quasar | d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe
Size

3.1MB
MD5

03159c4b3d8d1c3e2058a44a5d4ffa4a
SHA1

109270f59115cc704501fbea1890abd7864cc83f
SHA256

d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4
SHA512

12f828d32a509a076f69896fcffdf6da50e4e8e23dd2230f8288dacbbbb2c4391c0e1663fc2efc21ab55cedd081e43f6143d84f7ae29977fe9da61a705394abd
SSDEEP

49152:fvHlL26AaNeWgPhlmVqvMQ7XSKuRRJ6ObR3LoGd8THHB72eh2NT:fvFL26AaNeWgPhlmVqkQ7XSKuRRJ6I

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

augustinevegas-31173.portmap.host:31173

Mutex

7d74883a-5879-4f61-8c23-fc7af453d7c2

Attributes

encryption_key
0B6DCD2BE4C82058601AFDA4AB9525FABE85A71D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2324-1-0x0000000000790000-0x0000000000AB4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b8b-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
1304	Client.exe
1408	Client.exe
732	Client.exe
2896	Client.exe
1508	Client.exe
1324	Client.exe
4496	Client.exe
1668	Client.exe
1988	Client.exe
4964	Client.exe
308	Client.exe
1420	Client.exe
4892	Client.exe
3620	Client.exe
4476	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1328	PING.EXE
2544	PING.EXE
1332	PING.EXE
2784	PING.EXE
2544	PING.EXE
2628	PING.EXE
4604	PING.EXE
2156	PING.EXE
4416	PING.EXE
2956	PING.EXE
4868	PING.EXE
4148	PING.EXE
4980	PING.EXE
5008	PING.EXE
2908	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1328	PING.EXE
2544	PING.EXE
2908	PING.EXE
4868	PING.EXE
2156	PING.EXE
2544	PING.EXE
4980	PING.EXE
1332	PING.EXE
2956	PING.EXE
4604	PING.EXE
4148	PING.EXE
5008	PING.EXE
4416	PING.EXE
2784	PING.EXE
2628	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe
Token: SeDebugPrivilege	1304	Client.exe
Token: SeDebugPrivilege	1408	Client.exe
Token: SeDebugPrivilege	732	Client.exe
Token: SeDebugPrivilege	2896	Client.exe
Token: SeDebugPrivilege	1508	Client.exe
Token: SeDebugPrivilege	1324	Client.exe
Token: SeDebugPrivilege	4496	Client.exe
Token: SeDebugPrivilege	1668	Client.exe
Token: SeDebugPrivilege	1988	Client.exe
Token: SeDebugPrivilege	4964	Client.exe
Token: SeDebugPrivilege	308	Client.exe
Token: SeDebugPrivilege	1420	Client.exe
Token: SeDebugPrivilege	4892	Client.exe
Token: SeDebugPrivilege	3620	Client.exe
Token: SeDebugPrivilege	4476	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1304	Client.exe
1408	Client.exe
732	Client.exe
2896	Client.exe
1508	Client.exe
1324	Client.exe
4496	Client.exe
1668	Client.exe
1988	Client.exe
4964	Client.exe
308	Client.exe
1420	Client.exe
4892	Client.exe
3620	Client.exe
4476	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1304	Client.exe
1408	Client.exe
732	Client.exe
2896	Client.exe
1508	Client.exe
1324	Client.exe
4496	Client.exe
1668	Client.exe
1988	Client.exe
4964	Client.exe
308	Client.exe
1420	Client.exe
4892	Client.exe
3620	Client.exe
4476	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1304	2324	d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe	82
PID 2324 wrote to memory of 1304	2324	d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe	82
PID 1304 wrote to memory of 2216	1304	Client.exe	83
PID 1304 wrote to memory of 2216	1304	Client.exe	83
PID 2216 wrote to memory of 1412	2216	cmd.exe	85
PID 2216 wrote to memory of 1412	2216	cmd.exe	85
PID 2216 wrote to memory of 2156	2216	cmd.exe	86
PID 2216 wrote to memory of 2156	2216	cmd.exe	86
PID 2216 wrote to memory of 1408	2216	cmd.exe	92
PID 2216 wrote to memory of 1408	2216	cmd.exe	92
PID 1408 wrote to memory of 3588	1408	Client.exe	93
PID 1408 wrote to memory of 3588	1408	Client.exe	93
PID 3588 wrote to memory of 4072	3588	cmd.exe	95
PID 3588 wrote to memory of 4072	3588	cmd.exe	95
PID 3588 wrote to memory of 4148	3588	cmd.exe	96
PID 3588 wrote to memory of 4148	3588	cmd.exe	96
PID 3588 wrote to memory of 732	3588	cmd.exe	99
PID 3588 wrote to memory of 732	3588	cmd.exe	99
PID 732 wrote to memory of 3804	732	Client.exe	100
PID 732 wrote to memory of 3804	732	Client.exe	100
PID 3804 wrote to memory of 3516	3804	cmd.exe	102
PID 3804 wrote to memory of 3516	3804	cmd.exe	102
PID 3804 wrote to memory of 4980	3804	cmd.exe	103
PID 3804 wrote to memory of 4980	3804	cmd.exe	103
PID 3804 wrote to memory of 2896	3804	cmd.exe	105
PID 3804 wrote to memory of 2896	3804	cmd.exe	105
PID 2896 wrote to memory of 2784	2896	Client.exe	107
PID 2896 wrote to memory of 2784	2896	Client.exe	107
PID 2784 wrote to memory of 1192	2784	cmd.exe	109
PID 2784 wrote to memory of 1192	2784	cmd.exe	109
PID 2784 wrote to memory of 1328	2784	cmd.exe	110
PID 2784 wrote to memory of 1328	2784	cmd.exe	110
PID 2784 wrote to memory of 1508	2784	cmd.exe	111
PID 2784 wrote to memory of 1508	2784	cmd.exe	111
PID 1508 wrote to memory of 3524	1508	Client.exe	112
PID 1508 wrote to memory of 3524	1508	Client.exe	112
PID 3524 wrote to memory of 4708	3524	cmd.exe	114
PID 3524 wrote to memory of 4708	3524	cmd.exe	114
PID 3524 wrote to memory of 2544	3524	cmd.exe	115
PID 3524 wrote to memory of 2544	3524	cmd.exe	115
PID 3524 wrote to memory of 1324	3524	cmd.exe	116
PID 3524 wrote to memory of 1324	3524	cmd.exe	116
PID 1324 wrote to memory of 316	1324	Client.exe	117
PID 1324 wrote to memory of 316	1324	Client.exe	117
PID 316 wrote to memory of 220	316	cmd.exe	119
PID 316 wrote to memory of 220	316	cmd.exe	119
PID 316 wrote to memory of 5008	316	cmd.exe	120
PID 316 wrote to memory of 5008	316	cmd.exe	120
PID 316 wrote to memory of 4496	316	cmd.exe	121
PID 316 wrote to memory of 4496	316	cmd.exe	121
PID 4496 wrote to memory of 4312	4496	Client.exe	122
PID 4496 wrote to memory of 4312	4496	Client.exe	122
PID 4312 wrote to memory of 960	4312	cmd.exe	124
PID 4312 wrote to memory of 960	4312	cmd.exe	124
PID 4312 wrote to memory of 4416	4312	cmd.exe	125
PID 4312 wrote to memory of 4416	4312	cmd.exe	125
PID 4312 wrote to memory of 1668	4312	cmd.exe	126
PID 4312 wrote to memory of 1668	4312	cmd.exe	126
PID 1668 wrote to memory of 2200	1668	Client.exe	127
PID 1668 wrote to memory of 2200	1668	Client.exe	127
PID 2200 wrote to memory of 620	2200	cmd.exe	129
PID 2200 wrote to memory of 620	2200	cmd.exe	129
PID 2200 wrote to memory of 1332	2200	cmd.exe	130
PID 2200 wrote to memory of 1332	2200	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe
"C:\Users\Admin\AppData\Local\Temp\d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aZRD05HUdvrV.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1412
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2156
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZrHFlsRTFn12.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4072
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4148
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSuivcDK8P4c.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaArVLADwc7c.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0soyMI5sDBJL.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7C02BPkVkAdq.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KbH9LEFCSxji.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kxLblLvHF44k.bat" "
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1332
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\snklFhfjo1Mf.bat" "
        19⤵
        
        PID:3572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UVCctK5KGkLT.bat" "
        21⤵
        
        PID:792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAwhsXhpZFho.bat" "
        23⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cPLY589h7M5Q.bat" "
        25⤵
        
        PID:380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5yyXHnjxmKGP.bat" "
        27⤵
        
        PID:220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T8bQolTIVQY2.bat" "
        29⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xpn1wgxwHQle.bat" "
        31⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0soyMI5sDBJL.bat

Filesize
207B

MD5
c0ea3ac7c52a50eb77b4634932b55c27

SHA1
b75d44d82aeaad0ee8efde38721c2e1264862010

SHA256
72af94a45076bce679c2318da6c271f97c893b3bac82634f3994cd76f896f9e5

SHA512
0be25a236c99f9b844ede6abc1df7f09d080d1c2fbf58f35aa1df1d6ba276b3aaaa5083cacf26e183d3f9114092a34684834d9fdb651e716d829bc9fd58241d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5yyXHnjxmKGP.bat

Filesize
207B

MD5
eda1bb4154b154f23dae41767dd4bc2d

SHA1
cd4b5965f0e07ca3f2295bb1a3ab88e3399ed5f5

SHA256
fe7534f05512bf0d0e442ecaff1f395e0f54daabf5b7a51cb793e14b3734eed5

SHA512
e7ab9e3b58126722977d80ede91154f5fd37771ee118f363c03ad9813b479f64007c5e99d63f89dce0f35dbd418c07e9f988152cedb7559fcd8673412e9b9aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C02BPkVkAdq.bat

Filesize
207B

MD5
b3132a54194edf1f6ede6781efe85666

SHA1
f141b0a26d284f35cda36fa61d434eed53a0491b

SHA256
6f14d7b940df7cb4569dc086c5d4deee3d592a8771def65118ca16ace71f0a54

SHA512
7f9119f9afd25147a43c20805cbdd410f59e4afafbd049b0fde0d1c2aa566dd8919b1f7331360ab1b8858f7bec1ef4bfedf6fadaee9699a06276da17e4e70301

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaArVLADwc7c.bat

Filesize
207B

MD5
77ee79021a35e4c4b2aa9badcdf56f29

SHA1
b9cf27416d4cd891c5237d0ceba7d54a1170ee1f

SHA256
53c0e908b0da602c3e03ebdff36306ea56c413adf6f2843956020363e806bf61

SHA512
cf3f88660a0b29197c9aa8048393c834b3c2ffc41491c47fd29c2ed14781933e93bca1fda143af61f2fa8d1c3d663cccf3bc3c54335d8121ec090b7d787f8ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbH9LEFCSxji.bat

Filesize
207B

MD5
d4f418b1c4b21eb07f753ec1c3042d10

SHA1
cea33c37e0604e7a4d379d21b9dd63d572146d9d

SHA256
704eabd7b31768e415c66d14e368761533e528342e66be91115aafc7cff771d3

SHA512
f397649d3823ea15a4396be4a7b6f751417bb2f750679b5deae6980ab95a98e35e5f19953db48c01420162d060ff316750662e1a41a6f9a21e82edc72bdc99c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\T8bQolTIVQY2.bat

Filesize
207B

MD5
b70904eefa9a518f4303013c4b7bea56

SHA1
4f93689bb797e4e8b83532815359448a4e5d2b66

SHA256
fd1e55db2ec2d3f25d6b4ef53fdb41499953a297c0c34b6685cf30c16a5995a7

SHA512
f1929348a94b8e27af47ee390fbe2659d1392ab4f14c216ac11ace6ea5fa6e0b3181d5c1518b99b6618578657e760e5f42bbb5c4ba9cbe948a7afd6cab5f511f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UVCctK5KGkLT.bat

Filesize
207B

MD5
1c8ca976d1655d420b75ea6509cfcfe4

SHA1
9f1d7b7c5a7fff0747099b6a843f8af8cccbecbc

SHA256
5b9b39a7b0cb6f8b032ea9aea342b7d48ad49e611ed5a5b82f34547ac3ac2f42

SHA512
dbcef028b11c42529229cce0d6393d2aaa8b166921b38e311984df32b677839c45686043bdce71b59b783dc014977239300a692c02d0bedc9668eadefad84543

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZrHFlsRTFn12.bat

Filesize
207B

MD5
1c84dbad89438d397447a2d85db3bc42

SHA1
e7fd341c8a9a3749fe0eb2f04b481489760a410c

SHA256
4a390bf576d1dc006c6318e587f0e597e0fd0060a02011a389de8a147a3f40b2

SHA512
271da554e6d440543e8755d46b7b7cacbb557246de07010d28a37601425afc4c701ba667fbbbfd4f5f6ef106dbcaa286986f180d067f1465b15b46f91e99abbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\aZRD05HUdvrV.bat

Filesize
207B

MD5
a7daed8d3dbe4a9ff6fda25195a96f8b

SHA1
180a21a7e7f32792ee8595e16b45a06c021c3791

SHA256
b20523f263a8967db3159a70bdb12d13f2b2deb5272f7e96061e7f2654167c65

SHA512
eac43709d090eb77e6f7144eaf0e0ee6380361c0503da1184d0b5f4a0a94bf87464a19d403d566652c8e0473c19ec96b9f9dba961e29c49e6e74d9aa06841bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\cPLY589h7M5Q.bat

Filesize
207B

MD5
6e07a318c31afe3df826365aeec21a09

SHA1
6346e7867ac9c151b8e07f95903ce59e0d5491ca

SHA256
668803146ac7dc73a950820fa0814e41a40944900faedec13bb75d6d71264361

SHA512
5645b30d9cafbe07d614cc764daa0fb13e51afeb8a16cc008e15b9a4a70a260d39bbbb251907fa879508231129592b7eecf160cade3c7388188f6e15d1c80b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxLblLvHF44k.bat

Filesize
207B

MD5
0656873a38e7e328e8521f4d6099bbe4

SHA1
fc3630772f728bd38c5ba82513a533ada78559e2

SHA256
6a107e3b1a43db09ec23cd6b562517bb54c7ce32b727ea606ebe3aced55a996e

SHA512
ec076fec1c921d6a23e29365554b7ac1bccff6530739ecb424fe8ff9183aa97489109159f92b6d8c89a1989751ee110e6a0a8001b6c6983a1ea686249052c4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAwhsXhpZFho.bat

Filesize
207B

MD5
3423b5e295b7eceb34adba40208cc6e4

SHA1
64198a3213a05c6dddeef50c73d41a71124f3464

SHA256
76ba3ec004ff44723178a3996703801e41b09b5d0546c6caa58744372aae189b

SHA512
35787bca3ec9308a153f73c4fd99a37b6ccbd3846b46aa7612f40289587337adfb5fc74e25b80aff9c15e04dad80435c8310b532bd8dd225f2142cac8ccf4415

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSuivcDK8P4c.bat

Filesize
207B

MD5
55da6457268823c733ba3d80fc513cc6

SHA1
3e15364366df9464c2f609331aea63765e3317e9

SHA256
85f899f9effc71479e3590aca754cd42874ab3a5a7ad1346ed2422af5f97866b

SHA512
ecbec33298de317ae033df130aec33ff2b1a33414539cf8213306b7db99da884fc3ae77fc1b4117b0e992bb129235caef85082f33b5bc61f35b2f1a1cf1dec39

Download Submit
C:\Users\Admin\AppData\Local\Temp\snklFhfjo1Mf.bat

Filesize
207B

MD5
193f7f46b462f39299b8d6f1e8c0f2bd

SHA1
0c0091e9a634d7ac36b2398f65ca97e65f5ae945

SHA256
96a3d68aae75d659a2736a277dba66fb5c7c3f951fe9f64e8025c598b3ef2dcb

SHA512
e6efd75b03a81b6346a25e69a7131d1ea5144a30ae7b2834ab8b3acdd4895d3e6ef09dcccddb867da0996d7e25e37c42034b7fd68f77a3a132482b56be956319

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpn1wgxwHQle.bat

Filesize
207B

MD5
a55bb5c91c06afb9ea4439a9a1c30abf

SHA1
59416322a2e86bb3530a4605e907fd522e92119a

SHA256
95e4c0894748e628e13c1418de24e948aca3c3282979a2105f029e1907dbeef8

SHA512
4f71f755cb0a3e93048b76039c54e267cd5f51b9e513cbf99ecb2da819833847532c36a5052c123f9c642e6ddde3b66c432c8c344f51bb9ff2962fd3e3b6a0d6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
03159c4b3d8d1c3e2058a44a5d4ffa4a

SHA1
109270f59115cc704501fbea1890abd7864cc83f

SHA256
d0808993597c7282681815789d64209ce8ccdf5dad41e4ea867ac81f14752ef4

SHA512
12f828d32a509a076f69896fcffdf6da50e4e8e23dd2230f8288dacbbbb2c4391c0e1663fc2efc21ab55cedd081e43f6143d84f7ae29977fe9da61a705394abd

Download Submit
memory/1304-11-0x000000001C1B0000-0x000000001C200000-memory.dmp

Filesize
320KB

Download
memory/1304-8-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/1304-9-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/1304-17-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/1304-12-0x000000001C2C0000-0x000000001C372000-memory.dmp

Filesize
712KB

Download
memory/2324-0-0x00007FFA73F03000-0x00007FFA73F05000-memory.dmp

Filesize
8KB

Download
memory/2324-10-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-2-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-1-0x0000000000790000-0x0000000000AB4000-memory.dmp

Filesize
3.1MB

Download