quasar | b8a2e41418a9b8a882cd0c4a43bc25835a07b273be2e3851aa57737bef0929b3

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image Logger 3.5.exe
Size

3.4MB
MD5

55fed3c2f548f0a0beed666f20a01d97
SHA1

e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256

cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512

2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
SSDEEP

49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes

encryption_key
5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/660-1-0x00000000007E0000-0x0000000000B46000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c9d-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
2956	Client.exe
5116	Client.exe
3984	Client.exe
1268	Client.exe
1500	Client.exe
2284	Client.exe
804	Client.exe
3952	Client.exe
1152	Client.exe
4452	Client.exe
3980	Client.exe
5032	Client.exe
3116	Client.exe
404	Client.exe
5048	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4732	PING.EXE
3520	PING.EXE
1648	PING.EXE
4032	PING.EXE
396	PING.EXE
2100	PING.EXE
4708	PING.EXE
5072	PING.EXE
3848	PING.EXE
2152	PING.EXE
3708	PING.EXE
1920	PING.EXE
1556	PING.EXE
2588	PING.EXE
1712	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3848	PING.EXE
3708	PING.EXE
1920	PING.EXE
2588	PING.EXE
4732	PING.EXE
3520	PING.EXE
1648	PING.EXE
2100	PING.EXE
1556	PING.EXE
5072	PING.EXE
396	PING.EXE
1712	PING.EXE
2152	PING.EXE
4032	PING.EXE
4708	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3432	schtasks.exe
2776	schtasks.exe
348	schtasks.exe
856	schtasks.exe
660	schtasks.exe
1384	schtasks.exe
3504	schtasks.exe
1508	schtasks.exe
2372	schtasks.exe
1124	schtasks.exe
1288	schtasks.exe
3132	schtasks.exe
3144	schtasks.exe
3972	schtasks.exe
4980	schtasks.exe
1748	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	Image Logger 3.5.exe
Token: SeDebugPrivilege	2956	Client.exe
Token: SeDebugPrivilege	5116	Client.exe
Token: SeDebugPrivilege	3984	Client.exe
Token: SeDebugPrivilege	1268	Client.exe
Token: SeDebugPrivilege	1500	Client.exe
Token: SeDebugPrivilege	2284	Client.exe
Token: SeDebugPrivilege	804	Client.exe
Token: SeDebugPrivilege	3952	Client.exe
Token: SeDebugPrivilege	1152	Client.exe
Token: SeDebugPrivilege	4452	Client.exe
Token: SeDebugPrivilege	3980	Client.exe
Token: SeDebugPrivilege	5032	Client.exe
Token: SeDebugPrivilege	3116	Client.exe
Token: SeDebugPrivilege	404	Client.exe
Token: SeDebugPrivilege	5048	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2956	Client.exe
5116	Client.exe
3984	Client.exe
1268	Client.exe
1500	Client.exe
2284	Client.exe
804	Client.exe
3952	Client.exe
1152	Client.exe
4452	Client.exe
3980	Client.exe
5032	Client.exe
3116	Client.exe
404	Client.exe
5048	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2956	Client.exe
5116	Client.exe
3984	Client.exe
1268	Client.exe
1500	Client.exe
2284	Client.exe
804	Client.exe
3952	Client.exe
1152	Client.exe
4452	Client.exe
3980	Client.exe
5032	Client.exe
3116	Client.exe
404	Client.exe
5048	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 3504	660	Image Logger 3.5.exe	83
PID 660 wrote to memory of 3504	660	Image Logger 3.5.exe	83
PID 660 wrote to memory of 2956	660	Image Logger 3.5.exe	85
PID 660 wrote to memory of 2956	660	Image Logger 3.5.exe	85
PID 2956 wrote to memory of 1508	2956	Client.exe	86
PID 2956 wrote to memory of 1508	2956	Client.exe	86
PID 2956 wrote to memory of 3192	2956	Client.exe	88
PID 2956 wrote to memory of 3192	2956	Client.exe	88
PID 3192 wrote to memory of 4324	3192	cmd.exe	90
PID 3192 wrote to memory of 4324	3192	cmd.exe	90
PID 3192 wrote to memory of 3848	3192	cmd.exe	91
PID 3192 wrote to memory of 3848	3192	cmd.exe	91
PID 3192 wrote to memory of 5116	3192	cmd.exe	99
PID 3192 wrote to memory of 5116	3192	cmd.exe	99
PID 5116 wrote to memory of 3132	5116	Client.exe	100
PID 5116 wrote to memory of 3132	5116	Client.exe	100
PID 5116 wrote to memory of 5112	5116	Client.exe	102
PID 5116 wrote to memory of 5112	5116	Client.exe	102
PID 5112 wrote to memory of 1432	5112	cmd.exe	105
PID 5112 wrote to memory of 1432	5112	cmd.exe	105
PID 5112 wrote to memory of 2152	5112	cmd.exe	106
PID 5112 wrote to memory of 2152	5112	cmd.exe	106
PID 5112 wrote to memory of 3984	5112	cmd.exe	114
PID 5112 wrote to memory of 3984	5112	cmd.exe	114
PID 3984 wrote to memory of 3432	3984	Client.exe	115
PID 3984 wrote to memory of 3432	3984	Client.exe	115
PID 3984 wrote to memory of 2864	3984	Client.exe	117
PID 3984 wrote to memory of 2864	3984	Client.exe	117
PID 2864 wrote to memory of 1188	2864	cmd.exe	120
PID 2864 wrote to memory of 1188	2864	cmd.exe	120
PID 2864 wrote to memory of 3708	2864	cmd.exe	121
PID 2864 wrote to memory of 3708	2864	cmd.exe	121
PID 2864 wrote to memory of 1268	2864	cmd.exe	125
PID 2864 wrote to memory of 1268	2864	cmd.exe	125
PID 1268 wrote to memory of 2372	1268	Client.exe	126
PID 1268 wrote to memory of 2372	1268	Client.exe	126
PID 1268 wrote to memory of 1660	1268	Client.exe	128
PID 1268 wrote to memory of 1660	1268	Client.exe	128
PID 1660 wrote to memory of 4864	1660	cmd.exe	131
PID 1660 wrote to memory of 4864	1660	cmd.exe	131
PID 1660 wrote to memory of 4732	1660	cmd.exe	132
PID 1660 wrote to memory of 4732	1660	cmd.exe	132
PID 1660 wrote to memory of 1500	1660	cmd.exe	135
PID 1660 wrote to memory of 1500	1660	cmd.exe	135
PID 1500 wrote to memory of 2776	1500	Client.exe	136
PID 1500 wrote to memory of 2776	1500	Client.exe	136
PID 1500 wrote to memory of 4128	1500	Client.exe	139
PID 1500 wrote to memory of 4128	1500	Client.exe	139
PID 4128 wrote to memory of 2348	4128	cmd.exe	141
PID 4128 wrote to memory of 2348	4128	cmd.exe	141
PID 4128 wrote to memory of 3520	4128	cmd.exe	142
PID 4128 wrote to memory of 3520	4128	cmd.exe	142
PID 4128 wrote to memory of 2284	4128	cmd.exe	144
PID 4128 wrote to memory of 2284	4128	cmd.exe	144
PID 2284 wrote to memory of 3144	2284	Client.exe	145
PID 2284 wrote to memory of 3144	2284	Client.exe	145
PID 2284 wrote to memory of 1832	2284	Client.exe	148
PID 2284 wrote to memory of 1832	2284	Client.exe	148
PID 1832 wrote to memory of 5072	1832	cmd.exe	150
PID 1832 wrote to memory of 5072	1832	cmd.exe	150
PID 1832 wrote to memory of 1920	1832	cmd.exe	151
PID 1832 wrote to memory of 1920	1832	cmd.exe	151
PID 1832 wrote to memory of 804	1832	cmd.exe	153
PID 1832 wrote to memory of 804	1832	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3504
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nHyD8BLIP7rA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4324
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3848
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2hJJS6M15u3c.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1432
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wLm2uKQZasQ6.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tBP6PykaXyNe.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tjhSTenjWHBF.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3520
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ajjES3uIhBeh.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCXqeDDAdlCW.bat" "
        15⤵
        
