quasar | 1dc08cd07a32da62aba3f31a61c0f906a2bb96f488178db94dd644e14da2189a

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite.exe
Size

3.8MB
MD5

f19ebdbf52c63a6a26cde5d21c923c32
SHA1

c5db469697a3fdee465f253b91a369e3af396387
SHA256

1dc08cd07a32da62aba3f31a61c0f906a2bb96f488178db94dd644e14da2189a
SHA512

84b354d95bac0d33b31b61911cb3727e825a1ac770e1d2431eb9f77f5af6901dcb252aae8d193b40d48475d026c87cc048cd681374d5dc704aea14a3d63f81d5
SSDEEP

49152:etVo+axKEpde1nlj0qxOidcA4LQnmA+cfjm+OIJC541yygYWW+sUfuNtyza32ehx:hdA08OidcA4LWZ+cfjm+OIJC541yy1T

Score

10^/10

quasar doner spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Doner

hoposor.duckdns.org:1337

Mutex

79f4ba01-bd36-4d61-8b7e-4a107fd86bae

Attributes

encryption_key
528DA30969D512D5DC441B49DE14E59515A0FCBD
install_name
Proton.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Proton VPN
subdirectory
Proton

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe	family_quasar
behavioral2/memory/916-5-0x00000000006D0000-0x00000000009AA000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Proton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Proton.exe

Executes dropped EXE 15 IoCs

Processes:

ProtonsVPN.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exe

pid	process
916	ProtonsVPN.exe
5012	Proton.exe
2980	Proton.exe
864	Proton.exe
4620	Proton.exe
2328	Proton.exe
4176	Proton.exe
388	Proton.exe
1112	Proton.exe
376	Proton.exe
3084	Proton.exe
1368	Proton.exe
4472	Proton.exe
996	Proton.exe
1992	Proton.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4868	schtasks.exe
4876	schtasks.exe
4136	schtasks.exe
2620	schtasks.exe
2440	schtasks.exe
3764	schtasks.exe
2868	schtasks.exe
2588	schtasks.exe
508	schtasks.exe
4368	schtasks.exe
4572	schtasks.exe
4740	schtasks.exe
2792	schtasks.exe
5008	schtasks.exe
1196	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2780	PING.EXE
2496	PING.EXE
4424	PING.EXE
1900	PING.EXE
1492	PING.EXE
1156	PING.EXE
4948	PING.EXE
2456	PING.EXE
2492	PING.EXE
1044	PING.EXE
208	PING.EXE
2488	PING.EXE
3512	PING.EXE
2400	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Fortnite.exe

pid process

4812 Fortnite.exe
4812 Fortnite.exe

pid	process
4812	Fortnite.exe
4812	Fortnite.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

ProtonsVPN.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exeProton.exe

description	pid	process
Token: SeDebugPrivilege	916	ProtonsVPN.exe
Token: SeDebugPrivilege	5012	Proton.exe
Token: SeDebugPrivilege	2980	Proton.exe
Token: SeDebugPrivilege	864	Proton.exe
Token: SeDebugPrivilege	4620	Proton.exe
Token: SeDebugPrivilege	2328	Proton.exe
Token: SeDebugPrivilege	4176	Proton.exe
Token: SeDebugPrivilege	388	Proton.exe
Token: SeDebugPrivilege	1112	Proton.exe
Token: SeDebugPrivilege	376	Proton.exe
Token: SeDebugPrivilege	3084	Proton.exe
Token: SeDebugPrivilege	1368	Proton.exe
Token: SeDebugPrivilege	4472	Proton.exe
Token: SeDebugPrivilege	996	Proton.exe
Token: SeDebugPrivilege	1992	Proton.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Proton.exeProton.exe

pid process

5012 Proton.exe
2980 Proton.exe

pid	process
5012	Proton.exe
2980	Proton.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Fortnite.execmd.exeProtonsVPN.exeProton.execmd.exeProton.execmd.exeProton.execmd.exeProton.execmd.exeProton.execmd.exeProton.exe

description	pid	process	target process
PID 4812 wrote to memory of 1060	4812	Fortnite.exe	cmd.exe
PID 4812 wrote to memory of 1060	4812	Fortnite.exe	cmd.exe
PID 4812 wrote to memory of 3748	4812	Fortnite.exe	cmd.exe
PID 4812 wrote to memory of 3748	4812	Fortnite.exe	cmd.exe
PID 3748 wrote to memory of 916	3748	cmd.exe	ProtonsVPN.exe
PID 3748 wrote to memory of 916	3748	cmd.exe	ProtonsVPN.exe
PID 4812 wrote to memory of 4904	4812	Fortnite.exe	cmd.exe
PID 4812 wrote to memory of 4904	4812	Fortnite.exe	cmd.exe
PID 916 wrote to memory of 4868	916	ProtonsVPN.exe	schtasks.exe
PID 916 wrote to memory of 4868	916	ProtonsVPN.exe	schtasks.exe
PID 916 wrote to memory of 5012	916	ProtonsVPN.exe	Proton.exe
PID 916 wrote to memory of 5012	916	ProtonsVPN.exe	Proton.exe
PID 5012 wrote to memory of 4876	5012	Proton.exe	schtasks.exe
PID 5012 wrote to memory of 4876	5012	Proton.exe	schtasks.exe
PID 5012 wrote to memory of 1016	5012	Proton.exe	cmd.exe
PID 5012 wrote to memory of 1016	5012	Proton.exe	cmd.exe
PID 1016 wrote to memory of 4292	1016	cmd.exe	chcp.com
PID 1016 wrote to memory of 4292	1016	cmd.exe	chcp.com
PID 1016 wrote to memory of 2400	1016	cmd.exe	PING.EXE
PID 1016 wrote to memory of 2400	1016	cmd.exe	PING.EXE
PID 1016 wrote to memory of 2980	1016	cmd.exe	Proton.exe
PID 1016 wrote to memory of 2980	1016	cmd.exe	Proton.exe
PID 2980 wrote to memory of 2868	2980	Proton.exe	schtasks.exe
PID 2980 wrote to memory of 2868	2980	Proton.exe	schtasks.exe
PID 2980 wrote to memory of 2412	2980	Proton.exe	cmd.exe
PID 2980 wrote to memory of 2412	2980	Proton.exe	cmd.exe
PID 2412 wrote to memory of 4024	2412	cmd.exe	chcp.com
PID 2412 wrote to memory of 4024	2412	cmd.exe	chcp.com
PID 2412 wrote to memory of 2496	2412	cmd.exe	PING.EXE
PID 2412 wrote to memory of 2496	2412	cmd.exe	PING.EXE
PID 2412 wrote to memory of 864	2412	cmd.exe	Proton.exe
PID 2412 wrote to memory of 864	2412	cmd.exe	Proton.exe
PID 864 wrote to memory of 2792	864	Proton.exe	schtasks.exe
PID 864 wrote to memory of 2792	864	Proton.exe	schtasks.exe
PID 864 wrote to memory of 4368	864	Proton.exe	cmd.exe
PID 864 wrote to memory of 4368	864	Proton.exe	cmd.exe
PID 4368 wrote to memory of 4716	4368	cmd.exe	chcp.com
PID 4368 wrote to memory of 4716	4368	cmd.exe	chcp.com
PID 4368 wrote to memory of 2488	4368	cmd.exe	PING.EXE
PID 4368 wrote to memory of 2488	4368	cmd.exe	PING.EXE
PID 4368 wrote to memory of 4620	4368	cmd.exe	Proton.exe
PID 4368 wrote to memory of 4620	4368	cmd.exe	Proton.exe
PID 4620 wrote to memory of 4136	4620	Proton.exe	schtasks.exe
PID 4620 wrote to memory of 4136	4620	Proton.exe	schtasks.exe
PID 4620 wrote to memory of 3236	4620	Proton.exe	cmd.exe
PID 4620 wrote to memory of 3236	4620	Proton.exe	cmd.exe
PID 3236 wrote to memory of 2028	3236	cmd.exe	chcp.com
PID 3236 wrote to memory of 2028	3236	cmd.exe	chcp.com
PID 3236 wrote to memory of 2492	3236	cmd.exe	PING.EXE
PID 3236 wrote to memory of 2492	3236	cmd.exe	PING.EXE
PID 3236 wrote to memory of 2328	3236	cmd.exe	Proton.exe
PID 3236 wrote to memory of 2328	3236	cmd.exe	Proton.exe
PID 2328 wrote to memory of 2588	2328	Proton.exe	schtasks.exe
PID 2328 wrote to memory of 2588	2328	Proton.exe	schtasks.exe
PID 2328 wrote to memory of 3960	2328	Proton.exe	cmd.exe
PID 2328 wrote to memory of 3960	2328	Proton.exe	cmd.exe
PID 3960 wrote to memory of 1264	3960	cmd.exe	chcp.com
PID 3960 wrote to memory of 1264	3960	cmd.exe	chcp.com
PID 3960 wrote to memory of 4424	3960	cmd.exe	PING.EXE
PID 3960 wrote to memory of 4424	3960	cmd.exe	PING.EXE
PID 3960 wrote to memory of 4176	3960	cmd.exe	Proton.exe
PID 3960 wrote to memory of 4176	3960	cmd.exe	Proton.exe
PID 4176 wrote to memory of 5008	4176	Proton.exe	schtasks.exe
PID 4176 wrote to memory of 5008	4176	Proton.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color B1
2⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe
C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4868

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NXVlP9PXvAbS.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:4292

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2400

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQ5VWeo9nkhJ.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4024

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2496

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgDDZvecuXci.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4716

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2488

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qdsv6TZN41pI.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2028

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2492

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9VbDvRRNPew7.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1264

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4424

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aDKomAyBSXIV.bat" "
15⤵
PID:660

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1488

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1900

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6G1vUZ0TyJ7m.bat" "
17⤵
PID:4444

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:3092

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1492

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESh1fPQsIHmm.bat" "
19⤵
PID:216

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:1220

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2780

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcNxujDqX3h1.bat" "
21⤵
PID:3748

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:5040

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1044

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycinND1SmHvv.bat" "
23⤵
PID:4340

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2448

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:1156

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ajOetqFVZH0r.bat" "
25⤵
PID:2408

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:1084

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3512

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhSoIntoQYB6.bat" "
27⤵
PID:3692

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:3184

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:208

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JivHqkpy12jV.bat" "
29⤵
PID:844

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:3348

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4948

C:\Users\Admin\AppData\Roaming\Proton\Proton.exe
"C:\Users\Admin\AppData\Roaming\Proton\Proton.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Proton VPN" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Proton\Proton.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5XPwRdkuWB3L.bat" "
31⤵
PID:2792

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:4580

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
2⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Proton\ProtonsVPN.exe

Filesize
2.8MB

MD5
b0b36e8c58ba04c00fc4f4a1a95b7adf

SHA1
03d53a79e2e500023a8d5ea016f47dfcc5aabf5f

SHA256
eef28529ab73a3b99804de2c9f2218b77c8c5c94d0232c09e53c56e4a0252b7f

SHA512
80b0d523e586c42c91b502b69b4c190f1a5de70c775c479406dad497a587f8e5c40c0d596985d8074bca7afd37a810538a9c3c068dabc286a4f2f0c073bf5abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Proton.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5XPwRdkuWB3L.bat

Filesize
207B

MD5
9879516c06152a1d7f3db7c207ec9032

SHA1
1070ae7a32281e3e77d78753c2cc11750a58eaa5

SHA256
1afb912151811dd8021ef1c8e0fa95baa025c4f1c22122dcfb456798821d08b6

SHA512
41046c02861a5648fcf09503a2d995080cb7e35f2093dfddf127396dc292651a9c42cab6eeba8051cb1d78f5dbe18013b40a5869c7023f3230eacbb3532ae4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6G1vUZ0TyJ7m.bat

Filesize
207B

MD5
9a77bf6f39329a5fff1d65c0c075c135

SHA1
798cca649b31f24f161b6035e66e2a4c1b92ff7e

SHA256
578508f9937fad2f2e5f5d7b2b1a763680944148a1f11222dc154b6260bdaaf5

SHA512
2b8d3d717050fd67c95b085f839c43291d1fe30b09a00c85e31de31bba765b69ffba70a748e80271184df69498d850ff827b6a401f6382f7f847d89c86331c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\9VbDvRRNPew7.bat

Filesize
207B

MD5
11ff06b00da0679e4d2a60ecda1ac401

SHA1
290863b139b7494ab029875082cf29520be570a3

SHA256
bca5773b003cd3a8b1c14d75994d33e0fa33676ea47de685259b7621921a91be

SHA512
c69dc4ac5eb7f896bbec7095d1b92a6cdc32c24a0f61981533c516c485bc9d8a9344f71d50c79de54d4cd160e357449734796ba7f92df057e1ce76092b0c58e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESh1fPQsIHmm.bat

Filesize
207B

MD5
f138f9058b5d1a773bebfdbc101de09f

SHA1
0fda7c471dd5847a86d3ab22989b07d051053315

SHA256
02d06642d8295d881107a72d672f79af336f9026cc30fcb784f748f62653cbdb

SHA512
3e9db2bf4165b5754cd1a4864469d5fa4db708295ea1d967b574c8a2ac0fa6579dd763b95d8a8d615344bcb6913d8746d73a82d5305c14df9549de4c73b34ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JivHqkpy12jV.bat

Filesize
207B

MD5
29f59dd16af1178803426fe9e6cf69e7

SHA1
8db3ce61e7ab91d99e5d70a10c2b06a8438a7b99

SHA256
c0173c7ab1dfcd305f8d84bb75916634dcd1d8eab00ef016f93517006ee4cb28

SHA512
0c0856e75ba1681bf53c7ceac92a59a0459d1bb23d017b9bea4f2124c0602f32a809981583a8f62594c7c9e68c8121b6e5699fcdbe5abc4f711eb4d4577ca015

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXVlP9PXvAbS.bat

Filesize
207B

MD5
433618715bb0483d330c487844ba3972

SHA1
93b45759388a64d4c78f47d4786c179a43090dad

SHA256
5ed6294ecc29cc3bc36b278ce04ec34c3b02efb40f0285a8796e70bf083cee77

SHA512
4cb63694bc9b5935ceb0b5195c9c1d11c026c2e1f30484ea1ee8b38433e6607d3c4b2bf3c959a6e4ac44247bd21500a749f2aa7d54be2d735094aa5c3c0dbe3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aDKomAyBSXIV.bat

Filesize
207B

MD5
b36a8e61bfb8612bd7977896a69a8687

SHA1
07d81a36362c9d7630754fd5a72ba6de453a1c48

SHA256
34c13218d907c4ff6fe64e7f377caa7da433fc9a3321ca0e9e0cfc3d651a069f

SHA512
26bb280e8d13f5700d5b21afdb3ee338502551957070f521c26492765f780f4b3e392e5a50fd09a52d270ff083f31454847e1786da86dd6c2210592ef3cdbc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajOetqFVZH0r.bat

Filesize
207B

MD5
ae8c48889276c533cf4aa79162af10e3

SHA1
091ad2d85e1edb98ab98ef26efe301a8b601bac4

SHA256
95c0b975dde85282d258e3cd4259600bee30b3f4cd314a9f81ec6e75a7b124f6

SHA512
f667ee9f5d6c26e7a14d8ad903bfa8a1f64912598481195a0b92d35c6b1886afd2e9073dcaf2ed5b2d8536069f71e85c6e3929ff9172148acd5f455b90eaec2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhSoIntoQYB6.bat

Filesize
207B

MD5
fbbd9ea26edce7746e2d8300a2bc3b11

SHA1
6d3b64f780abb47c20ac55643f6d0c4f6cbef0a5

SHA256
904f47157ff72a4e0dbdcf5be1cad09e8ac8e8f581f4efd3c92b711c30d56d54

SHA512
f3694d5962e34ebf891424542a2861d35b9facc31c57c8c913a94c03ab73e16b95b9cf929d6e0c447536e24c3fb92e80fd77eb0976dd8ece8578a7fc4e0db044

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQ5VWeo9nkhJ.bat

Filesize
207B

MD5
a76813aeffebd151c5595870fdb67d67

SHA1
53fb686b57e7e2eb981312cfff0dc40c8f593a52

SHA256
5fd57ac2c177949b95c77dbb1c630027f6be48049620934ce02ec213743789f9

SHA512
1cfd218c6c651fce0f7ac0c92728feb9fcf82c93a6ce0cf51f9d59e71c82b208aee2d4539890c8b81646cc538469ffc24be4bf9543dfdf22e27500b527ae8411

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcNxujDqX3h1.bat

Filesize
207B

MD5
877329ebee1f373937d273f78b287822

SHA1
60dfc1d9c27db0a381ca6d2bd5a3a6f7c4b6431b

SHA256
c872807eb2978650075024a9cb37a8db05e66075e0c22cd93b3a25e16918547e

SHA512
f352e37089d74cd785dcb5ed26bb6d768fbdbfd9df496b8a42c0439174c241664f180bc9e04ee2d6fd24babf671fbb7d91b794d9ddbe728bc635631b573e3ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdsv6TZN41pI.bat

Filesize
207B

MD5
59c74485e7b2d7c4d925a6d58131d0ec

SHA1
4dd15f50baba449220585ab5da8a850e25842314

SHA256
13e1533033645cf844fb65e5d4da3fbb8f5dff815b12aa9869343fec548a9063

SHA512
5a490262eca67e6bea36b9ee513e26619bfeff4639e2b0194322f75e7455c6b024cc62e516610ec1f1c31867490097967ee54ec6303cb81b2a545bf374271292

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgDDZvecuXci.bat

Filesize
207B

MD5
a98fb1169523920037b8bb8338918660

SHA1
3a79cf8c66a0ce1a0278c92f13f5058b59919565

SHA256
4b143c092f489998357d5ce67088b7d8a254c8b148f97dcd3b60b7b2c5efa269

SHA512
e6a8d821f3066598bf02e75ffc79c7e69986b5ab868bb19a0e14a2d790b36e7f7d47261a720f54a414a6c3a85e5bc3693c2d1a818e630224c76dee03aeb40f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycinND1SmHvv.bat

Filesize
207B

MD5
b079d231e63ca438192d4f7d250a06e0

SHA1
356b94d31b3054f361faf4ecbce93251c25e1d7a

SHA256
7487fc085c71cb43e13cf1cfbab5a26efd928b56cec866cba0ecb31ec90c169d

SHA512
d85f997a0377da3c8a9ee07e7e136edec3fb6ba549f53fe844723e1a32df16616d3241d7379a05be9ec1a4a6173c4d5a5e7327b20ac5ae184de445f5add7482d

Download Submit
memory/916-12-0x00007FFF97380000-0x00007FFF97E41000-memory.dmp

Filesize
10.8MB

Download
memory/916-6-0x00007FFF97380000-0x00007FFF97E41000-memory.dmp

Filesize
10.8MB

Download
memory/916-5-0x00000000006D0000-0x00000000009AA000-memory.dmp

Filesize
2.9MB

Download
memory/916-4-0x00007FFF97383000-0x00007FFF97385000-memory.dmp

Filesize
8KB

Download
memory/5012-14-0x000000001BC80000-0x000000001BD32000-memory.dmp

Filesize
712KB

Download
memory/5012-13-0x000000001B320000-0x000000001B370000-memory.dmp

Filesize
320KB

Download