quasar | cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

Analysis

max time kernel
147s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImageLogger3.5.exe
Size

3.4MB
MD5

55fed3c2f548f0a0beed666f20a01d97
SHA1

e2908aeb63e17405b95c05a06a886813e1d4d594
SHA256

cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e
SHA512

2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e
SSDEEP

49152:zvnI22SsaNYfdPBldt698dBcjHAKk1QmypoGd7aPTHHB72eh2NT:zvI22SsaNYfdPBldt6+dBcjHAKke

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

26.45.181.53:4782

Mutex

91fc011d-5bd3-41d0-82ab-84cdbb628ab4

Attributes

encryption_key
5E2CFB52ADC9AC8BBA82A6E18BBD8FE00311B8A0
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2704-1-0x0000000000970000-0x0000000000CD6000-memory.dmp	family_quasar
behavioral2/files/0x000b000000023b89-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

pid	Process
4008	Client.exe
4248	Client.exe
928	Client.exe
1036	Client.exe
1444	Client.exe
752	Client.exe
1068	Client.exe
1156	Client.exe
232	Client.exe
2572	Client.exe
3340	Client.exe
2936	Client.exe
4788	Client.exe
1712	Client.exe
4180	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
764	PING.EXE
868	PING.EXE
4532	PING.EXE
3064	PING.EXE
4252	PING.EXE
1716	PING.EXE
2888	PING.EXE
4900	PING.EXE
3540	PING.EXE
5084	PING.EXE
4180	PING.EXE
2704	PING.EXE
4340	PING.EXE
1004	PING.EXE
4372	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
764	PING.EXE
4900	PING.EXE
3540	PING.EXE
4372	PING.EXE
4532	PING.EXE
868	PING.EXE
2704	PING.EXE
3064	PING.EXE
4340	PING.EXE
4180	PING.EXE
2888	PING.EXE
4252	PING.EXE
1716	PING.EXE
5084	PING.EXE
1004	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3112	schtasks.exe
1360	schtasks.exe
392	schtasks.exe
1848	schtasks.exe
1464	schtasks.exe
2648	schtasks.exe
4068	schtasks.exe
3780	schtasks.exe
4984	schtasks.exe
3308	schtasks.exe
3920	schtasks.exe
1632	schtasks.exe
2744	schtasks.exe
5104	schtasks.exe
3328	schtasks.exe
3104	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	ImageLogger3.5.exe
Token: SeDebugPrivilege	4008	Client.exe
Token: SeDebugPrivilege	4248	Client.exe
Token: SeDebugPrivilege	928	Client.exe
Token: SeDebugPrivilege	1036	Client.exe
Token: SeDebugPrivilege	1444	Client.exe
Token: SeDebugPrivilege	752	Client.exe
Token: SeDebugPrivilege	1068	Client.exe
Token: SeDebugPrivilege	1156	Client.exe
Token: SeDebugPrivilege	232	Client.exe
Token: SeDebugPrivilege	2572	Client.exe
Token: SeDebugPrivilege	3340	Client.exe
Token: SeDebugPrivilege	2936	Client.exe
Token: SeDebugPrivilege	4788	Client.exe
Token: SeDebugPrivilege	1712	Client.exe
Token: SeDebugPrivilege	4180	Client.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4008	Client.exe
4248	Client.exe
928	Client.exe
1036	Client.exe
1444	Client.exe
752	Client.exe
1068	Client.exe
1156	Client.exe
232	Client.exe
2572	Client.exe
3340	Client.exe
2936	Client.exe
4788	Client.exe
1712	Client.exe
4180	Client.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4008	Client.exe
4248	Client.exe
928	Client.exe
1036	Client.exe
1444	Client.exe
752	Client.exe
1068	Client.exe
1156	Client.exe
232	Client.exe
2572	Client.exe
3340	Client.exe
2936	Client.exe
4788	Client.exe
1712	Client.exe
4180	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4984	2704	ImageLogger3.5.exe	86
PID 2704 wrote to memory of 4984	2704	ImageLogger3.5.exe	86
PID 2704 wrote to memory of 4008	2704	ImageLogger3.5.exe	88
PID 2704 wrote to memory of 4008	2704	ImageLogger3.5.exe	88
PID 4008 wrote to memory of 3308	4008	Client.exe	91
PID 4008 wrote to memory of 3308	4008	Client.exe	91
PID 4008 wrote to memory of 532	4008	Client.exe	93
PID 4008 wrote to memory of 532	4008	Client.exe	93
PID 532 wrote to memory of 2032	532	cmd.exe	95
PID 532 wrote to memory of 2032	532	cmd.exe	95
PID 532 wrote to memory of 764	532	cmd.exe	96
PID 532 wrote to memory of 764	532	cmd.exe	96
PID 532 wrote to memory of 4248	532	cmd.exe	97
PID 532 wrote to memory of 4248	532	cmd.exe	97
PID 4248 wrote to memory of 3112	4248	Client.exe	98
PID 4248 wrote to memory of 3112	4248	Client.exe	98
PID 4248 wrote to memory of 1984	4248	Client.exe	100
PID 4248 wrote to memory of 1984	4248	Client.exe	100
PID 1984 wrote to memory of 4940	1984	cmd.exe	103
PID 1984 wrote to memory of 4940	1984	cmd.exe	103
PID 1984 wrote to memory of 4340	1984	cmd.exe	104
PID 1984 wrote to memory of 4340	1984	cmd.exe	104
PID 1984 wrote to memory of 928	1984	cmd.exe	106
PID 1984 wrote to memory of 928	1984	cmd.exe	106
PID 928 wrote to memory of 2648	928	Client.exe	107
PID 928 wrote to memory of 2648	928	Client.exe	107
PID 928 wrote to memory of 1560	928	Client.exe	109
PID 928 wrote to memory of 1560	928	Client.exe	109
PID 1560 wrote to memory of 4516	1560	cmd.exe	112
PID 1560 wrote to memory of 4516	1560	cmd.exe	112
PID 1560 wrote to memory of 1716	1560	cmd.exe	113
PID 1560 wrote to memory of 1716	1560	cmd.exe	113
PID 1560 wrote to memory of 1036	1560	cmd.exe	118
PID 1560 wrote to memory of 1036	1560	cmd.exe	118
PID 1036 wrote to memory of 1360	1036	Client.exe	119
PID 1036 wrote to memory of 1360	1036	Client.exe	119
PID 1036 wrote to memory of 3708	1036	Client.exe	121
PID 1036 wrote to memory of 3708	1036	Client.exe	121
PID 3708 wrote to memory of 1368	3708	cmd.exe	124
PID 3708 wrote to memory of 1368	3708	cmd.exe	124
PID 3708 wrote to memory of 4180	3708	cmd.exe	125
PID 3708 wrote to memory of 4180	3708	cmd.exe	125
PID 3708 wrote to memory of 1444	3708	cmd.exe	127
PID 3708 wrote to memory of 1444	3708	cmd.exe	127
PID 1444 wrote to memory of 4068	1444	Client.exe	128
PID 1444 wrote to memory of 4068	1444	Client.exe	128
PID 1444 wrote to memory of 3340	1444	Client.exe	131
PID 1444 wrote to memory of 3340	1444	Client.exe	131
PID 3340 wrote to memory of 4884	3340	cmd.exe	133
PID 3340 wrote to memory of 4884	3340	cmd.exe	133
PID 3340 wrote to memory of 868	3340	cmd.exe	134
PID 3340 wrote to memory of 868	3340	cmd.exe	134
PID 3340 wrote to memory of 752	3340	cmd.exe	136
PID 3340 wrote to memory of 752	3340	cmd.exe	136
PID 752 wrote to memory of 2744	752	Client.exe	137
PID 752 wrote to memory of 2744	752	Client.exe	137
PID 752 wrote to memory of 3348	752	Client.exe	139
PID 752 wrote to memory of 3348	752	Client.exe	139
PID 3348 wrote to memory of 444	3348	cmd.exe	142
PID 3348 wrote to memory of 444	3348	cmd.exe	142
PID 3348 wrote to memory of 2888	3348	cmd.exe	143
PID 3348 wrote to memory of 2888	3348	cmd.exe	143
PID 3348 wrote to memory of 1068	3348	cmd.exe	145
PID 3348 wrote to memory of 1068	3348	cmd.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLogger3.5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4984
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMeXeHD1FG8C.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2032
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:764
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJwgZAVDT5UB.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4940
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4340
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1gpttesxFtC.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wN9JdSfQPnNP.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7wANeKTQATlR.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8gizbFKcuC3K.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CthvZUgGd1ym.bat" "
        15⤵
        
        PID:3848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O9CzcwsbbzpJ.bat" "
        17⤵
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:232
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9gY5AtFjuGwQ.bat" "
        19⤵
        
        PID:3100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neE4cTRhAsgq.bat" "
        21⤵
        
        PID:3580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYbMHc0siWyF.bat" "
        23⤵
        
        PID:3512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWLXSEUi2YJJ.bat" "
        25⤵
        
        PID:4624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4788
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYzskin3vXmC.bat" "
        27⤵
        
        PID:3220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w1l1AeknUJ6S.bat" "
        29⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I59tnl9g9aDq.bat" "
        31⤵
        
        PID:3308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7wANeKTQATlR.bat

Filesize
207B

MD5
6458ef9194d22dfc8a5f82be9bc69e34

SHA1
c221326a7e0eabf6e2b5ddc6265808689c3b3d17

SHA256
696a735ab2defb756b2a587e0ef7b9d8bd4bd3c2bdc41961445dcf492261c086

SHA512
049a506f944ff6c2aaafb1fc7eb6f4e098b3ea759c4976d65ef65648aa4148da7cdce2de9d558db1daf40b48c8fc4b1cbe53cd16cae0f7be4b87f00b2407810e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8gizbFKcuC3K.bat

Filesize
207B

MD5
68d75dd237f975a7a3362e13970d34c5

SHA1
3cf10e7d25c8b05dfb3077ab7e7f782220b706c1

SHA256
0cf533846794f0630a953503e46729cf4ab2ed17e49cfd187987ad3f24c13543

SHA512
63817d4aa9ada367b3c83375ac2ca44d0dfb738bdec7eb9eaa008b46e83c3e1c22d806cac7f66b28922808586983755777330d351841963355d33766c412a1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gY5AtFjuGwQ.bat

Filesize
207B

MD5
c8948d641692e7f018a86d801b037b58

SHA1
baca4fec543310a82a245bb72bad1e6027679101

SHA256
a8e8533739c23c9957fdc1c68495e66feb5b053a458e19b4a10ce17c3e200eb7

SHA512
385aeca43f090af3a7ae63c45a89e9777d321802019247cf4b23d59913d295c263dd42f279477b93151bb0bafba10690033572abcdc2625a4552abff705f1487

Download Submit
C:\Users\Admin\AppData\Local\Temp\BJwgZAVDT5UB.bat

Filesize
207B

MD5
bba8e53614f1956b564aa90801b42528

SHA1
7f5a08b8112cde8692550009745e1e215246345a

SHA256
d24a5723111b8ed50e3e4e99e306f7840a08ff60bb689cddc0de913954001439

SHA512
eadec04f45965d214f034e964a821cb429656dee2bc1750815a151cfd40ea4c1621ea2b9c6e6d598a85334e59908be8da40ad7a739194e4eb3ee3b8cec4bbf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\CthvZUgGd1ym.bat

Filesize
207B

MD5
84eb00ef4a29c459059b6efbdfa95658

SHA1
a06d7d365c0cf550262ff6b80b19619d4d728c78

SHA256
5dd8fa567dd0e419674887695a2221df9fde542380938d86004e7c753df93986

SHA512
b51f017080303466804f079edf6d2d9f2e5308c47099afe50e6c7505c75c8f38fcd9aaa1b179f017da98390365990fa01a3da1386b1ff7e1669bbdc48ee90093

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1gpttesxFtC.bat

Filesize
207B

MD5
cf4648ce19b337558dfc64d7ff793379

SHA1
d482437d7f54bfb1b0df4f5dc8bc49a196f0878b

SHA256
4ec49d3493fd74ae9f11935148315be36100765211f067761ff7fc852a8654b3

SHA512
e760cf456d4918c66363a494f51756716eac7a34dd76d3cfc843ddfa6ff13ff10adb200a23042591d9d5d5e219151063c0206f3f8a57c7bd742e4fbd6cd8f46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYzskin3vXmC.bat

Filesize
207B

MD5
49bb198ddf9ba241119ee7ca5b909aa7

SHA1
e6177a21266ed268a6a697b0eb5379429aceaade

SHA256
6e04964d11c6485ad593a7bdfd77c5fe03136adefee049051abdae928c48ac5a

SHA512
466ce600df84c841438c32290814f2889415d859010c0de3fa1766ddeaad2ef2478e4c41e1d6fe3a9b2c6257693f25560bf9e1ba7753a60b0bac97a74903d1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\I59tnl9g9aDq.bat

Filesize
207B

MD5
f2c5be7f2ef7e520b9db4c5b20b2e8df

SHA1
8fc1e7cfb5ca242be2e19f044dc0314b6daf3d48

SHA256
84bab5f3b2ad1c6d32c59c7815aa454a6c4d7ff913a0ab86d32e2f17594f5553

SHA512
7b771e6b07c348e29aa709d39335bd003865ff6af1a4eff54ad6b0c3e0aad81e7a263ea00f31d3f4735090923acf99f5f33d4f5c16f107fcd22cf0e0536e6b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\O9CzcwsbbzpJ.bat

Filesize
207B

MD5
349c29795f6eaa66713dd469a8535768

SHA1
c19c802f9ac0447c9d8f3caef44569a858e6e435

SHA256
892b2c401aa43271427998d68743f51b75317f122136fd3b3aee28114c8cc644

SHA512
ed3ee0741ff39ec4d3f9ea19bf7c9463491625f5bf1b08b5f780fc86540ad88d6ad7f5e9cfe37fa70a16ab18cc6957f9f204a6a1372fa9be0b9b17a462a61ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\neE4cTRhAsgq.bat

Filesize
207B

MD5
0a6583f853d060aac6adaa236300f54c

SHA1
849943564d3daf67a5faed429b0d4533ebc59bc8

SHA256
5da0a06234715c13e340a4a7188e6de2fe3d612d2a42fea9b306960ed121115b

SHA512
8f7b6f752bc8f88fb63b9383c0e97755a478c58dab534f45ba3fda83926ac110cf6bb7545bd0cc716a874f227dbe66becff055e8f59da82801c0c9ee9c3c2c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYbMHc0siWyF.bat

Filesize
207B

MD5
93e3c88e9f79dd6284a3254254dd717d

SHA1
eea320db69ea19929d3597b8c22944fccd52de9b

SHA256
470f000af53010df4ccb4308249340f85049683bc706e1c5912e28d8a30d14e4

SHA512
67709a7b5ef31af3d40ad96347cb201943e7df5805cdfb5c3512bbef59365b727f699d47eca8fa6f05da48a9348454481b77162752b1b0eab7517beec2f56241

Download Submit
C:\Users\Admin\AppData\Local\Temp\rWLXSEUi2YJJ.bat

Filesize
207B

MD5
682384d493d910adbff53d76afa0c28e

SHA1
822c88943962d9d302019c8cf9bf39c8ed368b10

SHA256
16aace6acabb1145b05d7d77a862bc466a6e9e993eb555fe3d5fd0fa300129b6

SHA512
7dd53357256975360e0ec374575ddd3c5e59fd2f9b70e9a1ff9b76a3a3e7356f58ec853ec5ef873a697f79498cd3ae21a073903a64061ed60c383dbe786431ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1l1AeknUJ6S.bat

Filesize
207B

MD5
9ea14ad45d594237150d1ab78054dbbf

SHA1
a62076d5719d3462d27d75c7fbb1f6026ea85c87

SHA256
ebc552540f3fa8291d1b5d109180b964c91f11ec67f41f449f77c2f101ecbc15

SHA512
978ba35254be869ba70fb675d272c78cd396e6c50538d96234197b89a714d6cf0b443ba9b9aa8837a2a942edc18416ca205e0e425b6e5b0243c1433e10d4221f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wN9JdSfQPnNP.bat

Filesize
207B

MD5
ce4ee6fceb7cc645d68fedcfd04ae116

SHA1
a0f87cc041cac3dbba36a72a9c3fd80622d1ed1b

SHA256
cf1a3bbafc9eb52f7fe7a5a8e0398018bc79a0e25355bdcf5cdad8ac9dfb40ec

SHA512
e431f5e1b29189fa079fb81db1bd08416bc81ac6ca35206fb4c354503b530c9be37ee6bf26e0d03f735c09d520c0075ad61b96431bacfaf4264fcd465843a182

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMeXeHD1FG8C.bat

Filesize
207B

MD5
ada91f157c5740f393a188b54f8bd5cc

SHA1
93c7a4ebce0451d85ee2aa0cf5609dbda513ccc8

SHA256
06f9418fb54cbf04a81f4ac75761a55bfad6e216744763469283aca63435229e

SHA512
b84ada4d18c7b45856b3bb1c79d833aa83c0aa45c5be11393797624ffd1ae402b94f6bcccfc5ae1a482ff1fbad9dc1a45be31ea0b320f5b80c9cf1eba674cd01

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.4MB

MD5
55fed3c2f548f0a0beed666f20a01d97

SHA1
e2908aeb63e17405b95c05a06a886813e1d4d594

SHA256
cd63a66b508d6653ee22e5fdc44dbcb6e9c7fe64e0eac9ed781ee82fe187005e

SHA512
2ca21479151e585416d63430f57faaf3f070af2cdc9f22ece10e439fdb1eb71a455fa75f1b925550ce74838e7cb69c0d110c6881c167c403b4c594834c72860e

Download Submit
memory/2704-10-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/2704-0-0x00007FF99A613000-0x00007FF99A615000-memory.dmp

Filesize
8KB

Download
memory/2704-2-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/2704-1-0x0000000000970000-0x0000000000CD6000-memory.dmp

Filesize
3.4MB

Download
memory/4008-11-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-9-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-12-0x000000001BCF0000-0x000000001BD40000-memory.dmp

Filesize
320KB

Download
memory/4008-13-0x000000001C510000-0x000000001C5C2000-memory.dmp

Filesize
712KB

Download
memory/4008-18-0x00007FF99A610000-0x00007FF99B0D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads