quasar | 35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

9cd0c80ad619579b83e16f7afebf98b2
SHA1

e19f404fe2b5f2fa57af674c2993009ae13e29f8
SHA256

35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f
SHA512

fb2613be8e367893386497b1ee3aa52c608f0c9c539c0e0ac6738cb4333301ca3f6bbb63fbf2ea60d54884a7fce624e1ec9ecc0c70ed0fc114da2254cb05bc48
SSDEEP

49152:/v3lL26AaNeWgPhlmVqvMQ7XSKIrRJ6dbR3LoGdm0THHB72eh2NT:/v1L26AaNeWgPhlmVqkQ7XSKIrRJ6vW

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

abc248597df-25592.portmap.host:25592:25592

Mutex

837d4201-7565-459a-ad6a-d5ef54fa537b

Attributes

encryption_key
A896862809BEA850DB21D754E127B53DD347664D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2068-1-0x0000000000990000-0x0000000000CB4000-memory.dmp	family_quasar
behavioral1/files/0x0007000000019441-5.dat	family_quasar
behavioral1/memory/2012-8-0x00000000011A0000-0x00000000014C4000-memory.dmp	family_quasar
behavioral1/memory/536-43-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral1/memory/2144-55-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar
behavioral1/memory/1868-66-0x00000000013E0000-0x0000000001704000-memory.dmp	family_quasar
behavioral1/memory/2604-99-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral1/memory/484-110-0x00000000002D0000-0x00000000005F4000-memory.dmp	family_quasar
behavioral1/memory/2300-122-0x0000000001240000-0x0000000001564000-memory.dmp	family_quasar
behavioral1/memory/2772-165-0x0000000001200000-0x0000000001524000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2012	Client.exe
3020	Client.exe
1968	Client.exe
536	Client.exe
2144	Client.exe
1868	Client.exe
1732	Client.exe
2120	Client.exe
2604	Client.exe
484	Client.exe
2300	Client.exe
2996	Client.exe
2336	Client.exe
2824	Client.exe
2772	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2944	PING.EXE
2624	PING.EXE
2020	PING.EXE
2176	PING.EXE
1608	PING.EXE
1984	PING.EXE
1712	PING.EXE
2928	PING.EXE
2228	PING.EXE
1804	PING.EXE
2388	PING.EXE
720	PING.EXE
1812	PING.EXE
848	PING.EXE
1632	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1712	PING.EXE
2624	PING.EXE
2176	PING.EXE
720	PING.EXE
1608	PING.EXE
2388	PING.EXE
848	PING.EXE
1632	PING.EXE
2928	PING.EXE
2020	PING.EXE
1812	PING.EXE
1984	PING.EXE
1804	PING.EXE
2228	PING.EXE
2944	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe
1552	schtasks.exe
1684	schtasks.exe
720	schtasks.exe
2648	schtasks.exe
1948	schtasks.exe
2636	schtasks.exe
2152	schtasks.exe
2824	schtasks.exe
2572	schtasks.exe
1772	schtasks.exe
2760	schtasks.exe
2936	schtasks.exe
2800	schtasks.exe
1668	schtasks.exe
1816	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	Client-built.exe
Token: SeDebugPrivilege	2012	Client.exe
Token: SeDebugPrivilege	3020	Client.exe
Token: SeDebugPrivilege	1968	Client.exe
Token: SeDebugPrivilege	536	Client.exe
Token: SeDebugPrivilege	2144	Client.exe
Token: SeDebugPrivilege	1868	Client.exe
Token: SeDebugPrivilege	1732	Client.exe
Token: SeDebugPrivilege	2120	Client.exe
Token: SeDebugPrivilege	2604	Client.exe
Token: SeDebugPrivilege	484	Client.exe
Token: SeDebugPrivilege	2300	Client.exe
Token: SeDebugPrivilege	2996	Client.exe
Token: SeDebugPrivilege	2336	Client.exe
Token: SeDebugPrivilege	2824	Client.exe
Token: SeDebugPrivilege	2772	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2012	Client.exe
3020	Client.exe
1968	Client.exe
536	Client.exe
2144	Client.exe
1868	Client.exe
1732	Client.exe
2120	Client.exe
2604	Client.exe
484	Client.exe
2300	Client.exe
2996	Client.exe
2336	Client.exe
2824	Client.exe
2772	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2012	Client.exe
3020	Client.exe
1968	Client.exe
536	Client.exe
2144	Client.exe
1868	Client.exe
1732	Client.exe
2120	Client.exe
2604	Client.exe
484	Client.exe
2300	Client.exe
2996	Client.exe
2336	Client.exe
2824	Client.exe
2772	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2800	2068	Client-built.exe	30
PID 2068 wrote to memory of 2800	2068	Client-built.exe	30
PID 2068 wrote to memory of 2800	2068	Client-built.exe	30
PID 2068 wrote to memory of 2012	2068	Client-built.exe	32
PID 2068 wrote to memory of 2012	2068	Client-built.exe	32
PID 2068 wrote to memory of 2012	2068	Client-built.exe	32
PID 2012 wrote to memory of 2760	2012	Client.exe	33
PID 2012 wrote to memory of 2760	2012	Client.exe	33
PID 2012 wrote to memory of 2760	2012	Client.exe	33
PID 2012 wrote to memory of 2548	2012	Client.exe	35
PID 2012 wrote to memory of 2548	2012	Client.exe	35
PID 2012 wrote to memory of 2548	2012	Client.exe	35
PID 2548 wrote to memory of 2620	2548	cmd.exe	37
PID 2548 wrote to memory of 2620	2548	cmd.exe	37
PID 2548 wrote to memory of 2620	2548	cmd.exe	37
PID 2548 wrote to memory of 1984	2548	cmd.exe	38
PID 2548 wrote to memory of 1984	2548	cmd.exe	38
PID 2548 wrote to memory of 1984	2548	cmd.exe	38
PID 2548 wrote to memory of 3020	2548	cmd.exe	39
PID 2548 wrote to memory of 3020	2548	cmd.exe	39
PID 2548 wrote to memory of 3020	2548	cmd.exe	39
PID 3020 wrote to memory of 1684	3020	Client.exe	40
PID 3020 wrote to memory of 1684	3020	Client.exe	40
PID 3020 wrote to memory of 1684	3020	Client.exe	40
PID 3020 wrote to memory of 2584	3020	Client.exe	42
PID 3020 wrote to memory of 2584	3020	Client.exe	42
PID 3020 wrote to memory of 2584	3020	Client.exe	42
PID 2584 wrote to memory of 2408	2584	cmd.exe	44
PID 2584 wrote to memory of 2408	2584	cmd.exe	44
PID 2584 wrote to memory of 2408	2584	cmd.exe	44
PID 2584 wrote to memory of 1712	2584	cmd.exe	45
PID 2584 wrote to memory of 1712	2584	cmd.exe	45
PID 2584 wrote to memory of 1712	2584	cmd.exe	45
PID 2584 wrote to memory of 1968	2584	cmd.exe	46
PID 2584 wrote to memory of 1968	2584	cmd.exe	46
PID 2584 wrote to memory of 1968	2584	cmd.exe	46
PID 1968 wrote to memory of 1668	1968	Client.exe	47
PID 1968 wrote to memory of 1668	1968	Client.exe	47
PID 1968 wrote to memory of 1668	1968	Client.exe	47
PID 1968 wrote to memory of 2852	1968	Client.exe	49
PID 1968 wrote to memory of 2852	1968	Client.exe	49
PID 1968 wrote to memory of 2852	1968	Client.exe	49
PID 2852 wrote to memory of 2740	2852	cmd.exe	51
PID 2852 wrote to memory of 2740	2852	cmd.exe	51
PID 2852 wrote to memory of 2740	2852	cmd.exe	51
PID 2852 wrote to memory of 1804	2852	cmd.exe	52
PID 2852 wrote to memory of 1804	2852	cmd.exe	52
PID 2852 wrote to memory of 1804	2852	cmd.exe	52
PID 2852 wrote to memory of 536	2852	cmd.exe	53
PID 2852 wrote to memory of 536	2852	cmd.exe	53
PID 2852 wrote to memory of 536	2852	cmd.exe	53
PID 536 wrote to memory of 2152	536	Client.exe	54
PID 536 wrote to memory of 2152	536	Client.exe	54
PID 536 wrote to memory of 2152	536	Client.exe	54
PID 536 wrote to memory of 1708	536	Client.exe	56
PID 536 wrote to memory of 1708	536	Client.exe	56
PID 536 wrote to memory of 1708	536	Client.exe	56
PID 1708 wrote to memory of 1492	1708	cmd.exe	58
PID 1708 wrote to memory of 1492	1708	cmd.exe	58
PID 1708 wrote to memory of 1492	1708	cmd.exe	58
PID 1708 wrote to memory of 2388	1708	cmd.exe	59
PID 1708 wrote to memory of 2388	1708	cmd.exe	59
PID 1708 wrote to memory of 2388	1708	cmd.exe	59
PID 1708 wrote to memory of 2144	1708	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2800
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2760
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\H9mRNPHkXRcq.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2620
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1984
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JJE0Y54a4tw8.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2408
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Iunjnar2Lbg.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GzVCwzqyMgB8.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2144
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dukrADsytBJe.bat" "
        11⤵
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AlYVVbAYzvYn.bat" "
        13⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1732
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Eqj6KozTb5AZ.bat" "
        15⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2120
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z0K3uuN41UPi.bat" "
        17⤵
        
        PID:2664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2604
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cSByfF14pcOX.bat" "
        19⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:484
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\amsG3bASCg3d.bat" "
        21⤵
        
        PID:2844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2300
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1152
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8spADqI1wf7f.bat" "
        23⤵
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2996
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1772
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAOyFZGZxYb0.bat" "
        25⤵
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2336
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCG4q8jEKXdl.bat" "
        27⤵
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2824
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bnpvITIGV8ob.bat" "
        29⤵
        
        PID:1228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5MqGg1dN2oIZ.bat" "
        31⤵
        
        PID:2544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5MqGg1dN2oIZ.bat

Filesize
207B

MD5
1608a888aa43a815e82c055df686f026

SHA1
50bca1aae415c568215f74ea0421594a92293632

SHA256
4ddd8f6b35fd3a15ffa3c0ff0cb3f6c6f7ce11c36d19c4e06b475a4f312a6120

SHA512
32ecf9dfe5caa2d9bff896ce86d45aa8e9376038e9d6748cbfe0ec13a033edfcf8ae5a624381383dee4b403a549226ba57e27a5d28bea1ed2481e9f915f822d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8spADqI1wf7f.bat

Filesize
207B

MD5
b32aaec64210736db311d18b5b2bcf71

SHA1
d309d258357bdf1c06c4a244535f9e4271a283ba

SHA256
ed59b5422a548768b53846fb482b51420f54aaad9d9ad1f5efc6f9d419c71e88

SHA512
30eb1845b08204d9c3d24faaf806e1a1a10754ebc05989505f9969154d284b12e08e0bb78d765acb669b1645bf96d2c09e041519328ac3373d333c10618a3a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Iunjnar2Lbg.bat

Filesize
207B

MD5
b2493ce6b4edeebb6028b2a45a9c6fff

SHA1
6f8b9201845ccacae7406f7714d8de1daf48a598

SHA256
93e7e85737d6a03750f06ce5898e45c65bd8af3e0a733a46c33ad6dffdef35bd

SHA512
d9be564d94315931b66e89157c860c6f66a8e37625d11ce596fbf91299047512a0b722c1ca073f18e7ec76e0fc5fddb3b1c95dd3097662ad2f0d99a99fa2a82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AlYVVbAYzvYn.bat

Filesize
207B

MD5
86eb6317c528026bb6e447827c6b77fc

SHA1
4aebde40f74e44d4608ca190a661f23738a19c04

SHA256
8ff9d13ca968c33a49485c1077f1a83d70c1662fdfad380bb2fb18c7c49dd8a0

SHA512
c64030d99e1533a5993a3e32b5ffbd68c4d419235fdaaf1408ca85ae3e1f1948e2dd908085308a5f5542821f3a20119337512aa3c0833244a1931b76b299d9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eqj6KozTb5AZ.bat

Filesize
207B

MD5
4e5459252190749e6c791debd55281ed

SHA1
bedb2ad7cf71fd3f8e40b650ff77a2164863bf49

SHA256
312c9134b27226a62842cb5e3ec640aa8fa866655c916d0436b6c7cc120b1eb5

SHA512
fd4f6f0e0ffbc7ff59fbee2ce11e1dc2a9d768cac76e8814cb1abbb9cb9446a3ea195d8ba9952fd10669cff1f28dd05adab57de593d7d1bb0eb123cbbcb6deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzVCwzqyMgB8.bat

Filesize
207B

MD5
bf9c09e297e04148abec144e8b79bdb1

SHA1
00ed3bb3954b0ef24cd1f445d8b785becc74c209

SHA256
eb7dc085e2a70d29c6a68ae1224778994f9603a7e26eb3b1fd62bf19012db5c2

SHA512
b8aaa37d47b9de520106af7fb1e76ff1dc665f7af3785ae78cb8f924ff8821d31b12a496bb8824ca381cf79b439de8bdf9e4febcb253bd5953b77cca1ac1aa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\H9mRNPHkXRcq.bat

Filesize
207B

MD5
3cd7551bd771d06f76b2a8a9e5eb4427

SHA1
03ac80022a9945f9411e0c946d4f62645b3e2b32

SHA256
1118a193244c3929035724f63396db2e81a147cb4c52af612abf8ff3966f49d8

SHA512
0d7a5057f9251d63ab133f746ddebdb94d275b246a04a515259075122051ea37ab3bcd78670b4c3bba8ec78865b8e7ca3ee8f14d4c6f17f90b9153ef9f53546e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJE0Y54a4tw8.bat

Filesize
207B

MD5
bf11c6827af102bafdae9d3a352e7631

SHA1
d804431bc3f23e92e217d616e69c9f03bbe7b3f9

SHA256
0b16a5ae08659c11f0bd44d115968a9f947fbf2324d32d61694d72c12b07c720

SHA512
403b0ee7e1e5bbb4020f024db36cf3cc4f31797223d859b80902db20b15581f949f408991e2432097953c733ff8778bd73ac75e681e1ba65d372cd8e1afcfa1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCG4q8jEKXdl.bat

Filesize
207B

MD5
e230a11e427d072cd16de91b9550aa20

SHA1
743ec09fc1b11bc48bd49115500937c74607171a

SHA256
21258725194bffa6f38536b8492477224e3767b780d465a5002ae1fb08a4ca68

SHA512
3d00938dda77bc1c22520faf7023b75b94e30fcb43a352bc14916be2ddef95227fa886917c434b118f6fffdcaaa6cef70a7560a4d8cf58f71d0e323d040c2f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z0K3uuN41UPi.bat

Filesize
207B

MD5
0d0e5d3bbc9fd6754c04bead5578bc62

SHA1
30b431a25e39758b8276bfd6aa272c28a430296e

SHA256
148f40a22458faaceafae45f315f6538b1ddf6c0d2cce6c06b8893cb77dc3838

SHA512
b50774501a26dc1be41a7c21847cf9baf382b1bd9d77abb57d3b8cfc1f67efbc2cec6b91f513bfbc7e91543c7120246de47107691957b0c707cd1c244dbacafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\amsG3bASCg3d.bat

Filesize
207B

MD5
c400914fef3789e923d8d938469f5477

SHA1
c5a4cf1138c814ed40f6280cc222cbf3ba9634ea

SHA256
b3974715f2eba452b8317717b8b00783e63968dba6c9fe08121882653a7a466b

SHA512
ad45e58aaf8b17ab77461f9359523b1bab0dda5d1d8b6a6bcf5e87c593d049146d4ae55d75171fe84467a4320d086309cf242842845ec7e92dba38ad8592e0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnpvITIGV8ob.bat

Filesize
207B

MD5
08433351ae761122212bc5d2a652abe3

SHA1
1942ca3836e7eb3e8f670555444d7cd3f4bc6204

SHA256
5628ee768cd4ade2cfd92d0ca73db1d2e6f0b202454869bcea9a2f8ef3e36de8

SHA512
fab2e9d1cc4ae47d81eadc4e24e5f36bd1c743d05e1d7f641b7012495d69d69d4d991b32a6ff03ecc7c4de825ddb594ed3f42ce011ab3ee7a7d2ee8c4ed9c82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSByfF14pcOX.bat

Filesize
207B

MD5
5645c30977dfe44ae72dc0976e7a0e53

SHA1
650bab3593d9f0fc781d9c9d4f1460467674da0a

SHA256
5b7e6c87643f2868d3a5df9e0588c534d744aa5d268775bed53dae6553aa6c23

SHA512
677f8720303c19f2d41f884834f3ac1b3a7f08eb0afe51c3b8ad8fe7d83b2d78731d457dc08e3ef07823afda65b74a4f97d4a8a72c274282b3db5138573350e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAOyFZGZxYb0.bat

Filesize
207B

MD5
ff2fb1a5cb5718165e828a239f5ea435

SHA1
83d857b75244b11a1920b81b433eb1f55ba89dac

SHA256
673c1b8d514f155428afbabf7c409fd5d896ad18351e3bcc06f3b6aea836ebf0

SHA512
c8bfc0a0bf3596424fedae98872602139cceaab6cffa2d91051bf24c54c2c5cc6c919749e0bb8070b6eb3ce80f28944ca48fae66f25d7b5d3e816b62d9111132

Download Submit
C:\Users\Admin\AppData\Local\Temp\dukrADsytBJe.bat

Filesize
207B

MD5
ea7df4d47dfdf8f038c865d163d0d402

SHA1
8f49f3e7164664084b52b1307436d32f23e6c52b

SHA256
c2433f3ea532f64dd6254b10225fcb0317ccad5a1fae899f0b5d9b1b777009cd

SHA512
1c7958ae89540790f0957498c9e84e134197cc655b96b17345e4ca5651750d4f9f12ebe1a8f1f252db8c2f248004817e44b723f5d08fb9cd251c7180171d31b4

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
9cd0c80ad619579b83e16f7afebf98b2

SHA1
e19f404fe2b5f2fa57af674c2993009ae13e29f8

SHA256
35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f

SHA512
fb2613be8e367893386497b1ee3aa52c608f0c9c539c0e0ac6738cb4333301ca3f6bbb63fbf2ea60d54884a7fce624e1ec9ecc0c70ed0fc114da2254cb05bc48

Download Submit
memory/484-110-0x00000000002D0000-0x00000000005F4000-memory.dmp

Filesize
3.1MB

Download
memory/536-43-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/1868-66-0x00000000013E0000-0x0000000001704000-memory.dmp

Filesize
3.1MB

Download
memory/2012-8-0x00000000011A0000-0x00000000014C4000-memory.dmp

Filesize
3.1MB

Download
memory/2012-19-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-7-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-10-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2068-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-1-0x0000000000990000-0x0000000000CB4000-memory.dmp

Filesize
3.1MB

Download
memory/2144-55-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/2300-122-0x0000000001240000-0x0000000001564000-memory.dmp

Filesize
3.1MB

Download
memory/2604-99-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/2772-165-0x0000000001200000-0x0000000001524000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads