quasar | 35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

9cd0c80ad619579b83e16f7afebf98b2
SHA1

e19f404fe2b5f2fa57af674c2993009ae13e29f8
SHA256

35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f
SHA512

fb2613be8e367893386497b1ee3aa52c608f0c9c539c0e0ac6738cb4333301ca3f6bbb63fbf2ea60d54884a7fce624e1ec9ecc0c70ed0fc114da2254cb05bc48
SSDEEP

49152:/v3lL26AaNeWgPhlmVqvMQ7XSKIrRJ6dbR3LoGdm0THHB72eh2NT:/v1L26AaNeWgPhlmVqkQ7XSKIrRJ6vW

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

abc248597df-25592.portmap.host:25592:25592

Mutex

837d4201-7565-459a-ad6a-d5ef54fa537b

Attributes

encryption_key
A896862809BEA850DB21D754E127B53DD347664D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5004-1-0x0000000000E20000-0x0000000001144000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c87-4.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
5084	Client.exe
3744	Client.exe
1196	Client.exe
2424	Client.exe
2388	Client.exe
2888	Client.exe
4416	Client.exe
2696	Client.exe
3972	Client.exe
3180	Client.exe
3980	Client.exe
2712	Client.exe
1564	Client.exe
1040	Client.exe
3092	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3068	PING.EXE
3852	PING.EXE
1180	PING.EXE
2816	PING.EXE
412	PING.EXE
4712	PING.EXE
3624	PING.EXE
3020	PING.EXE
2396	PING.EXE
716	PING.EXE
428	PING.EXE
3940	PING.EXE
1164	PING.EXE
5048	PING.EXE
3936	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4712	PING.EXE
428	PING.EXE
3936	PING.EXE
412	PING.EXE
2396	PING.EXE
2816	PING.EXE
3940	PING.EXE
3852	PING.EXE
716	PING.EXE
3068	PING.EXE
3624	PING.EXE
5048	PING.EXE
3020	PING.EXE
1164	PING.EXE
1180	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4484	schtasks.exe
2400	schtasks.exe
1628	schtasks.exe
1076	schtasks.exe
2596	schtasks.exe
4188	schtasks.exe
4004	schtasks.exe
3348	schtasks.exe
4320	schtasks.exe
1468	schtasks.exe
1072	schtasks.exe
1064	schtasks.exe
3936	schtasks.exe
2832	schtasks.exe
2308	schtasks.exe
4080	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	Client-built.exe
Token: SeDebugPrivilege	5084	Client.exe
Token: SeDebugPrivilege	3744	Client.exe
Token: SeDebugPrivilege	1196	Client.exe
Token: SeDebugPrivilege	2424	Client.exe
Token: SeDebugPrivilege	2388	Client.exe
Token: SeDebugPrivilege	2888	Client.exe
Token: SeDebugPrivilege	4416	Client.exe
Token: SeDebugPrivilege	2696	Client.exe
Token: SeDebugPrivilege	3972	Client.exe
Token: SeDebugPrivilege	3180	Client.exe
Token: SeDebugPrivilege	3980	Client.exe
Token: SeDebugPrivilege	2712	Client.exe
Token: SeDebugPrivilege	1564	Client.exe
Token: SeDebugPrivilege	1040	Client.exe
Token: SeDebugPrivilege	3092	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
5084	Client.exe
3744	Client.exe
1196	Client.exe
2424	Client.exe
2388	Client.exe
2888	Client.exe
4416	Client.exe
2696	Client.exe
3972	Client.exe
3180	Client.exe
3980	Client.exe
2712	Client.exe
1564	Client.exe
1040	Client.exe
3092	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
5084	Client.exe
3744	Client.exe
1196	Client.exe
2424	Client.exe
2388	Client.exe
2888	Client.exe
4416	Client.exe
2696	Client.exe
3972	Client.exe
3180	Client.exe
3980	Client.exe
2712	Client.exe
1564	Client.exe
1040	Client.exe
3092	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3348	5004	Client-built.exe	83
PID 5004 wrote to memory of 3348	5004	Client-built.exe	83
PID 5004 wrote to memory of 5084	5004	Client-built.exe	85
PID 5004 wrote to memory of 5084	5004	Client-built.exe	85
PID 5084 wrote to memory of 2308	5084	Client.exe	86
PID 5084 wrote to memory of 2308	5084	Client.exe	86
PID 5084 wrote to memory of 2556	5084	Client.exe	88
PID 5084 wrote to memory of 2556	5084	Client.exe	88
PID 2556 wrote to memory of 3184	2556	cmd.exe	90
PID 2556 wrote to memory of 3184	2556	cmd.exe	90
PID 2556 wrote to memory of 1164	2556	cmd.exe	91
PID 2556 wrote to memory of 1164	2556	cmd.exe	91
PID 2556 wrote to memory of 3744	2556	cmd.exe	97
PID 2556 wrote to memory of 3744	2556	cmd.exe	97
PID 3744 wrote to memory of 4080	3744	Client.exe	101
PID 3744 wrote to memory of 4080	3744	Client.exe	101
PID 3744 wrote to memory of 4584	3744	Client.exe	103
PID 3744 wrote to memory of 4584	3744	Client.exe	103
PID 4584 wrote to memory of 3156	4584	cmd.exe	106
PID 4584 wrote to memory of 3156	4584	cmd.exe	106
PID 4584 wrote to memory of 412	4584	cmd.exe	107
PID 4584 wrote to memory of 412	4584	cmd.exe	107
PID 4584 wrote to memory of 1196	4584	cmd.exe	114
PID 4584 wrote to memory of 1196	4584	cmd.exe	114
PID 1196 wrote to memory of 1076	1196	Client.exe	115
PID 1196 wrote to memory of 1076	1196	Client.exe	115
PID 1196 wrote to memory of 368	1196	Client.exe	118
PID 1196 wrote to memory of 368	1196	Client.exe	118
PID 368 wrote to memory of 872	368	cmd.exe	120
PID 368 wrote to memory of 872	368	cmd.exe	120
PID 368 wrote to memory of 2396	368	cmd.exe	121
PID 368 wrote to memory of 2396	368	cmd.exe	121
PID 368 wrote to memory of 2424	368	cmd.exe	124
PID 368 wrote to memory of 2424	368	cmd.exe	124
PID 2424 wrote to memory of 1468	2424	Client.exe	125
PID 2424 wrote to memory of 1468	2424	Client.exe	125
PID 2424 wrote to memory of 5016	2424	Client.exe	128
PID 2424 wrote to memory of 5016	2424	Client.exe	128
PID 5016 wrote to memory of 4296	5016	cmd.exe	130
PID 5016 wrote to memory of 4296	5016	cmd.exe	130
PID 5016 wrote to memory of 3068	5016	cmd.exe	131
PID 5016 wrote to memory of 3068	5016	cmd.exe	131
PID 5016 wrote to memory of 2388	5016	cmd.exe	134
PID 5016 wrote to memory of 2388	5016	cmd.exe	134
PID 2388 wrote to memory of 2596	2388	Client.exe	135
PID 2388 wrote to memory of 2596	2388	Client.exe	135
PID 2388 wrote to memory of 4928	2388	Client.exe	138
PID 2388 wrote to memory of 4928	2388	Client.exe	138
PID 4928 wrote to memory of 3172	4928	cmd.exe	140
PID 4928 wrote to memory of 3172	4928	cmd.exe	140
PID 4928 wrote to memory of 3852	4928	cmd.exe	141
PID 4928 wrote to memory of 3852	4928	cmd.exe	141
PID 4928 wrote to memory of 2888	4928	cmd.exe	143
PID 4928 wrote to memory of 2888	4928	cmd.exe	143
PID 2888 wrote to memory of 1072	2888	Client.exe	144
PID 2888 wrote to memory of 1072	2888	Client.exe	144
PID 2888 wrote to memory of 2584	2888	Client.exe	146
PID 2888 wrote to memory of 2584	2888	Client.exe	146
PID 2584 wrote to memory of 2352	2584	cmd.exe	149
PID 2584 wrote to memory of 2352	2584	cmd.exe	149
PID 2584 wrote to memory of 716	2584	cmd.exe	150
PID 2584 wrote to memory of 716	2584	cmd.exe	150
PID 2584 wrote to memory of 4416	2584	cmd.exe	151
PID 2584 wrote to memory of 4416	2584	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3348
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qxQFUH9ZraQj.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3184
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1164
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dw8iXBYr0qxi.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3156
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:412
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O5FqfO0fkjj4.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYfpdfUzaTZZ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hDjWhjOjqOEI.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3852
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqEiKXHSRNB2.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2BvAqtKLUtVF.bat" "
        15⤵
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkiPyg5wzlMB.bat" "
        17⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2zpAQBKLsAHk.bat" "
        19⤵
        
        PID:2708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EHSpP9MWUwpQ.bat" "
        21⤵
        
        PID:3840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z7dfAF9xHhlm.bat" "
        23⤵
        
        PID:2736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j18drcv8yQni.bat" "
        25⤵
        
        PID:4016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mNA3ZOHpYEom.bat" "
        27⤵
        
        PID:3352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o41kA9feA7wC.bat" "
        29⤵
        
        PID:4812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kJN8QEajXq5J.bat" "
        31⤵
        
        PID:3164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BvAqtKLUtVF.bat

Filesize
207B

MD5
4c6bf90e1517780d503e22cdc5e4997a

SHA1
c177fa74e84c9721950b3af85050c7c4e7b2cd9c

SHA256
7aca1a7ba84cee7eb4de69e1389ddeb73c92b6e446e53b3838f7f43cfcdb7e90

SHA512
5ea05da1ff8541e21d53d15181835b6f6c983b344a99f68f6ae0585f423799d4fe181cfddb39aa16d548dbc07b37fdd3d27fcea308bedf370c6d0627b0f3c03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zpAQBKLsAHk.bat

Filesize
207B

MD5
cbcd475ea5a9435517fcf7d857812692

SHA1
2fa9cd9df66bdd913898cbeae1d3cc48669fdab2

SHA256
ea57d7ae7bd6bbceb5db257e43b795b2fdecd1ce95763b055af48f4cd04247f4

SHA512
af41071fc830b60c18f655261c9ca584e86daf0f60708cfb09694deebe7fc146272732b5b85e199b169694dec58b9ec3302d05b94dc6e9ce4b8435ba2035ed33

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHSpP9MWUwpQ.bat

Filesize
207B

MD5
56e6799e3d07a97e68d560e6537790c9

SHA1
ba613ce25c324f09a7340e97141d18999916ac58

SHA256
30d17dd90d7e175b5f8c80b37a4d817197cf1106448fb935e3ed3434b88cc85e

SHA512
abe9965b03259deee3c2e893ad2253086565bf6c1b0d4b7ca09be115c7713bb88bd167ea1b717d660e32693b0fe2b1bf9cf7b91ef72ca27648fff329a88c59ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqEiKXHSRNB2.bat

Filesize
207B

MD5
9c303cc1336be380fedc3ec771f76d96

SHA1
e762a623b1d6efbe865e5b937373c4df7ffc90ef

SHA256
4c54fba41e5a8a14634ad5f1549fcf7f7ac826d8bb55382d2d5f22074f190691

SHA512
7034afc4e006e11e15882e3115c2568367ea07eb2ca53b4b973ce9b119ffffae166e04e160962feacdb785641fc0e5a6775bec2a7114187b95bd7569af296939

Download Submit
C:\Users\Admin\AppData\Local\Temp\O5FqfO0fkjj4.bat

Filesize
207B

MD5
7f627feeeb3817dc3e52565043ed9117

SHA1
af0d64057a1112bd802fcfab83d6ee012c309e7d

SHA256
fc10c9bc80f4b79273a301dcd0bec9c2781c0584962efc5a38d5601f1daf467a

SHA512
c51f334bf58737aeb0250fc413b8c32b4d73541153fb605ee7db37dbd7030f251be237c29881eac8f3d47f93a5fcb3332a9ee27bff4027db074b4520d9b1909b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7dfAF9xHhlm.bat

Filesize
207B

MD5
8328fd29d88357c026ec5cb6b480a688

SHA1
b14e2330d6606d10727f3f544f7808f877472a4d

SHA256
a3c4897f8399d6eb83a8dbcc2abac40bdc20e762df992b4107dd715ca3af47db

SHA512
be4b7e4dc7cf6e7fef00c226b0dca09055fd436b973c2ddebbba4a0efa917da5871c25a69a1f051a19369097d4d36e6198110b255d0d5030e435374cbaf6c221

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYfpdfUzaTZZ.bat

Filesize
207B

MD5
f9b603c1d89a1e61a9fb01840de9cc70

SHA1
baa76e2f3cda77d22eaf7b8530bb6a9c0fcda1e4

SHA256
055dbfb82ada1fa910aac670c74ea4b8bc64c39a7d5e0a7b58e04c07324a803c

SHA512
cefad5445a32cfb1b998408ef615d3559129936f5fd9d31e0fb89729157020bb514c9059016c7d661a1aefdd07726ee08b83be816ecc820848fd8455ce385af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dw8iXBYr0qxi.bat

Filesize
207B

MD5
7bef5a68b2fc38b9807b8c79d421836c

SHA1
b6dce5f95f2ec800bc37c90ae8654ccf4c735247

SHA256
a5234586e8a361dcce17dd1dd41c9a0c6861d583bcdf5ffcab08865ae4bff375

SHA512
aaf1ac9b5251a63db7b83f6d14f87d3de4c219b8dfaf8824b479fcafc6c10179f6b4a60b00ec6ee74facaeba6946a3d255b2498fc59c9cf5d54d389dbcdfd174

Download Submit
C:\Users\Admin\AppData\Local\Temp\hDjWhjOjqOEI.bat

Filesize
207B

MD5
eae66d836ef93b7f5d08f0b063166bb7

SHA1
4c36a26cc279c83ce245339f23595210808ff24b

SHA256
bdded2f81d5e6305ac3a605e33bc02ebffa287c0192151abbb24442c95ab958a

SHA512
8b25ae48dc598a0c2a7b6c9bf5eeb78f74f48f7a4fb2a04cb0e7807459a8db31487b973f1f6cb25c5bea55da5afc32ca8b60ef69710a3174ac04a378c804ca18

Download Submit
C:\Users\Admin\AppData\Local\Temp\j18drcv8yQni.bat

Filesize
207B

MD5
2fa8883aff6e72a2a1cf9b018bb71eb4

SHA1
7fbd38951ea5e12b4af83642ee62ce7092dc8644

SHA256
84baca2183ae67da174e23cab3061362edacbe4ee55dee6f96242e2ba5578fb7

SHA512
0364097da193921b8ba3b2903bc4bac95758856910ef73f184bc980ff599f005ce512b28789829e0ef196d83671400e9e10a1be9df24401c43e224211b74c5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kJN8QEajXq5J.bat

Filesize
207B

MD5
bed6986c9aefbbda86ba68c0e195f496

SHA1
e2705e150494cac2646f2259f4fdce03b2a95341

SHA256
f152de58a01e6222deb56e7f2e0f8e40a816d0332535130e8252a3e44409e705

SHA512
4b1a14375074b77fa82e3672435ce9d3d55a16a3b94b87266259ef2153bfdf59d48c49d4658382de9b913d57a4693795c26117cfaef386c80e68fcbdcb68ab4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNA3ZOHpYEom.bat

Filesize
207B

MD5
97c317f6e91531ba213d05b275f09254

SHA1
05447f4ab19075e6d3a1fd89e63778550b4a173e

SHA256
dc09fd4b8dee07d043d75bc7652ac3f31adc636c7e39cb13ec2ff9d2abe5b0eb

SHA512
cc0886d60cf2e2013452d40f67a4cd0dff1c4f821d96b9af4930546b29cebf7fa85cd0133127dc3501bd7b2b193f8ae9ed3876129dd885cd0b50734fecce8dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkiPyg5wzlMB.bat

Filesize
207B

MD5
d336d9e36067798e3a2ccb6698635fbb

SHA1
b3c2fad0c332dbb00b0a390b8a0a35d6a732f5f0

SHA256
f33cdc8f7862ba745138adb135fd2ef6a971800101510e9f1b9ba501951f7636

SHA512
d898afd20d8c72e16fcdd2c4772b6e388b1d5b0577c16a8fb2f5568d9b1afdfc60ccb5361b47655d130dbbe32791d34b737346f620350b27001e76d51ca59a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\o41kA9feA7wC.bat

Filesize
207B

MD5
a331cc74f7bb9b3bfce6719fdd8b17e0

SHA1
d2a3ad13dd625a6c1349963db236efaeb1d6816d

SHA256
b15af15f6b46ebc421014a6972139bb551c7d0cee62191491835ce35de0c8be5

SHA512
f2e736e4064dd12f7d068b0ed86923e6858513d5293a0a9e3af2dddfce2903296ae83ec970e13c8012774e3ba89516f779afacaf2ba16d7ae5860848a670362f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxQFUH9ZraQj.bat

Filesize
207B

MD5
cfebf31cc94c79aae99f7d641f14db34

SHA1
3085bb6ce820fea120ecf4eb5cf36571c67faa04

SHA256
f72a8d9eee11d50900d24becc405e341053a318474db1cc06579cbec70cf2985

SHA512
42c84808cfa425eaf5385610cd2af1638094e1753b2e4d4d3039ebddf61be95e13361a80778b367081ae3d846f2cdb7387ce843649cd835872cafcdc0bae1066

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
9cd0c80ad619579b83e16f7afebf98b2

SHA1
e19f404fe2b5f2fa57af674c2993009ae13e29f8

SHA256
35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f

SHA512
fb2613be8e367893386497b1ee3aa52c608f0c9c539c0e0ac6738cb4333301ca3f6bbb63fbf2ea60d54884a7fce624e1ec9ecc0c70ed0fc114da2254cb05bc48

Download Submit
memory/5004-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/5004-8-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/5004-2-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/5004-1-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/5084-17-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/5084-12-0x000000001C200000-0x000000001C2B2000-memory.dmp

Filesize
712KB

Download
memory/5084-11-0x000000001C0F0000-0x000000001C140000-memory.dmp

Filesize
320KB

Download
memory/5084-10-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/5084-9-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads