quasar | 22e0e3319b3a845ef2c6f8a5efdcb3612ba9561fcdf5c70b8e95cc26d959ff50

Analysis

max time kernel
142s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2025, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wefudoneset.exe
Size

3.1MB
MD5

06838ba1d6af1ff162f4bf79e8f7e451
SHA1

1cf5196a0436fed50538a2bfef6cb14e1f8e30ed
SHA256

22e0e3319b3a845ef2c6f8a5efdcb3612ba9561fcdf5c70b8e95cc26d959ff50
SHA512

e87ca2bf97c7d4d1a4e0857d75a40bd30e009fafdbcd70a905f1818994afd3694abc6680f89c127b8d7a965dd12420d097ac1371da575cfe0872f303a1735c68
SSDEEP

49152:8d9yr29T0PwfnBP6RTgxLul5XHpTTHHB72eh2NT:8dC29TffnB1xLw

Score

10^/10

quasar 1321 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.0

Botnet

1321

127.0.0.1:7000

Mutex

b8169f21-b1ab-4cdd-89e8-040d5b4d2b12

Attributes

encryption_key
14277F7D27CB958C695738C76EE5FBECE431CF60
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4768-1-0x0000000000D40000-0x0000000001064000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wefudoneset.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
548	PING.EXE
1820	PING.EXE
3688	PING.EXE
4156	PING.EXE
2744	PING.EXE
4144	PING.EXE
4388	PING.EXE
472	PING.EXE
788	PING.EXE
760	PING.EXE
1508	PING.EXE
4484	PING.EXE
4492	PING.EXE
516	PING.EXE
4012	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2744	PING.EXE
4484	PING.EXE
4144	PING.EXE
4388	PING.EXE
4492	PING.EXE
516	PING.EXE
3688	PING.EXE
4012	PING.EXE
548	PING.EXE
4156	PING.EXE
472	PING.EXE
1820	PING.EXE
788	PING.EXE
760	PING.EXE
1508	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4768	wefudoneset.exe
4768	wefudoneset.exe
1624	wefudoneset.exe
1624	wefudoneset.exe
2976	wefudoneset.exe
2976	wefudoneset.exe
3452	wefudoneset.exe
3452	wefudoneset.exe
4384	wefudoneset.exe
4384	wefudoneset.exe
2536	wefudoneset.exe
2536	wefudoneset.exe
5044	wefudoneset.exe
5044	wefudoneset.exe
2120	wefudoneset.exe
2120	wefudoneset.exe
4084	wefudoneset.exe
4084	wefudoneset.exe
3208	wefudoneset.exe
3208	wefudoneset.exe
4780	wefudoneset.exe
4780	wefudoneset.exe
2032	wefudoneset.exe
2032	wefudoneset.exe
1556	wefudoneset.exe
1556	wefudoneset.exe
2824	wefudoneset.exe
2824	wefudoneset.exe
3668	wefudoneset.exe
3668	wefudoneset.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	wefudoneset.exe
Token: SeDebugPrivilege	1624	wefudoneset.exe
Token: SeDebugPrivilege	2976	wefudoneset.exe
Token: SeDebugPrivilege	3452	wefudoneset.exe
Token: SeDebugPrivilege	4384	wefudoneset.exe
Token: SeDebugPrivilege	2536	wefudoneset.exe
Token: SeDebugPrivilege	5044	wefudoneset.exe
Token: SeDebugPrivilege	2120	wefudoneset.exe
Token: SeDebugPrivilege	4084	wefudoneset.exe
Token: SeDebugPrivilege	3208	wefudoneset.exe
Token: SeDebugPrivilege	4780	wefudoneset.exe
Token: SeDebugPrivilege	2032	wefudoneset.exe
Token: SeDebugPrivilege	1556	wefudoneset.exe
Token: SeDebugPrivilege	2824	wefudoneset.exe
Token: SeDebugPrivilege	3668	wefudoneset.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 444	4768	wefudoneset.exe	83
PID 4768 wrote to memory of 444	4768	wefudoneset.exe	83
PID 444 wrote to memory of 4476	444	cmd.exe	85
PID 444 wrote to memory of 4476	444	cmd.exe	85
PID 444 wrote to memory of 2744	444	cmd.exe	86
PID 444 wrote to memory of 2744	444	cmd.exe	86
PID 444 wrote to memory of 1624	444	cmd.exe	88
PID 444 wrote to memory of 1624	444	cmd.exe	88
PID 1624 wrote to memory of 4128	1624	wefudoneset.exe	89
PID 1624 wrote to memory of 4128	1624	wefudoneset.exe	89
PID 4128 wrote to memory of 2152	4128	cmd.exe	91
PID 4128 wrote to memory of 2152	4128	cmd.exe	91
PID 4128 wrote to memory of 4484	4128	cmd.exe	92
PID 4128 wrote to memory of 4484	4128	cmd.exe	92
PID 4128 wrote to memory of 2976	4128	cmd.exe	94
PID 4128 wrote to memory of 2976	4128	cmd.exe	94
PID 2976 wrote to memory of 3044	2976	wefudoneset.exe	95
PID 2976 wrote to memory of 3044	2976	wefudoneset.exe	95
PID 3044 wrote to memory of 1412	3044	cmd.exe	97
PID 3044 wrote to memory of 1412	3044	cmd.exe	97
PID 3044 wrote to memory of 4492	3044	cmd.exe	98
PID 3044 wrote to memory of 4492	3044	cmd.exe	98
PID 3044 wrote to memory of 3452	3044	cmd.exe	109
PID 3044 wrote to memory of 3452	3044	cmd.exe	109
PID 3452 wrote to memory of 4880	3452	wefudoneset.exe	110
PID 3452 wrote to memory of 4880	3452	wefudoneset.exe	110
PID 4880 wrote to memory of 2556	4880	cmd.exe	112
PID 4880 wrote to memory of 2556	4880	cmd.exe	112
PID 4880 wrote to memory of 548	4880	cmd.exe	113
PID 4880 wrote to memory of 548	4880	cmd.exe	113
PID 4880 wrote to memory of 4384	4880	cmd.exe	121
PID 4880 wrote to memory of 4384	4880	cmd.exe	121
PID 4384 wrote to memory of 1988	4384	wefudoneset.exe	122
PID 4384 wrote to memory of 1988	4384	wefudoneset.exe	122
PID 1988 wrote to memory of 2032	1988	cmd.exe	124
PID 1988 wrote to memory of 2032	1988	cmd.exe	124
PID 1988 wrote to memory of 516	1988	cmd.exe	125
PID 1988 wrote to memory of 516	1988	cmd.exe	125
PID 1988 wrote to memory of 2536	1988	cmd.exe	127
PID 1988 wrote to memory of 2536	1988	cmd.exe	127
PID 2536 wrote to memory of 1848	2536	wefudoneset.exe	128
PID 2536 wrote to memory of 1848	2536	wefudoneset.exe	128
PID 1848 wrote to memory of 3892	1848	cmd.exe	130
PID 1848 wrote to memory of 3892	1848	cmd.exe	130
PID 1848 wrote to memory of 1820	1848	cmd.exe	131
PID 1848 wrote to memory of 1820	1848	cmd.exe	131
PID 1848 wrote to memory of 5044	1848	cmd.exe	134
PID 1848 wrote to memory of 5044	1848	cmd.exe	134
PID 5044 wrote to memory of 2944	5044	wefudoneset.exe	135
PID 5044 wrote to memory of 2944	5044	wefudoneset.exe	135
PID 2944 wrote to memory of 4016	2944	cmd.exe	137
PID 2944 wrote to memory of 4016	2944	cmd.exe	137
PID 2944 wrote to memory of 4144	2944	cmd.exe	138
PID 2944 wrote to memory of 4144	2944	cmd.exe	138
PID 2944 wrote to memory of 2120	2944	cmd.exe	140
PID 2944 wrote to memory of 2120	2944	cmd.exe	140
PID 2120 wrote to memory of 3228	2120	wefudoneset.exe	141
PID 2120 wrote to memory of 3228	2120	wefudoneset.exe	141
PID 3228 wrote to memory of 4488	3228	cmd.exe	143
PID 3228 wrote to memory of 4488	3228	cmd.exe	143
PID 3228 wrote to memory of 3688	3228	cmd.exe	144
PID 3228 wrote to memory of 3688	3228	cmd.exe	144
PID 3228 wrote to memory of 4084	3228	cmd.exe	146
PID 3228 wrote to memory of 4084	3228	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
"C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCNC1F1HcmTG.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4476
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
    "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RnGQ1nFzmLhK.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2152
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYSgxE1Bd9Ih.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        7⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwJ3QSD4xgNy.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        9⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SpqTz8wOBy84.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        11⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bnAzSg2k2T96.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        13⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5PqysQQfM8sW.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        15⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\azo6QfuZz7mK.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        17⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83j4hV2Hc1oW.bat" "
        18⤵
        
        PID:3156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        19⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1YTmxJXfQtBM.bat" "
        20⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        21⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZkJigPzMpw5.bat" "
        22⤵
        
        PID:3104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        23⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dJBR2sqhcn5p.bat" "
        24⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        25⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\45E7c6Gj3sAQ.bat" "
        26⤵
        
        PID:4112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        27⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CbnCecsE4RZE.bat" "
        28⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wefudoneset.exe"
        29⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6RZai4r9kf5R.bat" "
        30⤵
        
        PID:3316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wefudoneset.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\1YTmxJXfQtBM.bat

Filesize
208B

MD5
0521d99c6734ee5d2123879a0c1b7d0a

SHA1
18a3b5071b9aa753db6a4bdc144b9baa1e4c7125

SHA256
66f9fdd4c210cef05b5429a4158b704dad0fd0af1a4a935f3df3c854e783f4a0

SHA512
710dfd668740deff4fc899a094873e8e65fe2319f3ff3eaf88a3c6cbfe7faef84ff618a54b0371537a48843c9435e9ef5bbc552baccc66f35030c55c8ef840e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\45E7c6Gj3sAQ.bat

Filesize
208B

MD5
408cf5d667ca95b248b65a0d871e18d1

SHA1
ad8479a7bdec8d4b9b87e3c7e2d1f9069846a5dd

SHA256
8a0160da1e24baab96dfdf01883515a6af07fafc601518d5803eb3a912e2d929

SHA512
30972a770bb4f5efc0f2209ef82073cab3a5ce396276b3003f8209f135a5d3602721c7e20ede03a01ecea912e0575941fe75d2dd71f00df23bae68ca3db4a3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5PqysQQfM8sW.bat

Filesize
208B

MD5
ec332d9eba1d172a0177a2011c3e197d

SHA1
8993d447ee035dd5e2cf43ee1d7faa2910622553

SHA256
828fded3802f209dac818afb82700215897a8f98a6536a899aed10fabe9e341f

SHA512
5784dd20dfcd3908b863b219ae4cd9726692b701dd39e330a78d1bcce2893d6feeae72bdb6e5962a456416706e68aea36442ba18ddd649ff46e3724072a796ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\6RZai4r9kf5R.bat

Filesize
208B

MD5
79dd03daafd7f981d1f3e53601475ee9

SHA1
cc12131ec950feea614a4f48aae6298a109c95d4

SHA256
e07ffaba5dc6266cba99f28bfedd8d90a5cb730d5bbdba5baa307f2d523b8c8e

SHA512
41f1df63d41998f8947f5baad4c44214b41b1b617444c9ab4909b7d37d7de706c1d04e90d56876b2eefa0b944a5e4760e22ee894ac9b284344c57c20a70929a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\83j4hV2Hc1oW.bat

Filesize
208B

MD5
9d868dc48d00c4eefe115f2a055b954a

SHA1
f317e631a906be987717e958236ca1aea73507d7

SHA256
0f2bb44bdb39b39aa51b1a4963e27ab03737b87234b56f5485a88177e398909f

SHA512
3f088f225a494b96e531e2793a5058bd620b0ceb513fbbfed906141206229bca7163ac55ddfac0d5e9ab374014e1adafd002e03edfd33552533c067d2dd9a6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CbnCecsE4RZE.bat

Filesize
208B

MD5
1b0f4ab33ab3fd7a560bb2b5b291b597

SHA1
5e1cd4c0b156ae777aefc8f7fd6dfc90426f7a0d

SHA256
5b8c947b63701dba4f4d5c43bda31fe4f71425b41f04afe23a3f487f4f5b3fc0

SHA512
47fdbcc53d0ed5f6ca9fac1c6161514ddabc2c911637e7ef07c3dfeac325af4f8a6da6418b88611ee8897f32b0376102038e37c585b1549c4046197890e7aea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnGQ1nFzmLhK.bat

Filesize
208B

MD5
edf1e553bbfd73c4fafd256204efd943

SHA1
6eaa91b536e2c9d638d715044ab27c73e1c45052

SHA256
e6cbeb45405d7b55884cebbc5f80244a69d9153def791789701e039b3e4cba3b

SHA512
ca0122c26d56266fb24fdf1dd5479bc39b6ad1e371bf784d825e5f6841dc2d6845cfb92ad20242054bd126f9d6201ee174a352360fa13dd7d0876fa87ee8e5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpqTz8wOBy84.bat

Filesize
208B

MD5
c8e43fe0b06816a43dd419c77a6cd4f2

SHA1
22f6a62f50d3531def6ee61750d34539f7ed1120

SHA256
639c99c58a801253c96e6b589f147e42cf03c5ada3408f608cf3708240c5d53e

SHA512
f7ac23610ff3a21e4d6854698dafa7b8face611f9f8e496bf15f20f9d9adb681c4fbfc98d0a19bb16efa9da3dd3d318e440ba82cb0b6e3db2a6d01430e953431

Download Submit
C:\Users\Admin\AppData\Local\Temp\azo6QfuZz7mK.bat

Filesize
208B

MD5
604b3263b4412c3219501ea4072d491a

SHA1
4c2fc9b7c4d947c57abae38535b09bf828078dcb

SHA256
95dbac140ee1c4d7b9265bcf029fe3e87cf839c429237beaf58961a08efff10f

SHA512
55695eb1c4a293d0c73a8032ad0eada4e587d102c7d92504e1219cbda3aae774c5c61735cc9e71bd75634564708cf7ee576b205f2f5b0789f76b43729820c7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnAzSg2k2T96.bat

Filesize
208B

MD5
2ccf4e6e23ff9dd9c04413ac00a845b2

SHA1
c33a6a66d90daab44523b493634157a3cb75f196

SHA256
3b85fa6cd86e52bee60077a7dc672536f4f55b6f5d34cddb942341d53924fa4e

SHA512
6a51fbe1fc954cb5252c384b8e4b24412e016d5927e5f151b87182f4ff76aeab295d9e43e7411a5bc96191bbde9dc1f89006237847c083af6aa22d644f207e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\dJBR2sqhcn5p.bat

Filesize
208B

MD5
bcad41441fa3afc8062075e82f22d6de

SHA1
cafc51cf5a00f709b939b942c4c45444bf14d687

SHA256
6378e16a49d544a1d75deaecf7e4590f4ebeae95c5e63c54941a476a9edf756b

SHA512
b9f2c3bee12a2d7e9ef59d4c38243da72124ba754e8bd457d0f43137731cce7ba16e7daf35b097b71fe3b3e47ae8dfc7a6cc40730c0ffdfd9cbf5dc4a4d025a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYSgxE1Bd9Ih.bat

Filesize
208B

MD5
d3dd74ce9ce3b45e04d1b0f2771a38b5

SHA1
e21a4e255c6870ab98ea0ba9bea93a40eb9b91f9

SHA256
146738d8026e2ef15813ac264ec61f4e5a37b2107a8d1d9c93245d0db96c8ebe

SHA512
f6334e95d3980df630b074aa801144d818b80f01f9fbe4bb489f7329b3aa66cd08a03d118d184ece7b2aee92652a1ec68c91d4ad997b34d742aa8a73a6833c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwJ3QSD4xgNy.bat

Filesize
208B

MD5
0151e53ba708bc8433bed51b9d3f46c4

SHA1
cbcf5167034e74f014f51224c9e23a2b3c84b56b

SHA256
6af0781f373c48bf5115ca4e421634e17e1b8b6f9ee27ff67a33a370174c0e9a

SHA512
64dfd2e50a59c37a7c11326cc3611a75a2cdceccb37f4f61462e8aa695e208552857f3f47dda9ce1ef86eb0a93512439b213e47b324e4a7272fc31c06011d4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZkJigPzMpw5.bat

Filesize
208B

MD5
80c9ae5b6d94c3f5165bfc2afe05975f

SHA1
4aa00f6be4915d789c1aa6612776b2e876016dc7

SHA256
5df4d8c72d376f09685c643a087b6a02b9ca6d92750db6506c8450f25b46fa65

SHA512
cfbe8eb3a8383f74d8a9cd4e9cd623f475fddbe3b064c2a3edd8896f01a3bbec55c6805603903a245563a69325743df3b3d643a2ef715978e7067d5e51503613

Download Submit
C:\Users\Admin\AppData\Local\Temp\wCNC1F1HcmTG.bat

Filesize
208B

MD5
83a1db8c595a82fce1e6a9898dddf9b3

SHA1
b5650f99c1b4206fe7d414e851b0e43ca565627c

SHA256
d7e4d4efe038f81ec1845e9b8bb9d9c9d50ae4c8fd2f3e9f894f87f48b59f98e

SHA512
b8f1140d8170cb6ae812b7995802a4d7915207ba596f4debb15840eab8eeee76e777518a9ae2a8ecb2980a9565d3031f96cbcb5c39624ca8377fc98bd68bf60f

Download Submit
memory/1624-15-0x00007FFD8D800000-0x00007FFD8E2C1000-memory.dmp

Filesize
10.8MB

Download
memory/1624-11-0x00007FFD8D800000-0x00007FFD8E2C1000-memory.dmp

Filesize
10.8MB

Download
memory/1624-9-0x00007FFD8D803000-0x00007FFD8D805000-memory.dmp

Filesize
8KB

Download
memory/4768-0-0x00007FFD8D483000-0x00007FFD8D485000-memory.dmp

Filesize
8KB

Download
memory/4768-7-0x00007FFD8D480000-0x00007FFD8DF41000-memory.dmp

Filesize
10.8MB

Download
memory/4768-2-0x00007FFD8D480000-0x00007FFD8DF41000-memory.dmp

Filesize
10.8MB

Download
memory/4768-1-0x0000000000D40000-0x0000000001064000-memory.dmp

Filesize
3.1MB

Download