quasar | d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xeno+.exe
Size

3.1MB
MD5

03159c4b3d8d1c3e2058a44a5d4ffa4a
SHA1

109270f59115cc704501fbea1890abd7864cc83f
SHA256

d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4
SHA512

12f828d32a509a076f69896fcffdf6da50e4e8e23dd2230f8288dacbbbb2c4391c0e1663fc2efc21ab55cedd081e43f6143d84f7ae29977fe9da61a705394abd
SSDEEP

49152:fvHlL26AaNeWgPhlmVqvMQ7XSKuRRJ6ObR3LoGd8THHB72eh2NT:fvFL26AaNeWgPhlmVqkQ7XSKuRRJ6I

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

augustinevegas-31173.portmap.host:31173

Mutex

7d74883a-5879-4f61-8c23-fc7af453d7c2

Attributes

encryption_key
0B6DCD2BE4C82058601AFDA4AB9525FABE85A71D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1168-1-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar
behavioral1/files/0x0007000000023c85-5.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
4824	Client.exe
2192	Client.exe
2600	Client.exe
432	Client.exe
3420	Client.exe
2300	Client.exe
4540	Client.exe
3628	Client.exe
4452	Client.exe
1696	Client.exe
4692	Client.exe
3272	Client.exe
2112	Client.exe
2776	Client.exe
3492	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1520	PING.EXE
3324	PING.EXE
516	PING.EXE
2864	PING.EXE
4812	PING.EXE
1764	PING.EXE
4700	PING.EXE
844	PING.EXE
2112	PING.EXE
4456	PING.EXE
868	PING.EXE
3252	PING.EXE
2224	PING.EXE
4992	PING.EXE
4092	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1520	PING.EXE
516	PING.EXE
844	PING.EXE
868	PING.EXE
3252	PING.EXE
4092	PING.EXE
1764	PING.EXE
4700	PING.EXE
2224	PING.EXE
4992	PING.EXE
3324	PING.EXE
2112	PING.EXE
4812	PING.EXE
4456	PING.EXE
2864	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	xeno+.exe
Token: SeDebugPrivilege	4824	Client.exe
Token: SeDebugPrivilege	2192	Client.exe
Token: SeDebugPrivilege	2600	Client.exe
Token: SeDebugPrivilege	432	Client.exe
Token: SeDebugPrivilege	3420	Client.exe
Token: SeDebugPrivilege	2300	Client.exe
Token: SeDebugPrivilege	4540	Client.exe
Token: SeDebugPrivilege	3628	Client.exe
Token: SeDebugPrivilege	4452	Client.exe
Token: SeDebugPrivilege	1696	Client.exe
Token: SeDebugPrivilege	4692	Client.exe
Token: SeDebugPrivilege	3272	Client.exe
Token: SeDebugPrivilege	2112	Client.exe
Token: SeDebugPrivilege	2776	Client.exe
Token: SeDebugPrivilege	3492	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4824	Client.exe
2192	Client.exe
2600	Client.exe
432	Client.exe
3420	Client.exe
2300	Client.exe
4540	Client.exe
3628	Client.exe
4452	Client.exe
1696	Client.exe
4692	Client.exe
3272	Client.exe
2112	Client.exe
2776	Client.exe
3492	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4824	Client.exe
2192	Client.exe
2600	Client.exe
432	Client.exe
3420	Client.exe
2300	Client.exe
4540	Client.exe
3628	Client.exe
4452	Client.exe
1696	Client.exe
4692	Client.exe
3272	Client.exe
2112	Client.exe
2776	Client.exe
3492	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 4824	1168	xeno+.exe	85
PID 1168 wrote to memory of 4824	1168	xeno+.exe	85
PID 4824 wrote to memory of 3168	4824	Client.exe	86
PID 4824 wrote to memory of 3168	4824	Client.exe	86
PID 3168 wrote to memory of 3440	3168	cmd.exe	88
PID 3168 wrote to memory of 3440	3168	cmd.exe	88
PID 3168 wrote to memory of 2112	3168	cmd.exe	89
PID 3168 wrote to memory of 2112	3168	cmd.exe	89
PID 3168 wrote to memory of 2192	3168	cmd.exe	100
PID 3168 wrote to memory of 2192	3168	cmd.exe	100
PID 2192 wrote to memory of 4816	2192	Client.exe	102
PID 2192 wrote to memory of 4816	2192	Client.exe	102
PID 4816 wrote to memory of 644	4816	cmd.exe	104
PID 4816 wrote to memory of 644	4816	cmd.exe	104
PID 4816 wrote to memory of 4812	4816	cmd.exe	105
PID 4816 wrote to memory of 4812	4816	cmd.exe	105
PID 4816 wrote to memory of 2600	4816	cmd.exe	110
PID 4816 wrote to memory of 2600	4816	cmd.exe	110
PID 2600 wrote to memory of 4624	2600	Client.exe	112
PID 2600 wrote to memory of 4624	2600	Client.exe	112
PID 4624 wrote to memory of 4968	4624	cmd.exe	114
PID 4624 wrote to memory of 4968	4624	cmd.exe	114
PID 4624 wrote to memory of 3252	4624	cmd.exe	115
PID 4624 wrote to memory of 3252	4624	cmd.exe	115
PID 4624 wrote to memory of 432	4624	cmd.exe	120
PID 4624 wrote to memory of 432	4624	cmd.exe	120
PID 432 wrote to memory of 4808	432	Client.exe	122
PID 432 wrote to memory of 4808	432	Client.exe	122
PID 4808 wrote to memory of 4184	4808	cmd.exe	124
PID 4808 wrote to memory of 4184	4808	cmd.exe	124
PID 4808 wrote to memory of 2224	4808	cmd.exe	125
PID 4808 wrote to memory of 2224	4808	cmd.exe	125
PID 4808 wrote to memory of 3420	4808	cmd.exe	127
PID 4808 wrote to memory of 3420	4808	cmd.exe	127
PID 3420 wrote to memory of 2060	3420	Client.exe	129
PID 3420 wrote to memory of 2060	3420	Client.exe	129
PID 2060 wrote to memory of 3472	2060	cmd.exe	131
PID 2060 wrote to memory of 3472	2060	cmd.exe	131
PID 2060 wrote to memory of 4992	2060	cmd.exe	132
PID 2060 wrote to memory of 4992	2060	cmd.exe	132
PID 2060 wrote to memory of 2300	2060	cmd.exe	134
PID 2060 wrote to memory of 2300	2060	cmd.exe	134
PID 2300 wrote to memory of 1184	2300	Client.exe	136
PID 2300 wrote to memory of 1184	2300	Client.exe	136
PID 1184 wrote to memory of 412	1184	cmd.exe	138
PID 1184 wrote to memory of 412	1184	cmd.exe	138
PID 1184 wrote to memory of 4456	1184	cmd.exe	139
PID 1184 wrote to memory of 4456	1184	cmd.exe	139
PID 1184 wrote to memory of 4540	1184	cmd.exe	144
PID 1184 wrote to memory of 4540	1184	cmd.exe	144
PID 4540 wrote to memory of 2036	4540	Client.exe	146
PID 4540 wrote to memory of 2036	4540	Client.exe	146
PID 2036 wrote to memory of 4964	2036	cmd.exe	148
PID 2036 wrote to memory of 4964	2036	cmd.exe	148
PID 2036 wrote to memory of 4092	2036	cmd.exe	149
PID 2036 wrote to memory of 4092	2036	cmd.exe	149
PID 2036 wrote to memory of 3628	2036	cmd.exe	150
PID 2036 wrote to memory of 3628	2036	cmd.exe	150
PID 3628 wrote to memory of 844	3628	Client.exe	152
PID 3628 wrote to memory of 844	3628	Client.exe	152
PID 844 wrote to memory of 1884	844	cmd.exe	154
PID 844 wrote to memory of 1884	844	cmd.exe	154
PID 844 wrote to memory of 1764	844	cmd.exe	155
PID 844 wrote to memory of 1764	844	cmd.exe	155

C:\Users\Admin\AppData\Local\Temp\xeno+.exe
"C:\Users\Admin\AppData\Local\Temp\xeno+.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QDNqI2JPvNHR.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3440
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2112
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ca0Dmm8eM9tF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:644
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4812
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YP570zwczAa9.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P8OF7Jaz4hoL.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4tNZaCJwDzmG.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4992
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\De8Lzg1nwsgS.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naDSa7qisjx5.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E9tcwo2Pj2BP.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cLGn2sznA7PT.bat" "
        19⤵
        
        PID:3596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9keg5QOXVup7.bat" "
        21⤵
        
        PID:3812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rj3kZ0rKuVZf.bat" "
        23⤵
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:516
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zl8wKzz7Pqat.bat" "
        25⤵
        
        PID:4748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAKZCKW6QCct.bat" "
        27⤵
        
        PID:3536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2NhhmLr4wUnb.bat" "
        29⤵
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZljcliHC62dG.bat" "
        31⤵
        
        PID:4800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2NhhmLr4wUnb.bat

Filesize
207B

MD5
db94791e6040b1de20182394f6a85b92

SHA1
9d3c6e2303bb0382e96539fb0b471d4dedda1468

SHA256
a1724a912baf2a83673dbd83833a4f07297d548578a583cfff0d843ad90de7ab

SHA512
4739a39d9ec3e42691269c5e76c5877351d2a481adcf94dfab7d1c52c01ee448a22af3026bd80e2aec1d28ccaa0f7221c1382a927d6339ed89c6266c7660de79

Download Submit
C:\Users\Admin\AppData\Local\Temp\4tNZaCJwDzmG.bat

Filesize
207B

MD5
6da072ddf28c4651af557a396a93e6ba

SHA1
14ed3ee5a0f59d49215c6e8183f7b6e087bf55cc

SHA256
bd19373743666a4f25ff4d7192f16858fa858559d3507e826cb742b58943118e

SHA512
fdf8c7d5e6d0d996529f1bb0a963f0d82a54c0005c523de8e093c6cc0e0caa9f75830d28369625a3b34350fc805ae840610f67768eea02001b53d963fad3c4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9keg5QOXVup7.bat

Filesize
207B

MD5
42343aa322a73ee001657afed1463470

SHA1
848439f1c47b87586f81230baa22492f5728378c

SHA256
b5900453baf84548b09b7a4d00b2c0173c48089106ba2d7ef587af069deeeca0

SHA512
1be4da29db3ede53ff117da71f53b17d5e33b370a6810bf648c0d006192902bd7a046842e1d88f3a8fa53161719b0a33b662d545fbccbc2b5abe8afd7a3ae3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAKZCKW6QCct.bat

Filesize
207B

MD5
bb136dfc0910dde0331eb51dab17acda

SHA1
a38b64a5a55e811047bffe655edebd0f560936ff

SHA256
9b1ee645b2ac5c7c25f25d9bbbc16cca0c9d11af6ca36808c7ba6b3a5406b1bd

SHA512
11eeff289f1e0445d04dc471f36c6fbcdfafc8f75f7da8a4461286c8102957f6917e272fd66866e49af94e2171210ecb8f083c6c5797bccd19d03188f372db6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ca0Dmm8eM9tF.bat

Filesize
207B

MD5
96f421a5caa88f56bd53100aecf6b271

SHA1
d2fa140d3307360ed91e6f1d5f0f91145f1ddbbe

SHA256
84fb2f7927a8b48abc5743cbf670e8cac5b6c73bd85573fa1ff83bd0e04a2d09

SHA512
5bc9b6ac703f6cc19e58f7b4f554b437a88c61f9c4a4cae0d9ca4d807219350aea6a309e9274c03a0412bdd260cbabf27654cbde5fb13ca6906a8b2271003890

Download Submit
C:\Users\Admin\AppData\Local\Temp\De8Lzg1nwsgS.bat

Filesize
207B

MD5
cde69aaba1d5781fac3b33f6aac6cb15

SHA1
7c7239175798955cf8560ae7273f1f0badd28317

SHA256
94bd73e1068e258cc168e7ac5b83b5da5be04e347916453195d8d48e1a0bae1a

SHA512
49e96a2ea977c75b41475f83c468a9e1a08cbe0e01b93387d9c9403e36a810a89e5c67ec393b09d9de203bfe204f8317d0af8a5facc927be46e54b51983fb393

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9tcwo2Pj2BP.bat

Filesize
207B

MD5
7d24122704775d8352af0ec107406750

SHA1
e8cb70e009771149f56e04a5a3a2053d317120a4

SHA256
46a5663e5bf8534a6835f864754a7907f05e423e5c5b26631e1723636bf65df1

SHA512
1041f85b406fd3f0926c2d1600db6b305bae7e5878c4683b5dc7631d58decdc95bfb69e5f133c6439866ad4a8e30dc5d9a8a9be351b6f696587fdba667ba8fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\P8OF7Jaz4hoL.bat

Filesize
207B

MD5
0b67746fbccd065ceabfa92e08d03315

SHA1
f230ba5e67ac30b4cd6b33d5598e33e8bc5b8003

SHA256
83427aaf81ef52168e40abcf843c18d9222830269f81bff31c2d45fd7b0efba6

SHA512
708d33008aeb082f8d0b41658ba27e07dcdf7d879c4bb427855945763c62f81893ca97b36388e6b3f68613f27b2d56cac1d07e089fb15d9719e7e66ff4b1b5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QDNqI2JPvNHR.bat

Filesize
207B

MD5
589566a332b8c9b555482043025ceea6

SHA1
0bb8c8543e43f7ad83266d53fa045408afe8935a

SHA256
df4a5384fa498fe2671eff770acd46d5b1b99178e2c799b70382cb7be7d6f857

SHA512
dc7c3e53d3f6759ca56ea7c128523b166b819468cfb472f6da2a72208a1e78a6dc40ce7472ebd04b2166f00c5aada285fb563ad66df9f9ce4b91a56fcc232784

Download Submit
C:\Users\Admin\AppData\Local\Temp\YP570zwczAa9.bat

Filesize
207B

MD5
291d7e28c0e25b97b193ededd29b5b70

SHA1
0e43e11a657c03961f601ef0b78df8a523947b03

SHA256
8628bee2526e448783592db083d8e6ec2f2ecb4302a5be6b9eda52770177f6c6

SHA512
1f22406ccd5605f47a8f7429ab9b1bc81f7b47b259e68304a668133723460e7b163dd08660607ef04be9862dc6c6312dbc84e5a236dec2ce75d1485bbf875ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zl8wKzz7Pqat.bat

Filesize
207B

MD5
c71a0e786bf3ec76c617f2d066281435

SHA1
e804c4a7ba3b8392f49ef2ba6a86b5be5758b265

SHA256
3399ddd9d10d8c4db2e7a1458789dfcf3ed1b5f82053e2ae6ab599383e24aa1e

SHA512
189914d8e7714fdda0a5bd3c076ccf71e5adea93ea41722568705e40946158ef09bc2ec5ec6c788b9347cc516626e9ea47d661732e2548304f890dde2119518f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZljcliHC62dG.bat

Filesize
207B

MD5
546198c1a1e0af7c061ac4af08e2440b

SHA1
a8d70377a34978f11f9c0e8a793c64bf7aa1d353

SHA256
81b7ba7a751d9112a4f42472b3c9b4060962008f313a020d99667a40a0dde1a8

SHA512
3cc429d3732fc37afbb27fa388dfc01f738788438ffee182c6cd71503baca0766ce367fc7b4b691c830aa1b81ddb4f0910ecbceb90e2b8f4dc021626d4eb3b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLGn2sznA7PT.bat

Filesize
207B

MD5
7ba4159a431ad47bc229cd1b5a328585

SHA1
d0ac30a23601c4ef26739b3e49fd8f741dabce41

SHA256
ee3a7311b80f3fdde58c8ea39a103fd1a698c437f7cef4bd2bc41555b7b4f435

SHA512
ecfa67288bc4f42ff5f54eadd37e20dddb409497ec0518c404555437bbb145cf10d65224275a522fd0f71dcc462cbe2c7a5cba956694c697c75233e187096614

Download Submit
C:\Users\Admin\AppData\Local\Temp\naDSa7qisjx5.bat

Filesize
207B

MD5
7a99ad7a3b1b78d7efb79565cd837f76

SHA1
7ce1f5d145c56ac92b9e376ed4bbfde6de07a00d

SHA256
ee051e06111b8044283fdec4343089da3a69baf0ff58b5e3fb1460dd07c298a5

SHA512
9fc3a775eeb1dc347135b88c82cb94cc7eb92b589477d688d476bd0bf3420e4a6fe119550cbf441d006f1982817c78c88dd3095f75484788e500a4805c189719

Download Submit
C:\Users\Admin\AppData\Local\Temp\rj3kZ0rKuVZf.bat

Filesize
207B

MD5
1791d0cafce3e1d7b5f4187efbd5672b

SHA1
151bab652fbab7514579fd43a182fa34aed51499

SHA256
e9aa89e58e14f5e49153cef2f673561f38ba6a7fca4477a60e0da3d799179a5c

SHA512
03e6c86d425f4218c9678a67d872e16183afc0f18df5ed5e82fc890d3a99fec093d7fbda1a241d2f56c557c12152ea20adbb5f6225def6727d1cd4dfe1a20bdf

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
03159c4b3d8d1c3e2058a44a5d4ffa4a

SHA1
109270f59115cc704501fbea1890abd7864cc83f

SHA256
d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4

SHA512
12f828d32a509a076f69896fcffdf6da50e4e8e23dd2230f8288dacbbbb2c4391c0e1663fc2efc21ab55cedd081e43f6143d84f7ae29977fe9da61a705394abd

Download Submit
memory/1168-9-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1168-2-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1168-0-0x00007FF8BE393000-0x00007FF8BE395000-memory.dmp

Filesize
8KB

Download
memory/1168-1-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download
memory/4824-10-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/4824-8-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/4824-12-0x000000001C990000-0x000000001CA42000-memory.dmp

Filesize
712KB

Download
memory/4824-11-0x000000001C880000-0x000000001C8D0000-memory.dmp

Filesize
320KB

Download
memory/4824-17-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download