quasar | 4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExmPremium.exe
Size

3.5MB
MD5

1e0a2e8cc5ce58715fc43c44004f637c
SHA1

f85ba3c4bd766e12ac11840939f5773ecc2f90f3
SHA256

4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd
SHA512

75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859
SSDEEP

49152:Pv4t62XlaSFNWPjljiFa2RoUYIdZRJ65bR3LoGd6THHB72eh2NTH:PvU62XlaSFNWPjljiFXRoUYIdZRJ677

Score

10^/10

quasar nmw discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NMW

nm111-20223.portmap.host:20223

Mutex

0cf74134-5c38-42d6-bb49-4c83c1e37344

Attributes

encryption_key
F7F619EE7207F0CE79B19EAEA54D81315C5AE97B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Exm Tweaks
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral1/memory/2544-1-0x00000000001D0000-0x000000000055E000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016d46-6.dat	family_quasar
behavioral1/memory/2516-10-0x0000000000110000-0x000000000049E000-memory.dmp	family_quasar
behavioral1/memory/2588-23-0x00000000003E0000-0x000000000076E000-memory.dmp	family_quasar
behavioral1/memory/1380-34-0x0000000000970000-0x0000000000CFE000-memory.dmp	family_quasar
behavioral1/memory/2764-46-0x0000000000E20000-0x00000000011AE000-memory.dmp	family_quasar
behavioral1/memory/1036-57-0x0000000001040000-0x00000000013CE000-memory.dmp	family_quasar
behavioral1/memory/3028-69-0x0000000000330000-0x00000000006BE000-memory.dmp	family_quasar
behavioral1/memory/2452-80-0x0000000000BD0000-0x0000000000F5E000-memory.dmp	family_quasar
behavioral1/memory/2628-102-0x0000000000CD0000-0x000000000105E000-memory.dmp	family_quasar
behavioral1/memory/1384-113-0x00000000001A0000-0x000000000052E000-memory.dmp	family_quasar
behavioral1/memory/2624-124-0x0000000000A50000-0x0000000000DDE000-memory.dmp	family_quasar
behavioral1/memory/1612-136-0x00000000011B0000-0x000000000153E000-memory.dmp	family_quasar
behavioral1/memory/2868-168-0x00000000003B0000-0x000000000073E000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2516	Client.exe
2588	Client.exe
1380	Client.exe
2764	Client.exe
1036	Client.exe
3028	Client.exe
2452	Client.exe
2896	Client.exe
2628	Client.exe
1384	Client.exe
2624	Client.exe
1612	Client.exe
2952	Client.exe
2496	Client.exe
2868	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1592	PING.EXE
1084	PING.EXE
1520	PING.EXE
844	PING.EXE
2920	PING.EXE
628	PING.EXE
2776	PING.EXE
1108	PING.EXE
2008	PING.EXE
2208	PING.EXE
2816	PING.EXE
2316	PING.EXE
1756	PING.EXE
1632	PING.EXE
2692	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE
1084	PING.EXE
844	PING.EXE
2920	PING.EXE
2816	PING.EXE
2316	PING.EXE
1756	PING.EXE
1592	PING.EXE
1520	PING.EXE
2008	PING.EXE
628	PING.EXE
2692	PING.EXE
2208	PING.EXE
1108	PING.EXE
1632	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2120	schtasks.exe
2760	schtasks.exe
1204	schtasks.exe
1516	schtasks.exe
2784	schtasks.exe
2716	schtasks.exe
2980	schtasks.exe
1704	schtasks.exe
668	schtasks.exe
2840	schtasks.exe
1716	schtasks.exe
2604	schtasks.exe
2152	schtasks.exe
2504	schtasks.exe
2664	schtasks.exe
1256	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	ExmPremium.exe
Token: SeDebugPrivilege	2516	Client.exe
Token: SeDebugPrivilege	2588	Client.exe
Token: SeDebugPrivilege	1380	Client.exe
Token: SeDebugPrivilege	2764	Client.exe
Token: SeDebugPrivilege	1036	Client.exe
Token: SeDebugPrivilege	3028	Client.exe
Token: SeDebugPrivilege	2452	Client.exe
Token: SeDebugPrivilege	2896	Client.exe
Token: SeDebugPrivilege	2628	Client.exe
Token: SeDebugPrivilege	1384	Client.exe
Token: SeDebugPrivilege	2624	Client.exe
Token: SeDebugPrivilege	1612	Client.exe
Token: SeDebugPrivilege	2952	Client.exe
Token: SeDebugPrivilege	2496	Client.exe
Token: SeDebugPrivilege	2868	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1716	2544	ExmPremium.exe	31
PID 2544 wrote to memory of 1716	2544	ExmPremium.exe	31
PID 2544 wrote to memory of 1716	2544	ExmPremium.exe	31
PID 2544 wrote to memory of 2516	2544	ExmPremium.exe	33
PID 2544 wrote to memory of 2516	2544	ExmPremium.exe	33
PID 2544 wrote to memory of 2516	2544	ExmPremium.exe	33
PID 2516 wrote to memory of 2716	2516	Client.exe	34
PID 2516 wrote to memory of 2716	2516	Client.exe	34
PID 2516 wrote to memory of 2716	2516	Client.exe	34
PID 2516 wrote to memory of 1108	2516	Client.exe	36
PID 2516 wrote to memory of 1108	2516	Client.exe	36
PID 2516 wrote to memory of 1108	2516	Client.exe	36
PID 1108 wrote to memory of 2620	1108	cmd.exe	38
PID 1108 wrote to memory of 2620	1108	cmd.exe	38
PID 1108 wrote to memory of 2620	1108	cmd.exe	38
PID 1108 wrote to memory of 2776	1108	cmd.exe	39
PID 1108 wrote to memory of 2776	1108	cmd.exe	39
PID 1108 wrote to memory of 2776	1108	cmd.exe	39
PID 1108 wrote to memory of 2588	1108	cmd.exe	40
PID 1108 wrote to memory of 2588	1108	cmd.exe	40
PID 1108 wrote to memory of 2588	1108	cmd.exe	40
PID 2588 wrote to memory of 2664	2588	Client.exe	41
PID 2588 wrote to memory of 2664	2588	Client.exe	41
PID 2588 wrote to memory of 2664	2588	Client.exe	41
PID 2588 wrote to memory of 1656	2588	Client.exe	43
PID 2588 wrote to memory of 1656	2588	Client.exe	43
PID 2588 wrote to memory of 1656	2588	Client.exe	43
PID 1656 wrote to memory of 1852	1656	cmd.exe	45
PID 1656 wrote to memory of 1852	1656	cmd.exe	45
PID 1656 wrote to memory of 1852	1656	cmd.exe	45
PID 1656 wrote to memory of 2816	1656	cmd.exe	46
PID 1656 wrote to memory of 2816	1656	cmd.exe	46
PID 1656 wrote to memory of 2816	1656	cmd.exe	46
PID 1656 wrote to memory of 1380	1656	cmd.exe	47
PID 1656 wrote to memory of 1380	1656	cmd.exe	47
PID 1656 wrote to memory of 1380	1656	cmd.exe	47
PID 1380 wrote to memory of 1256	1380	Client.exe	48
PID 1380 wrote to memory of 1256	1380	Client.exe	48
PID 1380 wrote to memory of 1256	1380	Client.exe	48
PID 1380 wrote to memory of 1780	1380	Client.exe	50
PID 1380 wrote to memory of 1780	1380	Client.exe	50
PID 1380 wrote to memory of 1780	1380	Client.exe	50
PID 1780 wrote to memory of 1248	1780	cmd.exe	52
PID 1780 wrote to memory of 1248	1780	cmd.exe	52
PID 1780 wrote to memory of 1248	1780	cmd.exe	52
PID 1780 wrote to memory of 1592	1780	cmd.exe	53
PID 1780 wrote to memory of 1592	1780	cmd.exe	53
PID 1780 wrote to memory of 1592	1780	cmd.exe	53
PID 1780 wrote to memory of 2764	1780	cmd.exe	54
PID 1780 wrote to memory of 2764	1780	cmd.exe	54
PID 1780 wrote to memory of 2764	1780	cmd.exe	54
PID 2764 wrote to memory of 2980	2764	Client.exe	55
PID 2764 wrote to memory of 2980	2764	Client.exe	55
PID 2764 wrote to memory of 2980	2764	Client.exe	55
PID 2764 wrote to memory of 2184	2764	Client.exe	57
PID 2764 wrote to memory of 2184	2764	Client.exe	57
PID 2764 wrote to memory of 2184	2764	Client.exe	57
PID 2184 wrote to memory of 2236	2184	cmd.exe	59
PID 2184 wrote to memory of 2236	2184	cmd.exe	59
PID 2184 wrote to memory of 2236	2184	cmd.exe	59
PID 2184 wrote to memory of 1084	2184	cmd.exe	60
PID 2184 wrote to memory of 1084	2184	cmd.exe	60
PID 2184 wrote to memory of 1084	2184	cmd.exe	60
PID 2184 wrote to memory of 1036	2184	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ExmPremium.exe
"C:\Users\Admin\AppData\Local\Temp\ExmPremium.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1716
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2716
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AI4UWLz6IfjN.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2620
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2776
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2664
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gLrPUkYrQafr.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1852
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcCUBocMyMHM.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\apIUhdU501rV.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CduR6CDpyt6d.bat" "
        11⤵
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ghLzCO3azvt.bat" "
        13⤵
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4fIDUhT7bRRz.bat" "
        15⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWZJK6e2uoyl.bat" "
        17⤵
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Dk45PEpsEHHP.bat" "
        19⤵
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eOmJte2WwWgL.bat" "
        21⤵
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oLj4GQwplecc.bat" "
        23⤵
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Nmy9TvkiyVHJ.bat" "
        25⤵
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2840
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmyyGVzm4EWc.bat" "
        27⤵
        
        PID:2288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqqbryrkeAhR.bat" "
        29⤵
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sP3q3S601LBW.bat" "
        31⤵
        
        PID:1564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4fIDUhT7bRRz.bat

Filesize
207B

MD5
a9e44ec1a1c08e025fb6b7f4c61ec8bc

SHA1
b5b7303c11fc8c55dc89961cdadd275d342352e8

SHA256
04946401eec88ff62088e063858e849f89df7a40647054e8d4d9ee63c52b67b9

SHA512
a32b2a56b87b9c011df835e481ecbe0806233aaa9f232b28d97bcabfe201ed5a702482882aa38bd6c952151fab6aa43b699844b1459d717d83635ef31b0138bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ghLzCO3azvt.bat

Filesize
207B

MD5
19fd1150e265348a18808560f5726f16

SHA1
d2811666a6864826980a90796ac9953b659d5102

SHA256
60bd43cce328a1280ab8091560a76db10b75068ff6b9866423ea5a182a29c28c

SHA512
c81e744aea2a61d96689f9510b886a84e598dedb1e770615a2fbb7d6fcead673ec769b7debd3ca3e8d564ba0f77a0a79c819915d8ff95a06a5d0610dde2301ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI4UWLz6IfjN.bat

Filesize
207B

MD5
25ec35a6f3ff953c6e34cd9b3f898f8f

SHA1
b18fb5931f5efd4ffe066f4934610f88fc21c355

SHA256
31a2835bd32f1c54d9ea90801634ce951d464c9ffb3fa0b5e55a5f0eee07d153

SHA512
4b038401e3d57a56453b8085719d915dd75409dfa9bb012dab9d74da89dae3efc09c67697885d61068f68d688f1e4797395ad55bee2f49a400699b1e288758cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CduR6CDpyt6d.bat

Filesize
207B

MD5
9bd34aec7b7b1deb42f5eadc98361c86

SHA1
f943d6659aa50c6fae693a4e0bb60d4318ff10a4

SHA256
bb80cf3ec30c447d9eb63ce392a00f90ef6f05a33887891002ffc4b9e22c82ec

SHA512
cf9059d3f21c997dc76d556094fa60b26911b17a38c9fb5a2e8dbf3bff7fdd31d61cee13fcca1ed09c827692e6fdf63d30fdd59db6c1a6e06036025643c51222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk45PEpsEHHP.bat

Filesize
207B

MD5
36bba0b82a54e361bb3a0caaa195b054

SHA1
0ef282d6418c0dcebb7bc18d09d1325506df4042

SHA256
2748a709ac8b492bf427f670a77ac5d28f9b132d68c1b21dde8bc950f9ec181d

SHA512
541b81d56ff67738ef7fb6f521d25741e308587af016df98a81b82a0300522b1d9a4ad9d319627780e9af988d10d9c9c071908da8978621fad7e7e99c089cae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MmyyGVzm4EWc.bat

Filesize
207B

MD5
fa0f031cbf49bc1c4bf444395837797f

SHA1
b60cbc41a9938f3ecfd6019ae6db8e8a1825e30b

SHA256
ef330fa7cfe9c7756a7e2da31a90b8bf18fb132b06242017f7f63f13adb9f975

SHA512
a322720025cf59791ffb4564265aab9c11f1366f50b5466344f18bc9bfdeeb81f4dcf379db543c074138d1ed73c028f7f5d3381c7cf41b4c13dfdae93fc6062d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nmy9TvkiyVHJ.bat

Filesize
207B

MD5
d4feea168c33dda088ce345e72b9ff65

SHA1
91f41e21226db8ee1424111de5d230f1a990592c

SHA256
4320b589dae2abc2f525941bca016c7963799368a5059dab30e359421afb2b39

SHA512
3b763928c57c03d5bc99dabb0e1a6f50209444af08a90d427bc76b7439d5e5117391915e031c53d6c08cd398884b8368af41494223399d3b006923d6cf9684e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqqbryrkeAhR.bat

Filesize
207B

MD5
dcae509534b7ed8731d2a41ad2617875

SHA1
ddb92abcea71418c8a5cec16782ce5393ebf2e57

SHA256
9c0b1bb5c5ccb8c8e85d69533360940c1f70816f8ad04d905ce2a2e0f834a1e8

SHA512
3d1dd708945fe069e5d16c6d75a505dace34dff07f35cf71e284df8f012710c414fb4f96bc46905b4ecce16470dcd9828e1ede058bbb29951714eecda6069b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcCUBocMyMHM.bat

Filesize
207B

MD5
e1c7f4977de87aa208c162c335de2d0f

SHA1
34cf94dd06d060ab5a49930f63d79c6a0c098894

SHA256
5b1c124b897216c1f498713337ea49da4b949eb3308fd76f3e073806be607845

SHA512
0ce95ac88866781ecee3e577dc309ecee1178705e75a7013717a3959ce090ed513f62e088801c3413df8919cc0d8a83ec7eee2c03e545a3c37fb04a25f5e77d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\apIUhdU501rV.bat

Filesize
207B

MD5
7aa759c31d2ab2efc01aeb372c6c70c6

SHA1
91da6df2b4a4ccf954de86d8a32c565a7948be6e

SHA256
ae57351bece559dfbef19178eed50c7215be914a6bb4aeff7084e4afa7bd9ff9

SHA512
2e4fbb92f69af759c9a21a75c40f6121ec3ee723eb74cb76cb2b7657a473c9fc0788c88dac20f5e7c26014e6f9cae5c3969275d538e6d51d981a0a9923a144b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eOmJte2WwWgL.bat

Filesize
207B

MD5
9c52e2d719121650b80bc564efc2079b

SHA1
b87ac4575469e6ae95a948926d04fedeb69eef76

SHA256
97299ff8fc9b3d55ea61579f13b81b71279147ceb426127a3e570f57b9b212a2

SHA512
bc99deb180c444717e459a53ec7618763ed3de17dc085edc2bbfe224bc2acc9f24a306b8d7f4e5530722b9f1e669215776d71f3c36b18c06db855dfde7b9967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gLrPUkYrQafr.bat

Filesize
207B

MD5
da29eb26e98b87cf3e3f16551fcb7697

SHA1
5d3de491ef80ebacfc0ff4ea36424767fa1b1a1c

SHA256
f96a0e616fba343d7b8327440952334c6b3c3b350dd44ea32244a2ccec69ac2d

SHA512
9747500dd71633865e9bc30001235577d86387278eaa92ab880019d705a5fbe6aae4f37405851101bb074872e78d5fac9cad616726ca13205051fe93e64dbfcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lWZJK6e2uoyl.bat

Filesize
207B

MD5
6d6acbd684a70ad2aca38d18dfcc93a2

SHA1
f4258bed5261b44a2518647d06d76fc5d6290e64

SHA256
6f19ca76d9a9e6ab25f83cb48fd22fff52bfe3aa54cba56f17158b7a1974fe2d

SHA512
9f90bd5edcd0e47e8d2dc2ae1a382e75e703edd4b51424a4e0bc3248a5178274d4f19d79b2f30e8bbb18083b7bfeb15a1d99751e77d92fbca81724c409d69504

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLj4GQwplecc.bat

Filesize
207B

MD5
3a7d15cf89d4def3a91489cc09076565

SHA1
c66e1f2f8ac0bebfe2b8f36bf4ebde64c57b9420

SHA256
1f799869babbcd2cfda93694a868de1f944280444bbcffb96882661601deaa13

SHA512
778e0d99193c945ccc6dbca5c4fa17797acf7537dcae7b840db42c8af96aff24e0e48094c2c84d76a5769fc73f3867ced2a45126c9d82a4551064e0d5e2abe1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sP3q3S601LBW.bat

Filesize
207B

MD5
dfa4e100ba157c65bf57e2980218ebf6

SHA1
464d5809f972eb8cde63042fa45a81f8ebc0a0d4

SHA256
8522d628d60fbff6db54fd6da46b5e06aed6799cfd5572bd27d5de226d0a3c86

SHA512
778b21d2ee1547f8b673a3fc9c0385eef585894f386b29e73332ff07e9fc56962a63547b5193fa535ea023f012aa36e01df21a71584e4db12bf16508ad56417a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.5MB

MD5
1e0a2e8cc5ce58715fc43c44004f637c

SHA1
f85ba3c4bd766e12ac11840939f5773ecc2f90f3

SHA256
4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

SHA512
75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859

Download Submit
memory/1036-57-0x0000000001040000-0x00000000013CE000-memory.dmp

Filesize
3.6MB

Download
memory/1380-34-0x0000000000970000-0x0000000000CFE000-memory.dmp

Filesize
3.6MB

Download
memory/1384-113-0x00000000001A0000-0x000000000052E000-memory.dmp

Filesize
3.6MB

Download
memory/1612-136-0x00000000011B0000-0x000000000153E000-memory.dmp

Filesize
3.6MB

Download
memory/2452-80-0x0000000000BD0000-0x0000000000F5E000-memory.dmp

Filesize
3.6MB

Download
memory/2516-9-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-20-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-11-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-10-0x0000000000110000-0x000000000049E000-memory.dmp

Filesize
3.6MB

Download
memory/2544-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2544-8-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-1-0x00000000001D0000-0x000000000055E000-memory.dmp

Filesize
3.6MB

Download
memory/2588-23-0x00000000003E0000-0x000000000076E000-memory.dmp

Filesize
3.6MB

Download
memory/2624-124-0x0000000000A50000-0x0000000000DDE000-memory.dmp

Filesize
3.6MB

Download
memory/2628-102-0x0000000000CD0000-0x000000000105E000-memory.dmp

Filesize
3.6MB

Download
memory/2764-46-0x0000000000E20000-0x00000000011AE000-memory.dmp

Filesize
3.6MB

Download
memory/2868-168-0x00000000003B0000-0x000000000073E000-memory.dmp

Filesize
3.6MB

Download
memory/3028-69-0x0000000000330000-0x00000000006BE000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads