quasar | 864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Test2.exe
Size

3.1MB
MD5

7f888b6cbd5062a7558eea61eb9a9ca2
SHA1

2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87
SHA256

864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad
SHA512

7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8
SSDEEP

49152:/v2lL26AaNeWgPhlmVqvMQ7XSKKQSYmzwXoGdVTHHB72eh2NT:/v2L26AaNeWgPhlmVqkQ7XSKKQSq

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

llordiWasHere-55715.portmap.host:55715

Mutex

124c5996-13c0-46a2-804a-191042a109db

Attributes

encryption_key
5F48258CBD7D9014A9443146E8A3D837D1715CAE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4948-1-0x0000000000580000-0x00000000008A4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b9c-7.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2864	Client.exe
1044	Client.exe
3552	Client.exe
416	Client.exe
4128	Client.exe
2012	Client.exe
3316	Client.exe
3928	Client.exe
3756	Client.exe
604	Client.exe
1448	Client.exe
3548	Client.exe
3216	Client.exe
4900	Client.exe
1932	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3372	PING.EXE
4292	PING.EXE
1732	PING.EXE
4240	PING.EXE
4976	PING.EXE
5060	PING.EXE
2540	PING.EXE
996	PING.EXE
532	PING.EXE
1952	PING.EXE
3320	PING.EXE
3896	PING.EXE
4136	PING.EXE
5048	PING.EXE
2880	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3372	PING.EXE
3896	PING.EXE
4136	PING.EXE
2540	PING.EXE
996	PING.EXE
1732	PING.EXE
532	PING.EXE
5048	PING.EXE
1952	PING.EXE
5060	PING.EXE
4292	PING.EXE
2880	PING.EXE
4976	PING.EXE
4240	PING.EXE
3320	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	Test2.exe
Token: SeDebugPrivilege	2864	Client.exe
Token: SeDebugPrivilege	1044	Client.exe
Token: SeDebugPrivilege	3552	Client.exe
Token: SeDebugPrivilege	416	Client.exe
Token: SeDebugPrivilege	4128	Client.exe
Token: SeDebugPrivilege	3316	Client.exe
Token: SeDebugPrivilege	3928	Client.exe
Token: SeDebugPrivilege	3756	Client.exe
Token: SeDebugPrivilege	604	Client.exe
Token: SeDebugPrivilege	1448	Client.exe
Token: SeDebugPrivilege	3548	Client.exe
Token: SeDebugPrivilege	3216	Client.exe
Token: SeDebugPrivilege	4900	Client.exe
Token: SeDebugPrivilege	1932	Client.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2864	Client.exe
1044	Client.exe
3552	Client.exe
416	Client.exe
4128	Client.exe
3316	Client.exe
3928	Client.exe
3756	Client.exe
604	Client.exe
1448	Client.exe
3548	Client.exe
3216	Client.exe
4900	Client.exe
1932	Client.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2864	Client.exe
1044	Client.exe
3552	Client.exe
416	Client.exe
4128	Client.exe
3316	Client.exe
3928	Client.exe
3756	Client.exe
604	Client.exe
1448	Client.exe
3548	Client.exe
3216	Client.exe
4900	Client.exe
1932	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2864	4948	Test2.exe	82
PID 4948 wrote to memory of 2864	4948	Test2.exe	82
PID 2864 wrote to memory of 1092	2864	Client.exe	83
PID 2864 wrote to memory of 1092	2864	Client.exe	83
PID 1092 wrote to memory of 3032	1092	cmd.exe	85
PID 1092 wrote to memory of 3032	1092	cmd.exe	85
PID 1092 wrote to memory of 532	1092	cmd.exe	86
PID 1092 wrote to memory of 532	1092	cmd.exe	86
PID 1092 wrote to memory of 1044	1092	cmd.exe	89
PID 1092 wrote to memory of 1044	1092	cmd.exe	89
PID 1044 wrote to memory of 4108	1044	Client.exe	92
PID 1044 wrote to memory of 4108	1044	Client.exe	92
PID 4108 wrote to memory of 3756	4108	cmd.exe	94
PID 4108 wrote to memory of 3756	4108	cmd.exe	94
PID 4108 wrote to memory of 1952	4108	cmd.exe	95
PID 4108 wrote to memory of 1952	4108	cmd.exe	95
PID 4108 wrote to memory of 3552	4108	cmd.exe	99
PID 4108 wrote to memory of 3552	4108	cmd.exe	99
PID 3552 wrote to memory of 4568	3552	Client.exe	100
PID 3552 wrote to memory of 4568	3552	Client.exe	100
PID 4568 wrote to memory of 3620	4568	cmd.exe	102
PID 4568 wrote to memory of 3620	4568	cmd.exe	102
PID 4568 wrote to memory of 3372	4568	cmd.exe	103
PID 4568 wrote to memory of 3372	4568	cmd.exe	103
PID 4568 wrote to memory of 416	4568	cmd.exe	106
PID 4568 wrote to memory of 416	4568	cmd.exe	106
PID 416 wrote to memory of 1032	416	Client.exe	107
PID 416 wrote to memory of 1032	416	Client.exe	107
PID 1032 wrote to memory of 1280	1032	cmd.exe	109
PID 1032 wrote to memory of 1280	1032	cmd.exe	109
PID 1032 wrote to memory of 3320	1032	cmd.exe	110
PID 1032 wrote to memory of 3320	1032	cmd.exe	110
PID 1032 wrote to memory of 4128	1032	cmd.exe	111
PID 1032 wrote to memory of 4128	1032	cmd.exe	111
PID 4128 wrote to memory of 1876	4128	Client.exe	112
PID 4128 wrote to memory of 1876	4128	Client.exe	112
PID 1876 wrote to memory of 912	1876	cmd.exe	114
PID 1876 wrote to memory of 912	1876	cmd.exe	114
PID 1876 wrote to memory of 3896	1876	cmd.exe	115
PID 1876 wrote to memory of 3896	1876	cmd.exe	115
PID 1876 wrote to memory of 2012	1876	cmd.exe	116
PID 1876 wrote to memory of 2012	1876	cmd.exe	116
PID 2684 wrote to memory of 1288	2684	cmd.exe	119
PID 2684 wrote to memory of 1288	2684	cmd.exe	119
PID 2684 wrote to memory of 4136	2684	cmd.exe	120
PID 2684 wrote to memory of 4136	2684	cmd.exe	120
PID 2684 wrote to memory of 3316	2684	cmd.exe	121
PID 2684 wrote to memory of 3316	2684	cmd.exe	121
PID 3316 wrote to memory of 4708	3316	Client.exe	122
PID 3316 wrote to memory of 4708	3316	Client.exe	122
PID 4708 wrote to memory of 400	4708	cmd.exe	124
PID 4708 wrote to memory of 400	4708	cmd.exe	124
PID 4708 wrote to memory of 2540	4708	cmd.exe	125
PID 4708 wrote to memory of 2540	4708	cmd.exe	125
PID 4708 wrote to memory of 3928	4708	cmd.exe	126
PID 4708 wrote to memory of 3928	4708	cmd.exe	126
PID 3928 wrote to memory of 2672	3928	Client.exe	127
PID 3928 wrote to memory of 2672	3928	Client.exe	127
PID 2672 wrote to memory of 2160	2672	cmd.exe	129
PID 2672 wrote to memory of 2160	2672	cmd.exe	129
PID 2672 wrote to memory of 996	2672	cmd.exe	130
PID 2672 wrote to memory of 996	2672	cmd.exe	130
PID 2672 wrote to memory of 3756	2672	cmd.exe	131
PID 2672 wrote to memory of 3756	2672	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\Test2.exe
"C:\Users\Admin\AppData\Local\Temp\Test2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c7HbNrpyR8E8.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3032
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:532
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YD7eOA6iRuXU.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3756
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYzoDrIfns4z.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0xg718uXYoKp.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8mJajw9nfYDS.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A9MXllXKO9Rc.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uhitjYnKCiOu.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dFWi0OTt8H3G.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGYxrZUxdTMV.bat" "
        19⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4292
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aFivhHGGhVzY.bat" "
        21⤵
        
        PID:3572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NTpbVo7XwPbG.bat" "
        23⤵
        
        PID:1832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQjGcAsRQXed.bat" "
        25⤵
        
        PID:4768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIxEBDAmYfoF.bat" "
        27⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4dTYX1yhjxK4.bat" "
        29⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4240
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYfamvFal6gW.bat" "
        31⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xg718uXYoKp.bat

Filesize
207B

MD5
dfab4170b2590a9f70f504ff89f4054c

SHA1
de0b0e94241dba8473eb798f166c692194dceffb

SHA256
f788607ea37086f05e15cbcabce5d9ce0892193082fbd84d71bcddcab743352c

SHA512
6504072a2eff60ee0c5ad5d2045b304c727de7b5a8e94b2c63f35a60b1e46a014f3683e692ff0701a11024d5b923cdba28f93140dbf73c278b2192b775bf47c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4dTYX1yhjxK4.bat

Filesize
207B

MD5
6e0428797621030a3ac57a0181a2e62c

SHA1
0ac476bc01bcb6a1852d3119110c0f2973aad4e4

SHA256
df840fad79c4346a815636e361527aa13c1c856cb5e1f22add6b98387f3b6347

SHA512
8ab8fd89d96a60cb39342f66a705824d73a3952bf78e587e31864d066d6725d3a6061c87b3d192d3b5422a35bf16313e0fe0103bee6817d0ac63ebf6627bd9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\8mJajw9nfYDS.bat

Filesize
207B

MD5
dbd3ee80b7365b66066b32f537936257

SHA1
054a49aa818d00a057c3323872b5ce311d9a7463

SHA256
afbda777b4c90ae5b3fb4f1a067a3e976095fb40119eaf33aa184fc10d1f2e23

SHA512
430c4cf314a1ffbd55371f2ced3d46dd84f4417e8f7f541ed8bc225215d21d0032d0c7b8ab60e188ba6191c88f6ae77b5a7e750fbbe38acfbb63dbdef5eef910

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYzoDrIfns4z.bat

Filesize
207B

MD5
8ccc7b2cb353b3b32e847ce83ae61042

SHA1
f38848e17d4f45bd141b9e4598e14ec04c699022

SHA256
d9c78c6f623fd678221edf22c19069c979da8d949359102410b53979b3d78fb3

SHA512
ba49e230b4efe79749d3e8aa32e0b4fc8ebaaab6ad414669b2425bbd56fc055647911b5155eb9252bfbb431fa64436a995b9d0bffa531ff340100852381287cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGYxrZUxdTMV.bat

Filesize
207B

MD5
36a4597cfe7981fed598c2e6091ab1d5

SHA1
95ded99ef9b85ae4bf26284e1275a91da3091a13

SHA256
5ef4a9974bd2e21caef1e59a1fb938db23a3540e322fba81f0a41c4db79f3a0e

SHA512
7b6e89f1cd0b685a5e47cdd62c9e70bf67ac1b20357dadf8e698b787bdf9d4256d53f16f1c8fa969c8ade657a08fe56f49051f4df030dbba6003186a87f5897f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIxEBDAmYfoF.bat

Filesize
207B

MD5
2fdb86f09df38b174bdf0f142514db4c

SHA1
e40a3b9f9551ffd77d0091c809cccb172a19574d

SHA256
72a5f73d1fc7afab225197b8ecb1985281de741bb05e3d2837dd47d72e8c3a34

SHA512
5cae88c8a918d61d9afac13bda9260cdc388d24f6098a9d8c2eef4ef70e2e58e73b32927e45cd83532ab5dd9d10fb8839bde1fbe4ac596f5d89407ea664f4b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTpbVo7XwPbG.bat

Filesize
207B

MD5
33e9108783923ed23a2674419f8c7665

SHA1
ea6651cff615ef3b43e56156b685d80f97716ed4

SHA256
bdd4563de4c07faafa579a45f5d9ba9d0c70c95c420e087010c2d098cdb95f68

SHA512
7fe28b24c6e6817301b5c98340cb53e8790f6da83facc9b04f8bc843a9a4271f9e4cc51fcd4aa1fc5d92ae5ddf4f00876f1e1e2d1d2e5b00faa30203b22c8b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQjGcAsRQXed.bat

Filesize
207B

MD5
f066cda2701f551598760e7feae6df46

SHA1
3a43b8af4937a7f8050f064505192bf998f1604c

SHA256
8f97a7df97befb13d95f41ecbf04533e521e6e67c6e3539f8802b379aef296b9

SHA512
55437a9e2d14564c152841e385e412713f19f06619e2df50aa1ac30e23dce643486b5a8c56b2d2c1ae0bef2dd31228ef03cd358bef963feb5a7b68ec1cde3e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YD7eOA6iRuXU.bat

Filesize
207B

MD5
5f38d969ac96c62a07ab3ca6f455e47f

SHA1
82a7345858879de900cbc09e78e7fd8fa13116e4

SHA256
81610a51d0f4fa877f13b96e44e1209e0dc863cce758758201dd20c699415420

SHA512
626e7bd7fa60dee527624c52fa2018fd2503a35b6a0f545e56f61489917a016760c7b5871a160178e3917351b42b583deb7b3a415403b339d20e1072fe083f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aFivhHGGhVzY.bat

Filesize
207B

MD5
486c630e159f97a66003c13fffce84e8

SHA1
6a7e9427f107b22ac4a6e5879f1fcfa951af66e9

SHA256
efff503ef027d6af345588712df20703dbc8be1ae066d207a1c5e3e25eea134c

SHA512
0557590ec0c883241a8804ea04a1663f2074842035d897ada2843b7b8c845f9c86a35e97e725c7c701c8045d0d61e7d05fe48194d97dc80e7f35b33fcea425ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7HbNrpyR8E8.bat

Filesize
207B

MD5
0a7ebb4e1f5a3769373874d9d88da325

SHA1
3a40e9da2c2088318c96b85f9110fa9a57f37f2c

SHA256
a9e94dd57ff558b8710bf310e8346bb1ba3b217bdb65c51ab0856275d0fc4d20

SHA512
842044a26d9471151bda58620482c6c09bf654c14b61bb6a4e977fe499e1d7afd99732a63b1756da9aff54eff0e20905cd4afe2ffda42d59a6c9cea7931f4632

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFWi0OTt8H3G.bat

Filesize
207B

MD5
a909834ab4781b2dd9152d2e9fcc4173

SHA1
daf4c3a6b86b3e1bc23d9335ea8cec0b5c82bd78

SHA256
8fe2488e8e8fd63a3169ce2fcb60dbe5362b0d0e0978b24097971cfd78c3d01e

SHA512
794a14dce9c12a5be5b6242b9b1979d4dcf574e163ff457ca4103c2597e5e95fbb1e7e3a0e80da080050e9116e35d5ce7ffc7e42742c3415701fe32edb83fd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYfamvFal6gW.bat

Filesize
207B

MD5
610e7ca3964df84434e24835fa5221fe

SHA1
575b45ad134cbb4ec86f19477c1ba8bddf3bfab6

SHA256
123da3d727b0819498ba0b9f19d8466873bba9657c0f1c0857428b07c967410f

SHA512
b793dd855cc90f104489e8d00ed25bf8a30feb209897823f08fea75d79d9d02b52748c0f1fecf3cd8de38fb04ac26d489f188a5ed7935f66357416bff60a4c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhitjYnKCiOu.bat

Filesize
207B

MD5
45e7653cdf396f9e61df21cc2ab89b5e

SHA1
115ad9f4f015cccad36aebbfb21f775da1dc0190

SHA256
d887c7782d6544a501258e467221f9ed6721546e0fc1ad95380ca04c9a1c59fb

SHA512
278f7f63271976f10a0239df627a9ced2f2b66a6d2393e5ad0eeec5f16c50b4bb9cf85703e9564a33f17f15498a440c5cc431575b53c90a6de25d688b9f0e3df

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7f888b6cbd5062a7558eea61eb9a9ca2

SHA1
2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87

SHA256
864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

SHA512
7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8

Download Submit
memory/2864-11-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/2864-12-0x000000001DF30000-0x000000001DF80000-memory.dmp

Filesize
320KB

Download
memory/2864-13-0x000000001E040000-0x000000001E0F2000-memory.dmp

Filesize
712KB

Download
memory/2864-9-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/2864-18-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/4948-10-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/4948-0-0x00007FF982043000-0x00007FF982045000-memory.dmp

Filesize
8KB

Download
memory/4948-2-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/4948-1-0x0000000000580000-0x00000000008A4000-memory.dmp

Filesize
3.1MB

Download