quasar | a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

Analysis

max time kernel
177s
max time network
197s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Size

629KB
MD5

4df6edc58b2aee8108bbf41a5281a0b3
SHA1

372c881c85e6dd404ff65a086b0c7dd8e300ec19
SHA256

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c
SHA512

3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Score

10^/10

quasar venomrat windows defender security host evasion persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security Host

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_s1ArJSYbui8dt0HUpJ

Attributes

encryption_key
8gl4TCjsLQUmqCIxalku
install_name
Windows Defender Security Host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Security Host
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 9 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1744-65-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1744-62-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1744-67-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1744-63-0x0000000000486CAE-mapping.dmp	disable_win_def
behavioral1/memory/1744-61-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1744-60-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/968-83-0x0000000000486CAE-mapping.dmp	disable_win_def
behavioral1/memory/1836-111-0x0000000000486CAE-mapping.dmp	disable_win_def
behavioral1/memory/948-131-0x0000000000486CAE-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1744-65-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1744-62-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1744-67-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1744-63-0x0000000000486CAE-mapping.dmp	family_quasar
behavioral1/memory/1744-61-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1744-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/968-83-0x0000000000486CAE-mapping.dmp	family_quasar
behavioral1/memory/1836-111-0x0000000000486CAE-mapping.dmp	family_quasar
behavioral1/memory/948-131-0x0000000000486CAE-mapping.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 4 IoCs

Processes:

Windows Defender Security Host.exeWindows Defender Security Host.exeWindows Defender Security Host.exeWindows Defender Security Host.exe

pid	Process
1832	Windows Defender Security Host.exe
968	Windows Defender Security Host.exe
600	Windows Defender Security Host.exe
1836	Windows Defender Security Host.exe

Loads dropped DLL 7 IoCs

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exeWindows Defender Security Host.exeWerFault.exe

pid	Process
1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
1832	Windows Defender Security Host.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exeWindows Defender Security Host.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zHRMiXKHpW = "C:\\Users\\Admin\\AppData\\Roaming\\LbFPJdQtDA\\ZmFSAqsNCM.exe"	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Security Host = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe\""	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Security Host = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Windows Defender Security Host.exe\""	Windows Defender Security Host.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exeWindows Defender Security Host.exeWindows Defender Security Host.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

description	pid	Process	procid_target
PID 1016 set thread context of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1832 set thread context of 968	1832	Windows Defender Security Host.exe	35
PID 600 set thread context of 1836	600	Windows Defender Security Host.exe	44
PID 580 set thread context of 948	580	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	53

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2012	968	WerFault.exe	35

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
456	schtasks.exe
280	schtasks.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
1232	PING.EXE
1100	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exeWindows Defender Security Host.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

pid	Process
1884	powershell.exe
1836	Windows Defender Security Host.exe
1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
948	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exeWindows Defender Security Host.exepowershell.exeWindows Defender Security Host.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

description	pid	Process
Token: SeDebugPrivilege	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Token: SeDebugPrivilege	968	Windows Defender Security Host.exe
Token: SeDebugPrivilege	968	Windows Defender Security Host.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1836	Windows Defender Security Host.exe
Token: SeDebugPrivilege	948	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender Security Host.exe

pid	Process
968	Windows Defender Security Host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exeWindows Defender Security Host.exeWindows Defender Security Host.execmd.exeWindows Defender Security Host.exe

description	pid	Process	procid_target
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1016 wrote to memory of 1744	1016	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	28
PID 1744 wrote to memory of 456	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	30
PID 1744 wrote to memory of 456	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	30
PID 1744 wrote to memory of 456	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	30
PID 1744 wrote to memory of 456	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	30
PID 1744 wrote to memory of 1832	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	32
PID 1744 wrote to memory of 1832	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	32
PID 1744 wrote to memory of 1832	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	32
PID 1744 wrote to memory of 1832	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	32
PID 1744 wrote to memory of 1884	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	33
PID 1744 wrote to memory of 1884	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	33
PID 1744 wrote to memory of 1884	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	33
PID 1744 wrote to memory of 1884	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	33
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 1832 wrote to memory of 968	1832	Windows Defender Security Host.exe	35
PID 968 wrote to memory of 280	968	Windows Defender Security Host.exe	36
PID 968 wrote to memory of 280	968	Windows Defender Security Host.exe	36
PID 968 wrote to memory of 280	968	Windows Defender Security Host.exe	36
PID 968 wrote to memory of 280	968	Windows Defender Security Host.exe	36
PID 968 wrote to memory of 1620	968	Windows Defender Security Host.exe	38
PID 968 wrote to memory of 1620	968	Windows Defender Security Host.exe	38
PID 968 wrote to memory of 1620	968	Windows Defender Security Host.exe	38
PID 968 wrote to memory of 1620	968	Windows Defender Security Host.exe	38
PID 968 wrote to memory of 2012	968	Windows Defender Security Host.exe	40
PID 968 wrote to memory of 2012	968	Windows Defender Security Host.exe	40
PID 968 wrote to memory of 2012	968	Windows Defender Security Host.exe	40
PID 968 wrote to memory of 2012	968	Windows Defender Security Host.exe	40
PID 1620 wrote to memory of 1724	1620	cmd.exe	41
PID 1620 wrote to memory of 1724	1620	cmd.exe	41
PID 1620 wrote to memory of 1724	1620	cmd.exe	41
PID 1620 wrote to memory of 1724	1620	cmd.exe	41
PID 1620 wrote to memory of 1232	1620	cmd.exe	42
PID 1620 wrote to memory of 1232	1620	cmd.exe	42
PID 1620 wrote to memory of 1232	1620	cmd.exe	42
PID 1620 wrote to memory of 1232	1620	cmd.exe	42
PID 1620 wrote to memory of 600	1620	cmd.exe	43
PID 1620 wrote to memory of 600	1620	cmd.exe	43
PID 1620 wrote to memory of 600	1620	cmd.exe	43
PID 1620 wrote to memory of 600	1620	cmd.exe	43
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 600 wrote to memory of 1836	600	Windows Defender Security Host.exe	44
PID 1744 wrote to memory of 1148	1744	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	45

C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
"C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
  "C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe"
  2⤵
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:456
- - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gVO2Mfmrgx3e.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1724
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1232
      - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1508
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2012
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jZ1U7pdeA38w.bat" "
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
      "C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:580
    - - C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gVO2Mfmrgx3e.bat

Filesize
231B

MD5
377b63bf10302dc3b20271427efdd657

SHA1
fa81d6ac514583c1dc4fbeebc72065c247373442

SHA256
be847136629e797bdb53055b024adbb5fd564b22926f63f7ca72bf3995340380

SHA512
14c019a55b687a8a7be6de962474856b1397c479135594e6cb17c26606719799f8242965ec1b126e50083803dbc943ccd7b9d71c5735e1d63f96ef99ceec59e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jZ1U7pdeA38w.bat

Filesize
261B

MD5
dda6438e0925e9f11fa1f34a1a8974cb

SHA1
93de00592a6b99323dd53da8703e81646666a723

SHA256
5ee26beb2dc50d5ac1c1f761521c650b6d30ce8ead87d9c4350cd468b0ef2419

SHA512
a55e406a861c27ce8bc12dc940390b941393a4fd6814c1619510950c3a1482448dfc14ffd1875059a4ea9d13fa5ed940b158474a5ff85d6e4b4850e11876643e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
memory/280-90-0x0000000000000000-mapping.dmp

Download
memory/456-69-0x0000000000000000-mapping.dmp

Download
memory/580-124-0x0000000000000000-mapping.dmp

Download
memory/600-103-0x0000000000000000-mapping.dmp

Download
memory/640-122-0x0000000000000000-mapping.dmp

Download
memory/948-131-0x0000000000486CAE-mapping.dmp

Download
memory/968-83-0x0000000000486CAE-mapping.dmp

Download
memory/1016-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1016-56-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1016-54-0x0000000001220000-0x00000000012C4000-memory.dmp

Filesize
656KB

Download
memory/1100-123-0x0000000000000000-mapping.dmp

Download
memory/1148-118-0x0000000000000000-mapping.dmp

Download
memory/1232-100-0x0000000000000000-mapping.dmp

Download
memory/1620-92-0x0000000000000000-mapping.dmp

Download
memory/1724-95-0x0000000000000000-mapping.dmp

Download
memory/1744-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-58-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-63-0x0000000000486CAE-mapping.dmp

Download
memory/1744-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-67-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1832-75-0x00000000010A0000-0x0000000001144000-memory.dmp

Filesize
656KB

Download
memory/1832-71-0x0000000000000000-mapping.dmp

Download
memory/1836-111-0x0000000000486CAE-mapping.dmp

Download
memory/1884-101-0x000000006F420000-0x000000006F9CB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-74-0x0000000000000000-mapping.dmp

Download
memory/1940-120-0x0000000000000000-mapping.dmp

Download
memory/2012-94-0x0000000000000000-mapping.dmp

Download
memory/2032-119-0x0000000000000000-mapping.dmp

Download