quasar | cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Image Logger 3.5.exe
Size

3.4MB
MD5

55fed3c2f548f0a0beed666f20a01d97
SHA1

e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256

cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512

2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
SSDEEP

49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes

encryption_key
5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1932-1-0x0000000000A40000-0x0000000000DA6000-memory.dmp	family_quasar
behavioral2/files/0x0011000000023b07-6.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
3888	Client.exe
1928	Client.exe
1356	Client.exe
3524	Client.exe
3812	Client.exe
4452	Client.exe
5108	Client.exe
1072	Client.exe
1532	Client.exe
4748	Client.exe
748	Client.exe
3504	Client.exe
3532	Client.exe
1848	Client.exe
2808	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1476	PING.EXE
4164	PING.EXE
4880	PING.EXE
4388	PING.EXE
2136	PING.EXE
2792	PING.EXE
4016	PING.EXE
4880	PING.EXE
1428	PING.EXE
4268	PING.EXE
4728	PING.EXE
1524	PING.EXE
4972	PING.EXE
2732	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1524	PING.EXE
4972	PING.EXE
4016	PING.EXE
2732	PING.EXE
2136	PING.EXE
4388	PING.EXE
4880	PING.EXE
1476	PING.EXE
4268	PING.EXE
4728	PING.EXE
4164	PING.EXE
2792	PING.EXE
4880	PING.EXE
1428	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe
3412	schtasks.exe
1388	schtasks.exe
2172	schtasks.exe
1164	schtasks.exe
4872	schtasks.exe
4924	schtasks.exe
1580	schtasks.exe
1548	schtasks.exe
3480	schtasks.exe
1088	schtasks.exe
3780	schtasks.exe
4516	schtasks.exe
1936	schtasks.exe
4988	schtasks.exe
64	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	Image Logger 3.5.exe
Token: SeDebugPrivilege	3888	Client.exe
Token: SeDebugPrivilege	1928	Client.exe
Token: SeDebugPrivilege	1356	Client.exe
Token: SeDebugPrivilege	3524	Client.exe
Token: SeDebugPrivilege	3812	Client.exe
Token: SeDebugPrivilege	4452	Client.exe
Token: SeDebugPrivilege	5108	Client.exe
Token: SeDebugPrivilege	1072	Client.exe
Token: SeDebugPrivilege	1532	Client.exe
Token: SeDebugPrivilege	4748	Client.exe
Token: SeDebugPrivilege	748	Client.exe
Token: SeDebugPrivilege	3504	Client.exe
Token: SeDebugPrivilege	3532	Client.exe
Token: SeDebugPrivilege	1848	Client.exe
Token: SeDebugPrivilege	2808	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3888	Client.exe
1928	Client.exe
1356	Client.exe
3524	Client.exe
3812	Client.exe
4452	Client.exe
5108	Client.exe
1072	Client.exe
1532	Client.exe
4748	Client.exe
748	Client.exe
3504	Client.exe
3532	Client.exe
1848	Client.exe
2808	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3888	Client.exe
1928	Client.exe
1356	Client.exe
3524	Client.exe
3812	Client.exe
4452	Client.exe
5108	Client.exe
1072	Client.exe
1532	Client.exe
4748	Client.exe
748	Client.exe
3504	Client.exe
3532	Client.exe
1848	Client.exe
2808	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2708	1932	Image Logger 3.5.exe	86
PID 1932 wrote to memory of 2708	1932	Image Logger 3.5.exe	86
PID 1932 wrote to memory of 3888	1932	Image Logger 3.5.exe	88
PID 1932 wrote to memory of 3888	1932	Image Logger 3.5.exe	88
PID 3888 wrote to memory of 4872	3888	Client.exe	89
PID 3888 wrote to memory of 4872	3888	Client.exe	89
PID 3888 wrote to memory of 2032	3888	Client.exe	91
PID 3888 wrote to memory of 2032	3888	Client.exe	91
PID 2032 wrote to memory of 760	2032	cmd.exe	93
PID 2032 wrote to memory of 760	2032	cmd.exe	93
PID 2032 wrote to memory of 4972	2032	cmd.exe	94
PID 2032 wrote to memory of 4972	2032	cmd.exe	94
PID 2032 wrote to memory of 1928	2032	cmd.exe	96
PID 2032 wrote to memory of 1928	2032	cmd.exe	96
PID 1928 wrote to memory of 4516	1928	Client.exe	97
PID 1928 wrote to memory of 4516	1928	Client.exe	97
PID 1928 wrote to memory of 2068	1928	Client.exe	99
PID 1928 wrote to memory of 2068	1928	Client.exe	99
PID 2068 wrote to memory of 2416	2068	cmd.exe	101
PID 2068 wrote to memory of 2416	2068	cmd.exe	101
PID 2068 wrote to memory of 4016	2068	cmd.exe	102
PID 2068 wrote to memory of 4016	2068	cmd.exe	102
PID 2068 wrote to memory of 1356	2068	cmd.exe	103
PID 2068 wrote to memory of 1356	2068	cmd.exe	103
PID 1356 wrote to memory of 4924	1356	Client.exe	104
PID 1356 wrote to memory of 4924	1356	Client.exe	104
PID 1356 wrote to memory of 3904	1356	Client.exe	106
PID 1356 wrote to memory of 3904	1356	Client.exe	106
PID 3904 wrote to memory of 3392	3904	cmd.exe	108
PID 3904 wrote to memory of 3392	3904	cmd.exe	108
PID 3904 wrote to memory of 4880	3904	cmd.exe	109
PID 3904 wrote to memory of 4880	3904	cmd.exe	109
PID 3904 wrote to memory of 3524	3904	cmd.exe	112
PID 3904 wrote to memory of 3524	3904	cmd.exe	112
PID 3524 wrote to memory of 3412	3524	Client.exe	114
PID 3524 wrote to memory of 3412	3524	Client.exe	114
PID 3524 wrote to memory of 4432	3524	Client.exe	116
PID 3524 wrote to memory of 4432	3524	Client.exe	116
PID 4432 wrote to memory of 3996	4432	cmd.exe	118
PID 4432 wrote to memory of 3996	4432	cmd.exe	118
PID 4432 wrote to memory of 2732	4432	cmd.exe	119
PID 4432 wrote to memory of 2732	4432	cmd.exe	119
PID 4432 wrote to memory of 3812	4432	cmd.exe	120
PID 4432 wrote to memory of 3812	4432	cmd.exe	120
PID 3812 wrote to memory of 3480	3812	Client.exe	121
PID 3812 wrote to memory of 3480	3812	Client.exe	121
PID 3812 wrote to memory of 3040	3812	Client.exe	123
PID 3812 wrote to memory of 3040	3812	Client.exe	123
PID 3040 wrote to memory of 4456	3040	cmd.exe	125
PID 3040 wrote to memory of 4456	3040	cmd.exe	125
PID 3040 wrote to memory of 4388	3040	cmd.exe	126
PID 3040 wrote to memory of 4388	3040	cmd.exe	126
PID 3040 wrote to memory of 4452	3040	cmd.exe	127
PID 3040 wrote to memory of 4452	3040	cmd.exe	127
PID 4452 wrote to memory of 1580	4452	Client.exe	128
PID 4452 wrote to memory of 1580	4452	Client.exe	128
PID 4452 wrote to memory of 4224	4452	Client.exe	130
PID 4452 wrote to memory of 4224	4452	Client.exe	130
PID 4224 wrote to memory of 3780	4224	cmd.exe	132
PID 4224 wrote to memory of 3780	4224	cmd.exe	132
PID 4224 wrote to memory of 1428	4224	cmd.exe	133
PID 4224 wrote to memory of 1428	4224	cmd.exe	133
PID 4224 wrote to memory of 5108	4224	cmd.exe	134
PID 4224 wrote to memory of 5108	4224	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Image Logger 3.5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2708
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozLdC0ZkXzMh.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:760
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4972
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqasXV6uMR7J.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2416
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4016
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gALF8mkBJaZ6.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tPE1e0NIzN5A.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boaB1R457nbK.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dTdpsmbyrWUX.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoP32BfQ7nXd.bat" "
        15⤵
        
        PID:4744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IX9AXBNQyN30.bat" "
        17⤵
        
        PID:1184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LlOh5ZoOUwtn.bat" "
        19⤵
        
        PID:4764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGHLKphyvV2T.bat" "
        21⤵
        
        PID:4160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j4kPnQYENWxI.bat" "
        23⤵
        
        PID:392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4164
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3504
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:64
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\obVTVGaWQhVG.bat" "
        25⤵
        
        PID:732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96WsQeybAbtc.bat" "
        27⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2UtN68XG00Bi.bat" "
        29⤵
        
        PID:1304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QL0LRWTe3YXr.bat" "
        31⤵
        
        PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2UtN68XG00Bi.bat

Filesize
207B

MD5
8e1bc7e0909d20dcf5d19b9bfabfeff9

SHA1
3c3d29995133dd50e99930ef2e63c2bb43a84ba2

SHA256
cddef336993b2446c422ed8c795ccd2b0e034fbf4bd35bb6a45d06a93dc67f6f

SHA512
503299b68d922a5a85fc50a4907229f4f361c3d5c73c12494281a5a6dafb4d1a12ec70e9b6e2301cec4a1132ab681ec0e0fad68d676068935692360d1809758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\96WsQeybAbtc.bat

Filesize
207B

MD5
0d2c64b1e08c6b6f1a59421d585f0c32

SHA1
3f1c3903eb0bb937721aef972b77a9375c0a1598

SHA256
4d5447da8d6b045949b223c377f2e950f1de2ec4f3e4699361cd501e3b937e84

SHA512
d4cea23a72e5299a540e4707ad1f1b8d46a9cbf6ffb572f773db1b9e79ee2392f32d807ae971234609b1039f16087f13c4ac10b70565e156761e609eb5cb7afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IX9AXBNQyN30.bat

Filesize
207B

MD5
82b7435192791ea3445ad447884b0aa9

SHA1
82738188b540f87e57a520805de130a4aa1a8d6e

SHA256
a5ee745ce39ea0f239a04a723e7516f818a49df1a358f3ddb098d77f0b8d59e0

SHA512
0cb1ad1f9fe4762d39fad0a401ac0ab862039f11b6652efd66e587b7987a86ba559bab451bf77ac8f20ddbfabaa68420c10ad83204a36d3cdff82e010103a5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\LlOh5ZoOUwtn.bat

Filesize
207B

MD5
2855ca329e8e5333c7c6238daca15b80

SHA1
44f6201c9b0d5f116651c744387b7e1aba4a0e9e

SHA256
f4517cf1b405c11c3d5f47d7ccf8c52fcf0ea0446a6e1b89427d17dd08b74dc3

SHA512
254599a6961810eecdb4c0be7f0b86a51ef1f34f3d1afab3ec6bdf6a7583748a710d26ce7d6253760e3c087c883fe4a13a7d5fc679eddf775a52343b803fdf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoP32BfQ7nXd.bat

Filesize
207B

MD5
b2a2da78b5980c665e6306ceebc1bae1

SHA1
24eb667ff00c76e2d5a08b12a18bea95da647f53

SHA256
7fc813f48a480dc71d165d6f9b9ada05fdba97fce2193e9c273ca5a58c6190ef

SHA512
3a066340fed855627de24e4c41cf3774d389caab58f1a6bc2e889280523beaa9c158647db4946941ead2c16a95f161a6960a3cd1740a6bf0e2bf90b85e4c8e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\boaB1R457nbK.bat

Filesize
207B

MD5
e8373cef22ebc3a9ba18c9a28b5f3c86

SHA1
700edfcba221b0c71d1f3e3307d0189669692e70

SHA256
b251f8db294013b86819e2c9e4d59ccb73985812e9660b956de75baa81509ba6

SHA512
406d36a230881da044c2175a62f4b57abdf14e3337619352469745fa5eb13d0aa983fc5df71c2cf12b75912d86df7dca4fc3db2543b86d26855d51cd7e6aedd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dTdpsmbyrWUX.bat

Filesize
207B

MD5
2b40faf79add6ad4e16bafcf7c73de4e

SHA1
d9540eab467e3d730c023cc19db6e84e8a3b9cf0

SHA256
871f73a31b20a6967629493d2debb21f9e3856e73fc0edbb39387fdf15a5d8c1

SHA512
be10bdb4bf943719291b9e4836e8a81e0d9e78538813d5971c9d10201b1e0067090d8a3544718bffb7e8aa7626d0a77101c81a26749cc13c22953b75dd97d628

Download Submit
C:\Users\Admin\AppData\Local\Temp\gALF8mkBJaZ6.bat

Filesize
207B

MD5
8d019c123d0a21dc3173c487c7fb98db

SHA1
117b02835e1fe17f56db297654251807bfa868b7

SHA256
9c40e6962f99c9b8f7e7f43f69abd57f59312699dc5ec7307e248b691bbde336

SHA512
d6b364ddd5946b060d24bcf616d1a37744df5c475f6746e050e4c7e2276bfe229c8aeb1d41f369f93f552f62f04b3c5e96bfb71afc93fff8faf075bd2c7e8c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j4kPnQYENWxI.bat

Filesize
207B

MD5
7370c9e6095d01c19635a61c024d7cfc

SHA1
f7f84824b61ac8ce21cac4eb6f659c71f11eac34

SHA256
98d3e32679ea1b463e17917644f2f61039224b4f8d840844f1613598d0978120

SHA512
fc56032c393366d6cdc493ef1ebe4b0a3fd14e4699acb944c8d38155904c43c89645dca23c06dcb4574e50e6f97f6d2de3843940433c0396b190277c9490f108

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqasXV6uMR7J.bat

Filesize
207B

MD5
6a4eca497e1f71df6c4f80f552c60a29

SHA1
3f7f98e4cc08789f12e1264373a9bf7c3beb8df4

SHA256
015dc628f33498f591447340702d628db85a71c2f98808d7085e77ceadd7d0c1

SHA512
e295ef2a551b25208951df81844aed2e3ae9b332102b969d5042f4a7d60d7ebca7893f21812c867229a547a4373b16be02ae8ac61f142ae55cd0fdfcb5ab3ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\obVTVGaWQhVG.bat

Filesize
207B

MD5
b3cfc67794b04ee506a507c8670087ec

SHA1
98b3a8a3da9c655e1de6e0255301ce8c764a452d

SHA256
f25b989f8407a55f0ad785503e4452d32aa907d76180daf94a422b94e6d6d5db

SHA512
3b68e207c5b3dfe93632736784502f0229779d1546cd6312b13f74ac0d26ed8cbacdcf38e2c4f117d740d6bfa32194b6f6752e6ed66fb61e5dda61aadc53d3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozLdC0ZkXzMh.bat

Filesize
207B

MD5
9c03471f85ab04182da2b84a934a2b0b

SHA1
979486eee7a05209045aed3d6cb95ec2d2c8d4eb

SHA256
67c9dd1a6f009f4e6d055c4ea5c5d93136a43c1f9a56a686f68c9b29c8a3a3c4

SHA512
9b91284487fe89a6393e117876bef85315362434cf6b41d013a5e6640b9e78b57e42c2425b0ca880015e03dfd681cc05af7b506d0794afed5ebb1fd6cadc09c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tPE1e0NIzN5A.bat

Filesize
207B

MD5
38c0a34fc2855fdbb1a768cecc8517ab

SHA1
a7e191675ae661949d9f43a7938f7b49ec345f8c

SHA256
bb9148bffa28033d4ed2d305d5521b74a03f1843a4196258bbcb41689f8c0fe4

SHA512
9032b80e064899955eaf3877b408ad6adc88775c73993914c0677d4e9183810aeba0a2ccec5c7efc2f45d9fcab3965563d4e5d3b584f95626f6daff018a02953

Download Submit
C:\Users\Admin\AppData\Local\Temp\uGHLKphyvV2T.bat

Filesize
207B

MD5
f36a40b0e046333fa26e4b4d6ab25fde

SHA1
4ffb5553f8a480db90a467add3bcb3b8b3adc6ec

SHA256
83373f0ef823d99461bbe9d7ee95fda926d47a1c05d1d5294d07750666a5e2ab

SHA512
3ad07703740bb71ff8ad5b0a65821faa147d70ba20e4d11298bea6bdbc88c0313f3b4e35e9578d45d94af506c0aff684965f18619c4b5efea7c584aefc8932aa

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.4MB

MD5
55fed3c2f548f0a0beed666f20a01d97

SHA1
e2908aeb63e17405b95c05a06a886813e1d4d594

SHA256
cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

SHA512
2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

Download Submit
memory/1932-9-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-0-0x00007FFF0AF23000-0x00007FFF0AF25000-memory.dmp

Filesize
8KB

Download
memory/1932-2-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-1-0x0000000000A40000-0x0000000000DA6000-memory.dmp

Filesize
3.4MB

Download
memory/3888-13-0x000000001C230000-0x000000001C2E2000-memory.dmp

Filesize
712KB

Download
memory/3888-12-0x000000001C120000-0x000000001C170000-memory.dmp

Filesize
320KB

Download
memory/3888-11-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-10-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-18-0x00007FFF0AF20000-0x00007FFF0B9E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads