quasar | 55fd96a344bf6ccbf74dc7408f77f1080158fc2a0a20903b20e77a9cee2983d1

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xenonew.exe
Size

3.1MB
MD5

2d60a76ce3357eecb47f10d21ba01fb0
SHA1

1798a8dee078e7bd72296e79bbd2c2061d584fd7
SHA256

55fd96a344bf6ccbf74dc7408f77f1080158fc2a0a20903b20e77a9cee2983d1
SHA512

184f946295c7669f46a8fb878cb68bea943ed09c74cbd3588d4d7572295668edc8ba098f4e8c2deb21977d08ecc4b1f8e34376c4bb3074073e889864f04852e8
SSDEEP

49152:fvelL26AaNeWgPhlmVqvMQ7XSK1NRJ6XbR3LoGduTHHB72eh2NT:fvOL26AaNeWgPhlmVqkQ7XSK1NRJ6p

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

augustinevegas-31173.portmap.host:31173

Mutex

7d74883a-5879-4f61-8c23-fc7af453d7c2

Attributes

encryption_key
0B6DCD2BE4C82058601AFDA4AB9525FABE85A71D
install_name
Client.exe
log_directory
Logs
reconnect_delay
1
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2708-1-0x0000000000F00000-0x0000000001224000-memory.dmp	family_quasar
behavioral1/files/0x00080000000174bf-6.dat	family_quasar
behavioral1/memory/2652-9-0x0000000001100000-0x0000000001424000-memory.dmp	family_quasar
behavioral1/memory/772-33-0x0000000001350000-0x0000000001674000-memory.dmp	family_quasar
behavioral1/memory/620-54-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/1784-66-0x0000000000A10000-0x0000000000D34000-memory.dmp	family_quasar
behavioral1/memory/2960-87-0x0000000000F60000-0x0000000001284000-memory.dmp	family_quasar
behavioral1/memory/2024-99-0x00000000001F0000-0x0000000000514000-memory.dmp	family_quasar
behavioral1/memory/1696-111-0x0000000000330000-0x0000000000654000-memory.dmp	family_quasar
behavioral1/memory/828-123-0x0000000000FB0000-0x00000000012D4000-memory.dmp	family_quasar
behavioral1/memory/3052-145-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2652	Client.exe
2420	Client.exe
772	Client.exe
2392	Client.exe
620	Client.exe
1784	Client.exe
1440	Client.exe
2960	Client.exe
2024	Client.exe
1696	Client.exe
828	Client.exe
2308	Client.exe
3052	Client.exe
1016	Client.exe
2556	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2768	PING.EXE
2076	PING.EXE
2336	PING.EXE
2508	PING.EXE
1680	PING.EXE
2444	PING.EXE
1492	PING.EXE
2228	PING.EXE
2976	PING.EXE
2808	PING.EXE
1444	PING.EXE
2180	PING.EXE
2516	PING.EXE
2784	PING.EXE
1884	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2180	PING.EXE
2784	PING.EXE
2768	PING.EXE
2444	PING.EXE
2076	PING.EXE
2336	PING.EXE
1492	PING.EXE
2508	PING.EXE
2976	PING.EXE
2808	PING.EXE
2516	PING.EXE
1444	PING.EXE
1680	PING.EXE
2228	PING.EXE
1884	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2600	schtasks.exe
3064	schtasks.exe
2440	schtasks.exe
2880	schtasks.exe
888	schtasks.exe
2932	schtasks.exe
2972	schtasks.exe
680	schtasks.exe
1276	schtasks.exe
2772	schtasks.exe
804	schtasks.exe
1096	schtasks.exe
2140	schtasks.exe
2124	schtasks.exe
1268	schtasks.exe
1528	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	xenonew.exe
Token: SeDebugPrivilege	2652	Client.exe
Token: SeDebugPrivilege	2420	Client.exe
Token: SeDebugPrivilege	772	Client.exe
Token: SeDebugPrivilege	2392	Client.exe
Token: SeDebugPrivilege	620	Client.exe
Token: SeDebugPrivilege	1784	Client.exe
Token: SeDebugPrivilege	1440	Client.exe
Token: SeDebugPrivilege	2960	Client.exe
Token: SeDebugPrivilege	2024	Client.exe
Token: SeDebugPrivilege	1696	Client.exe
Token: SeDebugPrivilege	828	Client.exe
Token: SeDebugPrivilege	2308	Client.exe
Token: SeDebugPrivilege	3052	Client.exe
Token: SeDebugPrivilege	1016	Client.exe
Token: SeDebugPrivilege	2556	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2652	Client.exe
2420	Client.exe
772	Client.exe
2392	Client.exe
620	Client.exe
1784	Client.exe
1440	Client.exe
2960	Client.exe
2024	Client.exe
1696	Client.exe
828	Client.exe
2308	Client.exe
3052	Client.exe
1016	Client.exe
2556	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2652	Client.exe
2420	Client.exe
772	Client.exe
2392	Client.exe
620	Client.exe
1784	Client.exe
1440	Client.exe
2960	Client.exe
2024	Client.exe
1696	Client.exe
828	Client.exe
2308	Client.exe
3052	Client.exe
1016	Client.exe
2556	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2880	2708	xenonew.exe	30
PID 2708 wrote to memory of 2880	2708	xenonew.exe	30
PID 2708 wrote to memory of 2880	2708	xenonew.exe	30
PID 2708 wrote to memory of 2652	2708	xenonew.exe	32
PID 2708 wrote to memory of 2652	2708	xenonew.exe	32
PID 2708 wrote to memory of 2652	2708	xenonew.exe	32
PID 2652 wrote to memory of 2600	2652	Client.exe	33
PID 2652 wrote to memory of 2600	2652	Client.exe	33
PID 2652 wrote to memory of 2600	2652	Client.exe	33
PID 2652 wrote to memory of 1920	2652	Client.exe	35
PID 2652 wrote to memory of 1920	2652	Client.exe	35
PID 2652 wrote to memory of 1920	2652	Client.exe	35
PID 1920 wrote to memory of 860	1920	cmd.exe	37
PID 1920 wrote to memory of 860	1920	cmd.exe	37
PID 1920 wrote to memory of 860	1920	cmd.exe	37
PID 1920 wrote to memory of 2768	1920	cmd.exe	38
PID 1920 wrote to memory of 2768	1920	cmd.exe	38
PID 1920 wrote to memory of 2768	1920	cmd.exe	38
PID 1920 wrote to memory of 2420	1920	cmd.exe	39
PID 1920 wrote to memory of 2420	1920	cmd.exe	39
PID 1920 wrote to memory of 2420	1920	cmd.exe	39
PID 2420 wrote to memory of 888	2420	Client.exe	40
PID 2420 wrote to memory of 888	2420	Client.exe	40
PID 2420 wrote to memory of 888	2420	Client.exe	40
PID 2420 wrote to memory of 1196	2420	Client.exe	42
PID 2420 wrote to memory of 1196	2420	Client.exe	42
PID 2420 wrote to memory of 1196	2420	Client.exe	42
PID 1196 wrote to memory of 1580	1196	cmd.exe	44
PID 1196 wrote to memory of 1580	1196	cmd.exe	44
PID 1196 wrote to memory of 1580	1196	cmd.exe	44
PID 1196 wrote to memory of 2444	1196	cmd.exe	45
PID 1196 wrote to memory of 2444	1196	cmd.exe	45
PID 1196 wrote to memory of 2444	1196	cmd.exe	45
PID 1196 wrote to memory of 772	1196	cmd.exe	46
PID 1196 wrote to memory of 772	1196	cmd.exe	46
PID 1196 wrote to memory of 772	1196	cmd.exe	46
PID 772 wrote to memory of 680	772	Client.exe	47
PID 772 wrote to memory of 680	772	Client.exe	47
PID 772 wrote to memory of 680	772	Client.exe	47
PID 772 wrote to memory of 1684	772	Client.exe	49
PID 772 wrote to memory of 1684	772	Client.exe	49
PID 772 wrote to memory of 1684	772	Client.exe	49
PID 1684 wrote to memory of 1864	1684	cmd.exe	51
PID 1684 wrote to memory of 1864	1684	cmd.exe	51
PID 1684 wrote to memory of 1864	1684	cmd.exe	51
PID 1684 wrote to memory of 2076	1684	cmd.exe	52
PID 1684 wrote to memory of 2076	1684	cmd.exe	52
PID 1684 wrote to memory of 2076	1684	cmd.exe	52
PID 1684 wrote to memory of 2392	1684	cmd.exe	53
PID 1684 wrote to memory of 2392	1684	cmd.exe	53
PID 1684 wrote to memory of 2392	1684	cmd.exe	53
PID 2392 wrote to memory of 3064	2392	Client.exe	54
PID 2392 wrote to memory of 3064	2392	Client.exe	54
PID 2392 wrote to memory of 3064	2392	Client.exe	54
PID 2392 wrote to memory of 1704	2392	Client.exe	56
PID 2392 wrote to memory of 1704	2392	Client.exe	56
PID 2392 wrote to memory of 1704	2392	Client.exe	56
PID 1704 wrote to memory of 2092	1704	cmd.exe	58
PID 1704 wrote to memory of 2092	1704	cmd.exe	58
PID 1704 wrote to memory of 2092	1704	cmd.exe	58
PID 1704 wrote to memory of 2336	1704	cmd.exe	59
PID 1704 wrote to memory of 2336	1704	cmd.exe	59
PID 1704 wrote to memory of 2336	1704	cmd.exe	59
PID 1704 wrote to memory of 620	1704	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xenonew.exe
"C:\Users\Admin\AppData\Local\Temp\xenonew.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2880
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2600
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUBxM8Hcp5rL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:860
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2768
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:888
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgJS4WhDui7O.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1580
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\H2CbiesxPEMv.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGLCXm1GbBPC.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:620
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\u1xuERc08BX1.bat" "
        11⤵
        
        PID:2260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1784
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZJjerLfCjPSU.bat" "
        13⤵
        
        PID:1720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1440
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tJzYgKLadmfc.bat" "
        15⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2960
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\X5BImzjuZ0tX.bat" "
        17⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2024
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1XjNSUfjyk6S.bat" "
        19⤵
        
        PID:576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1696
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2772
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HC8vdxgb2gPc.bat" "
        21⤵
        
        PID:2076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:828
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\u1ztFZzKngLR.bat" "
        23⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2308
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gN5QOxqnohu5.bat" "
        25⤵
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1096
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OdV1Kx7gUxEP.bat" "
        27⤵
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1016
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SF9N06x3xDRe.bat" "
        29⤵
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2556
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2972
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iBwzt7ERzP15.bat" "
        31⤵
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1XjNSUfjyk6S.bat

Filesize
207B

MD5
d8880342d37330cbec413997c1ed5fab

SHA1
b0f23fea279c6dc9d0c7a496a471323a85cc508c

SHA256
2b03e8f3762f3640b63af4667df9c04d56d87a890e78c816353346e1eb020bf4

SHA512
0bf21acd823e19772f53f1667148f44c968f8278992f574c822e33102361c42c9f7c79c6a97acb900ab8a354644889971c2d476d72e4694e2d0871e81c3fc7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\H2CbiesxPEMv.bat

Filesize
207B

MD5
538503df1bf9fe52641cd78990e919ec

SHA1
3baca5faddf552c280306cefdaaa7aef67ea563d

SHA256
c1949507143b5ada2b328557273bdbac9f0311be1174d67e40dfdb1c3ab03413

SHA512
b14493698f9dedcb663d9c22d87be9002c38a40cf6efe1fea00da15fe6ea33ec75bac1dfd87f9cec3df88f219f5370c64d7ca374c4eed8aa4118e05ba4f68c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\HC8vdxgb2gPc.bat

Filesize
207B

MD5
163c3708007bc7c92d84ff538595ae44

SHA1
ce92ac7fbf545bbc83e9774219233e7418dc21e6

SHA256
e6e583f6d393f50b496422d92a8cb865827957fc53534e66aff5e78b2ad1d0b4

SHA512
ff69cde8d3bc02c3ac030987c6fdcda83435d383807d7b2b2dcc573ac2e20f256754c5deb3fe25d3d8d182b514b8aaa1b48f60cc3fb8b65dc91e19daf5a92c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\OdV1Kx7gUxEP.bat

Filesize
207B

MD5
9cd9831db478ae955ade3e110e6b2086

SHA1
ea78aef0e8879978449cf36a074bac7f467062ea

SHA256
55adb47ab7d2d4c558b9e1516bbd3362c69805422ee6f65f4b5f1f729a8616f1

SHA512
b51cf54f0927d73a36919d466ec412a200fa875fdb7f1939807e889fe8d46dcd7fcfed8dc23fd9eafb485523891f6c942098c10ad47538b47ee25f8c23b2c136

Download Submit
C:\Users\Admin\AppData\Local\Temp\SF9N06x3xDRe.bat

Filesize
207B

MD5
086cd221efeb4c7bef4d33679600b09b

SHA1
363057459fbd12f16dc165bd200fed15e72c5f97

SHA256
771860edad58d51d0b142787386d94db000f6716e4b645cfb8d03d4e2fd5629b

SHA512
f12f69802084a74298f9699977df21f7d00bb3954580ecd6351a4b8277b200083c9d3fee0693170504b2a9e6f977ea1cb35d0b1efb43fbf897a3fdc38987435b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5BImzjuZ0tX.bat

Filesize
207B

MD5
0c494269a82e95037613c5265ce90fea

SHA1
09d01fa6522587a4899a40a9b0f0c2c9ed097531

SHA256
ef8f9cb8ce51e2f1b113aeb4f0ecf8b71b695d7935fa4ac7ad1147ebf3e44a32

SHA512
5afa64a1930e066a1fe5b6c9109cbf05246178e314d29d602277ef65a508f3bd73ac7642e774db0580a099d6b35618b480d7057285216e4c76aba853c7e2f0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZJjerLfCjPSU.bat

Filesize
207B

MD5
c96f458258a0103e5926b47c20ecbb62

SHA1
51199e3122f860888a7fae5cb521fac78fdd8104

SHA256
a8f55c8bfbe869bbce239b52937b24892e239425956ff296637a5e2aca01e7f5

SHA512
693fc24b5279c118e6c3d2345345fd6a824b89c13a2b0f40887ea0eb73500df7721f400eed5cfd932c144de57b759fc3f0302dbd6103eca414a358463b9a0cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gN5QOxqnohu5.bat

Filesize
207B

MD5
30bb5050887b6aaf2ff9c70c92790b0c

SHA1
df42e36943cab04e55072a0274c6ce8f1a6eee25

SHA256
700ab435a2387e84dde64653af36d90cb8b21d3501767f0f85989acc1acf0739

SHA512
da9d75d3136613542d7f5ad3ecd2eb6f088b302e985ec7eb1c44c5cf7222dedb3b1718e75865ae0c508a5cc230d62e42e55ae9b16cb5490787ecdc6a8aa712d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUBxM8Hcp5rL.bat

Filesize
207B

MD5
d694e2c655618d2d70fac08dd7d2d87a

SHA1
ffd69af336c3badeff378875874a2e803630b5a7

SHA256
73adf5a91a5d5ff8fedc4486835167c49bd2bb8588a73ee4d937552fa1478824

SHA512
459ce4d6c4cd170493689edeb9cbd307e9c2b726d727cee05d5dc3eed2c54b7a6cfe727a434ca6c6a1edb503663bf1f7aa2443840b49b709a6f31f4818416ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\iBwzt7ERzP15.bat

Filesize
207B

MD5
06fd09e2534e325197115cb940da2ed7

SHA1
156824c8e814c8c2d2343cd6e556c6c6f4fe8597

SHA256
412e7580e648db2d1119961210e875e4d99925ef63d42e63a646a0251808adcb

SHA512
9f6636c12ba55a61d70757b8bc7986815b526f23e302caa50d22ccc689af43a0045f15dd97cc8f4e9832cd4bda864b2486293976ec580f169deabcc5e317939e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgJS4WhDui7O.bat

Filesize
207B

MD5
054b9cac69e39c9da172c8e621df83dc

SHA1
bbb01986f281119a809c81172f11edd8bf680bde

SHA256
bdb2dcc1d3cadd5810bd6c101e35f30627742b306cd0cc09768f44046ad4ae1b

SHA512
1887ecc7c839875428f5e8e165e4b64b571932263594750d6228b0fcfd79996fb8f737e7c1e62b8c63d64a84f3dfee882a9c6d3f116bf5b4e74f9d2e89f5b891

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJzYgKLadmfc.bat

Filesize
207B

MD5
847cfc04ec7eb63a045029bbf9cfbcce

SHA1
2d679517cba5899435f983d7a3fe73adf3cc6b8b

SHA256
651cebbe164ab86abf3108cf33e266a5000c82cf2c388c989aec9bd631a9879f

SHA512
d5406949e7d9c5451bbed8df08ac1b26cec0cd95d0d71752d1b8079d353f7deecee40005feb12abc921f571dab5fb7b9fb4d312a188b6dc1206740f95961e646

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1xuERc08BX1.bat

Filesize
207B

MD5
edb3f0a792c5084e65e3587b7c4b3479

SHA1
20928d8b426e4cce8a6e3dd26ae715832356856c

SHA256
3796683d60a05ef26fff3dce45952ccd0c53d129312a5ad8c37df001917bf33b

SHA512
f44a517bec71f0c3be8257432d0803d929d45c0d4747157584f5aecb06c00095a9e0c33f2891d666a00338a947550b0c9c5e920a3abb1585130f355e354de927

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1ztFZzKngLR.bat

Filesize
207B

MD5
70a64d1324b96bd488d068f74d6a1780

SHA1
d9e787a138a39725579215baf54ecf90d62629e7

SHA256
67e800b4d75316f3cf0fdecf90201c68f21e38a518ba409eab88553da64c8531

SHA512
e7f5d8b29d7fc2f6c3d418cc6c659323773b2e1d8da758bb2a8fc400e4cc2264edc743b43df90a7f789cd4fc65c39e99e5e649fc2e222958b72acf406a3678c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uGLCXm1GbBPC.bat

Filesize
207B

MD5
b762debb59e2138e3ac0549d227f0def

SHA1
729a2aa341a9723ee5b3c04cbac34c1212c2f97f

SHA256
bac365dee88564fcaac91ba66c83dc36a58929065f2250b42dad0d199bc4e47e

SHA512
e4089bb681178c1f2c7b134b0b1b5549e80b9370d70554b521901bebda0c19362fd41616b7f45ba7102b05a350a3e78a956cdca88b72bdd0ff435e8e073c1c48

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
2d60a76ce3357eecb47f10d21ba01fb0

SHA1
1798a8dee078e7bd72296e79bbd2c2061d584fd7

SHA256
55fd96a344bf6ccbf74dc7408f77f1080158fc2a0a20903b20e77a9cee2983d1

SHA512
184f946295c7669f46a8fb878cb68bea943ed09c74cbd3588d4d7572295668edc8ba098f4e8c2deb21977d08ecc4b1f8e34376c4bb3074073e889864f04852e8

Download Submit
memory/620-54-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/772-33-0x0000000001350000-0x0000000001674000-memory.dmp

Filesize
3.1MB

Download
memory/828-123-0x0000000000FB0000-0x00000000012D4000-memory.dmp

Filesize
3.1MB

Download
memory/1696-111-0x0000000000330000-0x0000000000654000-memory.dmp

Filesize
3.1MB

Download
memory/1784-66-0x0000000000A10000-0x0000000000D34000-memory.dmp

Filesize
3.1MB

Download
memory/2024-99-0x00000000001F0000-0x0000000000514000-memory.dmp

Filesize
3.1MB

Download
memory/2652-21-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-11-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-9-0x0000000001100000-0x0000000001424000-memory.dmp

Filesize
3.1MB

Download
memory/2652-8-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2708-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2708-10-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2708-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2708-1-0x0000000000F00000-0x0000000001224000-memory.dmp

Filesize
3.1MB

Download
memory/2960-87-0x0000000000F60000-0x0000000001284000-memory.dmp

Filesize
3.1MB

Download
memory/3052-145-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads