quasar | d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe
Size

3.1MB
MD5

03159c4b3d8d1c3e2058a44a5d4ffa4a
SHA1

109270f59115cc704501fbea1890abd7864cc83f
SHA256

d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4
SHA512

12f828d32a509a076f69896fcffdf6da50e4e8e23dd2230f8288dacbbbb2c4391c0e1663fc2efc21ab55cedd081e43f6143d84f7ae29977fe9da61a705394abd
SSDEEP

49152:fvHlL26AaNeWgPhlmVqvMQ7XSKuRRJ6ObR3LoGd8THHB72eh2NT:fvFL26AaNeWgPhlmVqkQ7XSKuRRJ6I

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

augustinevegas-31173.portmap.host:31173

Mutex

7d74883a-5879-4f61-8c23-fc7af453d7c2

Attributes

encryption_key
0B6DCD2BE4C82058601AFDA4AB9525FABE85A71D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2640-1-0x0000000000A60000-0x0000000000D84000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016dc6-5.dat	family_quasar
behavioral1/memory/2652-8-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
behavioral1/memory/2140-22-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar
behavioral1/memory/2308-33-0x00000000011E0000-0x0000000001504000-memory.dmp	family_quasar
behavioral1/memory/2088-54-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/1736-65-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
behavioral1/memory/1768-78-0x0000000001170000-0x0000000001494000-memory.dmp	family_quasar
behavioral1/memory/2704-89-0x00000000011D0000-0x00000000014F4000-memory.dmp	family_quasar
behavioral1/memory/828-133-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar
behavioral1/memory/832-145-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/612-156-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/memory/1316-167-0x00000000010E0000-0x0000000001404000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2652	Client.exe
2140	Client.exe
2308	Client.exe
264	Client.exe
2088	Client.exe
1736	Client.exe
1768	Client.exe
2704	Client.exe
2544	Client.exe
2052	Client.exe
1908	Client.exe
828	Client.exe
832	Client.exe
612	Client.exe
1316	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2768	PING.EXE
1720	PING.EXE
1072	PING.EXE
2444	PING.EXE
764	PING.EXE
2660	PING.EXE
2816	PING.EXE
1352	PING.EXE
3040	PING.EXE
2392	PING.EXE
932	PING.EXE
1220	PING.EXE
1604	PING.EXE
2396	PING.EXE
2436	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2816	PING.EXE
1352	PING.EXE
1720	PING.EXE
932	PING.EXE
2660	PING.EXE
2396	PING.EXE
1604	PING.EXE
2436	PING.EXE
3040	PING.EXE
2392	PING.EXE
764	PING.EXE
2768	PING.EXE
1072	PING.EXE
2444	PING.EXE
1220	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe
Token: SeDebugPrivilege	2652	Client.exe
Token: SeDebugPrivilege	2140	Client.exe
Token: SeDebugPrivilege	2308	Client.exe
Token: SeDebugPrivilege	264	Client.exe
Token: SeDebugPrivilege	2088	Client.exe
Token: SeDebugPrivilege	1736	Client.exe
Token: SeDebugPrivilege	1768	Client.exe
Token: SeDebugPrivilege	2704	Client.exe
Token: SeDebugPrivilege	2544	Client.exe
Token: SeDebugPrivilege	2052	Client.exe
Token: SeDebugPrivilege	1908	Client.exe
Token: SeDebugPrivilege	828	Client.exe
Token: SeDebugPrivilege	832	Client.exe
Token: SeDebugPrivilege	612	Client.exe
Token: SeDebugPrivilege	1316	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2652	Client.exe
2140	Client.exe
2308	Client.exe
264	Client.exe
2088	Client.exe
1736	Client.exe
1768	Client.exe
2704	Client.exe
2544	Client.exe
2052	Client.exe
1908	Client.exe
828	Client.exe
832	Client.exe
612	Client.exe
1316	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2652	Client.exe
2140	Client.exe
2308	Client.exe
264	Client.exe
2088	Client.exe
1736	Client.exe
1768	Client.exe
2704	Client.exe
2544	Client.exe
2052	Client.exe
1908	Client.exe
828	Client.exe
832	Client.exe
612	Client.exe
1316	Client.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2652	Client.exe
2140	Client.exe
1736	Client.exe
2704	Client.exe
1908	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2652	2640	d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe	31
PID 2640 wrote to memory of 2652	2640	d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe	31
PID 2640 wrote to memory of 2652	2640	d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe	31
PID 2652 wrote to memory of 2820	2652	Client.exe	32
PID 2652 wrote to memory of 2820	2652	Client.exe	32
PID 2652 wrote to memory of 2820	2652	Client.exe	32
PID 2820 wrote to memory of 2712	2820	cmd.exe	34
PID 2820 wrote to memory of 2712	2820	cmd.exe	34
PID 2820 wrote to memory of 2712	2820	cmd.exe	34
PID 2820 wrote to memory of 2660	2820	cmd.exe	35
PID 2820 wrote to memory of 2660	2820	cmd.exe	35
PID 2820 wrote to memory of 2660	2820	cmd.exe	35
PID 2820 wrote to memory of 2140	2820	cmd.exe	36
PID 2820 wrote to memory of 2140	2820	cmd.exe	36
PID 2820 wrote to memory of 2140	2820	cmd.exe	36
PID 2140 wrote to memory of 2892	2140	Client.exe	37
PID 2140 wrote to memory of 2892	2140	Client.exe	37
PID 2140 wrote to memory of 2892	2140	Client.exe	37
PID 2892 wrote to memory of 2916	2892	cmd.exe	39
PID 2892 wrote to memory of 2916	2892	cmd.exe	39
PID 2892 wrote to memory of 2916	2892	cmd.exe	39
PID 2892 wrote to memory of 1220	2892	cmd.exe	40
PID 2892 wrote to memory of 1220	2892	cmd.exe	40
PID 2892 wrote to memory of 1220	2892	cmd.exe	40
PID 2892 wrote to memory of 2308	2892	cmd.exe	41
PID 2892 wrote to memory of 2308	2892	cmd.exe	41
PID 2892 wrote to memory of 2308	2892	cmd.exe	41
PID 2308 wrote to memory of 1568	2308	Client.exe	42
PID 2308 wrote to memory of 1568	2308	Client.exe	42
PID 2308 wrote to memory of 1568	2308	Client.exe	42
PID 1568 wrote to memory of 2728	1568	cmd.exe	44
PID 1568 wrote to memory of 2728	1568	cmd.exe	44
PID 1568 wrote to memory of 2728	1568	cmd.exe	44
PID 1568 wrote to memory of 2816	1568	cmd.exe	45
PID 1568 wrote to memory of 2816	1568	cmd.exe	45
PID 1568 wrote to memory of 2816	1568	cmd.exe	45
PID 1568 wrote to memory of 264	1568	cmd.exe	46
PID 1568 wrote to memory of 264	1568	cmd.exe	46
PID 1568 wrote to memory of 264	1568	cmd.exe	46
PID 264 wrote to memory of 288	264	Client.exe	47
PID 264 wrote to memory of 288	264	Client.exe	47
PID 264 wrote to memory of 288	264	Client.exe	47
PID 288 wrote to memory of 2408	288	cmd.exe	49
PID 288 wrote to memory of 2408	288	cmd.exe	49
PID 288 wrote to memory of 2408	288	cmd.exe	49
PID 288 wrote to memory of 2768	288	cmd.exe	50
PID 288 wrote to memory of 2768	288	cmd.exe	50
PID 288 wrote to memory of 2768	288	cmd.exe	50
PID 288 wrote to memory of 2088	288	cmd.exe	51
PID 288 wrote to memory of 2088	288	cmd.exe	51
PID 288 wrote to memory of 2088	288	cmd.exe	51
PID 2088 wrote to memory of 1920	2088	Client.exe	52
PID 2088 wrote to memory of 1920	2088	Client.exe	52
PID 2088 wrote to memory of 1920	2088	Client.exe	52
PID 1920 wrote to memory of 1312	1920	cmd.exe	54
PID 1920 wrote to memory of 1312	1920	cmd.exe	54
PID 1920 wrote to memory of 1312	1920	cmd.exe	54
PID 1920 wrote to memory of 1604	1920	cmd.exe	55
PID 1920 wrote to memory of 1604	1920	cmd.exe	55
PID 1920 wrote to memory of 1604	1920	cmd.exe	55
PID 1920 wrote to memory of 1736	1920	cmd.exe	56
PID 1920 wrote to memory of 1736	1920	cmd.exe	56
PID 1920 wrote to memory of 1736	1920	cmd.exe	56
PID 1736 wrote to memory of 1652	1736	Client.exe	57

C:\Users\Admin\AppData\Local\Temp\d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe
"C:\Users\Admin\AppData\Local\Temp\d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\durbDizJ0WzN.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2712
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2660
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OZR6GvgSzxqX.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2916
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1220
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oasj6b7xNCjT.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eVg2YDOIDWB1.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3lXZcuYBGRMJ.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSZXKNBKuDAK.bat" "
        13⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGC2cYBzIXYt.bat" "
        15⤵
        
        PID:2336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wop3winYWAQl.bat" "
        17⤵
        
        PID:2812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2544
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dBQbukvt6WcG.bat" "
        19⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKePwm8JA3NJ.bat" "
        21⤵
        
        PID:928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAFuFidmwt7W.bat" "
        23⤵
        
        PID:1464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:828
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lNFDAkg821yV.bat" "
        25⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKcrQjeWpoaY.bat" "
        27⤵
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:932
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xmJlawtclQFR.bat" "
        29⤵
        
        PID:888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1316
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\shGGBOXC8rq0.bat" "
        31⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3lXZcuYBGRMJ.bat

Filesize
207B

MD5
97f66b5b9d3151a4de24fcbaf07ebfe6

SHA1
f8bf5869d50013a4965901bfd83c40729873a984

SHA256
0c5179dcd61ce333a2b6907874bc493c414de0b1d26a98843f93cb9d87eb5f84

SHA512
2f0eecd1f6da14659682bcb2f4d84c9908d21026d2684321d5630be5bf0fc5c9d72ca435093ccf2f2f20d455405456b294f69673bcf0034f8af4056d447f968c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKcrQjeWpoaY.bat

Filesize
207B

MD5
276ae808d1924e060b726d344534be7c

SHA1
20f8831ae8159073df5e1f67edc2aa243097aa1e

SHA256
664a7d26a4838617c62484b0fad6847d77e1ad3ef4e4636f2292360839536bf5

SHA512
15611dd57a38bc8b21121202b17596110ceb26d8613e6e3a5af4c9f180749cef16164e637368c8a64d2416524272384ad835c97317505fd9bb1b8028c9f6cbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAFuFidmwt7W.bat

Filesize
207B

MD5
32ef2e7acb11b12c60eba27127fe1699

SHA1
844b67ceeee551477c45b4a4f3ac5be4580ef2ec

SHA256
1530f40dd9509d7675918be0ab05ec50bb03e6febb1e95f98b447506c984693b

SHA512
e2f35b967947358d1836a79e9790dbe8b6205b0f8be1d048c88e5b6eca7eb1dd9443a5d3feaee0ebafab5e83808cbb8414ce8b46fc86162a21529df92ee0baa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZR6GvgSzxqX.bat

Filesize
207B

MD5
ce461a26edae933edd8178a37ffa4284

SHA1
1521d2cbe1f15d416b9fff3c3937a324e8f6b285

SHA256
1d0776ee1e6a1fdaa01d3850487860fbf290519c9fd8db655ab054ca2cb29c66

SHA512
8b14b0aeea7b67d00dd38803a566695538f06d7c20ab5e769d8f743c7ca90648a6527c8575a38277182a041c262f09c55b407254dc9e199ca59e4c42bff4aaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wop3winYWAQl.bat

Filesize
207B

MD5
549179d20f35f6ebc8923c1660240159

SHA1
b1934de3fc4f7085adfbf2a1811e0bc820d746bd

SHA256
4ad5aed545d0c868fac83ceee65917ee65577737614cb4ca8f9b5656fe15fa35

SHA512
b2a0c21ad60c9f072ca6b17fe3adc7ee95ce4899d06617b8c029430cbccabe235c4aec02cf06bbf917aef1034d29be7a389ba30a43aa074c82dabae59c2b05e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dBQbukvt6WcG.bat

Filesize
207B

MD5
bd0ad864929343c5916295af1a85e3a0

SHA1
67c8c79664a8f6be62eb9821e016bcc7b93a20ff

SHA256
b4c4d60fe53c2b20e6863da0546b131be48ee9da2bc8741eba9aa62a77cb7205

SHA512
3496c68cfbf49a51e704f77bd2c66267aaa0a8b81ea5620bd17830713b163a8b2e73a65ae3ddba9df1c95b5cb28552a4f58ccd9f4f27d50a14eb6a63c6406f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\durbDizJ0WzN.bat

Filesize
207B

MD5
c6e9557d5de710aaf161fc8622285258

SHA1
96ab14dba9acaef7913bb8cdd8563ae7ae219e42

SHA256
b06a666eec1eec5c95d6fffd2790f3d4fec3fc4b96be3f4cc005e1fd36d71802

SHA512
4dddfb93aeb651903f9ad209c79db04a3c9e0e9abec3599978024d57dca63ba91c4cd1cb86ff63c5d87e3f295e703e6f2f0bef46d869d49366658d68ea402eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\eVg2YDOIDWB1.bat

Filesize
207B

MD5
75661ddce6a4877113c381c479084fdb

SHA1
3149093d39791e01241cee61a211102542d6265e

SHA256
038dd05041de61efb34e8114dd778567489387d9662ef64de56be9fe2bca5617

SHA512
85fdb74939ed06d72fb2a4ee5a3dafbbf0857ebd5d6918de4c9d1b187bd33ba4cf023f52dcefe192546769b584330777b3d94a6b02d2dfa8f3684a5a49b6e1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gKePwm8JA3NJ.bat

Filesize
207B

MD5
c9511ee3e90dded445141a6e26fd261b

SHA1
f9b13feb2eea09084bd41832663dbe456d6b43b8

SHA256
a9475e378eee3b58a4bfe84bb3621f1c9597ad45c68fdaeaf36e95116cb57966

SHA512
f6e8b9ead71b2bbf91f4591677348f7e4b95799baf11392dc97232c808ad457782963d7013c6b33644cbb035f7b4269d79bd8bd4d50c0a330a1cbc7be8e5944d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSZXKNBKuDAK.bat

Filesize
207B

MD5
a3c1868a57f8c34f8f13440a64fc161c

SHA1
46a28cb8a5e2ea24a869a1b82c2aa2f213bda929

SHA256
c9f833ff5802d248736f1b906aa8da9c03be5a9c73e94ac008b9717db0dc065d

SHA512
ffb956ddfaa9e9af1ceedcb58c95667e0ec8cd99913d65fb05a836313a9a243d7069087c78fce8f4e3d32cb3a59ded8d9da4a74d09456fb4fb50cb98002c5b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lNFDAkg821yV.bat

Filesize
207B

MD5
0a567f016b4fbea68fef41604962cb83

SHA1
b556dc81dfa679a3de610064e8491b904789ed83

SHA256
dea12bdb7d1fcbeb3bcd1d81f275546474cb7897d52807decf6430cdc31d7de1

SHA512
315585932e657635a413e934dd63d19514a78a0c79037d0a37c1b487a493334a3b6974de724db23dd32d988111dd30c6db223abebeecb3642e526b9cd8dd95f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGC2cYBzIXYt.bat

Filesize
207B

MD5
bfa14d42bc8147dad499d97e4efcd6da

SHA1
f4e1694fcc2cd3c91a0a4df3e9840f902f470bf3

SHA256
7ebd12e0f5dea0f5bcdc7109e54b7893632618a8104f2092cb7e771d52b751d9

SHA512
c8e4d94ddd40014c074a4370c2a5f86b291cbd586b222946ee6de098e3c0aa7cfdb7efc8f690a74ecff32c18ee51935d33cba2d3ed35140c724715e43e6c42b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oasj6b7xNCjT.bat

Filesize
207B

MD5
47089cf6ca8707def96c9bf90125fa6e

SHA1
154b20429c296bd47a8a5e95d35d7f41b872301f

SHA256
c9b243c963511cf9926b7212d8b9797529bab0e3e364581fbe6e61bcef535e0c

SHA512
ec6e6d7bb7f5c350c471a092f85bddc4c0714f3001a64a3e55cd5ab372ff0b9005749a696cb17a2eab9f9c489461a74ce2f3804e503d572dad665bb3c7b677d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\shGGBOXC8rq0.bat

Filesize
207B

MD5
d550ed3af4b60dd5c9bda4c626bfa3af

SHA1
73bc0645d44c988a864ef104c6ef6b0ef1f143b4

SHA256
69c735f16c00a163c00848b2a2e2deb2c977636a8f4c7cad44287e2fb3a234c2

SHA512
aed81d6de11c24b440176058dd34307ea69c019266aebbe465300e722ce21438a0e81b0288207f4e9752679404aad434aec233ed1d3f33000c3bc2a3957dc81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmJlawtclQFR.bat

Filesize
207B

MD5
b2ef5ff2f646cc17d56f08e72b2567b5

SHA1
d83f3f9f55a57e542cb9c928d0dc14a377fbef2b

SHA256
aee253c67a525ca6c1cdf6f0a42cc1c465fa287ac8a0103530ce5e76edbcab20

SHA512
c47477eb3728f0934ee740e3fb9e974cb3b8707eeeea27494f46ea2aaf1802c3632e5ed4702a4780256a853c244e3058841c3957a563c8e68a9f570ec6699529

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
03159c4b3d8d1c3e2058a44a5d4ffa4a

SHA1
109270f59115cc704501fbea1890abd7864cc83f

SHA256
d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4

SHA512
12f828d32a509a076f69896fcffdf6da50e4e8e23dd2230f8288dacbbbb2c4391c0e1663fc2efc21ab55cedd081e43f6143d84f7ae29977fe9da61a705394abd

Download Submit
memory/612-156-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/828-133-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/832-145-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/1316-167-0x00000000010E0000-0x0000000001404000-memory.dmp

Filesize
3.1MB

Download
memory/1736-65-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/1768-78-0x0000000001170000-0x0000000001494000-memory.dmp

Filesize
3.1MB

Download
memory/2088-54-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/2140-22-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download
memory/2308-33-0x00000000011E0000-0x0000000001504000-memory.dmp

Filesize
3.1MB

Download
memory/2640-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-9-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x0000000000A60000-0x0000000000D84000-memory.dmp

Filesize
3.1MB

Download
memory/2652-10-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-19-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-7-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-8-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/2704-89-0x00000000011D0000-0x00000000014F4000-memory.dmp

Filesize
3.1MB

Download