quasar | f8cce268eecf24bebe0d96991f7013921fd9eb34570a09acfd6ad8fb6ff198f9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe
Size

213KB
MD5

303775c9adc3380f20ce1e6ebf6d3a1e
SHA1

cdc095814bb120f51be73728f78dbe29e82eea9d
SHA256

f8cce268eecf24bebe0d96991f7013921fd9eb34570a09acfd6ad8fb6ff198f9
SHA512

94bd19ef4703790b819a211eb348186d7002eb8d9f96eef1253a447dd2e1df9eb8462b9fa1173ee6f49787083c49f4ee095c0693f85962575ae804e8bd349625
SSDEEP

6144:/+8ZepOGuDnw9tOJavXhe9Tedm/8b1tnawa:/jZepgDj44IyctnE

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RealtekAudio.exe

Executes dropped EXE 13 IoCs

pid	Process
4536	RealtekAudio.exe
4412	RealtekAudio.exe
952	RealtekAudio.exe
4452	RealtekAudio.exe
4668	RealtekAudio.exe
1036	RealtekAudio.exe
452	RealtekAudio.exe
948	RealtekAudio.exe
1124	RealtekAudio.exe
3580	RealtekAudio.exe
2272	RealtekAudio.exe
4908	RealtekAudio.exe
1244	RealtekAudio.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	api.ipstack.com
12	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5000	schtasks.exe
3920	schtasks.exe
4308	schtasks.exe
3600	schtasks.exe
1584	schtasks.exe
4204	schtasks.exe
432	schtasks.exe
3392	schtasks.exe
3916	schtasks.exe
2544	schtasks.exe
3660	schtasks.exe
3384	schtasks.exe
2152	schtasks.exe
3704	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
1804	PING.EXE
1920	PING.EXE
3900	PING.EXE
4536	PING.EXE
3076	PING.EXE
4164	PING.EXE
2036	PING.EXE
4824	PING.EXE
1656	PING.EXE
2828	PING.EXE
392	PING.EXE
3184	PING.EXE
2188	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe
Token: SeDebugPrivilege	4536	RealtekAudio.exe
Token: SeDebugPrivilege	4412	RealtekAudio.exe
Token: SeDebugPrivilege	952	RealtekAudio.exe
Token: SeDebugPrivilege	4452	RealtekAudio.exe
Token: SeDebugPrivilege	4668	RealtekAudio.exe
Token: SeDebugPrivilege	1036	RealtekAudio.exe
Token: SeDebugPrivilege	452	RealtekAudio.exe
Token: SeDebugPrivilege	948	RealtekAudio.exe
Token: SeDebugPrivilege	1124	RealtekAudio.exe
Token: SeDebugPrivilege	3580	RealtekAudio.exe
Token: SeDebugPrivilege	2272	RealtekAudio.exe
Token: SeDebugPrivilege	4908	RealtekAudio.exe
Token: SeDebugPrivilege	1244	RealtekAudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2152	2188	303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe	87
PID 2188 wrote to memory of 2152	2188	303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe	87
PID 2188 wrote to memory of 2152	2188	303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe	87
PID 2188 wrote to memory of 4536	2188	303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe	90
PID 2188 wrote to memory of 4536	2188	303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe	90
PID 2188 wrote to memory of 4536	2188	303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe	90
PID 4536 wrote to memory of 4308	4536	RealtekAudio.exe	91
PID 4536 wrote to memory of 4308	4536	RealtekAudio.exe	91
PID 4536 wrote to memory of 4308	4536	RealtekAudio.exe	91
PID 4536 wrote to memory of 2692	4536	RealtekAudio.exe	93
PID 4536 wrote to memory of 2692	4536	RealtekAudio.exe	93
PID 4536 wrote to memory of 2692	4536	RealtekAudio.exe	93
PID 2692 wrote to memory of 3076	2692	cmd.exe	95
PID 2692 wrote to memory of 3076	2692	cmd.exe	95
PID 2692 wrote to memory of 3076	2692	cmd.exe	95
PID 2692 wrote to memory of 4412	2692	cmd.exe	96
PID 2692 wrote to memory of 4412	2692	cmd.exe	96
PID 2692 wrote to memory of 4412	2692	cmd.exe	96
PID 4412 wrote to memory of 3704	4412	RealtekAudio.exe	97
PID 4412 wrote to memory of 3704	4412	RealtekAudio.exe	97
PID 4412 wrote to memory of 3704	4412	RealtekAudio.exe	97
PID 4412 wrote to memory of 664	4412	RealtekAudio.exe	99
PID 4412 wrote to memory of 664	4412	RealtekAudio.exe	99
PID 4412 wrote to memory of 664	4412	RealtekAudio.exe	99
PID 664 wrote to memory of 3184	664	cmd.exe	101
PID 664 wrote to memory of 3184	664	cmd.exe	101
PID 664 wrote to memory of 3184	664	cmd.exe	101
PID 664 wrote to memory of 952	664	cmd.exe	102
PID 664 wrote to memory of 952	664	cmd.exe	102
PID 664 wrote to memory of 952	664	cmd.exe	102
PID 952 wrote to memory of 4204	952	RealtekAudio.exe	103
PID 952 wrote to memory of 4204	952	RealtekAudio.exe	103
PID 952 wrote to memory of 4204	952	RealtekAudio.exe	103
PID 952 wrote to memory of 3984	952	RealtekAudio.exe	105
