quasar | 4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExmPremium.exe
Size

3.5MB
MD5

1e0a2e8cc5ce58715fc43c44004f637c
SHA1

f85ba3c4bd766e12ac11840939f5773ecc2f90f3
SHA256

4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd
SHA512

75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859
SSDEEP

49152:Pv4t62XlaSFNWPjljiFa2RoUYIdZRJ65bR3LoGd6THHB72eh2NTH:PvU62XlaSFNWPjljiFXRoUYIdZRJ677

Score

10^/10

quasar nmw discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NMW

nm111-20223.portmap.host:20223

Mutex

0cf74134-5c38-42d6-bb49-4c83c1e37344

Attributes

encryption_key
F7F619EE7207F0CE79B19EAEA54D81315C5AE97B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Exm Tweaks
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3660-1-0x0000000000750000-0x0000000000ADE000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c67-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2996	Client.exe
2572	Client.exe
2532	Client.exe
3448	Client.exe
4492	Client.exe
1036	Client.exe
2940	Client.exe
728	Client.exe
2864	Client.exe
1632	Client.exe
2188	Client.exe
2372	Client.exe
2604	Client.exe
4984	Client.exe
3344	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
228	PING.EXE
2676	PING.EXE
2964	PING.EXE
1040	PING.EXE
4844	PING.EXE
1440	PING.EXE
4824	PING.EXE
4228	PING.EXE
844	PING.EXE
1124	PING.EXE
3184	PING.EXE
860	PING.EXE
3696	PING.EXE
2320	PING.EXE
2104	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3696	PING.EXE
2104	PING.EXE
3184	PING.EXE
860	PING.EXE
4228	PING.EXE
844	PING.EXE
1040	PING.EXE
2964	PING.EXE
1440	PING.EXE
1124	PING.EXE
228	PING.EXE
4844	PING.EXE
2320	PING.EXE
4824	PING.EXE
2676	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4476	schtasks.exe
3124	schtasks.exe
1596	schtasks.exe
2284	schtasks.exe
3792	schtasks.exe
4056	schtasks.exe
2792	schtasks.exe
4472	schtasks.exe
3276	schtasks.exe
5024	schtasks.exe
4276	schtasks.exe
1472	schtasks.exe
4704	schtasks.exe
2740	schtasks.exe
1644	schtasks.exe
3212	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	ExmPremium.exe
Token: SeDebugPrivilege	2996	Client.exe
Token: SeDebugPrivilege	2572	Client.exe
Token: SeDebugPrivilege	2532	Client.exe
Token: SeDebugPrivilege	3448	Client.exe
Token: SeDebugPrivilege	4492	Client.exe
Token: SeDebugPrivilege	1036	Client.exe
Token: SeDebugPrivilege	2940	Client.exe
Token: SeDebugPrivilege	728	Client.exe
Token: SeDebugPrivilege	2864	Client.exe
Token: SeDebugPrivilege	1632	Client.exe
Token: SeDebugPrivilege	2188	Client.exe
Token: SeDebugPrivilege	2372	Client.exe
Token: SeDebugPrivilege	2604	Client.exe
Token: SeDebugPrivilege	4984	Client.exe
Token: SeDebugPrivilege	3344	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3212	3660	ExmPremium.exe	83
PID 3660 wrote to memory of 3212	3660	ExmPremium.exe	83
PID 3660 wrote to memory of 2996	3660	ExmPremium.exe	85
PID 3660 wrote to memory of 2996	3660	ExmPremium.exe	85
PID 2996 wrote to memory of 4276	2996	Client.exe	86
PID 2996 wrote to memory of 4276	2996	Client.exe	86
PID 2996 wrote to memory of 4616	2996	Client.exe	88
PID 2996 wrote to memory of 4616	2996	Client.exe	88
PID 4616 wrote to memory of 4156	4616	cmd.exe	90
PID 4616 wrote to memory of 4156	4616	cmd.exe	90
PID 4616 wrote to memory of 3184	4616	cmd.exe	91
PID 4616 wrote to memory of 3184	4616	cmd.exe	91
PID 4616 wrote to memory of 2572	4616	cmd.exe	99
PID 4616 wrote to memory of 2572	4616	cmd.exe	99
PID 2572 wrote to memory of 3792	2572	Client.exe	100
PID 2572 wrote to memory of 3792	2572	Client.exe	100
PID 2572 wrote to memory of 4240	2572	Client.exe	103
PID 2572 wrote to memory of 4240	2572	Client.exe	103
PID 4240 wrote to memory of 4020	4240	cmd.exe	105
PID 4240 wrote to memory of 4020	4240	cmd.exe	105
PID 4240 wrote to memory of 1040	4240	cmd.exe	106
PID 4240 wrote to memory of 1040	4240	cmd.exe	106
PID 4240 wrote to memory of 2532	4240	cmd.exe	114
PID 4240 wrote to memory of 2532	4240	cmd.exe	114
PID 2532 wrote to memory of 4476	2532	Client.exe	115
PID 2532 wrote to memory of 4476	2532	Client.exe	115
PID 2532 wrote to memory of 4228	2532	Client.exe	118
PID 2532 wrote to memory of 4228	2532	Client.exe	118
PID 4228 wrote to memory of 2184	4228	cmd.exe	120
PID 4228 wrote to memory of 2184	4228	cmd.exe	120
PID 4228 wrote to memory of 228	4228	cmd.exe	121
PID 4228 wrote to memory of 228	4228	cmd.exe	121
PID 4228 wrote to memory of 3448	4228	cmd.exe	125
PID 4228 wrote to memory of 3448	4228	cmd.exe	125
PID 3448 wrote to memory of 2792	3448	Client.exe	126
PID 3448 wrote to memory of 2792	3448	Client.exe	126
PID 3448 wrote to memory of 2004	3448	Client.exe	129
PID 3448 wrote to memory of 2004	3448	Client.exe	129
PID 2004 wrote to memory of 4596	2004	cmd.exe	131
PID 2004 wrote to memory of 4596	2004	cmd.exe	131
PID 2004 wrote to memory of 2676	2004	cmd.exe	132
PID 2004 wrote to memory of 2676	2004	cmd.exe	132
PID 2004 wrote to memory of 4492	2004	cmd.exe	133
PID 2004 wrote to memory of 4492	2004	cmd.exe	133
PID 4492 wrote to memory of 3124	4492	Client.exe	134
PID 4492 wrote to memory of 3124	4492	Client.exe	134
PID 4492 wrote to memory of 2180	4492	Client.exe	137
PID 4492 wrote to memory of 2180	4492	Client.exe	137
PID 2180 wrote to memory of 1416	2180	cmd.exe	139
PID 2180 wrote to memory of 1416	2180	cmd.exe	139
PID 2180 wrote to memory of 4844	2180	cmd.exe	140
PID 2180 wrote to memory of 4844	2180	cmd.exe	140
PID 2180 wrote to memory of 1036	2180	cmd.exe	142
PID 2180 wrote to memory of 1036	2180	cmd.exe	142
PID 1036 wrote to memory of 4472	1036	Client.exe	143
PID 1036 wrote to memory of 4472	1036	Client.exe	143
PID 1036 wrote to memory of 2852	1036	Client.exe	146
PID 1036 wrote to memory of 2852	1036	Client.exe	146
PID 2852 wrote to memory of 3336	2852	cmd.exe	148
PID 2852 wrote to memory of 3336	2852	cmd.exe	148
PID 2852 wrote to memory of 860	2852	cmd.exe	149
PID 2852 wrote to memory of 860	2852	cmd.exe	149
PID 2852 wrote to memory of 2940	2852	cmd.exe	151
PID 2852 wrote to memory of 2940	2852	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ExmPremium.exe
"C:\Users\Admin\AppData\Local\Temp\ExmPremium.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3212
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kFxfvwGZeV4a.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4156
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3184
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fj2xZg94FTbF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4020
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1040
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7TVGo0ShfIh0.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCRINmxZziSN.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQfu4gFvmbae.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9FCpF0FQMZnU.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ojRLefKcoXUS.bat" "
        15⤵
        
        PID:3620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XBUseYeCqKgs.bat" "
        17⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gx1qbg2rhRpH.bat" "
        19⤵
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qhzFw5wMMeUI.bat" "
        21⤵
        
        PID:4008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsFgq5iLJKIn.bat" "
        23⤵
        
        PID:4268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkV3CM1QukyH.bat" "
        25⤵
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3gmB5hGdrZDz.bat" "
        27⤵
        
        PID:1064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgXud8fCsoz5.bat" "
        29⤵
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Exm Tweaks" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z3gTliIzfKaG.bat" "
        31⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gmB5hGdrZDz.bat

Filesize
207B

MD5
182422abd6c2d8d6f37bd71130d14795

SHA1
a135cfcdad4d818b2fe3e34590cae59b4e1eb12a

SHA256
b01a6a070e4f9c3fa4418b71cbdfb1fc2ac4831d644e0fd8c3b624112beb1b80

SHA512
84a9ccb85f6257ab8afb5dd46bb387f5932b587b36f8a0f3d0b9a7dbae976fcc0b0435e8f49aaba798368e037cd156aef45883026b359781b473aefe4a2b9041

Download Submit
C:\Users\Admin\AppData\Local\Temp\7TVGo0ShfIh0.bat

Filesize
207B

MD5
c48a532cd80472c73baf773d456edbdc

SHA1
6e90a18aa5f4dbf801a3900e4ae359642abf811a

SHA256
3bfb10b824697ec444cb753b9ac9f1c2c27145728ea6201e2773e70d7f473d25

SHA512
e12d761b3528eac9dc4b7ea1cc296ff89fccf7ea0e71c458dac13f3cdf9f54d8daa3d918dcfe86176a0993150f872f636b44ca0c1e34dadf151847d2e9c38535

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FCpF0FQMZnU.bat

Filesize
207B

MD5
b65c5d92e1774ac87965cb20936ebd27

SHA1
ae49a62c72c163f60eca5ce61b26822bb6af661e

SHA256
65114bfe845cf55c3f77355b0f787213cbd8169b06207329baeb5a68d0c1d9e5

SHA512
29e320261afea2a6e53d4ebb8e5eee35518a6d0e8c3b442e697b501d71b0731b88ae5aed5c489a3c9457eb94eeef05b41bb8ec934b1b9988e5b3f57e4806ef5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCRINmxZziSN.bat

Filesize
207B

MD5
687e1cf50d206c4ce75306714d75a886

SHA1
ce859529c1b744a86acdb50468a206304b48829b

SHA256
55d70156b20de13d1250c919e645048c71a86b7a085ceaf62b6c8f9cc6f01d60

SHA512
0d6b2252557a2cd40fc590bd5d91b281345b020d3a84d562223c56af6d3bcd467389ca87a706f05f02cb7b1a9663101650493cf3711cd771e8c9f09508d6c198

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQfu4gFvmbae.bat

Filesize
207B

MD5
2c078c5d9ae2cbdaeff28fc88e85f548

SHA1
9ac56fefe90d2c431a9948bba1d00ab3baed8145

SHA256
0161cd0fb30559597cb84bf01c94c7fce66283bc9362d212802bd506eaf71ad4

SHA512
0a78630f94fd424ec33f45f1adc1f80b9fb50a591c1e269ef081dd826b7c6d6871d9320ff6049490963a55221b5f5ed72d9bc4d364661353d6986664fc423172

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBUseYeCqKgs.bat

Filesize
207B

MD5
373f7a80611def6a699408b63294450f

SHA1
9b4df9575ffffeff2bbb9aba3d647a9284f3886e

SHA256
9dfb4b3d933e7c8ff3cfb80efdd8e0abec2a0c0c3ec25cb18a1f62d9043a9ce5

SHA512
a67e28c286c70867a58e1f13d913bb2be28c3116eae8b4aeaf2c66dad3953bffc89e89db0f86415be4231375ffb413deefa2701c65d0ef676bff4146fc9921b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj2xZg94FTbF.bat

Filesize
207B

MD5
a7c3539047e3a79dfeeba5a51b942be0

SHA1
d0bbba6d111a2c69aa35acd7b1c435f9b858345b

SHA256
b93cac37f0e0045670484b1d9275d5ab5cf80918f20c0d7db2c75fac2ee83852

SHA512
e500dc0bfd3418ea89f9d5e7cde43d6320fb043f485981f720affbac794633938b1104f56604896cca37cf8dad2374d373170b7b4b5891208e3c3a2e29fe7cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gx1qbg2rhRpH.bat

Filesize
207B

MD5
ad1333e5bb54d54a9e21b3ef910a121f

SHA1
ae82c7fee0c9b3c08b48d3ad2ae318d8d5524ff1

SHA256
39566bde932426dadf127a1a6f3255b54e87309c39f8d0062e1bbace8b0f37f5

SHA512
bc274144d6a2f4cb91595a925e3b59eb02b58a8f3798c9c9061ac8e38360765bddd8a911eafab1e0d622468bb6786a941ce0870255ad680a594b65ae137c8aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsFgq5iLJKIn.bat

Filesize
207B

MD5
df065004c8cff971150db770ceb73159

SHA1
63dbc7dccfa6287a131d4aa3275edfeb91cfcba1

SHA256
8555a998fb331bc4e42151abf65cd74b19c9f4fcef9c52b292290a84145d4348

SHA512
8e99b0bce0a7f8c529d392aea18753cfa994509b2e7ba2df8e548991ab49692f6f2ee0778946ea0bd1d283436fccde3f7fc0c5ee1ba4989e3f3e556a0f976f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkV3CM1QukyH.bat

Filesize
207B

MD5
a6516b13b02d9eca2e15488111617199

SHA1
cc4890e3d5dbc5c29c9f410680c3e403870974a3

SHA256
dfa7bdb28a0e9b9156f7d3207392dc5b168550390e6afd96582cbf420d0247c5

SHA512
89b9be4562f66b3f00f42a32c368f8569d9819d05f6cbea14835672b9472759b9eda13dbb745e87338bafecd308b8fe0c795a47b0234ab51d022153c531b6ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kFxfvwGZeV4a.bat

Filesize
207B

MD5
84946e82ed1707d6ac9aa7f856c6679e

SHA1
35409f4adb4531c4e437283e896bca991d19c54c

SHA256
8c3b11906eb65642cbe771ccbbbaa05ade490de12d1156551e742004a3d52010

SHA512
309584eae9ba6f6bdd76258ff0c21c2b488c76d52ea25fad19a84dbb900949af024547ea16ff91a70940b83c8860e4b66f3595ad4e2329f519d56cb79b44aba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojRLefKcoXUS.bat

Filesize
207B

MD5
8460c695131ee845447c13a60c10ff59

SHA1
1cb49639d5f45ee1c4b34979caa594f29a672368

SHA256
4dfd637836d640bfefa019a6be520fd939e5a6ad001f7a5f9fd11492e5987798

SHA512
10f9f388b99580376e5f049c025035034c4a673ff6d56f1eed41194c80194e785cfc488a33c701462ed7de932192dca33b5a7ac39e617537658953f47ef143ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhzFw5wMMeUI.bat

Filesize
207B

MD5
6badc9d1b88e3535ef276d738c3febbe

SHA1
21a15eb369b498c9b3b656777adc9b431bda3ec5

SHA256
310325aef8d026eba635c962a82cc29aab01752a716da29a3f3112f99c95771d

SHA512
2f0e1bac29012da7cfe5c894bd0506dfdd87e4c37500f716ad152c3da48d38c7e66a246d5b6d54dc700f9f405c5965c26949b9c42ceca3d350a802e390fa8d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgXud8fCsoz5.bat

Filesize
207B

MD5
de60635f6c764236bc1ae55009493177

SHA1
f3300cb85653bf6afb2a8a778796232e953141a4

SHA256
e4c6c1280379328314c300036312a20940f6b3520d06f2d4f64a6eccd5941bad

SHA512
60a79e61b2f528981c2eadceaefa82330f8a73e7f9de72a7aef2a62f95eed91599f9c9bf1099a9b56186327cb3cbb5860f8eea25049096c2126d182e7fc5d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3gTliIzfKaG.bat

Filesize
207B

MD5
dc0eb16565188b1c9a81d0c7e93d325b

SHA1
437667124262d115e1a814fe7c1d608b8e5b8ff4

SHA256
d29fbc59df270ad2a988860cfe62e2e6d15f438b879ef262dc56a22addb06f85

SHA512
b4b52c82fd6de32ca4029cb083c57faca774d6e883dcfceab1079fa08ff6437a2b2e3808cf1b85fd5c1df47fae80f7728e7524f02b339aace56f1a0425ad10c6

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.5MB

MD5
1e0a2e8cc5ce58715fc43c44004f637c

SHA1
f85ba3c4bd766e12ac11840939f5773ecc2f90f3

SHA256
4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd

SHA512
75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859

Download Submit
memory/2996-13-0x000000001BFD0000-0x000000001C082000-memory.dmp

Filesize
712KB

Download
memory/2996-9-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/2996-11-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/2996-12-0x000000001B790000-0x000000001B7E0000-memory.dmp

Filesize
320KB

Download
memory/2996-18-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/3660-2-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/3660-10-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/3660-0-0x00007FFAC2653000-0x00007FFAC2655000-memory.dmp

Filesize
8KB

Download
memory/3660-1-0x0000000000750000-0x0000000000ADE000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads