324 wrote to memory of 1656	4324	cmd.exe	121
PID 4324 wrote to memory of 1656	4324	cmd.exe	121
PID 4324 wrote to memory of 4796	4324	cmd.exe	122
PID 4324 wrote to memory of 4796	4324	cmd.exe	122
PID 4324 wrote to memory of 3968	4324	cmd.exe	124
PID 4324 wrote to memory of 3968	4324	cmd.exe	124
PID 3968 wrote to memory of 3788	3968	nigger.exe	126
PID 3968 wrote to memory of 3788	3968	nigger.exe	126
PID 3788 wrote to memory of 4940	3788	cmd.exe	128
PID 3788 wrote to memory of 4940	3788	cmd.exe	128
PID 3788 wrote to memory of 2968	3788	cmd.exe	129
PID 3788 wrote to memory of 2968	3788	cmd.exe	129
PID 3788 wrote to memory of 4528	3788	cmd.exe	131
PID 3788 wrote to memory of 4528	3788	cmd.exe	131
PID 4528 wrote to memory of 3136	4528	nigger.exe	133
PID 4528 wrote to memory of 3136	4528	nigger.exe	133
PID 3136 wrote to memory of 2512	3136	cmd.exe	135
PID 3136 wrote to memory of 2512	3136	cmd.exe	135
PID 3136 wrote to memory of 1692	3136	cmd.exe	136
PID 3136 wrote to memory of 1692	3136	cmd.exe	136
PID 3136 wrote to memory of 216	3136	cmd.exe	139
PID 3136 wrote to memory of 216	3136	cmd.exe	139
PID 216 wrote to memory of 5000	216	nigger.exe	141
PID 216 wrote to memory of 5000	216	nigger.exe	141
PID 5000 wrote to memory of 3940	5000	cmd.exe	143
PID 5000 wrote to memory of 3940	5000	cmd.exe	143
PID 5000 wrote to memory of 3460	5000	cmd.exe	144
PID 5000 wrote to memory of 3460	5000	cmd.exe	144
PID 5000 wrote to memory of 4268	5000	cmd.exe	146
PID 5000 wrote to memory of 4268	5000	cmd.exe	146
PID 4268 wrote to memory of 3068	4268	nigger.exe	148
PID 4268 wrote to memory of 3068	4268	nigger.exe	148
PID 3068 wrote to memory of 4620	3068	cmd.exe	150
PID 3068 wrote to memory of 4620	3068	cmd.exe	150
PID 3068 wrote to memory of 3100	3068	cmd.exe	151
PID 3068 wrote to memory of 3100	3068	cmd.exe	151
PID 3068 wrote to memory of 4700	3068	cmd.exe	153
PID 3068 wrote to memory of 4700	3068	cmd.exe	153

C:\Users\Admin\AppData\Local\Temp\nigger.exe
"C:\Users\Admin\AppData\Local\Temp\nigger.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noeauescwlS2.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3972
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2484
- - C:\Users\Admin\AppData\Local\Temp\nigger.exe
    "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcs3j8EhORET.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1284
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I92Woz7q3L7a.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hM0u29wYHQ6J.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f6Yuw6BiAzKK.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ne54yfluJT5U.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWp3c7yEiNyV.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NfJ7L3HVxI3K.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ov2pzqKbIVww.bat" "
        18⤵
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F6ceNwXTmGmz.bat" "
        20⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ntII1qzxZO6Z.bat" "
        22⤵
        
        PID:3596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f3hdcvLX4ixw.bat" "
        24⤵
        
        PID:1788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JtIV6yyevf1d.bat" "
        26⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R3LqtYbdg76e.bat" "
        28⤵
        
        PID:4912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\nigger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BvMCc7xTlXzQ.bat" "
        30⤵
        
        PID:624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nigger.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvMCc7xTlXzQ.bat

Filesize
203B

MD5
310a1504f0f79b9eefb6aa4f0a67240c

SHA1
94ad139210fc12c71e93703e114d3f7bb46508fd

SHA256
5744739689d5887e0fc232c3ade8e4f9311cc518c800ff90ea23b74f03172a84

SHA512
72f18bb0af049dd3c35f9a88da9a3ab54d69fd4cc9a8f0a7b2db62eb4278f922a312d78ac325e72dfa5c4a7ad06470bf07da703e44bed81060eaca044cc56205

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6ceNwXTmGmz.bat

Filesize
203B

MD5
88ac3ea2f0714277aaff965b8d880e69

SHA1
0a22b10a2ab63bbdc65d202c068964e36da6c8c9

SHA256
7276a991a2580fb3bca0c16eb60e01fb096bc793147de2f35f65964cf3baa09a

SHA512
25386727030c9a64bbf86648f84dc88d295719b1ce336b5873c4ab85fa212c403e7e55f785503db67138c8cc843f7ab7c4976cb61712dbbca54aafb1bcad4355

Download Submit
C:\Users\Admin\AppData\Local\Temp\I92Woz7q3L7a.bat

Filesize
203B

MD5
df69c22a7fef3ff4c6bb687de2c14c75

SHA1
10447a793e033d9e3fe5e71c5e60fdbd72dcf88c

SHA256
dc780c7b04a74cf5e13536d676a2b7e311f7b6b3b858d97f9bbcd2f9053577d8

SHA512
1cf8a4f65f2d3b0c03a5050df62570da2e8c87e80a65ae8655a138529b19b5c1830bf0500606ce5b08751ed53d05ddcfa852a1610f583c99273f6a7e68e97164

Download Submit
C:\Users\Admin\AppData\Local\Temp\JtIV6yyevf1d.bat

Filesize
203B

MD5
c9122047d3e9be3a63aa26d98edb0035

SHA1
cb5772d90965d37718d3df29ac7b4b8b8ac888ca

SHA256
cefe2030dbc0fd43ecd1e0f459e56a7c8e7d4156ed69f3957fcfb3fc963970b5

SHA512
825824407cad5ef55be3f0de30ee14a0b16f7ad83af6d7f98fab12ddbfdea37c5f2541b3dd50f97e0819ae6084c6e67cb5a6c1b09185b382a310df38931f42cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfJ7L3HVxI3K.bat

Filesize
203B

MD5
8e70386ba67394129122224488bc38d6

SHA1
1a94253506bdbe8f54ab195b3ba0709c04794b89

SHA256
5ba9a5675ec4d6afeb9023ec2cb58a396086ec2cd4fad2beb0192b386baef77b

SHA512
94f0d53cc5a4bc21c0a94ae4601184b87fcfba09b7e70da9e4332a61bf62e741cb6ffc0b719bc27898ac7c0bb7c83dca194ac5b85318d9be0f3d40d49511b746

Download Submit
C:\Users\Admin\AppData\Local\Temp\R3LqtYbdg76e.bat

Filesize
203B

MD5
aad9de78b95e47d70f1ff3792e0af5e5

SHA1
7edde9de55bf6ceaf0c3707e17f92a6a50433daa

SHA256
3d64e68578cfa81970ccb355554bf816b722f159a16f53efcd72088d206c2bae

SHA512
b088dc01016eee2476b23dba02979247d75519e16d2175f69d17c8a9b122c0bc863a0fa82b69054de69ee7cc197aa06803e44a49825df5c4927583ca6244e34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3hdcvLX4ixw.bat

Filesize
203B

MD5
f2617571c7fd2400971c7a6d0fa4699d

SHA1
094add013c83b3d022c17ffea48df8daba90489a

SHA256
970e97f2bc36038a845329d96537f6cca0202cb5400ad42b95e4793747be65a7

SHA512
bb1f190d6efeb88fabf981c0a05ebb869fac5956acc1c1f2ff15c681017f5dadf14614b75d3c5987b95569eed2da9363832cc34d50b4a5b5db9addc78db4912b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6Yuw6BiAzKK.bat

Filesize
203B

MD5
3d73cb28fcc7be1c4fbbdcb7c2071121

SHA1
5bf0bdf7757ef1c1c8be2617451df166974a7a7c

SHA256
af74918e4a2db6842226cda37779509df16b251fed249459be63f86ecf6505c8

SHA512
247102d08ca13410e1ea6494fe2f6e98fb5118bc9bc14b46b880d97816ab2d31a400a5b9e29f787d0666a6adbb4666fe5a9039a43f0e206b8a1d9f720eaf7be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hM0u29wYHQ6J.bat

Filesize
203B

MD5
4ca77ab9fdc5d4da5c50812e71c16539

SHA1
a8c27659a04715ddf9d98e517683744dd7696215

SHA256
6e171417bdbfaaa819d49d449178a85c9f13e1dda45053354231a9d2917c3aef

SHA512
a88d10d39680b6d105a023d814355b6c33531d7f641f4f78aacc870fcad6f56ec300bd67345034efb3236dcb5e0b8c86255e599f081eb60abff1b392ef0c51db

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWp3c7yEiNyV.bat

Filesize
203B

MD5
5a2035b1df66a88af1ef9cdd79ef3101

SHA1
bc9cb8dfca11f903ace96b18b93d6a061f73440a

SHA256
634db90b7abff3b663360e8bde7cd7dc88d142c38fb1261ab3100036ff44e831

SHA512
870a74fe9dddda8b3d6a06cd89ee0903e68266d912be07b28615cebd976b067e9d9640060aba5d330adbe9f569de03a023abc3488a50b613fb4e533a98e97498

Download Submit
C:\Users\Admin\AppData\Local\Temp\ne54yfluJT5U.bat

Filesize
203B

MD5
a862dec78476d808fb7d13aa35117680

SHA1
6482812ac10a4b78375d7169132f8d0875704947

SHA256
6c0e8be480fde72a81c16affac36006ad69a631f4bb8a72c5838fecfde648a24

SHA512
b60fb807764a3f954cf08aaba10444e24fa1534134f08fda72eabcd63cb666c74ab26ca9dab46cef90bb499687c9e511c8ca4891f15bdc6fde04e63fc7c47d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\noeauescwlS2.bat

Filesize
203B

MD5
f6bd06f554e2765a55508ec804037150

SHA1
192e2fb62f19a2503a4e402b4b1210d318a87eaf

SHA256
bcb7bc8c5f927af5f50343b3e74e298a87f7acba47483bed69c0b7b25c7e03ef

SHA512
6cc21d993d9ae87cca536c8d5cf5d3dcc4675ad9d278518c21dcb85f23228ba6830acdc5a4ca1e08526e65020dfede181da268f94a7ed00e0b8bfc003a37f44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntII1qzxZO6Z.bat

Filesize
203B

MD5
9700727230c41ca6be954aee34b8c7d5

SHA1
2b609d010c4a263c5c97d739e187756f4bf01a23

SHA256
2d27e138b25323c47f77c23bc4caa0d7ceaa7197b4350fa205fab01fe6cf2da6

SHA512
dfe83ff4bc20d84c9f9ef1faeebaa831d345cc1c3c82ca9660622de605805a24c19562d5bcb07806e5cf4927dd7c7de3c136071d36779be4a7a2887b79910a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ov2pzqKbIVww.bat

Filesize
203B

MD5
1224a8c7cddabf05fd87b22d74fc22d8

SHA1
4c800e27b1ad5302bb391e119277e97ba2a8ecdf

SHA256
800230688bd0598aa58d8e96367b5efe542ee74cb63b28f458d10bbf78a3c893

SHA512
51d17cde1b829425bc17c423b1873e15ac3733ae46baec294d6623dfd3347806814211405eb2a9277245a4acbca24da451e842df0163ec614a2d4f07486c729d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcs3j8EhORET.bat

Filesize
203B

MD5
9345a1630fd3f5eb552b03e48a1b70d7

SHA1
70a92319a06b566eb2a36ebad25ff5c9c560c935

SHA256
48fe8271d0e20565ff06ee51eff5008d2be44ee686ea22b424f368dd965a2efe

SHA512
1d11ba3a878f86efe4dbcfee375643bf391ca016079cb7c9e58ad261052654d2a60024a6057b1c9def44c2a78c9f300ff9d534f7f328ee65241dbc5258223981

Download Submit
memory/1796-0-0x00007FFE642D3000-0x00007FFE642D5000-memory.dmp

Filesize
8KB

Download
memory/1796-9-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/1796-4-0x000000001D880000-0x000000001D932000-memory.dmp

Filesize
712KB

Download
memory/1796-3-0x000000001D770000-0x000000001D7C0000-memory.dmp

Filesize
320KB

Download
memory/1796-2-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/1796-1-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/2932-12-0x00007FFE63D80000-0x00007FFE64841000-memory.dmp

Filesize
10.8MB

Download
memory/2932-16-0x00007FFE63D80000-0x00007FFE64841000-memory.dmp

Filesize
10.8MB

Download