Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 26/01/2025, 21:31

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240903-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 7dbac71bcc7920b66e8c4fc04fbc30dd
SHA1: c746b4358c2a15765a010c1890979239f152d6f7
SHA256: ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
SHA512: 56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24
SSDEEP: 49152:bvylL26AaNeWgPhlmVqvMQ7XSKB4RJ6kbR3LoGdXdTHHB72eh2NT:bvqL26AaNeWgPhlmVqkQ7XSKB4RJ6uH
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04 (the Quasar builder's default tag, left unchanged by the operator)
C2: hojex31104-23437.portmap.host:23437
Mutex: de505f8f-b6d9-44cb-b9ce-7e2f491eb29e
encryption_key: D9C52C486698B9297B9AC8B87A65EA67135BE386
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds)
startup_key: Quasar Client Startup
subdirectory: SubDir

Notes: the C2 hostname is under portmap.host, a public port-forwarding service, so host:port is a relay endpoint rather than the operator's own server; block the hostname and port together and do not treat the resolved IP as attributable. install_name, subdirectory and startup_key are the values that reappear verbatim in the process tree (C:\Users\Admin\AppData\Roaming\SubDir\Client.exe and the "Quasar Client Startup" scheduled task).
Signatures

Quasar family

Quasar payload  13 IoCs
resource / yara_rule (the leading number of each memory resource is the PID of the process whose mapped image matched):
behavioral1/memory/2956-1-0x0000000000A40000-0x0000000000D64000-memory.dmp  family_quasar
behavioral1/files/0x0008000000016eca-5.dat  family_quasar
behavioral1/memory/2204-8-0x0000000000D00000-0x0000000001024000-memory.dmp  family_quasar
behavioral1/memory/2704-22-0x00000000003C0000-0x00000000006E4000-memory.dmp  family_quasar
behavioral1/memory/792-34-0x0000000000020000-0x0000000000344000-memory.dmp  family_quasar
behavioral1/memory/2876-46-0x0000000001070000-0x0000000001394000-memory.dmp  family_quasar
behavioral1/memory/2224-57-0x00000000002E0000-0x0000000000604000-memory.dmp  family_quasar
behavioral1/memory/1324-69-0x00000000003B0000-0x00000000006D4000-memory.dmp  family_quasar
behavioral1/memory/1552-80-0x0000000000EF0000-0x0000000001214000-memory.dmp  family_quasar
behavioral1/memory/2356-103-0x0000000000240000-0x0000000000564000-memory.dmp  family_quasar
behavioral1/memory/2088-116-0x0000000000E00000-0x0000000001124000-memory.dmp  family_quasar
behavioral1/memory/396-139-0x00000000000A0000-0x00000000003C4000-memory.dmp  family_quasar
behavioral1/memory/2228-150-0x0000000001240000-0x0000000001564000-memory.dmp  family_quasar
Executes dropped EXE  15 IoCs
pid / Process: 2204, 2704, 792, 2876, 2224, 1324, 1552, 2956, 2356, 2088, 2404, 396, 2228, 3008, 1028 (all Client.exe)
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery  1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems. In this run every hit is "ping -n 10 localhost" launched from a dropped .bat file: pinging the loopback address says nothing about Internet reachability and simply burns roughly nine seconds (ten echoes, one second apart) before the client is relaunched. Treat this mapping as a generic ping.exe match, not as evidence of connectivity checking.
pid / Process: 2364, 2016, 2256, 2424, 2416, 2248, 2812, 2652, 868, 1484, 276, 1684, 936, 2684, 1756 (all PING.EXE)
Runs ping.exe  1 TTPs 15 IoCs
pid / Process: 2812, 2424, 1484, 936, 1684, 2684, 2652, 2016, 276, 2416, 1756, 2248, 2364, 2256, 868 (all PING.EXE)
Scheduled Task/Job: Scheduled Task  1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: 2544, 2068, 2740, 2500, 2112, 992, 2248, 276, 2752, 2264, 2468, 2208, 1056, 496, 2820, 2360 (all schtasks.exe)
All sixteen are the same invocation, "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f: the dropper registers the logon task once and every relaunched client re-registers it, with /f silently overwriting the previous definition. A task that runs at logon with the highest available run level and points into a user-writable AppData path is the combination worth alerting on, independent of the task name.
Suspicious use of AdjustPrivilegeToken  16 IoCs
Token SeDebugPrivilege requested by: 2956 Client-built.exe; Client.exe PIDs 2204, 2704, 792, 2876, 2224, 1324, 1552, 2956, 2356, 2088, 2404, 396, 2228, 3008, 1028
Suspicious use of FindShellTrayWindow  15 IoCs
pid / Process: 2204, 2704, 792, 2876, 2224, 1324, 1552, 2956, 2356, 2088, 2404, 396, 2228, 3008, 1028 (all Client.exe)
Suspicious use of SendNotifyMessage  15 IoCs
pid / Process: 2204, 2704, 792, 2876, 2224, 1324, 1552, 2956, 2356, 2088, 2404, 396, 2228, 3008, 1028 (all Client.exe)
Suspicious use of SetWindowsHookEx  1 IoCs
pid / Process: 2204 Client.exe
Suspicious use of WriteProcessMemory  64 IoCs
Each child creation appears three times in the raw listing, and the listing stops at 64 entries, so the table below groups the rows and the last pair is cut off after a single entry.
source PID  source process    target PID  procid_target  entries
2956        Client-built.exe  2248        31             3
2956        Client-built.exe  2204        33             3
2204        Client.exe        2208        34             3
2204        Client.exe        2660        36             3
2660        cmd.exe           2900        38             3
2660        cmd.exe           2652        39             3
2660        cmd.exe           2704        40             3
2704        Client.exe        2544        41             3
2704        Client.exe        2508        43             3
2508        cmd.exe           320         45             3
2508        cmd.exe           2364        46             3
2508        cmd.exe           792         47             3
792         Client.exe        2068        48             3
792         Client.exe        1944        50             3
1944        cmd.exe           1440        52             3
1944        cmd.exe           2016        53             3
1944        cmd.exe           2876        54             3
2876        Client.exe        2740        55             3
2876        Client.exe        1668        57             3
1668        cmd.exe           1328        59             3
1668        cmd.exe           2256        60             3
1668        cmd.exe           2224        61             1 (listing capped at 64)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
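The two persistence signatures above both reduce to one schtasks command line, and the extracted config predicts that line exactly. As an added example (not code from the report, the sandbox, or the Quasar project), the following Python parses schtasks invocations with a small quote-aware tokenizer, flags the combination seen here (logon or boot trigger, highest run level, action under a user-writable path), and checks a parsed task against the config's startup_key, subdirectory and install_name. The first sample line is the report's own schtasks invocation; the other two lines and the USER_WRITABLE list are constructed for contrast.

```python
"""Flag schtasks invocations that fit the logon-persistence pattern in this report
and tie them back to the extracted Quasar config.

Added example: not code from the report, the sandbox, or the Quasar project.
Assumptions: QUASAR_CONFIG is transcribed from the Malware Config section;
SAMPLE_CMDLINES[0] is the schtasks line from the process tree, the other two
are constructed benign lines; USER_WRITABLE is a constructed, non-exhaustive list.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Transcribed from the report's extracted config (only the fields used here).
QUASAR_CONFIG = {
    "install_name": "Client.exe",
    "startup_key": "Quasar Client Startup",
    "subdirectory": "SubDir",
}

# Path fragments an unprivileged user can write to (constructed, not exhaustive).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# schtasks switches that consume the next token as their value.
VALUE_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/mo", "/st", "/sd", "/ed", "/ru", "/rp",
                  "/d", "/m", "/i", "/du", "/et", "/ri", "/s", "/u", "/p", "/xml"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs
    together and stripping their quotes (enough for schtasks; not a full
    CommandLineToArgvW)."""
    return [t[1:-1] if t.startswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


@dataclass
class TaskCreate:
    task_name: str
    schedule: str
    action: str
    run_level: str
    force: bool

    @property
    def at_logon_or_boot(self) -> bool:
        return self.schedule in ("ONLOGON", "ONSTART")

    @property
    def user_writable_action(self) -> bool:
        return any(frag in self.action.lower() for frag in USER_WRITABLE)

    @property
    def suspicious(self) -> bool:
        # A user-writable action that either fires at logon/boot or asks for the
        # highest run level; a daily updater under Program Files stays quiet.
        return self.user_writable_action and (self.at_logon_or_boot or self.run_level == "HIGHEST")


def parse_schtasks_create(cmdline: str) -> TaskCreate | None:
    """Parse a `schtasks /create ...` command line; return None for anything else."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    switches: dict[str, str] = {}
    i = 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw in VALUE_SWITCHES and i + 1 < len(toks):
            switches[sw] = toks[i + 1]
            i += 2
        else:
            switches[sw] = ""          # bare flag such as /create or /f
            i += 1
    if "/create" not in switches:
        return None
    return TaskCreate(
        task_name=switches.get("/tn", ""),
        schedule=switches.get("/sc", "").upper(),
        action=switches.get("/tr", "").strip('"'),   # /tr may carry its own quotes
        run_level=switches.get("/rl", "").upper(),
        force="/f" in switches,
    )


def matches_config(t: TaskCreate, cfg: dict[str, str]) -> bool:
    """True when task name and action are exactly what the config predicts:
    startup_key as the name, <subdirectory>\\<install_name> as the target."""
    return (t.task_name == cfg["startup_key"]
            and ntpath.basename(t.action) == cfg["install_name"]
            and ntpath.basename(ntpath.dirname(t.action)) == cfg["subdirectory"])


# Sample 1 is the schtasks line from this report's process tree; 2 and 3 are constructed.
SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "Vendor Updater" /sc DAILY /st 12:00 /tr "C:\Program Files\Vendor\update.exe"',
    r'schtasks /create /tn "Backup" /sc ONLOGON /rl HIGHEST /tr "C:\Program Files\Backup\bk.exe"',
]


def triage(cmdlines: list[str]) -> list[tuple[str, bool, bool]]:
    """(task name, suspicious, matches Quasar config) for every /create line."""
    rows = []
    for line in cmdlines:
        t = parse_schtasks_create(line)
        if t is not None:
            rows.append((t.task_name, t.suspicious, matches_config(t, QUASAR_CONFIG)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_CMDLINES):
        print(row)
```

The third constructed line runs at logon with HIGHEST and is still not flagged, because the action sits under Program Files; that is deliberate, since the user-writable path is what separates this persistence from a legitimately installed service helper. Running the same parser over Sysmon or EDR process-creation events gives a direct detection for this sample's task, and matches_config turns a generic hit into a family-specific one.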
Processes
Depth is given in brackets (the report's N⤵ markers); each entry is a child of the nearest entry above it with depth one lower. Windows reuses PIDs once a process exits, which is why 2956, 2068, 1668, 276, 2248 and 2684 each appear twice at different depths; correlate on more than the PID when reading this tree. The pattern repeats fifteen times: each Client.exe registers the logon task, runs a .bat from %TEMP% that switches the code page, pings localhost as a delay, and relaunches Client.exe.

Command lines shared by every instance, listed once:
schtasks.exe: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
chcp.com: chcp 65001
PING.EXE: ping -n 10 localhost
Client.exe: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

[1] PID 2956  C:\Users\Admin\AppData\Local\Temp\Client-built.exe  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[2] PID 2248  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[2] PID 2204  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
[3] PID 2208  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[3] PID 2660  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyNOMULB4cls.bat" "
    Suspicious use of WriteProcessMemory
[4] PID 2900  C:\Windows\system32\chcp.com
[4] PID 2652  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[4] PID 2704  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[5] PID 2544  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[5] PID 2508  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\L9zXF19ZOnOf.bat" "
    Suspicious use of WriteProcessMemory
[6] PID 320  C:\Windows\system32\chcp.com
[6] PID 2364  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[6] PID 792  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[7] PID 2068  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[7] PID 1944  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lVHDMU8T2mDY.bat" "
    Suspicious use of WriteProcessMemory
[8] PID 1440  C:\Windows\system32\chcp.com
[8] PID 2016  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[8] PID 2876  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[9] PID 2740  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[9] PID 1668  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcXCt0QT3Lmy.bat" "
    Suspicious use of WriteProcessMemory
[10] PID 1328  C:\Windows\system32\chcp.com
[10] PID 2256  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[10] PID 2224  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[11] PID 276  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[11] PID 1572  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\o0R4N92AxMaP.bat" "
[12] PID 1520  C:\Windows\system32\chcp.com
[12] PID 2424  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[12] PID 1324  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[13] PID 1056  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[13] PID 2296  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\4DgNOA8COcc5.bat" "
[14] PID 1728  C:\Windows\system32\chcp.com
[14] PID 1684  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[14] PID 1552  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[15] PID 2500  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[15] PID 2856  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\gjsJQkzrfY6H.bat" "
[16] PID 1368  C:\Windows\system32\chcp.com
[16] PID 2684  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[16] PID 2956  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[17] PID 2820  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[17] PID 1276  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bNfXFmAhPYlT.bat" "
[18] PID 2376  C:\Windows\system32\chcp.com
[18] PID 868  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[18] PID 2356  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[19] PID 2752  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[19] PID 2068  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JrvC18H6Rwtn.bat" "
[20] PID 484  C:\Windows\system32\chcp.com
[20] PID 1484  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[20] PID 2088  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[21] PID 2360  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[21] PID 2572  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BtBKODOSzJA5.bat" "
[22] PID 2428  C:\Windows\system32\chcp.com
[22] PID 2416  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[22] PID 2404  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[23] PID 2112  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[23] PID 1668  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CrEbev4LIig6.bat" "
[24] PID 932  C:\Windows\system32\chcp.com
[24] PID 276  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[24] PID 396  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[25] PID 992  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[25] PID 2288  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\XeFFqBorwtBl.bat" "
[26] PID 2232  C:\Windows\system32\chcp.com
[26] PID 1756  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[26] PID 2228  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[27] PID 2264  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[27] PID 1508  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OzUTh62K8vkV.bat" "
[28] PID 1632  C:\Windows\system32\chcp.com
[28] PID 936  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[28] PID 3008  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[29] PID 496  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[29] PID 3056  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7m24ZvginIrB.bat" "
[30] PID 1256  C:\Windows\system32\chcp.com
[30] PID 2248  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[30] PID 1028  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[31] PID 2468  C:\Windows\system32\schtasks.exe
    Scheduled Task/Job: Scheduled Task
[31] PID 2684  C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wfuAAz1GP88v.bat" "
[32] PID 2832  C:\Windows\system32\chcp.com
[32] PID 2812  C:\Windows\system32\PING.EXE
    System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
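The tree above is the part of this report an analyst most wants to query programmatically: which processes are relaunched copies, and which %TEMP% batch files did the relaunching. As an added example (not code from the report, the sandbox, or the Quasar project), the following Python rebuilds parent/child relationships from (pid, ppid, image, cmdline) records, recognises a restart stub as a cmd.exe running a .bat from %TEMP% whose children are chcp.com, a ping to localhost and a relaunch of its own parent's image, and follows that chain from the first dropped client. The record shape is a constructed, sandbox-neutral one; the values are transcribed from the tree above and cut after the third relaunch.

```python
"""Rebuild the process tree from creation records and follow the self-restart
loop shown in this report: Client.exe -> cmd.exe /c <%TEMP%>.bat ->
chcp 65001, ping -n 10 localhost, Client.exe again.

Added example: not code from the report, the sandbox, or the Quasar project.
EVENTS (pid, ppid, image, cmdline) is transcribed from the report's process tree
and truncated after the third relaunch; ppid 0 marks the submitted sample.
"""
from __future__ import annotations

import re
from collections import defaultdict

CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
SCHTASKS = r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'
SYS = r"C:\Windows\system32"

EVENTS = [
    (2956, 0,    r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe", r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"'),
    (2248, 2956, SYS + r"\schtasks.exe", SCHTASKS),
    (2204, 2956, CLIENT, f'"{CLIENT}"'),
    (2208, 2204, SYS + r"\schtasks.exe", SCHTASKS),
    (2660, 2204, SYS + r"\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\fyNOMULB4cls.bat" "'),
    (2900, 2660, SYS + r"\chcp.com", "chcp 65001"),
    (2652, 2660, SYS + r"\PING.EXE", "ping -n 10 localhost"),
    (2704, 2660, CLIENT, f'"{CLIENT}"'),
    (2544, 2704, SYS + r"\schtasks.exe", SCHTASKS),
    (2508, 2704, SYS + r"\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\L9zXF19ZOnOf.bat" "'),
    (320,  2508, SYS + r"\chcp.com", "chcp 65001"),
    (2364, 2508, SYS + r"\PING.EXE", "ping -n 10 localhost"),
    (792,  2508, CLIENT, f'"{CLIENT}"'),
    (2068, 792,  SYS + r"\schtasks.exe", SCHTASKS),
    (1944, 792,  SYS + r"\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\lVHDMU8T2mDY.bat" "'),
    (1440, 1944, SYS + r"\chcp.com", "chcp 65001"),
    (2016, 1944, SYS + r"\PING.EXE", "ping -n 10 localhost"),
    (2876, 1944, CLIENT, f'"{CLIENT}"'),
]


def build_tree(events):
    """Index records by pid and collect children per parent in creation order.
    Assumes no PID reuse inside the window; the full report reuses 2956 and
    others, so key on a sandbox process id or start time for the whole tree."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_restart_stub(pid: int, by_pid, children) -> bool:
    """cmd.exe running a .bat from %TEMP% whose children are chcp, a ping to
    localhost (the delay) and a relaunch of the image its own parent runs."""
    _, ppid, image, cmdline = by_pid[pid]
    if image_name(image) != "cmd.exe" or not re.search(r'\\temp\\[^"]+\.bat', cmdline, re.I):
        return False
    kids = [by_pid[c] for c in children[pid]]
    names = {image_name(k[2]) for k in kids}
    pings_loopback = any(image_name(k[2]) == "ping.exe" and "localhost" in k[3].lower() for k in kids)
    parent_image = by_pid[ppid][2].lower() if ppid in by_pid else ""
    relaunches_parent = any(k[2].lower() == parent_image for k in kids)
    return "chcp.com" in names and pings_loopback and relaunches_parent


def follow_restart_chain(start_pid: int, events) -> list[int]:
    """PIDs of successive client instances, hopping from start_pid through each
    restart stub to the relaunched copy until no stub is found."""
    by_pid, children = build_tree(events)
    chain, cur = [start_pid], start_pid
    while True:
        stubs = [c for c in children[cur] if is_restart_stub(c, by_pid, children)]
        if not stubs:
            return chain
        relaunched = [c for c in children[stubs[0]]
                      if by_pid[c][2].lower() == by_pid[cur][2].lower()]
        if not relaunched:
            return chain
        cur = relaunched[0]
        chain.append(cur)


def dropped_batch_files(events) -> list[str]:
    """Paths of the %TEMP% batch files behind restart stubs, in creation order;
    these are the artefacts to collect (the report does not show their content)."""
    by_pid, children = build_tree(events)
    paths = []
    for pid in by_pid:
        if is_restart_stub(pid, by_pid, children):
            paths.append(re.search(r'[A-Za-z]:\\[^"]+\.bat', by_pid[pid][3]).group(0))
    return paths


if __name__ == "__main__":
    print("restart chain:", follow_restart_chain(2204, EVENTS))
    print("batch files:", dropped_batch_files(EVENTS))
```

On the truncated records the chain is [2204, 2704, 792, 2876]; fed the full tree with a reuse-safe key it would run to fifteen generations. The stub test deliberately requires all three children, so a lone "ping -n 10 localhost" from an unrelated script does not count as a restart.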
Network
MITRE ATT&CK Enterprise v15
Downloads
Fifteen 207-byte files, matching in number the fifteen .bat scripts run from %TEMP% in the process tree (the report does not pair hashes with file names), plus one 3.1MB file whose hashes are identical to the submitted Client-built.exe, i.e. the client installs an unmodified copy of itself as C:\Users\Admin\AppData\Roaming\SubDir\Client.exe.

Filesize: 207B
MD5: 126498ddc162b72417e43aec125df530
SHA1: e73d80e956b8d12559f4badd9955f943bf9e16bc
SHA256: 61ba972de895637a7c2e774c0bf04d7523e89c18ac3dd3930ece0a3c32f595fd
SHA512: 8684155ff38f4856605b33446b4a509a2f81031bdcfe5ab97fe37bc7382dc52e2a93c7e518fc9fdead9d2d751123600c7a7d6d3807651f608262cb1470618f87

Filesize: 207B
MD5: 7d0ac6809355c9fc6a6248e659bec89a
SHA1: 662bfce830e8c2bc057a65d96a94be1b2ab66653
SHA256: 6996a99d59d745fc78f54725f6e41fea4138ebd288eb736461d0dba8282e4d10
SHA512: f644d3a1b908bb69153677255d24716205874cb51e82db097ec52c9ebc4dc50769196873ec67e5271ca39119ad62e50a28ab17698ff1cef43b56ae38b7b5180d

Filesize: 207B
MD5: a806453026d7da0305230a9317f3fbb6
SHA1: 047bfa08c581d8cc5c02262584b3431129a0492a
SHA256: fcf5669ca851e7dfe315dd659f67f6e812c58932d3747dd66862f786935ef03c
SHA512: 713605382285b5534b5b9ea8c32660607b2355503501fa36972cb6be3793e8afbaa7cc6fd065b8411bf927e01a8d37a3665505759711bb2c9e90618de08da57f

Filesize: 207B
MD5: 447151e7774eece8d16403270a517458
SHA1: ae5765775e7deef8adb59001a7baa523df3abe29
SHA256: a8df1c317e84531cf0184ec91f15cbb1f2fac964788f6070398154fa82bb398b
SHA512: 315df272c933bd4466db6a1bc5559fdea6aba2d81724f13c8760a99713f4ff17a1453ac9690e0414594dd682e61cdd63427a1799b6f2583b9280a7b43484a95d

Filesize: 207B
MD5: ad445c8a6765c543d1556f86094d164f
SHA1: 0d18817474c9a05c6a7596bb72043b310d57ee2b
SHA256: 088ce6944c6b91503f8c6ba76329b30a4b94ed67706c03b20771c419785ee282
SHA512: 51398e250ab6da70724eb5d5a1b8041c7e128d66b6228ad9eedec20e26c879b01f0575dceffbbac7de4c0f37f42bfa5630478f6c3222c0d56ca9711925cd28b4

Filesize: 207B
MD5: 986d9fd8805cd52bf88fa7c9bf78da87
SHA1: e7e92753d0e4eb721be8df1ab3f8a941572d5fe0
SHA256: f29905ed2b71e16c296de1796a8684970a53bdf9e3accce62374f4645ebc9db8
SHA512: 6b4dfe1f5affef710ac19021ac5e605b703239c793e7d0514777c223cc1c99d584955833c873ba146c4baa067e4cebc3e149d2de877df297b46f78cddac69146

Filesize: 207B
MD5: 2191cd48a03533bddb782702d981488c
SHA1: a097edbbe557c9f0108f1b6205677d7437e244c1
SHA256: bbc5c52f2b32ece6dd774a0296dda5917a99b7fce38695775ad6c1a9a8b12363
SHA512: be614b3c225f8a5f6dd6f8a35b3e7808d001a150d798f8b6aeaf05f6d99530fb191a09ed33eecdb1710c14d2253ec9863a47e8d145aff27fccc509cd81b5625f

Filesize: 207B
MD5: 88913c5c0a0f045ba3eaf9400df305ca
SHA1: db6f6e3fd1cc3846a23b6c31299190be331ed785
SHA256: 5ee45b6e35e76f4adaec1e82c048fb36d8729cfe1db06ddf70a80ed9c932c530
SHA512: 95fa15e5f5d673fbd467bb24afcb031223f6d845e9d8c4ecf0b04b7b7b9394ac71510a4e84e5aab571970bc64f62cc4b5b7a8d9f0817847a617bf22507721ecb

Filesize: 207B
MD5: 3ed6c30ca21f9d71d27254b48093f0fc
SHA1: 2d8b05dc2bcceaed38fe629b4a1896de2c826b8d
SHA256: b7bb75e662a07be114e7b01ae30c6832b0691e2b7f96cff73c4b24ccdbd9eb5d
SHA512: 012246621903ef7268bc998b3f58c8ab165a19a7bd83d5215ec11ebef3770d80ebb674590e16fd7869ace7e248e11ae10effd10ed49c9f178ed90d5b30098ae2

Filesize: 207B
MD5: 69280cbb34551b584b6e9aa3164e1b88
SHA1: a974862a2cbb10d843ee59fa8d19e9bbfffc3be6
SHA256: 56eed181a6fb63a557330f740a4f08380bc1eb564f2d0f44c0d5466e13aef44f
SHA512: 2ff924f2093b4de73be1388fd9fd9712be2d11f71a2f0f8efc6110f4f620b48301016f1e675e4505ef9b48df83d155a2947356b9f10228e71dfb596fcf130634

Filesize: 207B
MD5: 38eb74a331de03c1ee36f6a21ce62837
SHA1: c5968541ba8658c0c52ca5ac96c5e13321847f82
SHA256: 429c383b58de8d481a47d758cf50b6efe84535e4c21c955e10186a0926d809ef
SHA512: 4684db58bea213f4bec3e2efedbe0091a8ac5022071cfeb3be2395aec0611aae8a3d29ff5589efb2a31f0163c601bdfeabee6b6174b957d0c6b87e6ca37761f9

Filesize: 207B
MD5: 538fca467389de2324bc937dff9a91af
SHA1: 623064370b0d9434ab8acb7da1b2e515674d2e0c
SHA256: 5f8ede5875957d8e4727098c7dfbacd69cdb334c8f382f41e2457eec746ad794
SHA512: e4fd96bc339c71de3ac0768a9bc264a74a5b6e9bfac1f8dcc87cf1c17a8730461379e4ac53ded44703293a8c2440a77582f72b822ce51f8e4f5d7c89380eeaec

Filesize: 207B
MD5: 682dae9f489db0da2e8263aabe4da7d7
SHA1: f482e34c2b67e9145dee7287a790600497eceec9
SHA256: f215fb32f6e34e9bf13532003cd4b36de7bf039a783aeea8537c4397255ae7af
SHA512: a7aa887f9ec3eda82bedff7fcc5a237fd1845cf9a49fcbfb28d7862c15ed32f65c003ea0a255b8b656078bb8045337bb2b098f206aafd4d6778bddedf565470d

Filesize: 207B
MD5: b89bd0220827bf046d280ade8a9f354d
SHA1: d9b9cd7b4845fa70a2dabf02cabdb4b938924260
SHA256: b82b98eab4645a256db026acebc11163bcd3dbb550d5782a8ebd35b9498a0998
SHA512: 950440d3388ab33651107c31b30b19d80ce6accc69327ac9a65f97570d091e592dbccb090500efc13ebe08c1abad279c2060d15c5283601d9f17204e0de90b71

Filesize: 207B
MD5: 1802036401542a782ff0fb8a309c55f0
SHA1: 85d6b2c189983b43205c6e39120d0b8f178da545
SHA256: 4005816791a08380effc7f275533e90e2d890671923e8b5ecdbd57b0d3349ba6
SHA512: 091c85a492b7bf6d38534bb684253a9d448049055ac3b254013c7be16416a6392116f7373f73e1172a878eea2d20b969ba82de5afe72f6b5a18960b3a9ffe883

Filesize: 3.1MB (hashes identical to the submitted sample)
MD5: 7dbac71bcc7920b66e8c4fc04fbc30dd
SHA1: c746b4358c2a15765a010c1890979239f152d6f7
SHA256: ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
SHA512: 56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24