quasar | 35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

9cd0c80ad619579b83e16f7afebf98b2
SHA1

e19f404fe2b5f2fa57af674c2993009ae13e29f8
SHA256

35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f
SHA512

fb2613be8e367893386497b1ee3aa52c608f0c9c539c0e0ac6738cb4333301ca3f6bbb63fbf2ea60d54884a7fce624e1ec9ecc0c70ed0fc114da2254cb05bc48
SSDEEP

49152:/v3lL26AaNeWgPhlmVqvMQ7XSKIrRJ6dbR3LoGdm0THHB72eh2NT:/v1L26AaNeWgPhlmVqkQ7XSKIrRJ6vW

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

abc248597df-25592.portmap.host:25592:25592

Mutex

837d4201-7565-459a-ad6a-d5ef54fa537b

Attributes

encryption_key
A896862809BEA850DB21D754E127B53DD347664D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1484-1-0x0000000000E90000-0x00000000011B4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c8a-7.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
4212	Client.exe
932	Client.exe
2668	Client.exe
3780	Client.exe
4936	Client.exe
3228	Client.exe
1744	Client.exe
1384	Client.exe
3520	Client.exe
1460	Client.exe
1976	Client.exe
4272	Client.exe
4432	Client.exe
4512	Client.exe
2372	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2368	PING.EXE
2308	PING.EXE
4148	PING.EXE
448	PING.EXE
4040	PING.EXE
3676	PING.EXE
3336	PING.EXE
3888	PING.EXE
2356	PING.EXE
452	PING.EXE
4112	PING.EXE
2972	PING.EXE
2324	PING.EXE
1052	PING.EXE
456	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2368	PING.EXE
448	PING.EXE
3676	PING.EXE
2972	PING.EXE
4040	PING.EXE
456	PING.EXE
2356	PING.EXE
1052	PING.EXE
2308	PING.EXE
4112	PING.EXE
3336	PING.EXE
452	PING.EXE
2324	PING.EXE
3888	PING.EXE
4148	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1916	schtasks.exe
4340	schtasks.exe
836	schtasks.exe
4264	schtasks.exe
872	schtasks.exe
1048	schtasks.exe
3796	schtasks.exe
4020	schtasks.exe
4616	schtasks.exe
4312	schtasks.exe
1368	schtasks.exe
3624	schtasks.exe
2384	schtasks.exe
3240	schtasks.exe
592	schtasks.exe
1592	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	Client-built.exe
Token: SeDebugPrivilege	4212	Client.exe
Token: SeDebugPrivilege	932	Client.exe
Token: SeDebugPrivilege	2668	Client.exe
Token: SeDebugPrivilege	3780	Client.exe
Token: SeDebugPrivilege	4936	Client.exe
Token: SeDebugPrivilege	3228	Client.exe
Token: SeDebugPrivilege	1744	Client.exe
Token: SeDebugPrivilege	1384	Client.exe
Token: SeDebugPrivilege	3520	Client.exe
Token: SeDebugPrivilege	1460	Client.exe
Token: SeDebugPrivilege	1976	Client.exe
Token: SeDebugPrivilege	4272	Client.exe
Token: SeDebugPrivilege	4432	Client.exe
Token: SeDebugPrivilege	4512	Client.exe
Token: SeDebugPrivilege	2372	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4212	Client.exe
932	Client.exe
2668	Client.exe
3780	Client.exe
4936	Client.exe
3228	Client.exe
1744	Client.exe
1384	Client.exe
3520	Client.exe
1460	Client.exe
1976	Client.exe
4272	Client.exe
4432	Client.exe
4512	Client.exe
2372	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4212	Client.exe
932	Client.exe
2668	Client.exe
3780	Client.exe
4936	Client.exe
3228	Client.exe
1744	Client.exe
1384	Client.exe
3520	Client.exe
1460	Client.exe
1976	Client.exe
4272	Client.exe
4432	Client.exe
4512	Client.exe
2372	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 4312	1484	Client-built.exe	83
PID 1484 wrote to memory of 4312	1484	Client-built.exe	83
PID 1484 wrote to memory of 4212	1484	Client-built.exe	85
PID 1484 wrote to memory of 4212	1484	Client-built.exe	85
PID 4212 wrote to memory of 3796	4212	Client.exe	86
PID 4212 wrote to memory of 3796	4212	Client.exe	86
PID 4212 wrote to memory of 384	4212	Client.exe	88
PID 4212 wrote to memory of 384	4212	Client.exe	88
PID 384 wrote to memory of 3112	384	cmd.exe	90
PID 384 wrote to memory of 3112	384	cmd.exe	90
PID 384 wrote to memory of 1052	384	cmd.exe	91
PID 384 wrote to memory of 1052	384	cmd.exe	91
PID 384 wrote to memory of 932	384	cmd.exe	92
PID 384 wrote to memory of 932	384	cmd.exe	92
PID 932 wrote to memory of 4020	932	Client.exe	93
PID 932 wrote to memory of 4020	932	Client.exe	93
PID 932 wrote to memory of 2004	932	Client.exe	95
PID 932 wrote to memory of 2004	932	Client.exe	95
PID 2004 wrote to memory of 3820	2004	cmd.exe	98
PID 2004 wrote to memory of 3820	2004	cmd.exe	98
PID 2004 wrote to memory of 452	2004	cmd.exe	99
PID 2004 wrote to memory of 452	2004	cmd.exe	99
PID 2004 wrote to memory of 2668	2004	cmd.exe	101
PID 2004 wrote to memory of 2668	2004	cmd.exe	101
PID 2668 wrote to memory of 1916	2668	Client.exe	104
PID 2668 wrote to memory of 1916	2668	Client.exe	104
PID 2668 wrote to memory of 1820	2668	Client.exe	106
PID 2668 wrote to memory of 1820	2668	Client.exe	106
PID 1820 wrote to memory of 3664	1820	cmd.exe	109
PID 1820 wrote to memory of 3664	1820	cmd.exe	109
PID 1820 wrote to memory of 2368	1820	cmd.exe	110
PID 1820 wrote to memory of 2368	1820	cmd.exe	110
PID 1820 wrote to memory of 3780	1820	cmd.exe	123
PID 1820 wrote to memory of 3780	1820	cmd.exe	123
PID 3780 wrote to memory of 3240	3780	Client.exe	124
PID 3780 wrote to memory of 3240	3780	Client.exe	124
PID 3780 wrote to memory of 3676	3780	Client.exe	127
PID 3780 wrote to memory of 3676	3780	Client.exe	127
PID 3676 wrote to memory of 976	3676	cmd.exe	129
PID 3676 wrote to memory of 976	3676	cmd.exe	129
PID 3676 wrote to memory of 2308	3676	cmd.exe	130
PID 3676 wrote to memory of 2308	3676	cmd.exe	130
PID 3676 wrote to memory of 4936	3676	cmd.exe	132
PID 3676 wrote to memory of 4936	3676	cmd.exe	132
PID 4936 wrote to memory of 592	4936	Client.exe	133
PID 4936 wrote to memory of 592	4936	Client.exe	133
PID 4936 wrote to memory of 3716	4936	Client.exe	135
PID 4936 wrote to memory of 3716	4936	Client.exe	135
PID 3716 wrote to memory of 3344	3716	cmd.exe	138
PID 3716 wrote to memory of 3344	3716	cmd.exe	138
PID 3716 wrote to memory of 448	3716	cmd.exe	139
PID 3716 wrote to memory of 448	3716	cmd.exe	139
PID 3716 wrote to memory of 3228	3716	cmd.exe	140
PID 3716 wrote to memory of 3228	3716	cmd.exe	140
PID 3228 wrote to memory of 4340	3228	Client.exe	141
PID 3228 wrote to memory of 4340	3228	Client.exe	141
PID 3228 wrote to memory of 2964	3228	Client.exe	144
PID 3228 wrote to memory of 2964	3228	Client.exe	144
PID 2964 wrote to memory of 3224	2964	cmd.exe	146
PID 2964 wrote to memory of 3224	2964	cmd.exe	146
PID 2964 wrote to memory of 4112	2964	cmd.exe	147
PID 2964 wrote to memory of 4112	2964	cmd.exe	147
PID 2964 wrote to memory of 1744	2964	cmd.exe	149
PID 2964 wrote to memory of 1744	2964	cmd.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4312
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vF8Rs4Vmep7e.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3112
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1052
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOHTmlKRywO9.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3820
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:452
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x26o6882aocO.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h8L6shcecQx7.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0UiGqksib8Cl.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IP1E3LKOTQUl.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMh0bhOCAWyR.bat" "
        15⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q3YD60uEsQem.bat" "
        17⤵
        
        PID:4476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQwT1EfgLcSn.bat" "
        19⤵
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NNsSHViU4rJZ.bat" "
        21⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Px6IF0m0Y02z.bat" "
        23⤵
        
        PID:3248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4272
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xTt5IgKTS6KU.bat" "
        25⤵
        
        PID:2812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3ahnNlrAfWTs.bat" "
        27⤵
        
        PID:2496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WP74IbKPhIBk.bat" "
        29⤵
        
        PID:4012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4148
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i5oWhEHGLysn.bat" "
        31⤵
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0UiGqksib8Cl.bat

Filesize
207B

MD5
0807bd0bb4258286a2365d41f075be03

SHA1
5999994b35a6c6e350a6e1dec646976319bd56c3

SHA256
8a45d81c9e19d16453e2e822cf0babf3914df32dfd4731cc760028db641bb466

SHA512
de9992884d5b0b468c934c80731b29f719a4a1364c289df998ca36f9138a50339550d58aa895915641c193dad56e4d046176f27c37f470b543070ddf97183b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ahnNlrAfWTs.bat

Filesize
207B

MD5
20d7f37403cb0e1c1686fb56274febe1

SHA1
5ae622d5c048d5fe8bd14a292709d0f61e77b922

SHA256
41555fd46f2e2624ef7d373a995c3fdb6ce5a7091256984e35bcdd856117547b

SHA512
e43d9b596a16583a4a68118e3ff31c59b864411352bf0876583b779163266666eb9a0db040440b9c5f134d34202d855201f526b8ccb52ef5465ca70e859189a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IP1E3LKOTQUl.bat

Filesize
207B

MD5
c278b19e24973e36e758a3e1970caf83

SHA1
a9509d7925e3e8f8bc35c9ae3194fd233919b4a0

SHA256
cfde4eeb42f0da666adff56f38bd6b1eeb973d80ba7ce4b7682adb6b55231352

SHA512
e7d6461530816ea1390bb06ab711d668e2507016f1809d80a1ff1012b5523b9d14fa6fb8293bece41838167a494b92524434416a65f9220ea89dbf64cffa6157

Download Submit
C:\Users\Admin\AppData\Local\Temp\NNsSHViU4rJZ.bat

Filesize
207B

MD5
29758ac8c501db96e83eb0169cb6e436

SHA1
f0394ba9f0cd442869a6b273cdaf9db5fde16e18

SHA256
77fed35cbeacf62d9fdda49f7424684504794a7a291370f4b10fc85bfd470d7f

SHA512
c9814f13b0d961de49eef6b66cfc8d3472581561805d860fa35c2289fec5de9723bff82d4c6cd4671320a8e47789643a35306c9cff937913f3e993edcfa361d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Px6IF0m0Y02z.bat

Filesize
207B

MD5
93d0d3f6d1add44e585c16f5c8c2a228

SHA1
9a2e1ace3581a8dcfb36690b31dc6134838ffde7

SHA256
99a701440f613dcc4932feadbb3a37ab0b7389452d581f8343dfe6e71347fef4

SHA512
662cb52725822ff5f1f2307105397a8e74872d7e3e5e623955a490959b0a38666015b2540345fc4d0891d8bf672975986630a2948f7a3b691e6e5e21f38410e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q3YD60uEsQem.bat

Filesize
207B

MD5
5066c8cf33e7e2d42b288604c90ae3ca

SHA1
d41a43d488e16ced5d56c4b1061c415645c6d934

SHA256
088f61390a2ed7ee4d39f117640d181f14aeff1a04756284a2e955fc12176c1e

SHA512
e059961151bc0985ca163bdeaa68c88fd9eea8fa49d14c3725848c1c883eaad4179ba84911b17b3b5fd5234877bd0190af091be41a406b8539df5f659218b274

Download Submit
C:\Users\Admin\AppData\Local\Temp\WP74IbKPhIBk.bat

Filesize
207B

MD5
27230275533a9fe02bf0fcd24e532c85

SHA1
b2e7f6dd6b4e4c61d688d4f0539a20b9fa75aaac

SHA256
3a0a12c479de34bfe7ed19afce2ab30a021181d341be9e10f707735b785b49b3

SHA512
61acd55cbfc3f54b9fae3835ebc6375ff7dd8b4dc0fe68cf1f202c4ba8d983e055a7bafb1f1b80ce10221fda9a0a77ed3f13643d34f7f08cba40fd4c15e93b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQwT1EfgLcSn.bat

Filesize
207B

MD5
eccc42c87a585bea521a65e57c36173c

SHA1
f1482daba97069170fd361b696c0750dc5c76bce

SHA256
e91bebba073754efbcecbb2cccd850098ce7c3b8b978d621939f3829e00baf55

SHA512
56831b1961ec5b9f05ee3992f3e447d0de9ba615c9f35712db4f77bf8944b7e3e8f321d64ae1c3db754fe563eb4e5ea8713ef119fcdc3312c4355e2f64448d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8L6shcecQx7.bat

Filesize
207B

MD5
aeb2822306b5d7c9a0dbe7e6d2dfedac

SHA1
31e9fb3791480010f7103fcb5a4e9e16a76f617b

SHA256
beaf18c5cee2cf51c267e9269b93690d8ccea69e3d8c0feab6507e615425daad

SHA512
47adaf040f7a0b95910739838f62868d2428660d0e4f442cd73deff474068a012cd6ee4defb1116388a943c4b25514e00af20c0a6bf8ea0e097a6d724bdc3700

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5oWhEHGLysn.bat

Filesize
207B

MD5
bdb4e7c4b573aebbca48e84cb0210d58

SHA1
d5e0f55924153d9c42db404c8c0503a9d56542e0

SHA256
8b8af9e60d0cf03197c0a062e28e527b8f9cff71e7fe7b69a6d39338cfbdee0c

SHA512
f8c730bc8f3ae73f530affec5167d8b95641a5c34d95279bac3854749eb8cda3c58d8d1cafc97b9e1642d9d80d88e579c913323de09fd61014801a180d9f4ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOHTmlKRywO9.bat

Filesize
207B

MD5
c050959971b2514d4c3a6eb2220c8f24

SHA1
b721096233f71921b843154a7b21c64fa3c78c49

SHA256
3eb6b2028ce33f7b256eed0c80b6b981a89a2ec75dc941f5ee0d9b2ee0f04006

SHA512
f9d57d844e1a556583bcdf24ce57f86eb6290c6658b70c89e0937503e8cb6ca5004f3289345d07db37aedb422281a7e71044d36f4885a7a9267732df8bee2c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\vF8Rs4Vmep7e.bat

Filesize
207B

MD5
e37cb043e7c2083718bdbfc72f776c58

SHA1
c850d06954adc259010feb21973e4ca4f1879ef4

SHA256
f879fafff092a085f4f0fa32a038b44a6ff4e7d370ea254e8e147d7dcc8ecf70

SHA512
0a48b9837c84e7c0fb38ecf86e88be42236a225b0e647d62caecdf10ebfe950380e3aeab56410cd564452d5fb9c6bc7c8db5d7a4dc58e2f6023ef4513d86d44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMh0bhOCAWyR.bat

Filesize
207B

MD5
69dfc18d16f7239e6c3d0d2b0926f3ca

SHA1
73681359ef5751283284640bd975ae5bb250b1e8

SHA256
3982fa705d14d32a3198677db53c95b432d0e066f2ce10f78da115b26d9595c9

SHA512
2d5fbd4a355d9fe5170aee63bf5e4b12220044b2ac0ba955c5c15e63726329e385abdfe3e5eb8a440412b26e4ccda78e3fc95ace47ab980aaf8550cd85e29a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x26o6882aocO.bat

Filesize
207B

MD5
d611d17beeaaaf3e57fcd2d83d35d928

SHA1
22d07912ecae7202da6ec71ac755f3204e1b5ade

SHA256
cef6d2066c704defb998127a66a41831cf66a833b0aeb6b3cc82a43dea708cc4

SHA512
ea80a921ec82d13f6def92a0765e1e93e325483c1eea6d19154f80513db70bf3b9c9bcf07dac87f8cbbfa1f6c3799e9b059085c3d01b17a059834527a60b58bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xTt5IgKTS6KU.bat

Filesize
207B

MD5
3436d40cec1e7c8b0bb9561a5c9f6b8d

SHA1
827f4a59a44b3b3b97eda73e450225db84fd3e42

SHA256
ba6f9b15a8bf293aa19b16680b36c3dce63ad2a711f7e40cc2919381314a41aa

SHA512
911ad1c56e97946fe68a9ca666fec8c01eec819f6193d3e705e14f7a20f646dd79c882c8bd1c35c31187f4cc42eb269e25f990240e3d1a52af0d80fb9dffe000

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
9cd0c80ad619579b83e16f7afebf98b2

SHA1
e19f404fe2b5f2fa57af674c2993009ae13e29f8

SHA256
35cdd06575489ef146d2851a906eb542cddbfb9c94fd31b703dfee4944d8e36f

SHA512
fb2613be8e367893386497b1ee3aa52c608f0c9c539c0e0ac6738cb4333301ca3f6bbb63fbf2ea60d54884a7fce624e1ec9ecc0c70ed0fc114da2254cb05bc48

Download Submit
memory/1484-1-0x0000000000E90000-0x00000000011B4000-memory.dmp

Filesize
3.1MB

Download
memory/1484-2-0x00007FFC9E500000-0x00007FFC9EFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1484-0-0x00007FFC9E503000-0x00007FFC9E505000-memory.dmp

Filesize
8KB

Download
memory/1484-8-0x00007FFC9E500000-0x00007FFC9EFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4212-11-0x000000001BD10000-0x000000001BD60000-memory.dmp

Filesize
320KB

Download
memory/4212-9-0x00007FFC9E500000-0x00007FFC9EFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4212-10-0x00007FFC9E500000-0x00007FFC9EFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4212-12-0x000000001BE20000-0x000000001BED2000-memory.dmp

Filesize
712KB

Download
memory/4212-18-0x00007FFC9E500000-0x00007FFC9EFC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads