Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 06:36
Behavioral task: behavioral1
- Sample: CondoGenerator.exe
- Resource: win7-20241023-en
General
- Target: CondoGenerator.exe
- Size: 3.1MB
- MD5: 5da0a355dcd44b29fdd27a5eba904d8d
- SHA1: 1099e489937a644376653ab4b5921da9527f50a9
- SHA256: e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
- SHA512: 289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6
- SSDEEP: 49152:3viI22SsaNYfdPBldt698dBcjHFfRJ6fbR3LoGd5THHB72eh2NT:3vv22SsaNYfdPBldt6+dBcjHFfRJ6x
Malware Config
Extracted: quasar 1.4.1
- Office04
- 192.168.1.79:4782
- 956eafb2-7482-407b-bff4-d2b57a1c3d75
- encryption_key: EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
- behavioral2/memory/708-1-0x0000000000F50000-0x0000000001274000-memory.dmp: yara_rule family_quasar
- behavioral2/files/0x000c000000023b97-8.dat: yara_rule family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation, process Client.exe (15 identical entries)

Executes dropped EXE (15 IoCs)
- Client.exe, PIDs: 3232, 656, 1864, 640, 2712, 4256, 1848, 1876, 4564, 920, 3324, 1964, 1504, 4216, 2212

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PING.EXE, PIDs: 2352, 4280, 1512, 3968, 1752, 1048, 1800, 1920, 2456, 1752, 3004, 3776, 952, 2340, 2816

Runs ping.exe (1 TTPs, 15 IoCs)
- PING.EXE, PIDs: 1512, 952, 2352, 3968, 1048, 1920, 4280, 3004, 1752, 1800, 2816, 2456, 1752, 3776, 2340

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe, PIDs: 4712, 4844, 3796, 920, 4520, 1108, 3636, 4284, 1092, 2456, 2668, 2612, 1976, 4456, 2552, 4816

Suspicious use of AdjustPrivilegeToken (16 IoCs)
- Token SeDebugPrivilege: 708 CondoGenerator.exe
- Token SeDebugPrivilege: Client.exe, PIDs 3232, 656, 1864, 640, 2712, 4256, 1848, 1876, 4564, 920, 3324, 1964, 1504, 4216, 2212

Suspicious use of FindShellTrayWindow (15 IoCs)
- Client.exe, PIDs: 3232, 656, 1864, 640, 2712, 4256, 1848, 1876, 4564, 920, 3324, 1964, 1504, 4216, 2212

Suspicious use of SendNotifyMessage (15 IoCs)
- Client.exe, PIDs: 3232, 656, 1864, 640, 2712, 4256, 1848, 1876, 4564, 920, 3324, 1964, 1504, 4216, 2212

Suspicious use of WriteProcessMemory (64 IoCs)
Each entry below is listed twice in the report (source PID, source process, target PID, procid_target):
- 708 CondoGenerator.exe wrote to memory of 4816 (procid_target 85)
- 708 CondoGenerator.exe wrote to memory of 3232 (procid_target 87)
- 3232 Client.exe wrote to memory of 3796 (procid_target 88)
- 3232 Client.exe wrote to memory of 3496 (procid_target 90)
- 3496 cmd.exe wrote to memory of 4520 (procid_target 92)
- 3496 cmd.exe wrote to memory of 2352 (procid_target 93)
- 3496 cmd.exe wrote to memory of 656 (procid_target 103)
- 656 Client.exe wrote to memory of 4844 (procid_target 104)
- 656 Client.exe wrote to memory of 1508 (procid_target 107)
- 1508 cmd.exe wrote to memory of 1608 (procid_target 111)
- 1508 cmd.exe wrote to memory of 2456 (procid_target 112)
- 1508 cmd.exe wrote to memory of 1864 (procid_target 113)
- 1864 Client.exe wrote to memory of 4712 (procid_target 114)
- 1864 Client.exe wrote to memory of 2168 (procid_target 116)
- 2168 cmd.exe wrote to memory of 4072 (procid_target 119)
- 2168 cmd.exe wrote to memory of 4280 (procid_target 120)
- 2168 cmd.exe wrote to memory of 640 (procid_target 125)
- 640 Client.exe wrote to memory of 4284 (procid_target 126)
- 640 Client.exe wrote to memory of 2972 (procid_target 128)
- 2972 cmd.exe wrote to memory of 3636 (procid_target 131)
- 2972 cmd.exe wrote to memory of 3968 (procid_target 132)
- 2972 cmd.exe wrote to memory of 2712 (procid_target 134)
- 2712 Client.exe wrote to memory of 920 (procid_target 135)
- 2712 Client.exe wrote to memory of 3772 (procid_target 137)
- 3772 cmd.exe wrote to memory of 2940 (procid_target 140)
- 3772 cmd.exe wrote to memory of 1752 (procid_target 141)
- 3772 cmd.exe wrote to memory of 4256 (procid_target 143)
- 4256 Client.exe wrote to memory of 1092 (procid_target 144)
- 4256 Client.exe wrote to memory of 4300 (procid_target 146)
- 4300 cmd.exe wrote to memory of 1300 (procid_target 149)
- 4300 cmd.exe wrote to memory of 3004 (procid_target 150)
- 4300 cmd.exe wrote to memory of 1848 (procid_target 152)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree; the number in brackets is the depth, and each process is a child of the nearest preceding process one level shallower.

[1] C:\Users\Admin\AppData\Local\Temp\CondoGenerator.exe (PID 708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CondoGenerator.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[2] C:\Windows\SYSTEM32\schtasks.exe (PID 4816)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3232)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[3] C:\Windows\SYSTEM32\schtasks.exe (PID 3796)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[3] C:\Windows\system32\cmd.exe (PID 3496)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwkZZfH6nkgj.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\chcp.com (PID 4520)
  Command line: chcp 65001

[4] C:\Windows\system32\PING.EXE (PID 2352)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 656)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[5] C:\Windows\SYSTEM32\schtasks.exe (PID 4844)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[5] C:\Windows\system32\cmd.exe (PID 1508)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I4gi7sJbzjmk.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\chcp.com (PID 1608)
  Command line: chcp 65001

[6] C:\Windows\system32\PING.EXE (PID 2456)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1864)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[7] C:\Windows\SYSTEM32\schtasks.exe (PID 4712)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[7] C:\Windows\system32\cmd.exe (PID 2168)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24Fcq0DJCkj3.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\chcp.com (PID 4072)
  Command line: chcp 65001

[8] C:\Windows\system32\PING.EXE (PID 4280)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 640)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[9] C:\Windows\SYSTEM32\schtasks.exe (PID 4284)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[9] C:\Windows\system32\cmd.exe (PID 2972)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z9Pki9a8K0PM.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\chcp.com (PID 3636)
  Command line: chcp 65001

[10] C:\Windows\system32\PING.EXE (PID 3968)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2712)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[11] C:\Windows\SYSTEM32\schtasks.exe (PID 920)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[11] C:\Windows\system32\cmd.exe (PID 3772)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQIo4244YURM.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[12] C:\Windows\system32\chcp.com (PID 2940)
  Command line: chcp 65001

[12] C:\Windows\system32\PING.EXE (PID 1752)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4256)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[13] C:\Windows\SYSTEM32\schtasks.exe (PID 1092)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[13] C:\Windows\system32\cmd.exe (PID 4300)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p3GkWv0oICOx.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[14] C:\Windows\system32\chcp.com (PID 1300)
  Command line: chcp 65001

[14] C:\Windows\system32\PING.EXE (PID 3004)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1848)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[15] C:\Windows\SYSTEM32\schtasks.exe (PID 2456)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[15] C:\Windows\system32\cmd.exe (PID 1620)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Yki0zj0Ku4a.bat" "

[16] C:\Windows\system32\chcp.com (PID 1088)
  Command line: chcp 65001

[16] C:\Windows\system32\PING.EXE (PID 3776)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1876)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[17] C:\Windows\SYSTEM32\schtasks.exe (PID 2668)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[17] C:\Windows\system32\cmd.exe (PID 1176)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwvjPDjBQAqN.bat" "

[18] C:\Windows\system32\chcp.com (PID 1744)
  Command line: chcp 65001

[18] C:\Windows\system32\PING.EXE (PID 1512)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4564)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[19] C:\Windows\SYSTEM32\schtasks.exe (PID 2612)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[19] C:\Windows\system32\cmd.exe (PID 3652)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ktrV3FqVnNQd.bat" "

[20] C:\Windows\system32\chcp.com (PID 464)
  Command line: chcp 65001

[20] C:\Windows\system32\PING.EXE (PID 952)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 920)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[21] C:\Windows\SYSTEM32\schtasks.exe (PID 4520)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[21] C:\Windows\system32\cmd.exe (PID 3096)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIKcAOamt3t0.bat" "

[22] C:\Windows\system32\chcp.com (PID 4852)
  Command line: chcp 65001

[22] C:\Windows\system32\PING.EXE (PID 1752)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3324)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[23] C:\Windows\SYSTEM32\schtasks.exe (PID 1976)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[23] C:\Windows\system32\cmd.exe (PID 400)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSrYs1Ue4Uv1.bat" "

[24] C:\Windows\system32\chcp.com (PID 2596)
  Command line: chcp 65001

[24] C:\Windows\system32\PING.EXE (PID 2340)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1964)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[25] C:\Windows\SYSTEM32\schtasks.exe (PID 4456)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[25] C:\Windows\system32\cmd.exe (PID 4428)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q3hktTCh1ths.bat" "

[26] C:\Windows\system32\chcp.com (PID 1660)
  Command line: chcp 65001

[26] C:\Windows\system32\PING.EXE (PID 1048)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1504)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[27] C:\Windows\SYSTEM32\schtasks.exe (PID 1108)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[27] C:\Windows\system32\cmd.exe (PID 4752)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94Awynm4iAkl.bat" "

[28] C:\Windows\system32\chcp.com (PID 2044)
  Command line: chcp 65001

[28] C:\Windows\system32\PING.EXE (PID 1800)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4216)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[29] C:\Windows\SYSTEM32\schtasks.exe (PID 3636)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[29] C:\Windows\system32\cmd.exe (PID 2572)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VvHOMCgtfRQz.bat" "

[30] C:\Windows\system32\chcp.com (PID 1896)
  Command line: chcp 65001

[30] C:\Windows\system32\PING.EXE (PID 1920)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[30] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2212)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[31] C:\Windows\SYSTEM32\schtasks.exe (PID 2552)
  Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[31] C:\Windows\system32\cmd.exe (PID 2284)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yo3wevKJ3x68.bat" "

[32] C:\Windows\system32\chcp.com (PID 3092)
  Command line: chcp 65001

[32] C:\Windows\system32\PING.EXE (PID 2816)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

- Filesize: 207B
  MD5: 37835cc2a2adc9fff424b64a131d5c1a
  SHA1: 784e25d999bd06128d7da24412b0c4ad8cdaf7fd
  SHA256: 624d361091467532ed2d3511fcea2f6c6ccba68563ec5add05447744f56644a1
  SHA512: e0a9f0156447450374238fc365d1cf4e32c43b7f69b2282612da640c4aba66cb0c31ced60a62ecb5939c17076fdd6681c4b04d8a5853cd246a7abdda4d8e4611

- Filesize: 207B
  MD5: c1baf61a27ba53c975e90144e8ad0c15
  SHA1: 6e44f81f1c0f6b653908fc4003d8226d21716788
  SHA256: 1621da9a73d724b5cff1ac8cdf3e57f56a880507f7e2efd0e332844a3c902bf5
  SHA512: dd95f102abf4c12742f50f583256dc05ca978c2c342e00aab7683ee98e6108de73e8eb34c39d097dbcf5ea25c88346f8d0bb021f38f7a99b8920e1786a68810a

- Filesize: 207B
  MD5: f5d950c41fa7a52027cc2f8317095ae8
  SHA1: 7bebc2d66a8738779f319452cae97f9820e2b082
  SHA256: eef0d3bdb9dba5be0a2b10148820ea323131074c1769ea0a317007e39ef7aa59
  SHA512: 76c7413bf019e1308756f1f572e2fbab84cc49f2bae26d5cb72375e786eade00a68406a6203e0e6afe7a4f1879a8974847ca3b16b6d54e1daedf14f64da1a0d3

- Filesize: 207B
  MD5: efc997f79275d27f9b14fc22ecc0b5ae
  SHA1: 49dd6b272b208b96f68f98787a8c40184619aa5f
  SHA256: ee4620948f5678a80da2704287bb1f21548f4b2e43b084ce68bcc37171592f08
  SHA512: c14a37e0b032aebac09a6d2dbda6d94b777b61a8b97af6918b857b887694f6a33e1782dd4a4f41081e77ae845b1ece31c9b6a4672bc899074bf475901f7cc484

- Filesize: 207B
  MD5: e32aacb1444f5c0b450fe73fd14fa3a7
  SHA1: 8c45db07f48f98696808b0b32a0405891b01d5a7
  SHA256: 2ac0371f42ee49c029eef3367d2cd3185279f1fe2f35cc988d4cfec7447b3aab
  SHA512: 15312c7dd614f90a5d2852f860702744567f1654165c8328ba41797f0c4339268d1cfe84dac3930fd276723e38c34f68e129e2a2f2ad78b92ef7c19fe586fcf7

- Filesize: 207B
  MD5: daf6d5314d3d1209b9f674e1c2b1d378
  SHA1: e47f57cd4d5c2dd290a84f8ca498290b89ebdbad
  SHA256: 8c2b0f4f694db2dcdb6bbf7f8ba076d4fe8b2fa6c40812577a0206686391a659
  SHA512: 2d4c4cf5d0d352c2328c3ffc086a6691f938ec4f2555508c7b7cc83058fba097f65c72dc7f2d3504e563206d9ef25b0ec91d1c13b6f8a7d97058c5b20a55fd29

- Filesize: 207B
  MD5: 1998ff28b9b16b64d4417fc10a753b3a
  SHA1: a4358e656cc1dcceb8779f367d248f3dbfb30238
  SHA256: 4b4baa53e45000eb86613dba64b7ed56b2e76dc172cede8d2a297f64c9868468
  SHA512: 0b11fbec76203f5c72a0a5d107b10b513ff6edeb2b62d752a734df5c0fe7473621563a5b59f6c68c98be46587bd311b1833ff985af3fd728e34c3364b4383e89

- Filesize: 207B
  MD5: 97a25704c921fc63adbbf65027f3aaf2
  SHA1: e2ddd6e83c368c64093dfb49602e717cc3b09aaa
  SHA256: c96e92403e360eed31f1716aa62e0bbba9aab1b56b17b09928d8396a1459ae5c
  SHA512: 07896aa2715ec4951e97a1aa94f396e03690b8f0a5d0e7f5b3f4c9248b849e710f041b48cec005345362b418809993b224ba11e5d2e015ca7b5697d94f308acb

- Filesize: 207B
  MD5: 2e832c7a512985c9f082a08abdc5a9f5
  SHA1: 86058444ac92658ce40a57f06d2c2d7d4e9d1dee
  SHA256: ce949685ea11f5b771e5e7ca4ee2a37a54edf6cb59824a909e901f831e1e4373
  SHA512: df60e42c4875fe295d1a493899628bccdd3e4bfe1dc82f7265462b040497b30ce467c679c046571a0ac9e4707a76dfe7a3de10884e076a8b36457a28d577db43

- Filesize: 207B
  MD5: da884c32c03f8977fe076f992ab96f6b
  SHA1: d9c74972a7e7783b2ffa1f1bfe79867957cba615
  SHA256: c02d8c6b48a7bbb90c9c0004466241b4f6f5cc3c6eaac0d198da5ba36477cf50
  SHA512: 1d7519e3bae00bc3af6204c979dfc66a6cc5854422b356a5eab92b75f0ca5c30c167be80a311061802b759875d76685d9aabd80f216c37d177dc151ed53befde

- Filesize: 207B
  MD5: 22863b7b4290bbc5695358a066f55898
  SHA1: 735b2e73c7f6f9bf8ddc15a8730f569dee9eba17
  SHA256: ed56c154494178a353cd777edeb8a572e09dcc87e73324081bc2edecb66922d8
  SHA512: 1592646c1c38a898a61a9d944b724c371a52ccfab8b8d5f641e622d6927af7e4a205d24bba783e8df0b38f39c4b2205d2a3d4ef6eb63301f1b81291749b98044

- Filesize: 207B
  MD5: 75d432aada37a0883c6ee89ad78638fe
  SHA1: 325f02cbc68948394e2807b84d3d2ba5abb9f05f
  SHA256: af037f448edfe5b22769bfd65bbada0344ecaa304e3993a0b390bb62a723bac4
  SHA512: 9c20c0fdcece39c60ed2804f751fb726a5a9b4e84331b986623eb2386a849e5de427169bf3d930837cc5d5e7b5f6b67dcf412bf29fa23a7b095966ce9c657983

- Filesize: 207B
  MD5: cbbc711004b9b26eedfdd3cee7f00c8f
  SHA1: 37114fce9aeaff0b4abb0ae3de8eacd3bf8ee1d2
  SHA256: 92146b6a231305eadf2e0d98f31fc8f79444fd4d8e831c3b60cfc76d62411107
  SHA512: 5ca5d708e6baa218cd3acc0b2d3639d7db4835c0040e93d3ed47e2f548c2ff7bd6dc43fdfb93a5517da80d26cc6608488a14fd687786a5ce55a308e053b8fd77

- Filesize: 207B
  MD5: 9fccac1f859073183afaf04638e7e5c6
  SHA1: 0b0899ea4634054f6d21b9a114ad84819ce55343
  SHA256: feec8aba9aa07444bff867be28d2ecfdbcae483f645c06ec44826a68109d1836
  SHA512: 057fc9375960d203e3b11508d0a76d81b0d3e0cb20edbd6019c5f142e79ac59760c60142f568f534962a1c150d96d0817b4594681d6fa5feb910e3dcfe9cc782

- Filesize: 207B
  MD5: 1523636adf1aeccda3dfd22b89c3d5cb
  SHA1: 3abd11847aff13c0360a9e68f60dd3f1e5c35616
  SHA256: b9a1e20cc8362c0e7e89d52109a32face35eaeb5d14a171355bc37792da5991b
  SHA512: 538e7d887770594cd1fda92e0e8b43ae2dba6ea8a24451d689ae66456c4cdc2a33107b84417f8ab87ef8fa907b94682106354cfdb742c6c7bd64cddd66a9a849

- Filesize: 3.1MB
  MD5: 5da0a355dcd44b29fdd27a5eba904d8d
  SHA1: 1099e489937a644376653ab4b5921da9527f50a9
  SHA256: e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f
  SHA512: 289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6