        PID:4288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Ab5mpuZROWv.bat" "
        17⤵
        
        PID:1140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vFIupqfr2nb.bat" "
        19⤵
        
        PID:4304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bjzoLpOZCsu6.bat" "
        21⤵
        
        PID:2336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VhBTcjSlYVGq.bat" "
        23⤵
        
        PID:764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esT5tG7ADyP8.bat" "
        25⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WO9S3ySYLgc7.bat" "
        27⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nj2icBil3OcB.bat" "
        29⤵
        
        PID:792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\spJEdwzpa6Pw.bat" "
        31⤵
        
        PID:3848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2hJJS6M15u3c.bat

Filesize
207B

MD5
ca12e2b81c7f4b6f39d6ce885120a41e

SHA1
810d4f8ae4b1ee3c1120d7d7bb7926da59fa05c6

SHA256
fc29c273e7e876c1df37b4e0f0b51e11d5d6b665845197df1fb8348975d79d20

SHA512
8ded9d868b0a217817ed669c72f6b1c81ae95e83b6fd34914c1553db3e96e3a22be2d5a14c32508fd030e8ff1adfa9618568c2021a1fc4e5ea77fff5496cdc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Ab5mpuZROWv.bat

Filesize
207B

MD5
af7cc7620e166951df66aa321903f059

SHA1
8f5e11c9bab246f325ee03ca8010e9d2697e01af

SHA256
738e0fb63c134b36ad720b80155ffa59e506d3ba33df57b3350cfc06b6b32652

SHA512
e23b677a75f48fe34a0c8991bd692639ef726c700584830d5e0bce81d0daa5f43c676d1cf3c2945b74ea565baadc0a7f07fea25b05fcea24d39247c9ce7a21da

Download Submit
C:\Users\Admin\AppData\Local\Temp\6vFIupqfr2nb.bat

Filesize
207B

MD5
2e13cfa8d91d52be189df59a6d867c76

SHA1
95b6ea09b31955dfbd982d8f16ff26f5d505d254

SHA256
de2925ca560df97f73b3e1df01f6dcc6fdabeae51f733fd198ff271b850b885f

SHA512
023c26d39bedfe5f32be2ea1801a7e9e10fcd9df9d6ee4d0a3dc352f80faf50f54b255dbca4d4a26ee33362a9a14cd79dbefcdcad90fc24799d0c907565eb4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nj2icBil3OcB.bat

Filesize
207B

MD5
fa656082db3b57c865aa3ba319b38bf9

SHA1
e4bd506097df24b3b8b7c8dc8199fd3d92e80fc1

SHA256
7c46bff5b70de0af10cada9abd1139ef67a3abe62aaa776256150a67cbefd307

SHA512
77388653564bd023f749c2c7f507b23e18fca6f67b634ea80acb62407e2ac16d6e2cbdb4f962dc101be66ec9bbbc0c588176dac3a40d7692fa5d9132c6b3c225

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhBTcjSlYVGq.bat

Filesize
207B

MD5
4fa1d02167d7c958536894c1cbc6fdf5

SHA1
608e3bc5db7a0c13cedf58cc01e16d2074d6b8e8

SHA256
50499feffa8f8ea0500beec9aeaa3a4b81a197a9612b5a1a684955b64e8feaff

SHA512
8458eb65a4d22a33b0ef731768be041eb1688893659328b35ce0202af9579125923e4876c97b813a2ebe468cd752a807b7bde1d22d628ff60bd3c263dca7aeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WO9S3ySYLgc7.bat

Filesize
207B

MD5
efd9be97d3212b69628b118de627dedc

SHA1
36fcf58ebfe0ed735ccf8a07b21df16c409322dd

SHA256
21d16b5e57b5e4e0e62c176e0a87268dbc45c5cf7b0dcf11c9de5685ecdee49c

SHA512
829bf90559c2e47a14f100614991f14a3fe2fbd3978eeef481714f88d0a37fcde6645ed2fb1bfdb3ac31429bafd3ffd77135fcdf42728df70ec203ab71d62b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajjES3uIhBeh.bat

Filesize
207B

MD5
17f55c1a1334fd2413f669583b93da66

SHA1
25fff7adbbf3698ad03653d3b3fa57fd5bdfd515

SHA256
62974282bfe71635296456072808f828389f76bfc9eb8bfe45eba9a0a2b741c8

SHA512
dcb517abf7c6cfc28e87853b21c41fbb4f298550efa5fd55714fa18addb7a8ab6650ba9f84562d46650f15b11e44ca26e1a81bff73b42081ee1da1dc64a0a624

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjzoLpOZCsu6.bat

Filesize
207B

MD5
4fda71e13b3bf5bd9ade002b6b5a995a

SHA1
7a1471351675791f4364b75d589d789ab06f98cd

SHA256
fdb51510e40ddd6b43ac748037c3a6d9d36f354cb85055b08454cd580ba1c52b

SHA512
4cf1c55f69842e5917d06c4d56c65b6659484f0da43d9af3a7fa2373967df7dafae844c8c8e4f7e02f6c7863b19aec2ae1d1719abddc4df7fc8119ff0bfea4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\esT5tG7ADyP8.bat

Filesize
207B

MD5
a842a5efe03a75038dece35abea269b1

SHA1
8c1e1b124c9fcf2f49c8b852e1ff196307a43c8f

SHA256
4de188e98c636f5407582ef0a5fc6bb38e28419095806af3f364840fbc40158a

SHA512
6237b5cb0617e496a53f45514c5845526965c2ba4bc53d713777bce3adb3237b582928fdc202713cd7e60238337bd115f035381c8109159ead4348256dac2b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nHyD8BLIP7rA.bat

Filesize
207B

MD5
d29a1ef2a560d8b04eb00552158f42e7

SHA1
70bb7e43b2f895fca9f0da33fd4e74cac2fb3f6b

SHA256
b863d5a9b0310ca17179bf44dbfb80e59746caacd330990ee164110a5b867666

SHA512
274c9da683671a7e21980857e493ac63348e544cc9fd2b74840cc8545b791042923059bc14894949ed47b3cd20041325608d7f63a13a2abb02c56a3aab979d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\spJEdwzpa6Pw.bat

Filesize
207B

MD5
c595045366b4575b71a4c9e67671012f

SHA1
26bdf3af23af217c3bce5b9905d58466e0b14fa1

SHA256
80f68c2f31043dafa3009e6214996fad94b9cea3a579f133169802f5c77b0285

SHA512
8be88d0263cf31d7c125b10bcd3e253216fb5d1dea417f533ac5784730fcfa705cf529ec2d1bbb39fb2eb02ab771775efbdb5e6db36a59371fd5157f19a28296

Download Submit
C:\Users\Admin\AppData\Local\Temp\tBP6PykaXyNe.bat

Filesize
207B

MD5
ab8709a50d2d0f5f411f3581d5272fde

SHA1
059642a867c2c7c35b55c8f34ec1f5f00e36fcbb

SHA256
308eb15aee2776b4ff0b75dd3311599697683ae80ab87239cda3eb09c5f692a0

SHA512
aed453d34346c9959808e053b9bfe122510bf7c1cfbe373719f957600e886a58bd5123cffd8035479b789d013850ee66777c6f1c84e636b1a4f4770b48d17b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjhSTenjWHBF.bat

Filesize
207B

MD5
0a31b18ab54801499da3f87c7466eab8

SHA1
fc1a593063d1d1daf04f8f921e8140b7f04c658e

SHA256
804d5b5b078e3a20f626fb8b38c3ac6271d88bfe66f54c4b1f26482748a15283

SHA512
4e15a3caa85e0960354a8efa00b7acdc0c274fb5e950c3883e89de1b256cc0e715bd221dfc37a897accf6c73f1320485cd1c5ba7d44e9bbf2f1450d88d35a223

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCXqeDDAdlCW.bat

Filesize
207B

MD5
3f65d3931110024a85bc85e1372c082c

SHA1
cd8404ef70c6c8fd896788d10805ca807d3f1f87

SHA256
e4eaffa451b716a2446f406e04a99ae15a8f44ad5a350fa1e0815bdefbef1e0a

SHA512
ace5c95ec495fd14961928a67e9a99e3458ba6bce0f33749dc0b275964625f8a400312e88fd15f4f5a59385843bd29b5c5bf56c83001ddb180f6bc0cf68afa1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLm2uKQZasQ6.bat

Filesize
207B

MD5
b8729b26708a91e473460ee65abf5191

SHA1
81c8a1bdb5e7c77d077c5e012091216f54c0889e

SHA256
14615cf33f4bfd4e4935f8c1dbb185480af3e2be6200b0c32b819a9a7323ef96

SHA512
6c4be7a338b0b31cbde74738bb9ff05cf5280015b61adb209e115003d2a655ce57431d2fec0a0361abb240716efbca419582208ffc55588887b23aeec2e0ed24

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.4MB

MD5
55fed3c2f548f0a0beed666f20a01d97

SHA1
e2908aeb63e17405b95c05a06a886813e1d4d594

SHA256
cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

SHA512
2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

Download Submit
memory/660-0-0x00007FFCD4143000-0x00007FFCD4145000-memory.dmp

Filesize
8KB

Download
memory/660-2-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download
memory/660-9-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download
memory/660-1-0x00000000007E0000-0x0000000000B46000-memory.dmp

Filesize
3.4MB

Download
memory/2956-18-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download
memory/2956-13-0x000000001C060000-0x000000001C112000-memory.dmp

Filesize
712KB

Download
memory/2956-12-0x000000001B6A0000-0x000000001B6F0000-memory.dmp

Filesize
320KB

Download
memory/2956-11-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download
memory/2956-10-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads