quasar | dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe
Size

1.3MB
MD5

092a56d2ffbc62dad8d8a3864fd046fe
SHA1

e90b1e199a1df28a2b748340b3a90a3e6112c058
SHA256

dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83
SHA512

f6215dfd153385b49bf7b2cdb95bc45a2fb45be4ee295448d1bea946199e660ebcb920746388262e05405dc239478f1d4b156bbb03f66c0fb1702df88fba5470
SSDEEP

24576:6gZml969wUGPr2uGKFzFTSpkPNnJJUwEbkWppzscd1:65769PaFTFNn/Uwyzppz

Score

10^/10

quasar pc01 defense_evasion discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

PC01

Dejvicek-46680.portmap.host:46680

Mutex

5f92fc2b-da3a-4aeb-ba6a-9b3d116a65dd

Attributes

encryption_key
32B21847D3A2E85D5FC0279E929E168D73071B91
install_name
Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
discord

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b6d-2.dat	family_quasar
behavioral2/memory/4876-5-0x0000000000430000-0x00000000004FA000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Discord.exe

Executes dropped EXE 16 IoCs

pid	Process
4876	fivem.exe
1672	Discord.exe
1892	Discord.exe
3708	Discord.exe
2452	Discord.exe
548	Discord.exe
4200	Discord.exe
2920	Discord.exe
4460	Discord.exe
4784	Discord.exe
1748	Discord.exe
3168	Discord.exe
628	Discord.exe
2008	Discord.exe
1204	Discord.exe
1044	Discord.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\fivem.exe	dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3860	PING.EXE
3972	PING.EXE
2996	PING.EXE
3804	PING.EXE
1176	PING.EXE
5020	PING.EXE
2352	PING.EXE
1176	PING.EXE
2004	PING.EXE
4528	PING.EXE
4312	PING.EXE
1796	PING.EXE
4316	PING.EXE
432	PING.EXE
2408	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1176	PING.EXE
4316	PING.EXE
432	PING.EXE
3860	PING.EXE
1176	PING.EXE
4312	PING.EXE
2408	PING.EXE
3972	PING.EXE
5020	PING.EXE
1796	PING.EXE
2352	PING.EXE
2004	PING.EXE
2996	PING.EXE
3804	PING.EXE
4528	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5072	schtasks.exe
2844	schtasks.exe
1636	schtasks.exe
3104	schtasks.exe
2988	schtasks.exe
4396	schtasks.exe
4900	schtasks.exe
3524	schtasks.exe
5112	schtasks.exe
2728	schtasks.exe
2176	schtasks.exe
4584	schtasks.exe
4648	schtasks.exe
2008	schtasks.exe
3636	schtasks.exe
2088	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2596	dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	fivem.exe
Token: SeDebugPrivilege	1672	Discord.exe
Token: SeDebugPrivilege	1892	Discord.exe
Token: SeDebugPrivilege	3708	Discord.exe
Token: SeDebugPrivilege	2452	Discord.exe
Token: SeDebugPrivilege	548	Discord.exe
Token: SeDebugPrivilege	4200	Discord.exe
Token: SeDebugPrivilege	2920	Discord.exe
Token: SeDebugPrivilege	4460	Discord.exe
Token: SeDebugPrivilege	4784	Discord.exe
Token: SeDebugPrivilege	1748	Discord.exe
Token: SeDebugPrivilege	3168	Discord.exe
Token: SeDebugPrivilege	628	Discord.exe
Token: SeDebugPrivilege	2008	Discord.exe
Token: SeDebugPrivilege	1204	Discord.exe
Token: SeDebugPrivilege	1044	Discord.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1672	Discord.exe
1892	Discord.exe
3708	Discord.exe
2452	Discord.exe
548	Discord.exe
4200	Discord.exe
2920	Discord.exe
4460	Discord.exe
4784	Discord.exe
1748	Discord.exe
3168	Discord.exe
628	Discord.exe
2008	Discord.exe
1204	Discord.exe
1044	Discord.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1672	Discord.exe
1892	Discord.exe
3708	Discord.exe
2452	Discord.exe
548	Discord.exe
4200	Discord.exe
2920	Discord.exe
4460	Discord.exe
4784	Discord.exe
1748	Discord.exe
3168	Discord.exe
628	Discord.exe
2008	Discord.exe
1204	Discord.exe
1044	Discord.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1500	2596	dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe	83
PID 2596 wrote to memory of 1500	2596	dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe	83
PID 1500 wrote to memory of 4876	1500	cmd.exe	85
PID 1500 wrote to memory of 4876	1500	cmd.exe	85
PID 4876 wrote to memory of 3636	4876	fivem.exe	89
PID 4876 wrote to memory of 3636	4876	fivem.exe	89
PID 4876 wrote to memory of 1672	4876	fivem.exe	91
PID 4876 wrote to memory of 1672	4876	fivem.exe	91
PID 2596 wrote to memory of 2900	2596	dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe	92
PID 2596 wrote to memory of 2900	2596	dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe	92
PID 1672 wrote to memory of 4584	1672	Discord.exe	95
PID 1672 wrote to memory of 4584	1672	Discord.exe	95
PID 1672 wrote to memory of 2732	1672	Discord.exe	99
PID 1672 wrote to memory of 2732	1672	Discord.exe	99
PID 2732 wrote to memory of 1420	2732	cmd.exe	101
PID 2732 wrote to memory of 1420	2732	cmd.exe	101
PID 2732 wrote to memory of 432	2732	cmd.exe	102
PID 2732 wrote to memory of 432	2732	cmd.exe	102
PID 2732 wrote to memory of 1892	2732	cmd.exe	112
PID 2732 wrote to memory of 1892	2732	cmd.exe	112
PID 1892 wrote to memory of 4396	1892	Discord.exe	113
PID 1892 wrote to memory of 4396	1892	Discord.exe	113
PID 1892 wrote to memory of 4232	1892	Discord.exe	116
PID 1892 wrote to memory of 4232	1892	Discord.exe	116
PID 4232 wrote to memory of 4820	4232	cmd.exe	118
PID 4232 wrote to memory of 4820	4232	cmd.exe	118
PID 4232 wrote to memory of 2004	4232	cmd.exe	119
PID 4232 wrote to memory of 2004	4232	cmd.exe	119
PID 4232 wrote to memory of 3708	4232	cmd.exe	120
PID 4232 wrote to memory of 3708	4232	cmd.exe	120
PID 3708 wrote to memory of 2088	3708	Discord.exe	121
PID 3708 wrote to memory of 2088	3708	Discord.exe	121
PID 3708 wrote to memory of 220	3708	Discord.exe	124
PID 3708 wrote to memory of 220	3708	Discord.exe	124
PID 220 wrote to memory of 3068	220	cmd.exe	126
PID 220 wrote to memory of 3068	220	cmd.exe	126
PID 220 wrote to memory of 2996	220	cmd.exe	127
PID 220 wrote to memory of 2996	220	cmd.exe	127
PID 220 wrote to memory of 2452	220	cmd.exe	131
PID 220 wrote to memory of 2452	220	cmd.exe	131
PID 2452 wrote to memory of 4900	2452	Discord.exe	133
PID 2452 wrote to memory of 4900	2452	Discord.exe	133
PID 2452 wrote to memory of 2536	2452	Discord.exe	135
PID 2452 wrote to memory of 2536	2452	Discord.exe	135
PID 2536 wrote to memory of 1968	2536	cmd.exe	138
PID 2536 wrote to memory of 1968	2536	cmd.exe	138
PID 2536 wrote to memory of 3804	2536	cmd.exe	139
PID 2536 wrote to memory of 3804	2536	cmd.exe	139
PID 2536 wrote to memory of 548	2536	cmd.exe	140
PID 2536 wrote to memory of 548	2536	cmd.exe	140
PID 548 wrote to memory of 1636	548	Discord.exe	141
PID 548 wrote to memory of 1636	548	Discord.exe	141
PID 548 wrote to memory of 2988	548	Discord.exe	143
PID 548 wrote to memory of 2988	548	Discord.exe	143
PID 2988 wrote to memory of 3624	2988	cmd.exe	146
PID 2988 wrote to memory of 3624	2988	cmd.exe	146
PID 2988 wrote to memory of 1176	2988	cmd.exe	147
PID 2988 wrote to memory of 1176	2988	cmd.exe	147
PID 2988 wrote to memory of 4200	2988	cmd.exe	149
PID 2988 wrote to memory of 4200	2988	cmd.exe	149
PID 4200 wrote to memory of 4648	4200	Discord.exe	150
PID 4200 wrote to memory of 4648	4200	Discord.exe	150
PID 4200 wrote to memory of 2004	4200	Discord.exe	153
PID 4200 wrote to memory of 2004	4200	Discord.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe
"C:\Users\Admin\AppData\Local\Temp\dc6032bb4d1d30872419a285faf9e3cc8829d6b826151b61317e85cb5e0cec83.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\fivem.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\System32\fivem.exe
    C:\Windows\System32\fivem.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\System32\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\System32\fivem.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3636
  - - C:\Users\Admin\AppData\Roaming\discord\Discord.exe
      "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAhB89nzIr6N.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1420
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:432
      - C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkUbjRXGWPGO.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4lxe1dQOjJaQ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E5c19qzxI5GG.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q693CbEMXGjf.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3UNOgN4v4XSR.bat" "
        15⤵
        
        PID:2004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cvv6eQpYFnHB.bat" "
        17⤵
        
        PID:3428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5020
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m485Wj2aprRh.bat" "
        19⤵
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3860
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CLfZWyCilKyo.bat" "
        21⤵
        
        PID:1960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oB3k7aoTDswa.bat" "
        23⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sZaHdqM7wAXe.bat" "
        25⤵
        
        PID:2004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiaCsHaNPgSr.bat" "
        27⤵
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUn5guFrg6Oz.bat" "
        29⤵
        
        PID:3348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4316
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1204
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WV9SonLtdldn.bat" "
        31⤵
        
        PID:4396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\discord\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\Discord.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\Discord.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIYg77jPahBE.bat" "
        33⤵
        
        PID:4056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System32\fivem.exe
  2⤵
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Discord.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3UNOgN4v4XSR.bat

Filesize
209B

MD5
3fe791ef60723b83775eb9f5de894d32

SHA1
f2778d356ecc61a76aa159630ff2093b7dfd0fa3

SHA256
93ede6741c16cbe4905feca54ffd187f528effa1adb0b68301e415a3e002f7e3

SHA512
7ae1f84e8d99df28ac67aaf2cc86e14810376de8ade30cfee5f22c169ed16ae99bf64c08247ea788225172206d34e2a40c95a973877ed8637ac1dc5bd24660b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4lxe1dQOjJaQ.bat

Filesize
209B

MD5
f3e8f890e7221cc933e3b762a99f3da3

SHA1
9ba729631000ba8a03651f7b84136b34a4582e15

SHA256
1cb65a53c414272dae1aa07768fa82eaa7aed190bf6b8f32e8f78a3fdea7f78a

SHA512
9ef93c77237ea1e8bc626c7dfdf72eaca0c3b12394cbab6ce1559bfed66f067b2bbff5c7309505ecd8079676297cbc3c91bc4f58f818fac8f1be955f414bff3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLfZWyCilKyo.bat

Filesize
209B

MD5
d5f1e891462c1f92129a1c6fd3517742

SHA1
d8457445b75d483041bb9193518dc50a838df481

SHA256
3d058867964d24717205240980aa956b4e05f9de5341a5ddd9328ece86f7e194

SHA512
599f5ef89be8a7167a8dc6e0586a5c72ac82c2732863ed6d5ef00bc909e1a6925fe1a4f97fe6d89eb0485fc6c1ad65a0452de44bd6691170cfb156f69b4b8a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5c19qzxI5GG.bat

Filesize
209B

MD5
3b941351773238afcb89ed0256943f6c

SHA1
7a54da47b4ca5619aa6052295a51cc4f895fec46

SHA256
20f41fd4a6cf2a3dabab6066eef54667b55be2e4d85e4d61d85ac2f268e508c5

SHA512
b047e8b270d4a3c1d54e5bbcf31949b2f63db1845ef9a0294fdc86a2c463db37675efdff1dc5c568cda2fbb8042b4c7f1c906375b6180ee8bb3a45868cc80e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAhB89nzIr6N.bat

Filesize
209B

MD5
2f58348da672d86dedc41cffe7087761

SHA1
8b1229f728aa494074ce1f4133af2bba0213bb43

SHA256
efa9a317c1fe5c65b2e7202043c0963fae092655dcd2c855c2c7ee5be25ac587

SHA512
0584583014d15ff68eede04963985408b8abc3e1b43f2daea8fdbdffd6bbe01dc5619e815899c1699c82b28d34727bdbb192a38f25d3d9f2c449ddd89babb021

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIYg77jPahBE.bat

Filesize
209B

MD5
f657ffff5fba3031848e27d0e7751157

SHA1
b35c704a421d377c6ac904e3c9cd8622ad938f1d

SHA256
4b6f0eae00de7cadd9b1b76438ce01c5c579e0ee4e83e2624aa14c96c55ca936

SHA512
a8bbd40217baf73394b43090b40362cff5c2a33fb0449b5c6ec8cf1ec218d5622810f11fd2b0d957ff2a67a881290eb6224c680d05983faaf01a152a754ceaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OiaCsHaNPgSr.bat

Filesize
209B

MD5
4cdf137734df8daa765dabfa141419d1

SHA1
5030137cbc1ea9413fe0593d63efb9b4b932ea9e

SHA256
f88e435c46a1f35eee0398e4adf8b79b477635f3f599d0ab904926500d6f8214

SHA512
d4b7b9940763629bbd581fd4d491cbba6f8e7c94971d759d04d5fa67eef414a95eaf21834b9b69ddc8e6f86c93c515aa2509e0a4fe1415469bc7fe7b0ce7e349

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q693CbEMXGjf.bat

Filesize
209B

MD5
f23585873367abbc9486f95647b23c95

SHA1
2cd9088100713ebc972df8966ddf5f35df533e7a

SHA256
26c34e44d63323613a382608ca59fb9b3816b3d7e3e509991f3e3e9d3dd30bd4

SHA512
38d3a6dd24dd0bea929947921387803fd6234ab0a9cf94466a05f3f59bac9a59ceaa75e7ff28d63d8e67b6d476b0d66eca609218f05aab25a030cc1491a76467

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUn5guFrg6Oz.bat

Filesize
209B

MD5
6796c312815008a205198ab7d09944fe

SHA1
3411bb68cb15db3599ae48dda069c496636a3eac

SHA256
f9ab9ed7a474fef2399ab228254dd49f9852e0b0f8b8486c30331a75fa320a71

SHA512
be0b4a1289327f18d8b62f047f58b39ef7a95e8f249816defdd674b5d672ef694eb545a454c66ccc9e29452776c23171842bf7c45189b52e60b0bb6a328ab2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WV9SonLtdldn.bat

Filesize
209B

MD5
f5453e95b9f157e06ae4461fbb27db76

SHA1
f534fc548291c55950aa177c1dd372614ac0bfe3

SHA256
071092af616d4ea55d59b6987ed3d6383c4c262efb871978dcf07b0a0f7e37ce

SHA512
bcc068b3a892a61d935a29f7a716418c7d608a90dc1ef419a8e87e705dcb842773614d37c4d5cae40c629a6f4a03b5fe5774bf7220d63d14fb7fedfc084e31c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkUbjRXGWPGO.bat

Filesize
209B

MD5
078c8b9d6a7cd6a8fd17e3f507ea2a24

SHA1
68cb799382cfb99b53aeed0de25dc927e788fb15

SHA256
827f5bc4622bb908c26d9bd4bb694dcc83c4718a2171953acee21da65e2ca9e0

SHA512
4c99cd9be8b0adf14d94417992ff39507fdf9d622f14b4cb0f59461195251ed8e975f8af47fc0d5cb98a83630ed972dc8597143ee0b5ef8d5026f2dd729081f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvv6eQpYFnHB.bat

Filesize
209B

MD5
248b5851c7d400ef88aa044e84680c83

SHA1
28b1e81c7bc6dd0708676ded0a74029380e933e3

SHA256
9470df20e5c06e3e8820613d74c9a3e6e4f0e71e2214413fd697cafc8cda6ab2

SHA512
55f2de62457e076c55e100d0bcd2cd8847e81dcaa85b247bbd89eacd2a49b9ac68cde5a0f8fa2c8b014ba652a3695a98c81102cef1ad873101a12e95d7d847ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\m485Wj2aprRh.bat

Filesize
209B

MD5
7395fd3b231f496fb91a76433ed3537d

SHA1
49d921468d71cfbdc29b97a26e8f9904181ad040

SHA256
f122cc0b2393c342f2072e4a33af4cfb5367272cfa96611e3f4f7e788d41f65e

SHA512
9caeb988960def2255e14c4e075611daea3e0fda720420d160edc9f0d6dc9905b7347698ac3b54eb9b980b6de5ac348dfc06cc93a03a9e598b85f80ed68fc218

Download Submit
C:\Users\Admin\AppData\Local\Temp\oB3k7aoTDswa.bat

Filesize
209B

MD5
5e299405cbbfbc63ef8647bff7ce88a0

SHA1
97f27b0f17e40f253615a549852fb6d82346b687

SHA256
819851c875ef7896128936df8ec07bbf69bc05d71ba374ae6168dd77521aa1f6

SHA512
5fbf15f1f9c4c8bf2fcc9017c9982bd355d9f69594ca8e1bf636849c67731f4131d6ddd98e8e49c16b9b3cb6e25d59f6cad724bff063ddf4a6fda490c73e4b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZaHdqM7wAXe.bat

Filesize
209B

MD5
97645cda70d26fcb8eac1472ec454907

SHA1
372c194355abacc2dd21df303267e8cde6c283b1

SHA256
75d21e24b2054ed30f49efd21d59d434c9101a558be04a3790f80ffb0a6c37cf

SHA512
efaebdb5243d50d842d3cccc851f9ac8f768806aba8cee411d35573d7188601557771c191599f370d393a9e7803d3d229b05a8217241207e7acacebd7c064a11

Download Submit
C:\Windows\System32\fivem.exe

Filesize
781KB

MD5
bfa45271290a25e528236a17ae596272

SHA1
1dfedba344f9b5e1444023b93b7f9250ee9cb874

SHA256
3f9c36ad227f8a0e7ac69eaa85c00f054264ebad92bdff2fa5c87de386b444b2

SHA512
db5616e2a6b9a6fbbd0c444ff2d7e9dadfee240afc0e35f58e8ccc69d2b50a7cc131e9cd2183c4edfbb5a579500fb603c1430692c7c580e6171d1da549e6d41e

Download Submit
memory/1672-14-0x000000001C350000-0x000000001C402000-memory.dmp

Filesize
712KB

Download
memory/1672-13-0x00000000031E0000-0x0000000003230000-memory.dmp

Filesize
320KB

Download
memory/4876-12-0x00007FFC5A730000-0x00007FFC5B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-6-0x00007FFC5A730000-0x00007FFC5B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-5-0x0000000000430000-0x00000000004FA000-memory.dmp

Filesize
808KB

Download
memory/4876-4-0x00007FFC5A733000-0x00007FFC5A735000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads