quasar | 22e0e3319b3a845ef2c6f8a5efdcb3612ba9561fcdf5c70b8e95cc26d959ff50

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/01/2025, 16:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wefudoneset.exe
Size

3.1MB
MD5

06838ba1d6af1ff162f4bf79e8f7e451
SHA1

1cf5196a0436fed50538a2bfef6cb14e1f8e30ed
SHA256

22e0e3319b3a845ef2c6f8a5efdcb3612ba9561fcdf5c70b8e95cc26d959ff50
SHA512

e87ca2bf97c7d4d1a4e0857d75a40bd30e009fafdbcd70a905f1818994afd3694abc6680f89c127b8d7a965dd12420d097ac1371da575cfe0872f303a1735c68
SSDEEP

49152:8d9yr29T0PwfnBP6RTgxLul5XHpTTHHB72eh2NT:8dC29TffnB1xLw

Score

10^/10

quasar 1321 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0

Botnet

1321

127.0.0.1:7000

Mutex

b8169f21-b1ab-4cdd-89e8-040d5b4d2b12

Attributes

encryption_key
14277F7D27CB958C695738C76EE5FBECE431CF60
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/2812-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp	family_quasar
behavioral1/memory/2436-13-0x0000000001020000-0x0000000001344000-memory.dmp	family_quasar
behavioral1/memory/1952-23-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/1160-33-0x0000000000840000-0x0000000000B64000-memory.dmp	family_quasar
behavioral1/memory/2596-44-0x0000000001180000-0x00000000014A4000-memory.dmp	family_quasar
behavioral1/memory/2012-54-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/memory/2956-64-0x00000000010D0000-0x00000000013F4000-memory.dmp	family_quasar
behavioral1/memory/2112-74-0x0000000001160000-0x0000000001484000-memory.dmp	family_quasar
behavioral1/memory/1556-84-0x0000000000360000-0x0000000000684000-memory.dmp	family_quasar
behavioral1/memory/2384-104-0x0000000000330000-0x0000000000654000-memory.dmp	family_quasar
behavioral1/memory/1032-114-0x0000000000C70000-0x0000000000F94000-memory.dmp	family_quasar
behavioral1/memory/768-125-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar
behavioral1/memory/1140-136-0x0000000000020000-0x0000000000344000-memory.dmp	family_quasar
behavioral1/memory/932-146-0x0000000000AB0000-0x0000000000DD4000-memory.dmp	family_quasar
behavioral1/memory/1300-157-0x0000000000CA0000-0x0000000000FC4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1676	PING.EXE
2892	PING.EXE
2124	PING.EXE
2140	PING.EXE
2380	PING.EXE
2124	PING.EXE
2968	PING.EXE
864	PING.EXE
2840	PING.EXE
2288	PING.EXE
1304	PING.EXE
2336	PING.EXE
1288	PING.EXE
2464	PING.EXE
3028	PING.EXE
2164	PING.EXE

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
2336	PING.EXE
2124	PING.EXE
2288	PING.EXE
2140	PING.EXE
1288	PING.EXE
2968	PING.EXE
864	PING.EXE
2164	PING.EXE
2840	PING.EXE
1304	PING.EXE
2380	PING.EXE
1676	PING.EXE
2124	PING.EXE
2464	PING.EXE
3028	PING.EXE
2892	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2812	wefudoneset.exe
2812	wefudoneset.exe
2436	wefudoneset.exe
2436	wefudoneset.exe
1952	wefudoneset.exe
1952	wefudoneset.exe
1160	wefudoneset.exe
1160	wefudoneset.exe
2596	wefudoneset.exe
2596	wefudoneset.exe
2012	wefudoneset.exe
2012	wefudoneset.exe
2956	wefudoneset.exe
2956	wefudoneset.exe
2112	wefudoneset.exe
2112	wefudoneset.exe
1556	wefudoneset.exe
1556	wefudoneset.exe
2792	wefudoneset.exe
2792	wefudoneset.exe
2384	wefudoneset.exe
2384	wefudoneset.exe
1032	wefudoneset.exe
1032	wefudoneset.exe
768	wefudoneset.exe
768	wefudoneset.exe
1140	wefudoneset.exe
1140	wefudoneset.exe
932	wefudoneset.exe
932	wefudoneset.exe
1300	wefudoneset.exe
1300	wefudoneset.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	wefudoneset.exe
Token: SeDebugPrivilege	2436	wefudoneset.exe
Token: SeDebugPrivilege	1952	wefudoneset.exe
Token: SeDebugPrivilege	1160	wefudoneset.exe
Token: SeDebugPrivilege	2596	wefudoneset.exe
Token: SeDebugPrivilege	2012	wefudoneset.exe
Token: SeDebugPrivilege	2956	wefudoneset.exe
Token: SeDebugPrivilege	2112	wefudoneset.exe
Token: SeDebugPrivilege	1556	wefudoneset.exe
Token: SeDebugPrivilege	2792	wefudoneset.exe
Token: SeDebugPrivilege	2384	wefudoneset.exe
Token: SeDebugPrivilege	1032	wefudoneset.exe
Token: SeDebugPrivilege	768	wefudoneset.exe
Token: SeDebugPrivilege	1140	wefudoneset.exe
Token: SeDebugPrivilege	932	wefudoneset.exe
Token: SeDebugPrivilege	1300	wefudoneset.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2680	2812	wefudoneset.exe	29
PID 2812 wrote to memory of 2680	2812	wefudoneset.exe	29
PID 2812 wrote to memory of 2680	2812	wefudoneset.exe	29
PID 2680 wrote to memory of 2544	2680	cmd.exe	31
PID 2680 wrote to memory of 2544	2680	cmd.exe	31
PID 2680 wrote to memory of 2544	2680	cmd.exe	31
PID 2680 wrote to memory of 1304	2680	cmd.exe	32
PID 2680 wrote to memory of 1304	2680	cmd.exe	32
PID 2680 wrote to memory of 1304	2680	cmd.exe	32
PID 2680 wrote to memory of 2436	2680	cmd.exe	33
PID 2680 wrote to memory of 2436	2680	cmd.exe	33
PID 2680 wrote to memory of 2436	2680	cmd.exe	33
PID 2436 wrote to memory of 2432	2436	wefudoneset.exe	34
PID 2436 wrote to memory of 2432	2436	wefudoneset.exe	34
PID 2436 wrote to memory of 2432	2436	wefudoneset.exe	34
PID 2432 wrote to memory of 2900	2432	cmd.exe	36
PID 2432 wrote to memory of 2900	2432	cmd.exe	36
PID 2432 wrote to memory of 2900	2432	cmd.exe	36
PID 2432 wrote to memory of 2464	2432	cmd.exe	37
PID 2432 wrote to memory of 2464	2432	cmd.exe	37
PID 2432 wrote to memory of 2464	2432	cmd.exe	37
PID 2432 wrote to memory of 1952	2432	cmd.exe	38
PID 2432 wrote to memory of 1952	2432	cmd.exe	38
PID 2432 wrote to memory of 1952	2432	cmd.exe	38
PID 1952 wrote to memory of 1012	1952	wefudoneset.exe	39
PID 1952 wrote to memory of 1012	1952	wefudoneset.exe	39
PID 1952 wrote to memory of 1012	1952	wefudoneset.exe	39
PID 1012 wrote to memory of 1800	1012	cmd.exe	41
PID 1012 wrote to memory of 1800	1012	cmd.exe	41
PID 1012 wrote to memory of 1800	1012	cmd.exe	41
PID 1012 wrote to memory of 2336	1012	cmd.exe	42
PID 1012 wrote to memory of 2336	1012	cmd.exe	42
PID 1012 wrote to memory of 2336	1012	cmd.exe	42
PID 1012 wrote to memory of 1160	1012	cmd.exe	43
PID 1012 wrote to memory of 1160	1012	cmd.exe	43
PID 1012 wrote to memory of 1160	1012	cmd.exe	43
PID 1160 wrote to memory of 1444	1160	wefudoneset.exe	44
PID 1160 wrote to memory of 1444	1160	wefudoneset.exe	44
PID 1160 wrote to memory of 1444	1160	wefudoneset.exe	44
PID 1444 wrote to memory of 2372	1444	cmd.exe	46
PID 1444 wrote to memory of 2372	1444	cmd.exe	46
PID 1444 wrote to memory of 2372	1444	cmd.exe	46
PID 1444 wrote to memory of 1288	1444	cmd.exe	47
PID 1444 wrote to memory of 1288	1444	cmd.exe	47
PID 1444 wrote to memory of 1288	1444	cmd.exe	47
PID 1444 wrote to memory of 2596	1444	cmd.exe	48
PID 1444 wrote to memory of 2596	1444	cmd.exe	48
PID 1444 wrote to memory of 2596	1444	cmd.exe	48
PID 2596 wrote to memory of 1480	2596	wefudoneset.exe	49
PID 2596 wrote to memory of 1480	2596	wefudoneset.exe	49
PID 2596 wrote to memory of 1480	2596	wefudoneset.exe	49
PID 1480 wrote to memory of 3032	1480	cmd.exe	51
PID 1480 wrote to memory of 3032	1480	cmd.exe	51
PID 1480 wrote to memory of 3032	1480	cmd.exe	51
PID 1480 wrote to memory of 3028	1480	cmd.exe	52
PID 1480 wrote to memory of 3028	1480	cmd.exe	52
PID 1480 wrote to memory of 3028	1480	cmd.exe	52
PID 1480 wrote to memory of 2012	1480	cmd.exe	53
PID 1480 wrote to memory of 2012	1480	cmd.exe	53
PID 1480 wrote to memory of 2012	1480	cmd.exe	53
PID 2012 wrote to memory of 2292	2012	wefudoneset.exe	54
PID 2012 wrote to memory of 2292	2012	wefudoneset.exe	54
PID 2012 wrote to memory of 2292	2012	wefudoneset.exe	54
PID 2292 wrote to memory of 2368	2292	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
"C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PxwAI3ScVgld.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2544
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1304
- - C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
    "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\j7ZOQRSpg9sp.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2900
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\g9CkCSr74JUb.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQX0hCBlNhUp.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\viPe1lcmaQXq.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nOGKonm5bctW.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGxl8ByJsQwB.bat" "
        14⤵
        
        PID:572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\V1v2xReZH7pR.bat" "
        16⤵
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoVqCJeN769b.bat" "
        18⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\k0SLbK8NtKQ2.bat" "
        20⤵
        
        PID:2468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ebb0gaQRZoax.bat" "
        22⤵
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        23⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAMza6Rc8m8D.bat" "
        24⤵
        
        PID:1848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        25⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HDdRcTA14KW0.bat" "
        26⤵
        
        PID:808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        27⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0aWp9876Xc8t.bat" "
        28⤵
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        29⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCCmnZTon6Em.bat" "
        30⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        31⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKBxQbScWUVv.bat" "
        32⤵
        
        PID:1108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0aWp9876Xc8t.bat

Filesize
208B

MD5
9510d14ec23d446412ed3174ec560dae

SHA1
019c09c609e0cbe9418fb9c0196a002f08e0830c

SHA256
f20bf17b064e797d12cbf196cab32541ea2b43c37187f42b81b87d5449ae2d3a

SHA512
7ead0c6fffee87c0fabbda3ce368e728ecc142abd841f487e1af5383c730acc7281f4af306bb98eb8d9c62c6d5cb3b1e92418d92cef70db786ce1d908170f013

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoVqCJeN769b.bat

Filesize
208B

MD5
93e0c5cbb2bd68327cc741887252a4fe

SHA1
869efe3083adb2764c6a3b0327f675e1bc4119e6

SHA256
3b79690a8a833a08056756febcec9b6b3b7a58ea3c68a96172e006f2d9cb6be6

SHA512
6b589160c91d3bb97bed608de5347efd0b1009bd8837a7133133500acaf04ef2f848ada754210548fb42c8a180b4120564f774651233fbfb8a584ceeac3d4103

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGxl8ByJsQwB.bat

Filesize
208B

MD5
e8c412f4cf2cf061a4fad8d4c3bcc304

SHA1
91e75201b5b9dc69684ce4733ba28d7f473433f5

SHA256
ad86d610b34c6722520c134d562534b40c7426c3cbeaf5bbea118b2608d4e47a

SHA512
189609124a86690cfff76ec0f4cccb3734037234af99514bd9f4f419411e923e3ce739ca4591ad51318eeaa66c0d68775c3b2f4019e77f924a86cd7f771d037a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCCmnZTon6Em.bat

Filesize
208B

MD5
dad38ddbc5d61ae146b8fd8f48273b82

SHA1
a421c82d7eb7843d1aff5fd20a64b9ce5d88cd29

SHA256
3364a6fcfa1da2d40e65d7497e000a448485c3d9808b1aa719d9db870ef5601f

SHA512
d05fe409f89d01e8986fe97d418883bc5d4fc302321f80bd74a25aebe9a235ecc9b9b392a42646336a62b3db51bae718d0817f6c59cc580942833fd1958dfd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDdRcTA14KW0.bat

Filesize
208B

MD5
8d84b79c1d8573613da654611a4355b5

SHA1
e6da8664dc2c624bcd0d95608ae4a309d5a9431b

SHA256
8b2c5a519dba403fedf5510dea955841ffee8e755897943404685622c8933434

SHA512
00c74d5ada6c87851211ed395206ded69ea68c4ee7d38fb5fca0af45be19fbdf706536c1c783972a4525e1bb04992bead6d150a5f4f4477fdb53665366f609fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\PxwAI3ScVgld.bat

Filesize
208B

MD5
4108de4097d6d917c2c77e8fb49b41f6

SHA1
9d7feabe9055a4ae42b5e49e4be4a06331cd16e2

SHA256
4771624b5aa965fe193fe6f81a9eca87c7cbd441af96b0687eb92efc291c68d9

SHA512
2b1313ffd01f8fef6fc238e46bff18ccc62f0b6fc128fa77e356de4e5a6d541ae4140e1e9e9ee07962ecbd71af8a3a024051d8df05a804eb1d38b76279906c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\V1v2xReZH7pR.bat

Filesize
208B

MD5
538848d6ac31c1d84627ff505f336aac

SHA1
771b1d44120286634be3ad9552a3a9688bd60c8d

SHA256
29a645719ac63a6fa567102766996214fe92b3c13b5bf8526a8adb908d241b19

SHA512
83d8533c18e1295511e2fea21f56a30e0812cdf911b46f8a2fe4bfe8bb58829bd185bbfd0a566692159879ee658fbfa4c65aba12aecadd91ce5f3d9df78160f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAMza6Rc8m8D.bat

Filesize
208B

MD5
c4b5eaefdeda4aa62881fed6f18afd78

SHA1
0265bad72861feb6bae55ed49801129d5cb28b68

SHA256
54ef8e01c658e1b7ee928950e68c0babde42c9c80265b895284e70e685e68a51

SHA512
5d643217ab9b179195c4b67318cd99d07ae76cb77a23263bb9973a6abb724a0090cdeacea3e3fe1e3059a3784db9a66f82272ead36f91361a88423dad0bef021

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb0gaQRZoax.bat

Filesize
208B

MD5
117f4b58225d671d95d830f3bac140e4

SHA1
62f2088b8d22be88e76432f9aaf29b8234cdeed7

SHA256
4d0432b281f83b23aaae19f82579f78ed1060f6702caddab570787ef1590dcae

SHA512
1f8ab5db58808f278aa84ebe6b4d050f0c713619b409811af8fd69427f3d9fe8d14e6b51c0fd46b5060170bd261b0d680de3cc686e437067a7cb673f82145653

Download Submit
C:\Users\Admin\AppData\Local\Temp\g9CkCSr74JUb.bat

Filesize
208B

MD5
313018b98a903adea2c2974d0dffa7eb

SHA1
b1eb8335b565037afa7a07caf67cbcdac1088ce8

SHA256
bd3043ee6fa7f9d19a935766c1e7dd58a17f50ea254bdb1d68cd2c469b210d1c

SHA512
35c92d527579f54d0e29a5963e8e32d0ea5779117ff2e1c283cd6049f6bedf3ecaada24df7f6c77be0e479f9d6354a7ec378557235236a344321e19825fda10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gKBxQbScWUVv.bat

Filesize
208B

MD5
d17f8e1701c498c2971dd25afdb0b806

SHA1
8b3311614f838571b96feb86cba9633492f45383

SHA256
a76aaa127872436f9f4f26f4911e5d2217d1312f9e763fdff462f877e2aa75e9

SHA512
c63fc056936443d4a975281f6ce13d5e4b3287b44cb007fa2c6a96991184f8ab068faf56eaafd340986d818c892b426b365291c17a2daefb5c2ba3387867b7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\j7ZOQRSpg9sp.bat

Filesize
208B

MD5
258caedb33204a890dcc6dc35427cbbe

SHA1
aa0e9275ddd04750e3bbbf20133845d65933f0e9

SHA256
c8568afdca22cd5955a23e6d0cd9f2f53e9407333e1590e55d47ce09e128d6f5

SHA512
6bfe32e9113bb56b9ebfe6c87382d9c8221b0fb025941a5dfc148a5364ff37b92ec728a88b54b5f4d7b53db69837dcb934e91e5d9a67fb04960303b6bc11a062

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0SLbK8NtKQ2.bat

Filesize
208B

MD5
0dba21285705bad1dc14c4685731c068

SHA1
eea93e25b1ad4d386841b207650a94a0e745d9ed

SHA256
e4d30c0930415125154a3dce93efc9dce2841315140bf347a18baf9d0962591d

SHA512
230463a2595e96c0b95b27c17ac3b62aaa6515c0709318a4c3e43708e80594d0190ae8b8c491b29f15861557a2704234015c012d30fde323f1f9f41aa7b1ca52

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQX0hCBlNhUp.bat

Filesize
208B

MD5
405fa53e3be9bcf5e155c9799f6fe95a

SHA1
99a4daaa6fb94a574681145658adf348ecfd7999

SHA256
352ab72f0a4569ddaa5ac4a86fe3d53dfbbaf5d96672542a3b72a5cacab8bfdb

SHA512
9e6385e3702ee0144ff8f3b2237b0ba8f512b6b92c58536a93f1d68fb51fc0690422207749ac6f2c6e19ca0bac6c3a8a0bb3d06ce67d0eb6a72a58a4f6a48e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\nOGKonm5bctW.bat

Filesize
208B

MD5
0c06a6899442d4cd12d42812fffae568

SHA1
4352ac5e84036d1e791948d74484747b4efa9fd5

SHA256
2dcf2e5eb7dbcc04f87d91f656becc9e94a7c2cf344349a4b9fb78e78fb96c0a

SHA512
268a25917a7dc6a2442c725cd034220dbaf353f64ca95186eb7f2591c6396beda6abc07b2f3307fd0e8ba80f321e3b8af7d37d89a1687ab311048de649bc6047

Download Submit
C:\Users\Admin\AppData\Local\Temp\viPe1lcmaQXq.bat

Filesize
208B

MD5
11a72bbe5d5f64728957c1bfc2eebd70

SHA1
95669329777e025abb1c50ecc09a35b343ef76f2

SHA256
0fbefed4609df08cee1dcd2a81c254eb1ad19db1b2764f497f1a396d6d4891bf

SHA512
ff6d273d6e276b12ee93f11231a87823ed2a5df1b2090642948946c3e838be31dce86eb23cf7bfa20ce112ceff055dadda5d8984e57a90a7724c5a7789ac43fd

Download Submit
memory/768-125-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download
memory/932-146-0x0000000000AB0000-0x0000000000DD4000-memory.dmp

Filesize
3.1MB

Download
memory/1032-114-0x0000000000C70000-0x0000000000F94000-memory.dmp

Filesize
3.1MB

Download
memory/1140-136-0x0000000000020000-0x0000000000344000-memory.dmp

Filesize
3.1MB

Download
memory/1160-33-0x0000000000840000-0x0000000000B64000-memory.dmp

Filesize
3.1MB

Download
memory/1300-157-0x0000000000CA0000-0x0000000000FC4000-memory.dmp

Filesize
3.1MB

Download
memory/1556-84-0x0000000000360000-0x0000000000684000-memory.dmp

Filesize
3.1MB

Download
memory/1952-23-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/2012-54-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/2112-74-0x0000000001160000-0x0000000001484000-memory.dmp

Filesize
3.1MB

Download
memory/2384-104-0x0000000000330000-0x0000000000654000-memory.dmp

Filesize
3.1MB

Download
memory/2436-13-0x0000000001020000-0x0000000001344000-memory.dmp

Filesize
3.1MB

Download
memory/2596-44-0x0000000001180000-0x00000000014A4000-memory.dmp

Filesize
3.1MB

Download
memory/2812-11-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-1-0x0000000000EA0000-0x00000000011C4000-memory.dmp

Filesize
3.1MB

Download
memory/2812-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/2956-64-0x00000000010D0000-0x00000000013F4000-memory.dmp

Filesize
3.1MB

Download