PID 952 wrote to memory of 3984	952	RealtekAudio.exe	105
PID 952 wrote to memory of 3984	952	RealtekAudio.exe	105
PID 3984 wrote to memory of 1656	3984	cmd.exe	107
PID 3984 wrote to memory of 1656	3984	cmd.exe	107
PID 3984 wrote to memory of 1656	3984	cmd.exe	107
PID 3984 wrote to memory of 4452	3984	cmd.exe	110
PID 3984 wrote to memory of 4452	3984	cmd.exe	110
PID 3984 wrote to memory of 4452	3984	cmd.exe	110
PID 4452 wrote to memory of 3600	4452	RealtekAudio.exe	111
PID 4452 wrote to memory of 3600	4452	RealtekAudio.exe	111
PID 4452 wrote to memory of 3600	4452	RealtekAudio.exe	111
PID 4452 wrote to memory of 4996	4452	RealtekAudio.exe	113
PID 4452 wrote to memory of 4996	4452	RealtekAudio.exe	113
PID 4452 wrote to memory of 4996	4452	RealtekAudio.exe	113
PID 4996 wrote to memory of 2828	4996	cmd.exe	115
PID 4996 wrote to memory of 2828	4996	cmd.exe	115
PID 4996 wrote to memory of 2828	4996	cmd.exe	115
PID 4996 wrote to memory of 4668	4996	cmd.exe	116
PID 4996 wrote to memory of 4668	4996	cmd.exe	116
PID 4996 wrote to memory of 4668	4996	cmd.exe	116
PID 4668 wrote to memory of 432	4668	RealtekAudio.exe	117
PID 4668 wrote to memory of 432	4668	RealtekAudio.exe	117
PID 4668 wrote to memory of 432	4668	RealtekAudio.exe	117
PID 4668 wrote to memory of 1632	4668	RealtekAudio.exe	119
PID 4668 wrote to memory of 1632	4668	RealtekAudio.exe	119
PID 4668 wrote to memory of 1632	4668	RealtekAudio.exe	119
PID 1632 wrote to memory of 2036	1632	cmd.exe	121
PID 1632 wrote to memory of 2036	1632	cmd.exe	121
PID 1632 wrote to memory of 2036	1632	cmd.exe	121
PID 1632 wrote to memory of 1036	1632	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\303775c9adc3380f20ce1e6ebf6d3a1e_JaffaCakes118.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2152
- C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
  "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKtrYehoG92d.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:3076
  - - C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
      "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fqahde8Ige6G.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:664
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:3184
      - C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MrR0SQoVHfsp.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        9⤵
        Creates scheduled task(s)
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H8spSnHQ7DJN.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rlrk6Nv5Olc0.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        13⤵
        Creates scheduled task(s)
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Cigy2dKTdYK.bat" "
        13⤵
        
        PID:652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        15⤵
        Creates scheduled task(s)
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CdMMdSVs5JBY.bat" "
        15⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:4164
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        17⤵
        Creates scheduled task(s)
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaAr33yVOxhg.bat" "
        17⤵
        
        PID:876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:392
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        19⤵
        Creates scheduled task(s)
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\whBD9hqmSjQU.bat" "
        19⤵
        
        PID:508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        21⤵
        Creates scheduled task(s)
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owoJLK9OmTA8.bat" "
        21⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        Runs ping.exe
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        23⤵
        Creates scheduled task(s)
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKPz3Zq1Jg7t.bat" "
        23⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        25⤵
        Creates scheduled task(s)
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6xPth9UgaEQW.bat" "
        25⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        26⤵
        Runs ping.exe
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe
        
        "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
        27⤵
        Creates scheduled task(s)
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQrJ9JWYhikd.bat" "
        27⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RealtekAudio.exe.log

Filesize
584B

MD5
b2777e9dc90f5ad266047f597f77fbbc

SHA1
0dd2266e068267d4c44193785a6b25c46d9cff00

SHA256
262cf63be22ec43b2d5656aa9fb9db03fe914210d2ddd68d428c5c09057e6c2d

SHA512
3f7647c65d1bddb454991b03175f9fe58f2bd79b19d9fbc9a2ccb83ac60514e2a793073991762f793af19539dcccc76eb9099690cf261ab2c35952fb0dd36724

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Cigy2dKTdYK.bat

Filesize
172B

MD5
b75dfb31cb2bc8bf63f2b5d76f7478c0

SHA1
b746be61316311e9b7cd7d576842dd993b656588

SHA256
c4e5523d7bab1742fea4aba9a7db8baf6a9d24964113afbc34a2310e3819da35

SHA512
f258033f0e0fb7591bd787b73a4d59ec5dc88196cea5db610fd09f16cac8352997736d5f7bf47e6459f49df4376193f47c0cf63339e898080ff6c67432c2fd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xPth9UgaEQW.bat

Filesize
172B

MD5
8e26152afddc2255aab72cbd9c261d41

SHA1
5947ad8d24947e65c6a3b00331aa55baa01542e1

SHA256
84af8eb605bcc25aa9005fb9390ccc2cccb187d087c60e20bc51beb96025310a

SHA512
1e96a76532f8c6d6479e5a50152849303263a9cefb502e675f8ed75ca3ee16a69d6bebfa4419d0a19724f4538df481f3d8ca36a0576571c9985ff3f76aa510ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CdMMdSVs5JBY.bat

Filesize
172B

MD5
7cb99732c241af18fc4fbc274108053a

SHA1
17752d193335109c23f10fb60d6f445a67518d2f

SHA256
0821e65083b3e4fb0eee60794a899326e706d742a3aef94fe61c157ecb721141

SHA512
0669a6c5f1f65d1f30df48a2d638cf59395cf6bc5896dc5653573473d5a435f7797138faead876c29ffb0f142604fddf89974daea1bc8d1159aa2b28405ec6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fqahde8Ige6G.bat

Filesize
172B

MD5
9a4ab529f7ce6affea854c52fd94c4bf

SHA1
af66704622cc08503f01c12139e3a4361a9ba13d

SHA256
7e509542911ddfd4c0132f0b68479b4635d18ec97b9de3042705e822cd374994

SHA512
68056e44cec6a6a2b0b3992b76fac0d461f1a803d61fb3121b2f65b737a2abc6d73f504ff71510db1e31e0d9d45667f3b13382438ed4da9443da2252344cb4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\H8spSnHQ7DJN.bat

Filesize
172B

MD5
f073383d1519d8d70c965547d2de517f

SHA1
60958e86f470b2fd1898e7363e8f8d60ff631165

SHA256
3aa7c0302554c1d684952a88a69a5618982dff179741631fdbb30a336e26699e

SHA512
ce8d90fbb74027c926e1f9a1457503ab2595ffd71cd6c0711e18cd3c26b5104818caeb3b02088fb721def5086c0ceaa60a0aa680373fd36a25433b61e9063966

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQrJ9JWYhikd.bat

Filesize
172B

MD5
11c9a432dbeb7d37ddd697f13f9bc0f2

SHA1
89e859767e32cee6ad016f25f5c612f6ac331b23

SHA256
95c32d9aa1d9591efd80edf3703d168efa47560ed6b5dd1d32323a60a0a52117

SHA512
541a0ae6690653e47bef162730fb21d90284b54e64a77630ffc8ea320b673edd4048feb569af93d2f3eeab6e675af46b8cfaa3b633b774d9e292e277c049fc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\MrR0SQoVHfsp.bat

Filesize
172B

MD5
855945ce24b84e057a23400c322e0bc6

SHA1
e386d867369dcf40f3570b0662870a349526f777

SHA256
4218401ac2df5af41eaa0742dfb8f335053ecf20e24a0d64bf6a24fee72676b8

SHA512
bf642a1a45a73d48877cca49a2a5a20ee00e1fb2e28b08e44e513d06aadbab96d66c99435c23ababf43fe389aa64655b530d54b24b11aaa805da542bb1040b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaAr33yVOxhg.bat

Filesize
172B

MD5
03a4167280a8b4e6c6d39669163751c9

SHA1
02577a374a2918ad25f0ee56f80b69a46c5e4317

SHA256
ed44e974b6629134fd96f1ef446b548efcd005781ecb9c21f403ae5f4ad596ee

SHA512
4f3dab4afc16127cdf418a9f6e2b672cc95bf42704ee437c779a2d5c195d93aadc8179845ee9144534c2406959d36895cca7379f45260fb31f554f574e63d744

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKPz3Zq1Jg7t.bat

Filesize
172B

MD5
73b0f091d1083696b3fcdf0d09c2dc1d

SHA1
d4816225c285f69794363998b90a85467b58036a

SHA256
58aebd0b2d7ec8e5787e5f8c15bdc9e89fd024812f606f05cbef618ed0fed33c

SHA512
45c5e586c2d8c0652076880eb1c8c1b5db5456fd1b76e0d869ee28ad1e4252f5db568569d710ac0189e2270f2ec948d55b60ae6aa9f00d0114acb274ebbae8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\owoJLK9OmTA8.bat

Filesize
172B

MD5
b426d47e911a1237419f478c593f07bb

SHA1
b5b6e8d0de3e77a01c5a19cb3725d8e511223a4e

SHA256
9d799c2636aef93e2866218806501b5addfa3c52e6fc04d7dd6698f6ef8c5133

SHA512
824983b0286a52e03cc8e8a6ebf11418788f79e1fc88c384d4e0d0e4b2046b85f033b2e5799bbd2b296f80ffed29e273408728e0f4e653f064ba1cce7d94603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlrk6Nv5Olc0.bat

Filesize
172B

MD5
7b2cc9c993f686539c159d82a19609dc

SHA1
eff40547e90a354c6fa973c27982c9c0acd3428a

SHA256
880c3ebe848ff072f8ba99a4554d8c17992cdfe56c33d3791396574e932f35ca

SHA512
e8ef07ce1abe2561c047805e7ca154b661ff7a015d9966748d2e7a58c8202971d2dbe0c5d7032259e0261a2e66fb7ebd3eeb64e154bef1600d2b4f27ed215991

Download Submit
C:\Users\Admin\AppData\Local\Temp\whBD9hqmSjQU.bat

Filesize
172B

MD5
72fde8408af640e1467ab019b2a6964a

SHA1
e8c815859f63e381580197351c20542a45e51268

SHA256
87ba09a252bd81c1ced988b72a371af6d65646e33cf5e2185583d80490bcf15c

SHA512
5cbda349cc068c755ca25f9b327380ad0c0f2ffeb028a6d8bad3c2050d6b1e7c6b70d38c14b0217f7568bc4c7b1bf022d59de51dc61eb3cc68e8bc1c930ada38

Download Submit
C:\Users\Admin\AppData\Local\Temp\yKtrYehoG92d.bat

Filesize
172B

MD5
243aa3c2bf15a7b396f0a9a211a43d51

SHA1
0df082d0e4494cb4973ef236adfb0cea5ef9c6fb

SHA256
99f97568d62562add59d13af61ce14881bc992ec2bdf20f709dae0f8b9fa2e78

SHA512
d1888a5136cd82801ef3a7a8a47860d2fb3f2cd2f79f4985467d79ee9bb39dcefd4e749bbf8031639a90b63a420f2da6b5f5eeccd79eacc09bc6eb6cbc668fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Realtek\RealtekAudio.exe

Filesize
213KB

MD5
303775c9adc3380f20ce1e6ebf6d3a1e

SHA1
cdc095814bb120f51be73728f78dbe29e82eea9d

SHA256
f8cce268eecf24bebe0d96991f7013921fd9eb34570a09acfd6ad8fb6ff198f9

SHA512
94bd19ef4703790b819a211eb348186d7002eb8d9f96eef1253a447dd2e1df9eb8462b9fa1173ee6f49787083c49f4ee095c0693f85962575ae804e8bd349625

Download Submit
memory/2188-0-0x0000000075192000-0x0000000075193000-memory.dmp

Filesize
4KB

Download
memory/2188-2-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2188-1-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/2188-11-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4536-16-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4536-10-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4536-9-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4536-8-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads