Analysis
max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
08-01-2025 18:04
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win7-20240903-en
General
Target
Client-built.exe
Size
3.1MB
MD5
9cd0c80ad619579b83e16f7afebf98b2
SHA1
e19f404fe2b5f2fa57af674c2993009ae13e29f8
SHA256
35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f
SHA512
fb2613be8e367893386497b1ee3aa52c608f0c9c539c0e0ac6738cb4333301ca3f6bbb63fbf2ea60d54884a7fce624e1ec9ecc0c70ed0fc114da2254cb05bc48
SSDEEP
49152:/v3lL26AaNeWgPhlmVqvMQ7XSKIrRJ6dbR3LoGdm0THHB72eh2NT:/v1L26AaNeWgPhlmVqkQ7XSKIrRJ6vW
Malware Config
Extracted
quasar
1.4.1
Office04
abc248597df-25592.portmap.host:25592:25592
837d4201-7565-459a-ad6a-d5ef54fa537b
encryption_key
A896862809BEA850DB21D754E127B53DD347664D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir
Signatures
Quasar family
Quasar payload 14 IoCs
resource  yara_rule
behavioral1/memory/2648-1-0x0000000000270000-0x0000000000594000-memory.dmp  family_quasar
behavioral1/files/0x0008000000015dac-5.dat  family_quasar
behavioral1/memory/2804-9-0x0000000000340000-0x0000000000664000-memory.dmp  family_quasar
behavioral1/memory/2424-33-0x0000000001090000-0x00000000013B4000-memory.dmp  family_quasar
behavioral1/memory/1852-44-0x0000000000010000-0x0000000000334000-memory.dmp  family_quasar
behavioral1/memory/1016-56-0x0000000001270000-0x0000000001594000-memory.dmp  family_quasar
behavioral1/memory/1620-68-0x0000000000020000-0x0000000000344000-memory.dmp  family_quasar
behavioral1/memory/2496-79-0x0000000000B80000-0x0000000000EA4000-memory.dmp  family_quasar
behavioral1/memory/2864-91-0x0000000000B90000-0x0000000000EB4000-memory.dmp  family_quasar
behavioral1/memory/1388-102-0x0000000000F00000-0x0000000001224000-memory.dmp  family_quasar
behavioral1/memory/2120-124-0x00000000000A0000-0x00000000003C4000-memory.dmp  family_quasar
behavioral1/memory/2516-135-0x00000000013E0000-0x0000000001704000-memory.dmp  family_quasar
behavioral1/memory/2468-146-0x0000000000100000-0x0000000000424000-memory.dmp  family_quasar
behavioral1/memory/2760-158-0x0000000000F70000-0x0000000001294000-memory.dmp  family_quasar
Executes dropped EXE 15 IoCs
pid  Process
2804  Client.exe
1608  Client.exe
2424  Client.exe
1852  Client.exe
1016  Client.exe
1620  Client.exe
2496  Client.exe
2864  Client.exe
1388  Client.exe
1348  Client.exe
2120  Client.exe
2516  Client.exe
2468  Client.exe
2760  Client.exe
2544  Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
356  PING.EXE
352  PING.EXE
2692  PING.EXE
1592  PING.EXE
1908  PING.EXE
944  PING.EXE
2112  PING.EXE
1592  PING.EXE
2692  PING.EXE
3000  PING.EXE
3056  PING.EXE
832  PING.EXE
2224  PING.EXE
2076  PING.EXE
2072  PING.EXE
Runs ping.exe 1 TTPs 15 IoCs
pid  Process
1592  PING.EXE
352  PING.EXE
2072  PING.EXE
356  PING.EXE
832  PING.EXE
1908  PING.EXE
1592  PING.EXE
944  PING.EXE
3056  PING.EXE
2076  PING.EXE
2692  PING.EXE
2692  PING.EXE
2112  PING.EXE
2224  PING.EXE
3000  PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2872  schtasks.exe
1532  schtasks.exe
2196  schtasks.exe
1400  schtasks.exe
1948  schtasks.exe
2244  schtasks.exe
1004  schtasks.exe
1460  schtasks.exe
2668  schtasks.exe
2792  schtasks.exe
2608  schtasks.exe
884  schtasks.exe
1740  schtasks.exe
1268  schtasks.exe
2544  schtasks.exe
1412  schtasks.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
description  pid  Process
Token: SeDebugPrivilege  2648  Client-built.exe
Token: SeDebugPrivilege  2804  Client.exe
Token: SeDebugPrivilege  1608  Client.exe
Token: SeDebugPrivilege  2424  Client.exe
Token: SeDebugPrivilege  1852  Client.exe
Token: SeDebugPrivilege  1016  Client.exe
Token: SeDebugPrivilege  1620  Client.exe
Token: SeDebugPrivilege  2496  Client.exe
Token: SeDebugPrivilege  2864  Client.exe
Token: SeDebugPrivilege  1388  Client.exe
Token: SeDebugPrivilege  1348  Client.exe
Token: SeDebugPrivilege  2120  Client.exe
Token: SeDebugPrivilege  2516  Client.exe
Token: SeDebugPrivilege  2468  Client.exe
Token: SeDebugPrivilege  2760  Client.exe
Token: SeDebugPrivilege  2544  Client.exe
Suspicious use of FindShellTrayWindow 15 IoCs
pid  Process
2804  Client.exe
1608  Client.exe
2424  Client.exe
1852  Client.exe
1016  Client.exe
1620  Client.exe
2496  Client.exe
2864  Client.exe
1388  Client.exe
1348  Client.exe
2120  Client.exe
2516  Client.exe
2468  Client.exe
2760  Client.exe
2544  Client.exe
Suspicious use of SendNotifyMessage 15 IoCs
pid  Process
2804  Client.exe
1608  Client.exe
2424  Client.exe
1852  Client.exe
1016  Client.exe
1620  Client.exe
2496  Client.exe
2864  Client.exe
1388  Client.exe
1348  Client.exe
2120  Client.exe
2516  Client.exe
2468  Client.exe
2760  Client.exe
2544  Client.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2648 wrote to memory of 2792  2648  Client-built.exe  30
PID 2648 wrote to memory of 2792  2648  Client-built.exe  30
PID 2648 wrote to memory of 2792  2648  Client-built.exe  30
PID 2648 wrote to memory of 2804  2648  Client-built.exe  32
PID 2648 wrote to memory of 2804  2648  Client-built.exe  32
PID 2648 wrote to memory of 2804  2648  Client-built.exe  32
PID 2804 wrote to memory of 2872  2804  Client.exe  33
PID 2804 wrote to memory of 2872  2804  Client.exe  33
PID 2804 wrote to memory of 2872  2804  Client.exe  33
PID 2804 wrote to memory of 2556  2804  Client.exe  35
PID 2804 wrote to memory of 2556  2804  Client.exe  35
PID 2804 wrote to memory of 2556  2804  Client.exe  35
PID 2556 wrote to memory of 3000  2556  cmd.exe  37
PID 2556 wrote to memory of 3000  2556  cmd.exe  37
PID 2556 wrote to memory of 3000  2556  cmd.exe  37
PID 2556 wrote to memory of 3056  2556  cmd.exe  38
PID 2556 wrote to memory of 3056  2556  cmd.exe  38
PID 2556 wrote to memory of 3056  2556  cmd.exe  38
PID 2556 wrote to memory of 1608  2556  cmd.exe  39
PID 2556 wrote to memory of 1608  2556  cmd.exe  39
PID 2556 wrote to memory of 1608  2556  cmd.exe  39
PID 1608 wrote to memory of 1948  1608  Client.exe  40
PID 1608 wrote to memory of 1948  1608  Client.exe  40
PID 1608 wrote to memory of 1948  1608  Client.exe  40
PID 1608 wrote to memory of 2176  1608  Client.exe  42
PID 1608 wrote to memory of 2176  1608  Client.exe  42
PID 1608 wrote to memory of 2176  1608  Client.exe  42
PID 2176 wrote to memory of 2088  2176  cmd.exe  44
PID 2176 wrote to memory of 2088  2176  cmd.exe  44
PID 2176 wrote to memory of 2088  2176  cmd.exe  44
PID 2176 wrote to memory of 1592  2176  cmd.exe  45
PID 2176 wrote to memory of 1592  2176  cmd.exe  45
PID 2176 wrote to memory of 1592  2176  cmd.exe  45
PID 2176 wrote to memory of 2424  2176  cmd.exe  46
PID 2176 wrote to memory of 2424  2176  cmd.exe  46
PID 2176 wrote to memory of 2424  2176  cmd.exe  46
PID 2424 wrote to memory of 2608  2424  Client.exe  47
PID 2424 wrote to memory of 2608  2424  Client.exe  47
PID 2424 wrote to memory of 2608  2424  Client.exe  47
PID 2424 wrote to memory of 2720  2424  Client.exe  49
PID 2424 wrote to memory of 2720  2424  Client.exe  49
PID 2424 wrote to memory of 2720  2424  Client.exe  49
PID 2720 wrote to memory of 2132  2720  cmd.exe  51
PID 2720 wrote to memory of 2132  2720  cmd.exe  51
PID 2720 wrote to memory of 2132  2720  cmd.exe  51
PID 2720 wrote to memory of 356  2720  cmd.exe  52
PID 2720 wrote to memory of 356  2720  cmd.exe  52
PID 2720 wrote to memory of 356  2720  cmd.exe  52
PID 2720 wrote to memory of 1852  2720  cmd.exe  53
PID 2720 wrote to memory of 1852  2720  cmd.exe  53
PID 2720 wrote to memory of 1852  2720  cmd.exe  53
PID 1852 wrote to memory of 2244  1852  Client.exe  54
PID 1852 wrote to memory of 2244  1852  Client.exe  54
PID 1852 wrote to memory of 2244  1852  Client.exe  54
PID 1852 wrote to memory of 2964  1852  Client.exe  56
PID 1852 wrote to memory of 2964  1852  Client.exe  56
PID 1852 wrote to memory of 2964  1852  Client.exe  56
PID 2964 wrote to memory of 2352  2964  cmd.exe  58
PID 2964 wrote to memory of 2352  2964  cmd.exe  58
PID 2964 wrote to memory of 2352  2964  cmd.exe  58
PID 2964 wrote to memory of 352  2964  cmd.exe  59
PID 2964 wrote to memory of 352  2964  cmd.exe  59
PID 2964 wrote to memory of 352  2964  cmd.exe  59
PID 2964 wrote to memory of 1016  2964  cmd.exe  60
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
depth 2: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2792
depth 2: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2804
depth 3: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2872
depth 3: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YO7ZvJHcqxho.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2556
depth 4: C:\Windows\system32\chcp.com
  chcp 65001
  PID:3000
depth 4: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3056
depth 4: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1608
depth 5: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:1948
depth 5: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GphgCMZP57l8.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2176
depth 6: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2088
depth 6: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1592
depth 6: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2424
depth 7: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2608
depth 7: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\MZqeoHriAvWN.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2720
depth 8: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2132
depth 8: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:356
depth 8: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1852
depth 9: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2244
depth 9: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zh0nal1Dqftw.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2964
depth 10: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2352
depth 10: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:352
depth 10: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1016
depth 11: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:1532
depth 11: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8O0MfK4C0noo.bat" "
  PID:2948
depth 12: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2056
depth 12: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:832
depth 12: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1620
depth 13: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:1268
depth 13: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aJQ6BiOlKfV2.bat" "
  PID:2972
depth 14: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2468
depth 14: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1908
depth 14: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2496
depth 15: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:884
depth 15: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8pOOTSzmvmrC.bat" "
  PID:1768
depth 16: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2792
depth 16: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2692
depth 16: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2864
depth 17: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2544
depth 17: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hb3kIP5mw5p8.bat" "
  PID:3000
depth 18: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2228
depth 18: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2112
depth 18: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1388
depth 19: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2196
depth 19: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CUJPNDziOw1e.bat" "
  PID:1488
depth 20: C:\Windows\system32\chcp.com
  chcp 65001
  PID:808
depth 20: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1592
depth 20: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1348
depth 21: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:1004
depth 21: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\NnvBxIYUretk.bat" "
  PID:2360
depth 22: C:\Windows\system32\chcp.com
  chcp 65001
  PID:1192
depth 22: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2224
depth 22: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2120
depth 23: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:1740
depth 23: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\laiSPqih2hBL.bat" "
  PID:788
depth 24: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2848
depth 24: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:944
depth 24: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2516
depth 25: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:1460
depth 25: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\iDWXTK2hWTYw.bat" "
  PID:2012
depth 26: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2824
depth 26: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2076
depth 26: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2468
depth 27: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:1400
depth 27: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6FIchrO0YS5X.bat" "
  PID:1156
depth 28: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2500
depth 28: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2072
depth 28: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2760
depth 29: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:2668
depth 29: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQ7KOyul2KpL.bat" "
  PID:1672
depth 30: C:\Windows\system32\chcp.com
  chcp 65001
  PID:2860
depth 30: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2692
depth 30: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2544
depth 31: C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID:1412
depth 31: C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\r0V4urugqph3.bat" "
  PID:1392
depth 32: C:\Windows\system32\chcp.com
  chcp 65001
  PID:908
depth 32: C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3000
Network
MITRE ATT&CK Enterprise v15
Downloads