Analysis
max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26/01/2025, 21:03
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240903-en

General
Target: Client-built.exe
Size: 3.1MB
MD5: 7dbac71bcc7920b66e8c4fc04fbc30dd
SHA1: c746b4358c2a15765a010c1890979239f152d6f7
SHA256: ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
SHA512: 56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24
SSDEEP: 49152:bvylL26AaNeWgPhlmVqvMQ7XSKB4RJ6kbR3LoGdXdTHHB72eh2NT:bvqL26AaNeWgPhlmVqkQ7XSKB4RJ6uH
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: hojex31104-23437.portmap.host:23437
Mutex: de505f8f-b6d9-44cb-b9ce-7e2f491eb29e
encryption_key: D9C52C486698B9297B9AC8B87A65EA67135BE386
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (14 IoCs)
yara_rule family_quasar matched the following resources:
behavioral1/memory/2384-1-0x0000000000ED0000-0x00000000011F4000-memory.dmp
behavioral1/files/0x000a000000015d79-5.dat
behavioral1/memory/2328-8-0x00000000002A0000-0x00000000005C4000-memory.dmp
behavioral1/memory/2716-22-0x0000000001010000-0x0000000001334000-memory.dmp
behavioral1/memory/2916-45-0x0000000000190000-0x00000000004B4000-memory.dmp
behavioral1/memory/3040-56-0x0000000001300000-0x0000000001624000-memory.dmp
behavioral1/memory/2564-79-0x00000000000D0000-0x00000000003F4000-memory.dmp
behavioral1/memory/2764-91-0x00000000000B0000-0x00000000003D4000-memory.dmp
behavioral1/memory/2892-103-0x00000000012F0000-0x0000000001614000-memory.dmp
behavioral1/memory/584-114-0x0000000000270000-0x0000000000594000-memory.dmp
behavioral1/memory/1912-135-0x0000000000020000-0x0000000000344000-memory.dmp
behavioral1/memory/1512-147-0x0000000001360000-0x0000000001684000-memory.dmp
behavioral1/memory/1632-158-0x0000000001380000-0x00000000016A4000-memory.dmp
behavioral1/memory/2632-170-0x00000000000E0000-0x0000000000404000-memory.dmp

Executes dropped EXE (15 IoCs)
Client.exe PIDs: 2328, 2716, 1744, 2916, 3040, 2208, 2564, 2764, 2892, 584, 2288, 1912, 1512, 1632, 2632

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE PIDs: 1784, 2812, 1648, 2064, 1900, 1892, 2440, 2640, 896, 2656, 2072, 2628, 1288, 2920, 1600

Runs ping.exe (1 TTPs, 15 IoCs)
PING.EXE PIDs: 2640, 1900, 2072, 2440, 2812, 1648, 1784, 896, 2656, 2064, 2920, 1892, 1600, 2628, 1288

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 1604, 2816, 2952, 3068, 2656, 2948, 1528, 1304, 1884, 2512, 948, 2688, 2576, 1548, 2704, 620

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege
Client-built.exe PID: 2384
Client.exe PIDs: 2328, 2716, 1744, 2916, 3040, 2208, 2564, 2764, 2892, 584, 2288, 1912, 1512, 1632, 2632

Suspicious use of FindShellTrayWindow (15 IoCs)
Client.exe PIDs: 2328, 2716, 1744, 2916, 3040, 2208, 2564, 2764, 2892, 584, 2288, 1912, 1512, 1632, 2632

Suspicious use of SendNotifyMessage (15 IoCs)
Client.exe PIDs: 2328, 2716, 1744, 2916, 3040, 2208, 2564, 2764, 2892, 584, 2288, 1912, 1512, 1632, 2632

Suspicious use of SetWindowsHookEx (1 IoCs)
Client.exe PID: 2328

Suspicious use of WriteProcessMemory (64 IoCs)
Source PID and process, then the target PIDs it wrote to (procid_target in parentheses); the raw listing records each write three times.
PID 2384 Client-built.exe wrote to memory of 3068 (30), 2328 (32)
PID 2328 Client.exe wrote to memory of 1304 (33), 2736 (35)
PID 2736 cmd.exe wrote to memory of 2884 (37), 2640 (38), 2716 (40)
PID 2716 Client.exe wrote to memory of 2656 (41), 1288 (43)
PID 1288 cmd.exe wrote to memory of 992 (45), 1900 (46), 1744 (47)
PID 1744 Client.exe wrote to memory of 2576 (48), 2840 (50)
PID 2840 cmd.exe wrote to memory of 640 (52), 2920 (53), 2916 (54)
PID 2916 Client.exe wrote to memory of 2948 (55), 2052 (57)
PID 2052 cmd.exe wrote to memory of 2984 (59), 1784 (60), 3040 (61)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree: depth in brackets, then PID and image path; the command line follows on the next line, then the signatures matched for that process.

[1] PID 2384  C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[2] PID 3068  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[2] PID 2328  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[3] PID 1304  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[3] PID 2736  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQNjTWnkpJaS.bat" "
  - Suspicious use of WriteProcessMemory

[4] PID 2884  C:\Windows\system32\chcp.com
  chcp 65001

[4] PID 2640  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[4] PID 2716  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[5] PID 2656  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[5] PID 1288  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bH0KLHErsuHF.bat" "
  - Suspicious use of WriteProcessMemory

[6] PID 992  C:\Windows\system32\chcp.com
  chcp 65001

[6] PID 1900  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[6] PID 1744  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[7] PID 2576  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[7] PID 2840  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\yHxhw0a8FlWh.bat" "
  - Suspicious use of WriteProcessMemory

[8] PID 640  C:\Windows\system32\chcp.com
  chcp 65001

[8] PID 2920  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[8] PID 2916  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[9] PID 2948  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[9] PID 2052  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\C4km4suULeEI.bat" "
  - Suspicious use of WriteProcessMemory

[10] PID 2984  C:\Windows\system32\chcp.com
  chcp 65001

[10] PID 1784  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[10] PID 3040  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[11] PID 1548  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[11] PID 988  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9zYId8aoWQuI.bat" "

[12] PID 2296  C:\Windows\system32\chcp.com
  chcp 65001

[12] PID 1892  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[12] PID 2208  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[13] PID 1528  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[13] PID 1152  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgMeITocxg90.bat" "

[14] PID 1988  C:\Windows\system32\chcp.com
  chcp 65001

[14] PID 896  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[14] PID 2564  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[15] PID 1604  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[15] PID 1904  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAsfDnFB6G3W.bat" "

[16] PID 2804  C:\Windows\system32\chcp.com
  chcp 65001

[16] PID 2812  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[16] PID 2764  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[17] PID 2816  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[17] PID 2912  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\NXoFPI2HY2Gs.bat" "

[18] PID 2192  C:\Windows\system32\chcp.com
  chcp 65001

[18] PID 2656  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[18] PID 2892  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[19] PID 1884  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[19] PID 1900  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xFAxFKMIun0V.bat" "

[20] PID 1316  C:\Windows\system32\chcp.com
  chcp 65001

[20] PID 1648  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[20] PID 584  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[21] PID 2704  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[21] PID 2056  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hRwsXV0gqIbz.bat" "

[22] PID 2144  C:\Windows\system32\chcp.com
  chcp 65001

[22] PID 2064  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[22] PID 2288  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[23] PID 620  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[23] PID 376  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\w7YLHXJNKhAP.bat" "

[24] PID 2968  C:\Windows\system32\chcp.com
  chcp 65001

[24] PID 2072  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[24] PID 1912  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[25] PID 2952  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[25] PID 1268  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQqj2ePxKssb.bat" "

[26] PID 1064  C:\Windows\system32\chcp.com
  chcp 65001

[26] PID 2440  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[26] PID 1512  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[27] PID 2688  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[27] PID 3068  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\a2eEV37UjMoH.bat" "

[28] PID 708  C:\Windows\system32\chcp.com
  chcp 65001

[28] PID 1600  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[28] PID 1632  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[29] PID 2512  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[29] PID 2712  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAY48madBkpe.bat" "

[30] PID 2860  C:\Windows\system32\chcp.com
  chcp 65001

[30] PID 2628  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

[30] PID 2632  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[31] PID 948  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[31] PID 2720  C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\HbeSVSq5GKsy.bat" "

[32] PID 2664  C:\Windows\system32\chcp.com
  chcp 65001

[32] PID 1288  C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads