quasar | 864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

Analysis

max time kernel
142s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe
Size

3.1MB
MD5

7f888b6cbd5062a7558eea61eb9a9ca2
SHA1

2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87
SHA256

864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad
SHA512

7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8
SSDEEP

49152:/v2lL26AaNeWgPhlmVqvMQ7XSKKQSYmzwXoGdVTHHB72eh2NT:/v2L26AaNeWgPhlmVqkQ7XSKKQSq

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

llordiWasHere-55715.portmap.host:55715

Mutex

124c5996-13c0-46a2-804a-191042a109db

Attributes

encryption_key
5F48258CBD7D9014A9443146E8A3D837D1715CAE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3680-1-0x0000000000A60000-0x0000000000D84000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b73-6.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

pid	Process
3080	Client.exe
1072	Client.exe
2600	Client.exe
4160	Client.exe
2332	Client.exe
4692	Client.exe
4544	Client.exe
4948	Client.exe
5048	Client.exe
4600	Client.exe
2416	Client.exe
8	Client.exe
4552	Client.exe
1076	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3088	PING.EXE
2084	PING.EXE
4244	PING.EXE
4744	PING.EXE
1048	PING.EXE
4008	PING.EXE
3460	PING.EXE
836	PING.EXE
3672	PING.EXE
3720	PING.EXE
4128	PING.EXE
2536	PING.EXE
1200	PING.EXE
3864	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
3460	PING.EXE
4128	PING.EXE
836	PING.EXE
1048	PING.EXE
2536	PING.EXE
3720	PING.EXE
3864	PING.EXE
2084	PING.EXE
4744	PING.EXE
4244	PING.EXE
3672	PING.EXE
3088	PING.EXE
1200	PING.EXE
4008	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe
Token: SeDebugPrivilege	3080	Client.exe
Token: SeDebugPrivilege	1072	Client.exe
Token: SeDebugPrivilege	2600	Client.exe
Token: SeDebugPrivilege	4160	Client.exe
Token: SeDebugPrivilege	2332	Client.exe
Token: SeDebugPrivilege	4692	Client.exe
Token: SeDebugPrivilege	4544	Client.exe
Token: SeDebugPrivilege	4948	Client.exe
Token: SeDebugPrivilege	5048	Client.exe
Token: SeDebugPrivilege	4600	Client.exe
Token: SeDebugPrivilege	2416	Client.exe
Token: SeDebugPrivilege	8	Client.exe
Token: SeDebugPrivilege	4552	Client.exe
Token: SeDebugPrivilege	1076	Client.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
3080	Client.exe
1072	Client.exe
2600	Client.exe
4160	Client.exe
2332	Client.exe
4692	Client.exe
4544	Client.exe
4948	Client.exe
5048	Client.exe
4600	Client.exe
2416	Client.exe
8	Client.exe
4552	Client.exe
1076	Client.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3080	Client.exe
1072	Client.exe
2600	Client.exe
4160	Client.exe
2332	Client.exe
4692	Client.exe
4544	Client.exe
4948	Client.exe
5048	Client.exe
4600	Client.exe
2416	Client.exe
8	Client.exe
4552	Client.exe
1076	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3080	3680	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe	82
PID 3680 wrote to memory of 3080	3680	864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe	82
PID 3080 wrote to memory of 4880	3080	Client.exe	83
PID 3080 wrote to memory of 4880	3080	Client.exe	83
PID 4880 wrote to memory of 2228	4880	cmd.exe	85
PID 4880 wrote to memory of 2228	4880	cmd.exe	85
PID 4880 wrote to memory of 3460	4880	cmd.exe	86
PID 4880 wrote to memory of 3460	4880	cmd.exe	86
PID 4880 wrote to memory of 1072	4880	cmd.exe	92
PID 4880 wrote to memory of 1072	4880	cmd.exe	92
PID 1072 wrote to memory of 3636	1072	Client.exe	93
PID 1072 wrote to memory of 3636	1072	Client.exe	93
PID 3636 wrote to memory of 3216	3636	cmd.exe	95
PID 3636 wrote to memory of 3216	3636	cmd.exe	95
PID 3636 wrote to memory of 4128	3636	cmd.exe	96
PID 3636 wrote to memory of 4128	3636	cmd.exe	96
PID 3636 wrote to memory of 2600	3636	cmd.exe	99
PID 3636 wrote to memory of 2600	3636	cmd.exe	99
PID 2600 wrote to memory of 4808	2600	Client.exe	100
PID 2600 wrote to memory of 4808	2600	Client.exe	100
PID 4808 wrote to memory of 1836	4808	cmd.exe	102
PID 4808 wrote to memory of 1836	4808	cmd.exe	102
PID 4808 wrote to memory of 3088	4808	cmd.exe	103
PID 4808 wrote to memory of 3088	4808	cmd.exe	103
PID 4808 wrote to memory of 4160	4808	cmd.exe	106
PID 4808 wrote to memory of 4160	4808	cmd.exe	106
PID 4160 wrote to memory of 2564	4160	Client.exe	107
PID 4160 wrote to memory of 2564	4160	Client.exe	107
PID 2564 wrote to memory of 4952	2564	cmd.exe	109
PID 2564 wrote to memory of 4952	2564	cmd.exe	109
PID 2564 wrote to memory of 836	2564	cmd.exe	110
PID 2564 wrote to memory of 836	2564	cmd.exe	110
PID 2564 wrote to memory of 2332	2564	cmd.exe	111
PID 2564 wrote to memory of 2332	2564	cmd.exe	111
PID 2332 wrote to memory of 3924	2332	Client.exe	112
PID 2332 wrote to memory of 3924	2332	Client.exe	112
PID 3924 wrote to memory of 4388	3924	cmd.exe	114
PID 3924 wrote to memory of 4388	3924	cmd.exe	114
PID 3924 wrote to memory of 2084	3924	cmd.exe	115
PID 3924 wrote to memory of 2084	3924	cmd.exe	115
PID 3924 wrote to memory of 4692	3924	cmd.exe	116
PID 3924 wrote to memory of 4692	3924	cmd.exe	116
PID 4692 wrote to memory of 3356	4692	Client.exe	117
PID 4692 wrote to memory of 3356	4692	Client.exe	117
PID 3356 wrote to memory of 4556	3356	cmd.exe	119
PID 3356 wrote to memory of 4556	3356	cmd.exe	119
PID 3356 wrote to memory of 4744	3356	cmd.exe	120
PID 3356 wrote to memory of 4744	3356	cmd.exe	120
PID 3356 wrote to memory of 4544	3356	cmd.exe	121
PID 3356 wrote to memory of 4544	3356	cmd.exe	121
PID 4544 wrote to memory of 2228	4544	Client.exe	122
PID 4544 wrote to memory of 2228	4544	Client.exe	122
PID 2228 wrote to memory of 2448	2228	cmd.exe	124
PID 2228 wrote to memory of 2448	2228	cmd.exe	124
PID 2228 wrote to memory of 1048	2228	cmd.exe	125
PID 2228 wrote to memory of 1048	2228	cmd.exe	125
PID 2228 wrote to memory of 4948	2228	cmd.exe	126
PID 2228 wrote to memory of 4948	2228	cmd.exe	126
PID 4948 wrote to memory of 1956	4948	Client.exe	127
PID 4948 wrote to memory of 1956	4948	Client.exe	127
PID 1956 wrote to memory of 3652	1956	cmd.exe	129
PID 1956 wrote to memory of 3652	1956	cmd.exe	129
PID 1956 wrote to memory of 2536	1956	cmd.exe	130
PID 1956 wrote to memory of 2536	1956	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe
"C:\Users\Admin\AppData\Local\Temp\864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOGS8kh1MfCT.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2228
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3460
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaDZUKl7Xjve.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3636
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3216
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4128
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysOQkVfrqgU3.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3088
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMrArcZRPt9o.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MZBu2LnxRvvW.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIfEUShROUMN.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGrRurapiLDY.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3xeJoJDU4VYr.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EbThTbsTzlZY.bat" "
        19⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yXBxN37TBYZD.bat" "
        21⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4244
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8s3eDT4KsZSE.bat" "
        23⤵
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:8
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eZdB0DKNQcA0.bat" "
        25⤵
        
        PID:4852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C61Cjjia09De.bat" "
        27⤵
        
        PID:4824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OFPTHGW2KPHl.bat" "
        29⤵
        
        PID:1876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xeJoJDU4VYr.bat

Filesize
207B

MD5
aebca0b793623716cb6067e3c51eadb0

SHA1
ac3abd7a2d41d52342b40556ec146afcd3737df1

SHA256
63746e8b1368af478c6e1a3fe79adb04398c540470aeeae370f4fd3ad06ce9f0

SHA512
18c0549dd242be783c88631dd68e66c1b6c405d874f504947be82d1c3e0232261be8f6018c62b4571be2a6154e6568accee56f796cceb4c9cb9c5f5d8ea0c61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8s3eDT4KsZSE.bat

Filesize
207B

MD5
8244920eb8d3b6e9837ef604cf1339af

SHA1
59c69e18461b6b582e5cbda51358139c3185e53a

SHA256
4ff1d743ed400d820283c2b90ba7bbc4bb6d152318356f66b9aa695e1cb362d8

SHA512
2f9bf5e900e0769d8f78220793fd647a3d0deef29f76c09217e6b34b477a1fdd9060a2bd50fa5514b11318bbda44115600c373218322caba9d78652ff28036d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AGrRurapiLDY.bat

Filesize
207B

MD5
530653ae8e4ee7b02ee68fd6807afe09

SHA1
edc20ace023b3a69aded4125760f768ef9c5df2c

SHA256
376124f2b9eb589b918273b1b858835f308308d0b9878f859d9780d5c996f2e0

SHA512
2ceafa0cfc1f18c451a0fedc11ebe2ba2e79dd1365956801738edbcf05e1daa98d04b95cef25e193ca42aa151bad5d9af3cf10814c29ed2f9e141dcdc8b0b214

Download Submit
C:\Users\Admin\AppData\Local\Temp\C61Cjjia09De.bat

Filesize
207B

MD5
e04b8906931e993d29e5988237f0f5cf

SHA1
ce50955bbbc327f5375de7ac819ad0cd07d6f36f

SHA256
cd412e756693f514eaa3ee5421ab0b1b4cd42e2fa095ba14cab0b07e7c587b3a

SHA512
76384cb95b3d4ddc5504941f6e3de013f3fc500e557138857c5f4ba7559ed50944772e19dfc9fca1de2ebf203ed8b012763102ad6ec49bedcc8318b506c99e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIfEUShROUMN.bat

Filesize
207B

MD5
ff09af9d1506eb9bdd60b79178c71f81

SHA1
ea6058cd7533547721e07fa5dee2430d46bde303

SHA256
ff810abbd3f0282516af14135140155d409c657c4423ade55740a487072aa17a

SHA512
4b78776a990ea5d14d3600796786bc3d1b587868eacd937d1040d1ba7d371dcb583342eaf5d0a0ad476d629a4b20846abf95d34d05311a0ab322346a61385f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\EbThTbsTzlZY.bat

Filesize
207B

MD5
66a9eee87cb0c7f2c7821c5331889a77

SHA1
dddaa9872947d0ff71919561f3085721a4645b7f

SHA256
0ef1f3ef731f24f137ba31479610772be19be1e3796acafc860e3cac5d189062

SHA512
128dd1e75301cecbc6ae3cbf207dcfcc817e99a79d0319b50524d9427b3ea8bba699c44a89e09a505b585ad445936e6526fafc11c77d174f60ad7e6dd85ccf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZBu2LnxRvvW.bat

Filesize
207B

MD5
469bd4a092347c5e3fadb2430bbaf1d5

SHA1
e904b7645d23b394832ca879eb2f8d6a831ecfb7

SHA256
850fa04a33d0c37076e8421b80ff3489981175589af7307fba7244c3efbe9f83

SHA512
bcc3e04a503d0c9acb10c7c854b90e49ef61c2341b0d99f4dfb70a967d438a51ae9aa2b60ec9d7a78fc71cea1a2d82ffa82da9d341b97e54c8b92d20dfb274e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaDZUKl7Xjve.bat

Filesize
207B

MD5
2cfe6f5001b51503e14899327ff2063d

SHA1
77e2348efed29bfa926591cc6cddacbe98647dbd

SHA256
522b956565654cc65b1cc9f28dc7ece05ec3f6f45589eb700b11a24a078863de

SHA512
8172c74b86ef927d83ea0edbacaa5f7ec05a88d41f26611042f59c58679d2924b0132ed50be841a268ea5bdde4c5110031cb1d73ca0d23106b311093a40fb99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFPTHGW2KPHl.bat

Filesize
207B

MD5
b13637179a277da066c2c1f3ee3fc8d6

SHA1
d4bc8e503fe43becfb61b517045a1c3edad73a8b

SHA256
4f0c02f56ae7a3503074caa84508c408ed66a8bcd45236747ebdcb19ea107809

SHA512
1194309a7890f6c49b64f6843a761ded82c8e0bc4f0a39d533707b4a3611ddc8670d79342f6ca4def3d20a0ded81beeaa98eb92a5a78d0f0eb4264687a21dff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMrArcZRPt9o.bat

Filesize
207B

MD5
43a1dec2e11ac7d2bf912cd9e8990c0a

SHA1
778cfb2192e44bec0ddddefa2a942c26b9cedb60

SHA256
9f55d8853de13567dd63b86d063847b41146c28d00f0db11cb11adb2f9d2be5d

SHA512
97866c8cb0c84bd258b64c96df4abad1db47223cb26e6428bbbc5d9ec89e2943b41de74036c194a7bd8adf9127d512dd9bc6892e4f349b8745309d665617ba05

Download Submit
C:\Users\Admin\AppData\Local\Temp\eZdB0DKNQcA0.bat

Filesize
207B

MD5
d80e65688f46866e342e22ffdce6f1cb

SHA1
eccc7a5ad91adcad819cbefad970b39305aa8e28

SHA256
98d77b8bb903be2a2ee8ca5b5bb98081b9ea09b4e44ec258fccd8f40bdc193e7

SHA512
70034407e3aa12fdd3ab4a65c49c6b6026463b5ebb26fbd2c6747a6a2e03e85629aa80d9ad48a3fa3a1bf1e5e9c5c359bfe7b42c1374977abd55b0546e4c40d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOGS8kh1MfCT.bat

Filesize
207B

MD5
8f16a884484c87cc6ab39c6b65b9d181

SHA1
55ca308acb32cdccc51bd6f424a306e7bc147535

SHA256
1138b83438a7ee2e8c32f634094330ccaac40c36044fdcc5c879a117d96277c8

SHA512
e4f931f9a67b68599a17f39f4425ba5bfb0c837635cde7ccf016ac97f8e8b3d04316cc99a8d8e0a22e297d6da7468f9b8e331e49105264b3e6c44639f0759f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXBxN37TBYZD.bat

Filesize
207B

MD5
e566c6ecfd6c975b9d18dcf3cb1a8ead

SHA1
030fb6e6960120c1bdaca4fdafd020525deebc3e

SHA256
74054fd9f47b9acd4243a969745d289da937ed77708f390b0c08f56b1295eebf

SHA512
6ee0b3a6d1d42129b03bfb63caec83393c8a33a8dab17837ce011eabb442489a1620d03a8d6a2ab9661ecfdbd902d784d4ef4dbeccd1b352e0d5d38d82892f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysOQkVfrqgU3.bat

Filesize
207B

MD5
588ba407e256094889394b6171cca812

SHA1
653c77fc162c45b0d8c771c37f3fddb8016151c3

SHA256
b8a9ae639409169af7d2885d2ecd5694432ff9f566ee5a572790d7704d681227

SHA512
5686340c7c309a1581b17afae477ccefb7829396a614ca55d8cba46138fe0d8136b72ae069c4f033ce8c5569da8c177987d0ce06a1200dcfd6d09f5eb5bde549

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7f888b6cbd5062a7558eea61eb9a9ca2

SHA1
2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87

SHA256
864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

SHA512
7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8

Download Submit
memory/3080-13-0x000000001C0C0000-0x000000001C172000-memory.dmp

Filesize
712KB

Download
memory/3080-12-0x000000001BFB0000-0x000000001C000000-memory.dmp

Filesize
320KB

Download
memory/3080-11-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-18-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-9-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/3680-10-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/3680-2-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/3680-1-0x0000000000A60000-0x0000000000D84000-memory.dmp

Filesize
3.1MB

Download
memory/3680-0-0x00007FFDBF313000-0x00007FFDBF315000-memory.dmp

Filesize
8KB

Download