quasar | cc4c02376c24053d287c965105bb92c236bbefea2dcff15cdf1c45b183246a8f

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

740d9f35b37dd1557744d0d1df0ae2a6
SHA1

fe55e2e2dc057298018a0ed7211096de0c014e0e
SHA256

cc4c02376c24053d287c965105bb92c236bbefea2dcff15cdf1c45b183246a8f
SHA512

8b7fb45bc4c44245f157225431aea64e8d600ee5441c3e8d0197d2ba366bf7ffc6c9a321323ba704b46f5f104d9f5d645c1f680223d38022605fbf182cf4e0cd
SSDEEP

49152:HvAG42pda6D+/PjlLOlg6yQipV3eRJ6/bR3LoGdtTHHB72eh2NT:HvD42pda6D+/PjlLOlZyQipV3eRJ6R

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

https://stable-notably-hound.ngrok-free.app:4782

Mutex

59d0faf1-ae3f-4d2f-9c0f-631501d0027c

Attributes

encryption_key
A5F0EE2DBE7A3009387617912AFB48C127E2B576
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4572-1-0x0000000000B00000-0x0000000000E24000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1056	PING.EXE
4244	PING.EXE
4232	PING.EXE
180	PING.EXE
1592	PING.EXE
3504	PING.EXE
1016	PING.EXE
2228	PING.EXE
4100	PING.EXE
3984	PING.EXE
992	PING.EXE
1876	PING.EXE
216	PING.EXE
1844	PING.EXE
3008	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3504	PING.EXE
992	PING.EXE
4244	PING.EXE
1016	PING.EXE
3984	PING.EXE
4232	PING.EXE
4100	PING.EXE
1056	PING.EXE
180	PING.EXE
216	PING.EXE
1844	PING.EXE
3008	PING.EXE
1876	PING.EXE
1592	PING.EXE
2228	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	Client-built.exe
Token: SeDebugPrivilege	1296	Client-built.exe
Token: SeDebugPrivilege	848	Client-built.exe
Token: SeDebugPrivilege	2384	Client-built.exe
Token: SeDebugPrivilege	4696	Client-built.exe
Token: SeDebugPrivilege	3184	Client-built.exe
Token: SeDebugPrivilege	3280	Client-built.exe
Token: SeDebugPrivilege	4384	Client-built.exe
Token: SeDebugPrivilege	2700	Client-built.exe
Token: SeDebugPrivilege	2168	Client-built.exe
Token: SeDebugPrivilege	3672	Client-built.exe
Token: SeDebugPrivilege	1684	Client-built.exe
Token: SeDebugPrivilege	2316	Client-built.exe
Token: SeDebugPrivilege	2164	Client-built.exe
Token: SeDebugPrivilege	1376	Client-built.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4572	Client-built.exe
1296	Client-built.exe
848	Client-built.exe
2384	Client-built.exe
4696	Client-built.exe
3184	Client-built.exe
3280	Client-built.exe
4384	Client-built.exe
2700	Client-built.exe
2168	Client-built.exe
3672	Client-built.exe
1684	Client-built.exe
2316	Client-built.exe
2164	Client-built.exe
1376	Client-built.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4572	Client-built.exe
1296	Client-built.exe
848	Client-built.exe
2384	Client-built.exe
4696	Client-built.exe
3184	Client-built.exe
3280	Client-built.exe
4384	Client-built.exe
2700	Client-built.exe
2168	Client-built.exe
3672	Client-built.exe
1684	Client-built.exe
2316	Client-built.exe
2164	Client-built.exe
1376	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3928	4572	Client-built.exe	83
PID 4572 wrote to memory of 3928	4572	Client-built.exe	83
PID 3928 wrote to memory of 1072	3928	cmd.exe	85
PID 3928 wrote to memory of 1072	3928	cmd.exe	85
PID 3928 wrote to memory of 180	3928	cmd.exe	86
PID 3928 wrote to memory of 180	3928	cmd.exe	86
PID 3928 wrote to memory of 1296	3928	cmd.exe	97
PID 3928 wrote to memory of 1296	3928	cmd.exe	97
PID 1296 wrote to memory of 2076	1296	Client-built.exe	102
PID 1296 wrote to memory of 2076	1296	Client-built.exe	102
PID 2076 wrote to memory of 916	2076	cmd.exe	104
PID 2076 wrote to memory of 916	2076	cmd.exe	104
PID 2076 wrote to memory of 1016	2076	cmd.exe	105
PID 2076 wrote to memory of 1016	2076	cmd.exe	105
PID 2076 wrote to memory of 848	2076	cmd.exe	107
PID 2076 wrote to memory of 848	2076	cmd.exe	107
PID 848 wrote to memory of 3676	848	Client-built.exe	109
PID 848 wrote to memory of 3676	848	Client-built.exe	109
PID 3676 wrote to memory of 4856	3676	cmd.exe	111
PID 3676 wrote to memory of 4856	3676	cmd.exe	111
PID 3676 wrote to memory of 1592	3676	cmd.exe	112
PID 3676 wrote to memory of 1592	3676	cmd.exe	112
PID 3676 wrote to memory of 2384	3676	cmd.exe	116
PID 3676 wrote to memory of 2384	3676	cmd.exe	116
PID 2384 wrote to memory of 2556	2384	Client-built.exe	118
PID 2384 wrote to memory of 2556	2384	Client-built.exe	118
PID 2556 wrote to memory of 940	2556	cmd.exe	120
PID 2556 wrote to memory of 940	2556	cmd.exe	120
PID 2556 wrote to memory of 3984	2556	cmd.exe	121
PID 2556 wrote to memory of 3984	2556	cmd.exe	121
PID 2556 wrote to memory of 4696	2556	cmd.exe	123
PID 2556 wrote to memory of 4696	2556	cmd.exe	123
PID 4696 wrote to memory of 3872	4696	Client-built.exe	125
PID 4696 wrote to memory of 3872	4696	Client-built.exe	125
PID 3872 wrote to memory of 4904	3872	cmd.exe	127
PID 3872 wrote to memory of 4904	3872	cmd.exe	127
PID 3872 wrote to memory of 2228	3872	cmd.exe	128
PID 3872 wrote to memory of 2228	3872	cmd.exe	128
PID 3872 wrote to memory of 3184	3872	cmd.exe	130
PID 3872 wrote to memory of 3184	3872	cmd.exe	130
PID 3184 wrote to memory of 4312	3184	Client-built.exe	132
PID 3184 wrote to memory of 4312	3184	Client-built.exe	132
PID 4312 wrote to memory of 4896	4312	cmd.exe	134
PID 4312 wrote to memory of 4896	4312	cmd.exe	134
PID 4312 wrote to memory of 3504	4312	cmd.exe	135
PID 4312 wrote to memory of 3504	4312	cmd.exe	135
PID 4312 wrote to memory of 3280	4312	cmd.exe	138
PID 4312 wrote to memory of 3280	4312	cmd.exe	138
PID 3280 wrote to memory of 516	3280	Client-built.exe	139
PID 3280 wrote to memory of 516	3280	Client-built.exe	139
PID 516 wrote to memory of 1784	516	cmd.exe	142
PID 516 wrote to memory of 1784	516	cmd.exe	142
PID 516 wrote to memory of 216	516	cmd.exe	143
PID 516 wrote to memory of 216	516	cmd.exe	143
PID 516 wrote to memory of 4384	516	cmd.exe	145
PID 516 wrote to memory of 4384	516	cmd.exe	145
PID 4384 wrote to memory of 2128	4384	Client-built.exe	147
PID 4384 wrote to memory of 2128	4384	Client-built.exe	147
PID 2128 wrote to memory of 64	2128	cmd.exe	149
PID 2128 wrote to memory of 64	2128	cmd.exe	149
PID 2128 wrote to memory of 992	2128	cmd.exe	150
PID 2128 wrote to memory of 992	2128	cmd.exe	150
PID 2128 wrote to memory of 2700	2128	cmd.exe	152
PID 2128 wrote to memory of 2700	2128	cmd.exe	152

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0rbZTAIzEGV8.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1072
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:180
- - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcZtjgGs1EsC.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:916
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
    - - C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VFi2LrAxhMqu.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ZyC2a5oQKJT.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwNPofwzUJsi.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8rpKnUunuatn.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcer9cex4oVh.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qb0Sa5bCxSj1.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:64
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I8Y8XTWHHiVn.bat" "
        18⤵
        
        PID:940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7cBIYZ8pUBCo.bat" "
        20⤵
        
        PID:796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUYiCm5bQ5Cu.bat" "
        22⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIgDyY6Z7Hsa.bat" "
        24⤵
        
        PID:4060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hLOGR0mNpYfw.bat" "
        26⤵
        
        PID:4900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgfuRrW2NcRL.bat" "
        28⤵
        
        PID:2880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ayf7NgizsBCz.bat" "
        30⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ZyC2a5oQKJT.bat

Filesize
209B

MD5
71f2ea9d74aedf3127756b0ea7e3e05e

SHA1
29316ae5b3318cce1a785f14eec830c74e648009

SHA256
b726acc8d5cc176fb89da02a6d410984d653bf19ee12df0cb7d9c5292f0a9950

SHA512
4dc9d5ae2c33d72a514f6a28b20f155572dd5ca55249240223f563b8927b2616dc40d5a8a4782a866cac9ceb97192fdee27632dab7c5807cedaac06526fed1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rbZTAIzEGV8.bat

Filesize
209B

MD5
e7d45adebea68ae850001301e08d119a

SHA1
dee0eb51e650538a9cf3466541fbf7e9d4083e03

SHA256
ce0a31c9a5ef2a15845c654c4dcdd7c66c87c601212794e912a251a097edb515

SHA512
746516f145341eb78d93ecbd76996f2d3e97d413215e6faefce4b29e67e7110c625862b435722e79e99263db1b7fe073901f970712656c9ac885f31cbb392331

Download Submit
C:\Users\Admin\AppData\Local\Temp\7cBIYZ8pUBCo.bat

Filesize
209B

MD5
aa60dbc893c37fc351f34683b00869b1

SHA1
a7569a763dc3ba27e91e52fa377c5319c76229e3

SHA256
fa18a471c86ddc321fc3fa3ca9dd734a3965647db031d92c347e838865c9d431

SHA512
1061a5110e13da2afdf6e551fd332661d570179424c253ca610eba4b386f54235938f64525b3a5ee6e700ded0f29b26ce6a3f18681a17ecbda43a35eff6b87e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8rpKnUunuatn.bat

Filesize
209B

MD5
1024f50da5484ab58055b9be8d6a5682

SHA1
3296c2dda74ea225b7fae6ceb0642991b63b04b4

SHA256
0d682005c9a0e01dbeeb258682f2bc248adc86ade1ca9c73e9e618f29327e8f8

SHA512
bf07e32c167855d79d37fcdc37413813943096a003da5aaee6929e32086353ab10f85be2aec23e2ea6d376fdf55381d73c34442dad56ebc306434951bb2607ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ayf7NgizsBCz.bat

Filesize
209B

MD5
13261fc763b25176b22975136c699863

SHA1
50302f07b17dae0c6d55bad0cd6ba1096674638c

SHA256
12107570d6bb7a40fc92a20627f9dc902273e421dcde2c4e87ba41657ac47726

SHA512
4c6b4bdfeffda2a2e1e8795d775e12dba6d795cc029ac083a3a7af263ca370ed4d0d4cad3265de479b3caa2ef92784b7601e6e7996ec8acff5588557778ada77

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwNPofwzUJsi.bat

Filesize
209B

MD5
15e0f4a15a751124d5206b94fea9ba30

SHA1
462be0ca9420518d942f4a3a16e0ff79bc1e988c

SHA256
0477db29414533925cbd995af4094fc40eb90d6f3d82d52c7a5c0ab4a211b513

SHA512
e4eb4e2878ae63de37472b7576a9b2de9548ad03974b41a4d4d5eaf7959cc809d676c9030e9e539d892a913e2f3b664ddbaa2c5ceafa71f0a7f03447cd0364af

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8Y8XTWHHiVn.bat

Filesize
209B

MD5
dead1832881b6f50beb535eae8981351

SHA1
50a3cd0c000d233fa26b7f5b6151304cd28c035b

SHA256
93964ae3670cc2190384ec05247d6cebc5348142d1b43d6a0129d70ac3f74a39

SHA512
52ec3016b4d1ba928f618d074222579a0b1db20d91e5654c25a6a2acb0e80798f1c363eac16e553c8e40243d8330168e4e118d2c8f8a342cd6686462874d16ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgfuRrW2NcRL.bat

Filesize
209B

MD5
4e791505431e7e3251fbbed51ad612b3

SHA1
8ce9c5529ea31534c0cb11eba9a32fa20763fa90

SHA256
df8016a92c1687e7b8266b4cc1662af7d3d5742c8f560c37da64b5c08d521b9c

SHA512
134a7bc1674e657a26aff45e3612d6550892263cce0d4927da3971ab04346253583e0973d45fdd3b2c26f025f4a878cc4ced679509cdf6a22116c7d310d9678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qb0Sa5bCxSj1.bat

Filesize
209B

MD5
27515b48e9c503d3f2d4823d2fe74e73

SHA1
0b3a7e669ac7273a3fdc9ab995ae9c7322e0a457

SHA256
71b9a180628e82582fba42a1defbcef86675a78d734be744b17417bb842966a1

SHA512
f08b408cf9621634799ebfa01c084f13ecd28019f312b29fe84290b54273468cc129156f45a7fb807f464b2c0b7979b691150d8dd5d56828ffbb455a041d167d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VFi2LrAxhMqu.bat

Filesize
209B

MD5
90c2cd8906bd6c81f22afdc87106bf52

SHA1
972b011195740eab40b2da58c8aa9f51cb43f5fe

SHA256
7fa4aa2f1f2011b67ee29b4b8d0d1175937af6be927d6ce1899459814e2fae22

SHA512
e47c40dc46675730d735a46d585e9938c78b0ced9e6b1fa42313d49367a5e823181f718b97a015821a3f2e15d059aa77aad76b21f81eba2d07a056ed45f97923

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUYiCm5bQ5Cu.bat

Filesize
209B

MD5
bedcd7e1514463b1a562d7b0e9c5ee88

SHA1
071f41d72856ae6325ec565dbf9a48d8711511b5

SHA256
85e0182f71216d8ac3ab64ef332e0dfea659c8263f9b6a270fa332d633f09fc7

SHA512
a83fae6ff258ab3d79aacb0c1f60da1f006f65d65ac84427efdebe6f2943ad44226300b2ae13713c815b7973ce21a3edc13d72d28fb17fd6baecb110442174c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hLOGR0mNpYfw.bat

Filesize
209B

MD5
63aba5f93f95a408030cb917c4d4dbd6

SHA1
0eb4081834321009aa1214f992c6e9ebafa6549d

SHA256
d97aa08f65c908b78f261e43a388bcee29b7dc9f99d19244cbefa13c2aa193a5

SHA512
3c3ef677f0fb1345728556655d39555a665ff51c15fb46839b443c6b4558081fb9b3b23355100b000c2b19c6c3ffac76753406512ccb53a977a45e7d763281a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIgDyY6Z7Hsa.bat

Filesize
209B

MD5
c2485e6345577875dde004e465025f50

SHA1
0b384ab0f3346aa994c2a3ee2a26c82f50502440

SHA256
ea4eab983aebb4f483345927c5dc9ff98b2d33e22c80e1a4cf218b182355c6cd

SHA512
64f0d190253c2af3dc850f7788e1a11bf0ea1a37ee8d00b2eb74c48e1495032b3d00ee0770338dfd68f614dc18444c056e789fb5b9cfae085a85292de2b31cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcZtjgGs1EsC.bat

Filesize
209B

MD5
d2a3c452b94155f04e1727881ca80631

SHA1
0cc79163e25fa6f9e6e6c74bb7dc3ffe31e41daf

SHA256
0f8718183772d8a68559f175a05390670608890c5523f6abe9d076b4812cc251

SHA512
b63923d9fa49ef0663f83852c4e97e3cedc38489fceadf7fa40d3351da11b0b744f992b8674b8031d70ef897ca6234230e071eacf0845c6c7a7420cd8c0be73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcer9cex4oVh.bat

Filesize
209B

MD5
48f44b6d0ec6d6fe686fa6eba9764206

SHA1
6e211bcf20c722ae8b600d33bbd0746796b45247

SHA256
8a04952c3af2a3f18af47189a95b6326e0cd0a51ac63d9fa7fa1af2c327d65e5

SHA512
fe94d193c1f4991edd4ae7353c0c15577ee5e4d2453059ac13b1bca9de11781da4051357941a5316848e0eb7bafabc12a22a677f5c351588af6d7b6b03f28a29

Download Submit
memory/1296-12-0x00007FFF76960000-0x00007FFF77421000-memory.dmp

Filesize
10.8MB

Download
memory/1296-13-0x00007FFF76960000-0x00007FFF77421000-memory.dmp

Filesize
10.8MB

Download
memory/1296-17-0x00007FFF76960000-0x00007FFF77421000-memory.dmp

Filesize
10.8MB

Download
memory/4572-3-0x000000001C520000-0x000000001C570000-memory.dmp

Filesize
320KB

Download
memory/4572-2-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-0-0x00007FFF769F3000-0x00007FFF769F5000-memory.dmp

Filesize
8KB

Download
memory/4572-4-0x000000001C630000-0x000000001C6E2000-memory.dmp

Filesize
712KB

Download
memory/4572-9-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-1-0x0000000000B00000-0x0000000000E24000-memory.dmp

Filesize
3.1MB

Download