quasar | hxxps://www[.]shorturl[.]at/CRDfY

Analysis

max time kernel
50s
max time network
49s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-01-2025 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.shorturl.at/CRDfY

Score

10^/10

quasar nmw discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NMW

nm111-20223.portmap.host:20223

Mutex

0cf74134-5c38-42d6-bb49-4c83c1e37344

Attributes

encryption_key
F7F619EE7207F0CE79B19EAEA54D81315C5AE97B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Exm Tweaks
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002e0000000461bc-47.dat	family_quasar
behavioral1/memory/4780-67-0x0000000000310000-0x000000000069E000-memory.dmp	family_quasar

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 9 IoCs

pid	Process
4780	Exm Premium.exe
4904	Client.exe
376	Exm Premium.exe
824	Client.exe
376	Exm Premium.exe
2824	Client.exe
4748	Client.exe
2368	Client.exe
3620	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4672	PING.EXE
3220	PING.EXE
2372	PING.EXE
4600	PING.EXE
4780	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133807444582351934"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
4600	PING.EXE
4780	PING.EXE
4672	PING.EXE
3220	PING.EXE
2372	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1132	schtasks.exe
2408	schtasks.exe
1016	schtasks.exe
5076	schtasks.exe
1544	schtasks.exe
4740	schtasks.exe
4636	schtasks.exe
1544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 4888	2036	chrome.exe	84
PID 2036 wrote to memory of 4888	2036	chrome.exe	84
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 224	2036	chrome.exe	85
PID 2036 wrote to memory of 2632	2036	chrome.exe	86
PID 2036 wrote to memory of 2632	2036	chrome.exe	86
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87
PID 2036 wrote to memory of 1620	2036	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.shorturl.at/CRDfY
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffdfa43cc40,0x7ffdfa43cc4c,0x7ffdfa43cc58
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4800,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5108,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5132,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,5815281745992761970,15670740381127979840,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:2180

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1116

C:\Users\Admin\Downloads\Exm Premium.exe
"C:\Users\Admin\Downloads\Exm Premium.exe"
1⤵
- Executes dropped EXE
PID:4780
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1544
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4904
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fHrVnCfasqEB.bat" "
    3⤵
    PID:4648
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3204
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4672
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4748
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3bKflmRZhqa6.bat" "
        5⤵
        
        PID:2320
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1856
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4600

C:\Users\Admin\Downloads\Exm Premium.exe
"C:\Users\Admin\Downloads\Exm Premium.exe"
1⤵
- Executes dropped EXE
PID:376
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2408
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:824
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5PtPKJ7wXAD8.bat" "
    3⤵
    PID:2224
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4548
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3220
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2368
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BH0YucjfWOUd.bat" "
        5⤵
        
        PID:4136
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3468
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4780

C:\Users\Admin\Downloads\Exm Premium.exe
"C:\Users\Admin\Downloads\Exm Premium.exe"
1⤵
- Executes dropped EXE
PID:376
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5076
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2824
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoGbLPRaLHMK.bat" "
    3⤵
    PID:376
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2368
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2372
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ebc04d10061f3bf66dd189c4cdde2007

SHA1
72bc531a0525f768e668f12cffff4fb37f65034a

SHA256
83fa51f90fba4b7dbdf98154ee4aced50d9a962c9342d5b2684ae8065603d2b5

SHA512
062d713621eb9f70bce7541bc86f350a99ddb7d20a09008a4af758a26c24568dce6d2ea7838dbfa3e7a87497cfd1621d71774b8e7b88565b00b2555ab45ca8d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6669e2db0cd89ccacbf646ec1d2ae7e4

SHA1
3bb0595fea48bb8d397cfee3621b4f230a00af5c

SHA256
1b1cb52eecf884356f4ace1924cfe55daad3adea09320e5ef2ec15af40288203

SHA512
2ec769ca8d4b89c82096460fbd9a42f1920de53602f92272e6321dc017cf1a8fe77009b190c5ebff84ceae6cc15a1576390f6f8a35f2b522d05a291994137a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
26795445320dc33f4768ec19b3eaf3f3

SHA1
ccff981b918c7c82ba311b0d6ac089ba13426dd1

SHA256
e6935b066e7cc1f73edf3613287e8aa9a89b8740f3b5f7b82ab8c6dca00c488e

SHA512
77dcfdbab5d6d0e4be2fc61229a193c93b816539be72f6b1e781235bd6e2448d2fe045b2749e6f7f7ac735841a4da40e884748fe35e88bdb6214b94e1d628ada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9615e3e94ae5b8b84dc1617f19eff8cd

SHA1
268065323bb3341f3bff0edfc47ca8aa10481442

SHA256
977e08cf7f8d3b73640ca2282a414dba88b4c819775ad2d06e6ecbcb5988301a

SHA512
9912010d7574b765cd8cd815949710077f67e84ae6d7f89bb8060a4ef3b0e2b030370134f8cc380a03b1913fe03c0e88ca16c48692da5f68544bdd40c3d561c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d57ce50e49d38146a554dee3ef9255e

SHA1
63b40828551486352a841b8d748b8e377c510df0

SHA256
a1153ec0e2529fe64c0346f1d0310f7fa1a47c078373c40172a7022f8ddfe687

SHA512
6ca2f6d2212e0fb773e0419b423455a678911ca5bb6fe09fd4811ab25ac420cd7630ebf625237f16dc8d403cac195c0ab7f8c00738db954fef9eb3ab08bddcdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
9a52a8abcac21fa5f6a17a0d1f048544

SHA1
5346cf5552917936bb4c7c3896060a796e3c28e6

SHA256
96139b68805cacbbf05533fd0e02e94a1ecbcb7a87ed2b99c538cd9f0212a9dc

SHA512
87b1ff412c248763ed04612736e3609cac45e8cc9fbaeac7d3ea11317752994e404abab59f2ddb51f84dfd740aec663fd0cc1e8531cf196f0e6883a4a153e519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
0d7d17e267080d56bcbddf5cbf532552

SHA1
d59166b9979b6e1b7888214dad21486f615a0053

SHA256
610c488a6be36ab3492592ffb96e14c9daa3c644e225bd0ca60be39b74268c20

SHA512
0e967b4b1ddc0f3de00ec93f6b7ef8420dd45b23d36a35d19ccfa8ab71c37cda3c5d8afb0da552e4d864d2a0daa8611b313aa79273f3caa3d838afaf843c27c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Exm Premium.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bKflmRZhqa6.bat

Filesize
207B

MD5
05e155233d84d6c1752ddcf16918b312

SHA1
4a950adbc96b7d246bf28a72fa715474125426ed

SHA256
dec7a76e168397d624ab18aed475c8a77298daf53661c12eb13a1109c4c0500b

SHA512
48a76abd62636826fed81ffbacccf84b8b72bb5ddcab909671e23216f737067442aab9067c2430f4cc0aec39f172c4ccdd2cb112e79aa590e171c23f9e2185b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5PtPKJ7wXAD8.bat

Filesize
207B

MD5
08b88908c3e6a65b2a57f65e5f0d6171

SHA1
37fcf1c72a5196e51b0aa2bfaba43eb54d49f0c8

SHA256
5d08141a5708f4dcdfdbc8dae4b09db52de38095d71b9a1d22eb50801a11b2a1

SHA512
82401ed8a65af4d605fbdfd62e292e1365dc03ce52176a2e09489b5e175465075bdb55a22be44174cf389ca0200f59a3f3dd19cd0b44c39c9f6a189826fa97f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BH0YucjfWOUd.bat

Filesize
207B

MD5
6f3690d25cb7956ad667c440065f61a8

SHA1
7cea2afc0c0b8623e99cc47ab46857c6bea75873

SHA256
cecc0e6b6aee28cb299fe5c27160d6f7904459eae80c9f4dc052a8919732aeb4

SHA512
e26213b8492793e8c7baf8f221d90499c3d3bce1f57a662d89d52fb7be39f48e540be8a02e0bc5a60bc9d02c387f0b5bbe7c01a01bf0853e335fcef6e1ffdd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoGbLPRaLHMK.bat

Filesize
207B

MD5
ce929509402b1a3a79ce17c897b10466

SHA1
7e173dd792226b35bc68acd809e24298cc918cd1

SHA256
a089b8d8dfc5063dc44b098a35318e5c314020353ab2b2b08e13e9f3a3fa4db3

SHA512
e43d3f44586e88d738af3bbc8b8541dd4b59f1edc23c8c4387903c5cbf8e54ccc78f221cb5ac5f8e94ccc3a8689a04ce9ae4d62ebeb4e86db18108351ef07fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fHrVnCfasqEB.bat

Filesize
207B

MD5
f0204a588a20ccac9ab07cd53d055b7b

SHA1
2f97c4f79d13edc66a550e9851081996b3a2015f

SHA256
8a1574d0a69844969c469a471c0efa3bcb347873c13fe6821f74418c81b3f662

SHA512
a2e1ba407ae9bfacc74c07d05fc29aea10eff594181be8d4967dddf29cb8751bd32aa5f2158c7bd92990e3eb1e15a9a7a66f3358c26eb031a5f0412f4df2e5d3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 77832.crdownload

Filesize
3.5MB

MD5
1e0a2e8cc5ce58715fc43c44004f637c

SHA1
f85ba3c4bd766e12ac11840939f5773ecc2f90f3

SHA256
4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

SHA512
75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859

Download Submit
memory/4780-71-0x00007FFDE41E0000-0x00007FFDE4CA2000-memory.dmp

Filesize
10.8MB

Download
memory/4780-68-0x00007FFDE41E0000-0x00007FFDE4CA2000-memory.dmp

Filesize
10.8MB

Download
memory/4780-67-0x0000000000310000-0x000000000069E000-memory.dmp

Filesize
3.6MB

Download
memory/4780-66-0x00007FFDE41E3000-0x00007FFDE41E5000-memory.dmp

Filesize
8KB

Download
memory/4904-73-0x000000001C8E0000-0x000000001C992000-memory.dmp

Filesize
712KB

Download
memory/4904-72-0x0000000002D00000-0x0000000002D50000-memory.dmp

Filesize
320KB

Download