quasar | f1bcf4d98fef3665492ca5fbf5296fa06a4adb2b3b9681b110a148f56ed1aaf6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wawenoKey.exe
Size

348KB
MD5

19cde915d18709c0de2e5acd6acc41ce
SHA1

5478e37f33533ccb57b73c94e613f39f95db3e06
SHA256

f1bcf4d98fef3665492ca5fbf5296fa06a4adb2b3b9681b110a148f56ed1aaf6
SHA512

a1bba884336a8e7a370b218ae70427d791587c25e2e9f52ee59459df1cf60bf7ef8a488e1d159c9b501329d7049349637a23d5b2e5fbe32e4a6fd1884c0b068d
SSDEEP

6144:pX6bPXhLApfpuCmvXtjghbSS4JmtD15FJYa8O:JmhApePt0J4JmlbFJY3O

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

Client2:4782

Mutex

QSR_MUTEX_RH6ctD844WCagY5nuM

Attributes

encryption_key
nyassPD33yuypk3HMAZZ
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	76	ip-api.com	Process not Found
	12	ip-api.com	Process not Found
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wawenoKey.exe
	56	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4600-1-0x00000000007C0000-0x000000000081E000-memory.dmp	family_quasar
behavioral2/files/0x000e000000023bd7-10.dat	family_quasar

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 11 IoCs

pid	Process
4344	Client.exe
3340	Client.exe
3504	Client.exe
548	Client.exe
4392	Client.exe
1640	Client.exe
4872	Client.exe
2968	Client.exe
3364	Client.exe
1116	Client.exe
4960	Client.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
56	ip-api.com
76	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wawenoKey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1856	PING.EXE
2296	PING.EXE
4280	PING.EXE
4076	PING.EXE
4016	PING.EXE
5096	PING.EXE
3092	PING.EXE
4444	PING.EXE
3668	PING.EXE
1748	PING.EXE
412	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
4280	PING.EXE
4076	PING.EXE
2296	PING.EXE
412	PING.EXE
4444	PING.EXE
3668	PING.EXE
1748	PING.EXE
1856	PING.EXE
4016	PING.EXE
5096	PING.EXE
3092	PING.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	wawenoKey.exe
Token: SeDebugPrivilege	4344	Client.exe
Token: SeDebugPrivilege	3340	Client.exe
Token: SeDebugPrivilege	3504	Client.exe
Token: SeDebugPrivilege	548	Client.exe
Token: SeDebugPrivilege	4392	Client.exe
Token: SeDebugPrivilege	1640	Client.exe
Token: SeDebugPrivilege	4872	Client.exe
Token: SeDebugPrivilege	2968	Client.exe
Token: SeDebugPrivilege	3364	Client.exe
Token: SeDebugPrivilege	1116	Client.exe
Token: SeDebugPrivilege	4960	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4344	4600	wawenoKey.exe	83
PID 4600 wrote to memory of 4344	4600	wawenoKey.exe	83
PID 4600 wrote to memory of 4344	4600	wawenoKey.exe	83
PID 4344 wrote to memory of 3192	4344	Client.exe	84
PID 4344 wrote to memory of 3192	4344	Client.exe	84
PID 4344 wrote to memory of 3192	4344	Client.exe	84
PID 3192 wrote to memory of 4160	3192	cmd.exe	86
PID 3192 wrote to memory of 4160	3192	cmd.exe	86
PID 3192 wrote to memory of 4160	3192	cmd.exe	86
PID 3192 wrote to memory of 4280	3192	cmd.exe	87
PID 3192 wrote to memory of 4280	3192	cmd.exe	87
PID 3192 wrote to memory of 4280	3192	cmd.exe	87
PID 3192 wrote to memory of 3340	3192	cmd.exe	92
PID 3192 wrote to memory of 3340	3192	cmd.exe	92
PID 3192 wrote to memory of 3340	3192	cmd.exe	92
PID 3340 wrote to memory of 2784	3340	Client.exe	95
PID 3340 wrote to memory of 2784	3340	Client.exe	95
PID 3340 wrote to memory of 2784	3340	Client.exe	95
PID 2784 wrote to memory of 3296	2784	cmd.exe	97
PID 2784 wrote to memory of 3296	2784	cmd.exe	97
PID 2784 wrote to memory of 3296	2784	cmd.exe	97
PID 2784 wrote to memory of 1856	2784	cmd.exe	98
PID 2784 wrote to memory of 1856	2784	cmd.exe	98
PID 2784 wrote to memory of 1856	2784	cmd.exe	98
PID 2784 wrote to memory of 3504	2784	cmd.exe	99
PID 2784 wrote to memory of 3504	2784	cmd.exe	99
PID 2784 wrote to memory of 3504	2784	cmd.exe	99
PID 3504 wrote to memory of 2900	3504	Client.exe	101
PID 3504 wrote to memory of 2900	3504	Client.exe	101
PID 3504 wrote to memory of 2900	3504	Client.exe	101
PID 2900 wrote to memory of 4756	2900	cmd.exe	103
PID 2900 wrote to memory of 4756	2900	cmd.exe	103
PID 2900 wrote to memory of 4756	2900	cmd.exe	103
PID 2900 wrote to memory of 4076	2900	cmd.exe	104
PID 2900 wrote to memory of 4076	2900	cmd.exe	104
PID 2900 wrote to memory of 4076	2900	cmd.exe	104
PID 2900 wrote to memory of 548	2900	cmd.exe	105
PID 2900 wrote to memory of 548	2900	cmd.exe	105
PID 2900 wrote to memory of 548	2900	cmd.exe	105
PID 548 wrote to memory of 4960	548	Client.exe	107
PID 548 wrote to memory of 4960	548	Client.exe	107
PID 548 wrote to memory of 4960	548	Client.exe	107
PID 4960 wrote to memory of 1912	4960	cmd.exe	109
PID 4960 wrote to memory of 1912	4960	cmd.exe	109
PID 4960 wrote to memory of 1912	4960	cmd.exe	109
PID 4960 wrote to memory of 4016	4960	cmd.exe	110
PID 4960 wrote to memory of 4016	4960	cmd.exe	110
PID 4960 wrote to memory of 4016	4960	cmd.exe	110
PID 4960 wrote to memory of 4392	4960	cmd.exe	111
PID 4960 wrote to memory of 4392	4960	cmd.exe	111
PID 4960 wrote to memory of 4392	4960	cmd.exe	111
PID 4392 wrote to memory of 884	4392	Client.exe	112
PID 4392 wrote to memory of 884	4392	Client.exe	112
PID 4392 wrote to memory of 884	4392	Client.exe	112
PID 884 wrote to memory of 772	884	cmd.exe	114
PID 884 wrote to memory of 772	884	cmd.exe	114
PID 884 wrote to memory of 772	884	cmd.exe	114
PID 884 wrote to memory of 5096	884	cmd.exe	115
PID 884 wrote to memory of 5096	884	cmd.exe	115
PID 884 wrote to memory of 5096	884	cmd.exe	115
PID 884 wrote to memory of 1640	884	cmd.exe	116
PID 884 wrote to memory of 1640	884	cmd.exe	116
PID 884 wrote to memory of 1640	884	cmd.exe	116
PID 1640 wrote to memory of 368	1640	Client.exe	117

C:\Users\Admin\AppData\Local\Temp\wawenoKey.exe
"C:\Users\Admin\AppData\Local\Temp\wawenoKey.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Es6knSV6llLE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4160
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4280
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fL4YPqG8To7H.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1856
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOXTHXfypm2a.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2c72xaTynTSl.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a7hJ9SYdX8cd.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5096
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ME706c8wnBVb.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CLKRrXsXa26U.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4444
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYDVbXVhCKWY.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3668
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T6QNqLJzhwq9.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p3QdumIdCD1O.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIQjxUxvDnjF.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c72xaTynTSl.bat

Filesize
207B

MD5
939c99c412938d323fa3f75b8d57e750

SHA1
0969c6d970db0d85b764dd77d0fffac92d187550

SHA256
b019e21123666f34d0d968f823ded6e1793e06b6d3025a96f729c0df2c6b58a7

SHA512
4392ee3ecc9deb6244dda82bdcc24a4fbf5c2814a8d4f3e9fbf72e142bfda092f0f11cb61b52dac386a167493b7430ccf0776f630c3632411db372975fc3408b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLKRrXsXa26U.bat

Filesize
207B

MD5
99e2eaff4f2112ad81554527f0fd82b1

SHA1
afed70476390adc5a8e53670783de4e6bc33cc3d

SHA256
d7a3b43d73aae6545b3c2b1872baa9205b14b241850f244f4f06b3f2c2f80fdb

SHA512
3aeb1af4a8560b9a4014b908ba46f935c2d3825e6b02e94bbfeb3167afcf3d7f27d356fd61e63b46bcdfb05b618b204cf0553a8182bcadb301e09f6af41fdaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYDVbXVhCKWY.bat

Filesize
207B

MD5
2c0aa97ca6a2f54686675f7f61185c5e

SHA1
a3ade2bbc5a793814f254953100603a3cc07f4ca

SHA256
e36ba54f3beac0edff5f4528ffdd1634cdefbf58ac8ad0508fb651fda2f81a79

SHA512
c177953ee8fc413d1158eb9fe2958341feb447339be04d59fdc45c781487725fcef97b7aa775e28cfdb34c8b096cc6966de8c190ce00b14251fb61e5c703cc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Es6knSV6llLE.bat

Filesize
207B

MD5
aa85410145e28d21409b69cb621334b4

SHA1
672b0baaf5fcd6c89b4bf630bb2da7d5d99fe7c4

SHA256
708625de7fba8b3648c30b246686b504a3f2a3ce406171ac8f57993cb9b4e148

SHA512
ebe988ba8d7a3ae91954154d2ce1288c556571019bcbf177d3858f1d0c538d1c4a012a02e2583d3433dfa979d5f1d331e12c09f5c1bfb1cb22331098f7dc1b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ME706c8wnBVb.bat

Filesize
207B

MD5
aaeba93bef4307d27f387298120b2f61

SHA1
6aad6811617e70726da7cfe5bd5fb3d5ad9cdf79

SHA256
8224f49017c50104c76e9b5b7b39bcf768d316d623343569ab590c7d6eb7b122

SHA512
a09837949ab061c152f6134936442e676888b6472377e8e8ab1c12768d4489e5f05bfc629929c7939b4f4f917c7f4c50981f5b24331f909e5f63716d15efd9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\T6QNqLJzhwq9.bat

Filesize
207B

MD5
6774405946dc9e59404baf19cca8728d

SHA1
6fabd2ae41dadfb2567d7d936b4ca06f80ddfc72

SHA256
7d319f38370acdfa2b1382b911a55756c472516526cfb43edb3c6b8d9de3011c

SHA512
ca2e7b655b47c3cedd88100cc4852056168849ac9d7bbed6856aca247cc79b9efaeb173cf3c750ad5783d58644e89731495c442ad947cf408687ab98eac05936

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOXTHXfypm2a.bat

Filesize
207B

MD5
3f69d7efafee588379e98eb083c78359

SHA1
138c25fbb2e2543916f9e4366e226bc602a202b0

SHA256
c72cf70c6812ddc2500eb4d3ceb31aa4bfed31203284409ed6936607b970cc97

SHA512
6811def54160e6de2bd9733b8cc0bd4649d0bf93126cc244e4c738d1f08823ff345bde8111d23b669691cc3479ed17258e2cdedbff8a058a23c20a0b38a02ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7hJ9SYdX8cd.bat

Filesize
207B

MD5
f537dca53769e8a6340d31a248b28172

SHA1
0d8a6927c98cbbac5c094483e06ba46b5b207590

SHA256
1ea6ea9f7da2a9855f93207dd8294176eb8fcec50cbbb66c7915c1595e74f222

SHA512
485b3938c7e4036700f1a606446f0e9503ab6f0637be6628d82b03024e05dd3486fc7d7227106b025325ac56a15c0dfb7e832dc299665fb33887f355d45bf069

Download Submit
C:\Users\Admin\AppData\Local\Temp\fL4YPqG8To7H.bat

Filesize
207B

MD5
562fda4574f34624e2a806313002ab73

SHA1
fd83cf62aee65171897ca98c3c7cd1c7da8cc455

SHA256
8e840ce2b80406630823e54c5ea57c379fce5276da8df21278f103605f039bae

SHA512
e3b4d944e96583cb29abe75f8b490bd66c6286ec5befc5aef0bede93506138d00bb03e60d96645cc1c05b3c1fa10863f6478c34585c163fc1f58ce27dcc6230c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIQjxUxvDnjF.bat

Filesize
207B

MD5
8b6028399fc0ad471e4552a658bf809d

SHA1
b031fc0f915108083f9af65bd9fe5cb8f0d22c02

SHA256
3bc0e03f62efff186d697be57d85f0e72baf3fff82cd0ea5839201e88d8b01e0

SHA512
04f3694842b3cd6ce96b8e9486bec551ad9f7ec7ff652ba8ffc72a31e5f3241b7b47f9d5abecc50d5f2ed67bed7d2aed2a583202fea555fdc6c7636f26a18904

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3QdumIdCD1O.bat

Filesize
207B

MD5
a4517acbb6a02b5719910dde0248f5df

SHA1
68c22c2296854598871a4cda757038855b017867

SHA256
26507b4e73618cd3b97f139b1d616a5ea07993b4de646a209023ec4d37a8e546

SHA512
15742bf9dfb79fad0b2758fa58d5d4e6d8d47fde6b26ca053f985831c309df708d8aef85dadf9f4ca262ca00a13c89de0e4b6e949c37c6e501cb3d1ffd36dcb2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
348KB

MD5
19cde915d18709c0de2e5acd6acc41ce

SHA1
5478e37f33533ccb57b73c94e613f39f95db3e06

SHA256
f1bcf4d98fef3665492ca5fbf5296fa06a4adb2b3b9681b110a148f56ed1aaf6

SHA512
a1bba884336a8e7a370b218ae70427d791587c25e2e9f52ee59459df1cf60bf7ef8a488e1d159c9b501329d7049349637a23d5b2e5fbe32e4a6fd1884c0b068d

Download Submit
memory/4344-20-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4344-15-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4344-12-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4600-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/4600-14-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4600-7-0x0000000006580000-0x00000000065BC000-memory.dmp

Filesize
240KB

Download
memory/4600-6-0x0000000006040000-0x0000000006052000-memory.dmp

Filesize
72KB

Download
memory/4600-5-0x0000000005310000-0x0000000005376000-memory.dmp

Filesize
408KB

Download
memory/4600-4-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4600-3-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/4600-2-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/4600-1-0x00000000007C0000-0x000000000081E000-memory.dmp

Filesize
376KB

Download