quasar | 0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0

Analysis

max time kernel
142s
max time network
143s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-11-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox exploit 2024.7z
Size

922KB
MD5

b83419ff541c2f78be5921c4c150aa2f
SHA1

2b0a73d56cf4af03d0b1eb51d7e2092f320972f0
SHA256

0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0
SHA512

d9faa15debc5bcae1d391f8cf6f713f2bf8996c64ca4b05f1bddb5f47a7c3980dbc5b784d4791f3a41739b8443fce6a224bcb7ee3654761698f02918b7c5f6a8
SSDEEP

24576:uc92iZi0TVp6x0W7GjN59lfzlPRdAeqoeTy4x3kNp6k:um2iZnV8x0W+Npko0ny1

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Inversin-43597.portmap.host:43597

Mutex

80329fd2-f063-4b06-9c7e-8dbc6278c2a3

Attributes

encryption_key
744EA1A385FEBC6DA96387411B7000D77E66B075
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00280000000450e6-3.dat	family_quasar
behavioral1/memory/4792-5-0x0000000000A20000-0x0000000000D44000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 22 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exeClient.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient.exeClient.exeClient-built.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
4792	Client-built.exe
1408	Client.exe
3452	Client.exe
324	Client.exe
2448	Client.exe
3044	Client-built.exe
4464	Client-built.exe
2092	Client-built.exe
5060	Client-built.exe
2972	Client-built.exe
4924	Client.exe
1852	Client.exe
1924	Client-built.exe
3256	Client.exe
4608	Client.exe
2900	Client.exe
2748	Client.exe
3600	Client.exe
4272	Client.exe
1236	Client.exe
3924	Client.exe
712	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1632	PING.EXE
4524	PING.EXE
4272	PING.EXE
4588	PING.EXE
4568	PING.EXE
4824	PING.EXE
3868	PING.EXE
4336	PING.EXE
2840	PING.EXE
2436	PING.EXE
4972	PING.EXE
1460	PING.EXE
1208	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4336	PING.EXE
1632	PING.EXE
4524	PING.EXE
4272	PING.EXE
2840	PING.EXE
4588	PING.EXE
4972	PING.EXE
1208	PING.EXE
4824	PING.EXE
2436	PING.EXE
1460	PING.EXE
3868	PING.EXE
4568	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2972	schtasks.exe
2360	schtasks.exe
4616	schtasks.exe
4492	schtasks.exe
220	schtasks.exe
1368	schtasks.exe
4936	schtasks.exe
2168	schtasks.exe
3848	schtasks.exe
4064	schtasks.exe
880	schtasks.exe
3432	schtasks.exe
3064	schtasks.exe
1588	schtasks.exe
4932	schtasks.exe
2664	schtasks.exe
4524	schtasks.exe
640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Client-built.exe

pid	Process
5060	Client-built.exe
5060	Client-built.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
460	7zFM.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

7zFM.exeClient-built.exeClient.exeClient.exeClient.exeClient.exeClient-built.exeClient-built.exeClient-built.exeClient-built.exeClient.exeClient-built.exeClient-built.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	Process
Token: SeRestorePrivilege	460	7zFM.exe
Token: 35	460	7zFM.exe
Token: SeSecurityPrivilege	460	7zFM.exe
Token: SeDebugPrivilege	4792	Client-built.exe
Token: SeDebugPrivilege	1408	Client.exe
Token: SeDebugPrivilege	3452	Client.exe
Token: SeDebugPrivilege	324	Client.exe
Token: SeDebugPrivilege	2448	Client.exe
Token: SeDebugPrivilege	3044	Client-built.exe
Token: SeDebugPrivilege	4464	Client-built.exe
Token: SeDebugPrivilege	2092	Client-built.exe
Token: SeDebugPrivilege	5060	Client-built.exe
Token: SeDebugPrivilege	4924	Client.exe
Token: SeDebugPrivilege	2972	Client-built.exe
Token: SeDebugPrivilege	1924	Client-built.exe
Token: SeDebugPrivilege	1852	Client.exe
Token: SeDebugPrivilege	3256	Client.exe
Token: SeDebugPrivilege	4608	Client.exe
Token: SeDebugPrivilege	2900	Client.exe
Token: SeDebugPrivilege	2748	Client.exe
Token: SeDebugPrivilege	3600	Client.exe
Token: SeDebugPrivilege	4272	Client.exe
Token: SeDebugPrivilege	1236	Client.exe
Token: SeDebugPrivilege	3924	Client.exe
Token: SeDebugPrivilege	712	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

7zFM.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
460	7zFM.exe
460	7zFM.exe
1408	Client.exe
3452	Client.exe
324	Client.exe
2448	Client.exe
3256	Client.exe
4608	Client.exe
2900	Client.exe
2748	Client.exe
3600	Client.exe
4272	Client.exe
1236	Client.exe
3924	Client.exe
712	Client.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
1408	Client.exe
3452	Client.exe
324	Client.exe
2448	Client.exe
3256	Client.exe
4608	Client.exe
2900	Client.exe
2748	Client.exe
3600	Client.exe
4272	Client.exe
1236	Client.exe
3924	Client.exe
712	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client-built.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient-built.exeClient-built.exeClient-built.exeClient.exeClient.execmd.exe

description	pid	Process	procid_target
PID 4792 wrote to memory of 220	4792	Client-built.exe	91
PID 4792 wrote to memory of 220	4792	Client-built.exe	91
PID 4792 wrote to memory of 1408	4792	Client-built.exe	93
PID 4792 wrote to memory of 1408	4792	Client-built.exe	93
PID 1408 wrote to memory of 2972	1408	Client.exe	94
PID 1408 wrote to memory of 2972	1408	Client.exe	94
PID 1408 wrote to memory of 3384	1408	Client.exe	97
PID 1408 wrote to memory of 3384	1408	Client.exe	97
PID 3384 wrote to memory of 1924	3384	cmd.exe	99
PID 3384 wrote to memory of 1924	3384	cmd.exe	99
PID 3384 wrote to memory of 4336	3384	cmd.exe	100
PID 3384 wrote to memory of 4336	3384	cmd.exe	100
PID 3384 wrote to memory of 3452	3384	cmd.exe	102
PID 3384 wrote to memory of 3452	3384	cmd.exe	102
PID 3452 wrote to memory of 2360	3452	Client.exe	103
PID 3452 wrote to memory of 2360	3452	Client.exe	103
PID 3452 wrote to memory of 724	3452	Client.exe	105
PID 3452 wrote to memory of 724	3452	Client.exe	105
PID 724 wrote to memory of 4056	724	cmd.exe	107
PID 724 wrote to memory of 4056	724	cmd.exe	107
PID 724 wrote to memory of 1632	724	cmd.exe	108
PID 724 wrote to memory of 1632	724	cmd.exe	108
PID 724 wrote to memory of 324	724	cmd.exe	110
PID 724 wrote to memory of 324	724	cmd.exe	110
PID 324 wrote to memory of 880	324	Client.exe	111
PID 324 wrote to memory of 880	324	Client.exe	111
PID 324 wrote to memory of 4644	324	Client.exe	113
PID 324 wrote to memory of 4644	324	Client.exe	113
PID 4644 wrote to memory of 752	4644	cmd.exe	115
PID 4644 wrote to memory of 752	4644	cmd.exe	115
PID 4644 wrote to memory of 4524	4644	cmd.exe	116
PID 4644 wrote to memory of 4524	4644	cmd.exe	116
PID 4644 wrote to memory of 2448	4644	cmd.exe	117
PID 4644 wrote to memory of 2448	4644	cmd.exe	117
PID 2448 wrote to memory of 1368	2448	Client.exe	118
PID 2448 wrote to memory of 1368	2448	Client.exe	118
PID 2448 wrote to memory of 640	2448	Client.exe	120
PID 2448 wrote to memory of 640	2448	Client.exe	120
PID 640 wrote to memory of 2748	640	cmd.exe	122
PID 640 wrote to memory of 2748	640	cmd.exe	122
PID 640 wrote to memory of 4272	640	cmd.exe	123
PID 640 wrote to memory of 4272	640	cmd.exe	123
PID 3044 wrote to memory of 4616	3044	Client-built.exe	127
PID 3044 wrote to memory of 4616	3044	Client-built.exe	127
PID 4464 wrote to memory of 4936	4464	Client-built.exe	130
PID 4464 wrote to memory of 4936	4464	Client-built.exe	130
PID 2092 wrote to memory of 2664	2092	Client-built.exe	132
PID 2092 wrote to memory of 2664	2092	Client-built.exe	132
PID 3044 wrote to memory of 4924	3044	Client-built.exe	135
PID 3044 wrote to memory of 4924	3044	Client-built.exe	135
PID 4464 wrote to memory of 1852	4464	Client-built.exe	136
PID 4464 wrote to memory of 1852	4464	Client-built.exe	136
PID 4924 wrote to memory of 2168	4924	Client.exe	138
PID 4924 wrote to memory of 2168	4924	Client.exe	138
PID 640 wrote to memory of 3256	640	cmd.exe	140
PID 640 wrote to memory of 3256	640	cmd.exe	140
PID 3256 wrote to memory of 3432	3256	Client.exe	141
PID 3256 wrote to memory of 3432	3256	Client.exe	141
PID 3256 wrote to memory of 4528	3256	Client.exe	143
PID 3256 wrote to memory of 4528	3256	Client.exe	143
PID 4528 wrote to memory of 3876	4528	cmd.exe	145
PID 4528 wrote to memory of 3876	4528	cmd.exe	145
PID 4528 wrote to memory of 2840	4528	cmd.exe	146
PID 4528 wrote to memory of 2840	4528	cmd.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox exploit 2024.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:460

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:220
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V4znp5Irj0VF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1924
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4336
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2360
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M30ZLdKBsr2O.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:724
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4056
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x8g0BLbKmF2C.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEOP6uAXu8m2.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4272
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m5ivkQAm1wyu.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tdNzNwtJzz2x.bat" "
        13⤵
        
        PID:4440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V5dmnuZI7h3p.bat" "
        15⤵
        
        PID:3360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yJVHAvhnzs9o.bat" "
        17⤵
        
        PID:5084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryFomOkghKv3.bat" "
        19⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4272
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OjTQvDlYn4a8.bat" "
        21⤵
        
        PID:1180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1236
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zJ7UA985iCj0.bat" "
        23⤵
        
        PID:4056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssdTbMzUhhiy.bat" "
        25⤵
        
        PID:2520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0vkZSZNOTQVW.bat" "
        27⤵
        
        PID:4616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4568

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4616
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2168

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4936
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1852

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2664

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\0vkZSZNOTQVW.bat

Filesize
207B

MD5
6f31857c447d462860ad4a3261205a13

SHA1
82560af1c1f5257e03bd968d73805791f8e7f715

SHA256
d3c83af66bfeb695f03f38860540902d160f019505cd4fc0d1f4357e8c88ed4f

SHA512
af1a55d427372628acd32ae044fecae91110bb7afe63026059df5c4d1d97015521de2fdcfc83dcc5a142906c7432fc8f51ba53a13098de48fe822de74a53ce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEOP6uAXu8m2.bat

Filesize
207B

MD5
fb34e8dfd2416c366d46a1e411b90721

SHA1
cf60986261d9f6ca838418553dfa1dbbd22b5080

SHA256
413bbc41373c2c84e3b56902ad0ef2bd5f0a6cfaca889af70efa41e695d2e9f6

SHA512
4d6f522cbf979743935f62125ce6df5b3cb57f625796ebcab932f449bf25f55778113cad795f838f7a8d74666e74f4f41a04916548edab6d496965b4cfbb66e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\M30ZLdKBsr2O.bat

Filesize
207B

MD5
38612b3dcc453af9a82a4e4069a3577d

SHA1
aa2435e89050531bf04d4565cdc9e6b2d9ce9b71

SHA256
e05f870378a69d5fe15720e5a1062962835bd96ea353cd2897ee6d6e4882c0f9

SHA512
7a36b41e94a4aaacab9b62aa24cdc89010556659aabf679d8587228d7b20cb383831bee37e50ad63fe40617cfa0323671d4c3c8137a57b7c6b0705f0d3b4a66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OjTQvDlYn4a8.bat

Filesize
207B

MD5
8423156eeb83244a40725dc4b92b675d

SHA1
fd91f3d2ac8c1ba06a6202321e37e257e50ae006

SHA256
9d4c8c4dcc79a112a2ad2748b00b388593de19fe728687b14a92d7d4c8bc4d98

SHA512
bb73ef03f13d2a78f1832bc224dcc540972a6682655be235feea6d56108e20bf5b9a654279364f6972a49580bf411b25ee828113f1f24c51b46310a0a77e0c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\V4znp5Irj0VF.bat

Filesize
207B

MD5
f483d0d757ad2beb8911f55a2ddd2a26

SHA1
4938116267d3ffdcbb9fb854eec959422aab1b67

SHA256
92ac34097f6f5d7772768b9376eabf1f566893124e4a32d35ae7df9003629a37

SHA512
a1c7af1ad85cff6ea3206a9051e610bf680279fa8bc42878f51fa9fd0c4ef26aba13545137a85ed7e4555ec38f589d5ad3336aa5a613dbf3ea3459183d2d5537

Download Submit
C:\Users\Admin\AppData\Local\Temp\V5dmnuZI7h3p.bat

Filesize
207B

MD5
4b13aec36731359f0b4f0486ee0a1870

SHA1
0bb4bf693d3cd06bb14e4b869aa3feef73f30f26

SHA256
7aa98153d47693f6b963b187422c80b3b8dedd245553e3bf461dd70c7b1710f9

SHA512
3a771043d9a97008fa08be5ca223a116d8f58f650eba3b39728140e16772d12c289c8bef1dba563d905a12524b2e421e14699b4b6e3e3b9d1a4393de15caf9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5ivkQAm1wyu.bat

Filesize
207B

MD5
6718e63335aa3057947943823245c2e0

SHA1
1197da49bd1c88d96398fa216aa2e7056ea3e990

SHA256
09b14c1e581d6643228e303a707d1d5ffdf4296e5389441cfdda5f79d6422bfa

SHA512
add62b6c8de1175ca359d90343c29cf181acc54bee2b53f97b05b86aa95f46eb89af2ec82c16b5ecbe43b46b6749885175586113550cb2d26001c9daf78fb596

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryFomOkghKv3.bat

Filesize
207B

MD5
5f6921f84c5538462f201fedab4c2e65

SHA1
c375a89101c50508fa72f47746f6663b9c93b6fa

SHA256
08b13c08f66669815550f58263b699b0169657d302dfeb50766ddd89bc4d1bc9

SHA512
09b3d0b9485441417b7245be76ef04eb2d5f67d84291536cf4ca96ca807bcbdbaafc253e06093bff3ebbf1f92aec1bb1f0e2fa154c796e01a9449ffb148a1d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssdTbMzUhhiy.bat

Filesize
207B

MD5
e6b34c9bd5646b77c4b79fb4c6e28689

SHA1
c55fa4f29a958e6a2d2d59a244c21bcd61933653

SHA256
77f925c3985a77be72d25df9eb83476ada07aa3306da49e0e0281912e71069f0

SHA512
1c8ca26fcfb900b89fc4889a899742733d54626a564545503b2b3350094ba45449ba1bca4f0ead298c3bebac14cd37253c2801c355853bba70cb33513135bc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdNzNwtJzz2x.bat

Filesize
207B

MD5
3662a32b1c79b4687c5979b01f69f625

SHA1
800e5840b6148b08981c3a771ea32fcfbe903aa1

SHA256
bbdae36b9d4e78ebc0efb9657ccc4b3a445eb8a597ff09b8327f1702710c6b11

SHA512
7d24b6d401f586ca6c51905784cedbbf59aa91c63acaad93beaf5b04ef20a790d901e58c78d738654055ec84d38eec1c636ca3d47c1c4b16679d723be4c98935

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8g0BLbKmF2C.bat

Filesize
207B

MD5
a56d3669ac95bd1ab26e0cc8d0ad3ad1

SHA1
bb04891e4dd83505e937109c96819ed6ee827696

SHA256
41101272878c04d937be74f3c2f3bf5e6b24f8e49a3aa1a96d2f441032ce77a3

SHA512
883c90040c7ac6c76006a375ad9e8bcd48f6f1090edebc2f2a7bd0d5cf863791790cfd58e020e4bda4e421c3d522f17287f004fb97df1f1f095dc1d1537ed123

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJVHAvhnzs9o.bat

Filesize
207B

MD5
484f8dd339d18a0f28b8f21067114bad

SHA1
b63b5ffce37276e41f2cdb3a20b8145b94177d8d

SHA256
63904939d5fc502e0458a5d1e403f086f06f2a6c243dfe4800beb5772bdc90fa

SHA512
8cd5c3f68a19abc688a381848e693a1f9fd52e8f1c7cbc05a1abbe6379f555a224d8b299703e37acaa70092bad111686a89dcfefd00e006f1090239e09431e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zJ7UA985iCj0.bat

Filesize
207B

MD5
219448b235f93fdb20be689ba6208f9b

SHA1
c921a22eca8eb857feff9bb67da8f6862b9a5153

SHA256
b6accc374212855aa40c3ba7474d891d365d514422d583ab0908e087fd08dd0f

SHA512
afbc17fc50e42a51e71fb6f0eb0e5e041bf234a1220dd354d4ce74e669cd1319eef01e0d4ee3d4efaf3f7066b17dbcfe44840ff11bc9b9bb6581992e19333c73

Download Submit
C:\Users\Admin\Desktop\Client-built.exe

Filesize
3.1MB

MD5
f5b93af3ee1b64dacd2bac9ba4af9b27

SHA1
1f2a038199a71a2b917dca4dff2f5fac5e840978

SHA256
48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01

SHA512
83703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302

Download Submit
memory/1408-11-0x000000001D4B0000-0x000000001D562000-memory.dmp

Filesize
712KB

Download
memory/1408-10-0x000000001D3A0000-0x000000001D3F0000-memory.dmp

Filesize
320KB

Download
memory/4792-9-0x00007FFD38DA0000-0x00007FFD39862000-memory.dmp

Filesize
10.8MB

Download
memory/4792-6-0x00007FFD38DA0000-0x00007FFD39862000-memory.dmp

Filesize
10.8MB

Download
memory/4792-5-0x0000000000A20000-0x0000000000D44000-memory.dmp

Filesize
3.1MB

Download
memory/4792-4-0x00007FFD38DA3000-0x00007FFD38DA5000-memory.dmp

Filesize
8KB

Download