quasar | 258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
Size

3.1MB
MD5

4b831b964f39059bfd95f56e78086830
SHA1

48649150d6a30522ee550b2cfc5b00fdda00889e
SHA256

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db
SHA512

ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398
SSDEEP

49152:DvilL26AaNeWgPhlmVqvMQ7XSKnIRJ6ibR3LoGdWhNTHHB72eh2NT8:DvaL26AaNeWgPhlmVqkQ7XSKnIRJ6cYp

Score

10^/10

quasar triage discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Triage

sekacex395-58825.portmap.host:1194

Mutex

144ba9a1-0ea5-481a-929a-2aff73023537

Attributes

encryption_key
480A149BDA5F1D4EEBD5CF8EA0711405B7FC59B1
install_name
Client.exe
log_directory
kLogs
reconnect_delay
3000
startup_key
Avast Free Antivirus
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3344-1-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2032	Client.exe
2452	Client.exe
2036	Client.exe
3624	Client.exe
1748	Client.exe
4812	Client.exe
3956	Client.exe
4616	Client.exe
4648	Client.exe
1848	Client.exe
4584	Client.exe
4060	Client.exe
2520	Client.exe
3264	Client.exe
328	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3628	PING.EXE
3644	PING.EXE
2748	PING.EXE
4776	PING.EXE
2892	PING.EXE
5092	PING.EXE
2468	PING.EXE
1008	PING.EXE
2512	PING.EXE
404	PING.EXE
2636	PING.EXE
1448	PING.EXE
3336	PING.EXE
4004	PING.EXE
4792	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2636	PING.EXE
3628	PING.EXE
5092	PING.EXE
3336	PING.EXE
2468	PING.EXE
2748	PING.EXE
4776	PING.EXE
2512	PING.EXE
1448	PING.EXE
4004	PING.EXE
4792	PING.EXE
3644	PING.EXE
2892	PING.EXE
1008	PING.EXE
404	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1128	schtasks.exe
4164	schtasks.exe
3412	schtasks.exe
3436	schtasks.exe
3540	schtasks.exe
4236	schtasks.exe
4956	schtasks.exe
764	schtasks.exe
3456	schtasks.exe
3604	schtasks.exe
4440	schtasks.exe
1284	schtasks.exe
3628	schtasks.exe
4688	schtasks.exe
748	schtasks.exe
1844	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3344	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
Token: SeDebugPrivilege	2032	Client.exe
Token: SeDebugPrivilege	2452	Client.exe
Token: SeDebugPrivilege	2036	Client.exe
Token: SeDebugPrivilege	3624	Client.exe
Token: SeDebugPrivilege	1748	Client.exe
Token: SeDebugPrivilege	4812	Client.exe
Token: SeDebugPrivilege	3956	Client.exe
Token: SeDebugPrivilege	4616	Client.exe
Token: SeDebugPrivilege	4648	Client.exe
Token: SeDebugPrivilege	1848	Client.exe
Token: SeDebugPrivilege	4584	Client.exe
Token: SeDebugPrivilege	4060	Client.exe
Token: SeDebugPrivilege	2520	Client.exe
Token: SeDebugPrivilege	3264	Client.exe
Token: SeDebugPrivilege	328	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3344 wrote to memory of 3412	3344	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	schtasks.exe
PID 3344 wrote to memory of 3412	3344	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	schtasks.exe
PID 3344 wrote to memory of 2032	3344	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	Client.exe
PID 3344 wrote to memory of 2032	3344	258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe	Client.exe
PID 2032 wrote to memory of 4688	2032	Client.exe	schtasks.exe
PID 2032 wrote to memory of 4688	2032	Client.exe	schtasks.exe
PID 2032 wrote to memory of 2920	2032	Client.exe	cmd.exe
PID 2032 wrote to memory of 2920	2032	Client.exe	cmd.exe
PID 2920 wrote to memory of 2700	2920	cmd.exe	chcp.com
PID 2920 wrote to memory of 2700	2920	cmd.exe	chcp.com
PID 2920 wrote to memory of 2748	2920	cmd.exe	PING.EXE
PID 2920 wrote to memory of 2748	2920	cmd.exe	PING.EXE
PID 2920 wrote to memory of 2452	2920	cmd.exe	Client.exe
PID 2920 wrote to memory of 2452	2920	cmd.exe	Client.exe
PID 2452 wrote to memory of 3436	2452	Client.exe	schtasks.exe
PID 2452 wrote to memory of 3436	2452	Client.exe	schtasks.exe
PID 2452 wrote to memory of 5008	2452	Client.exe	cmd.exe
PID 2452 wrote to memory of 5008	2452	Client.exe	cmd.exe
PID 5008 wrote to memory of 2744	5008	cmd.exe	chcp.com
PID 5008 wrote to memory of 2744	5008	cmd.exe	chcp.com
PID 5008 wrote to memory of 2636	5008	cmd.exe	PING.EXE
PID 5008 wrote to memory of 2636	5008	cmd.exe	PING.EXE
PID 5008 wrote to memory of 2036	5008	cmd.exe	Client.exe
PID 5008 wrote to memory of 2036	5008	cmd.exe	Client.exe
PID 2036 wrote to memory of 748	2036	Client.exe	schtasks.exe
PID 2036 wrote to memory of 748	2036	Client.exe	schtasks.exe
PID 2036 wrote to memory of 1568	2036	Client.exe	cmd.exe
PID 2036 wrote to memory of 1568	2036	Client.exe	cmd.exe
PID 1568 wrote to memory of 3132	1568	cmd.exe	chcp.com
PID 1568 wrote to memory of 3132	1568	cmd.exe	chcp.com
PID 1568 wrote to memory of 3628	1568	cmd.exe	PING.EXE
PID 1568 wrote to memory of 3628	1568	cmd.exe	PING.EXE
PID 1568 wrote to memory of 3624	1568	cmd.exe	Client.exe
PID 1568 wrote to memory of 3624	1568	cmd.exe	Client.exe
PID 3624 wrote to memory of 1128	3624	Client.exe	schtasks.exe
PID 3624 wrote to memory of 1128	3624	Client.exe	schtasks.exe
PID 3624 wrote to memory of 3040	3624	Client.exe	cmd.exe
PID 3624 wrote to memory of 3040	3624	Client.exe	cmd.exe
PID 3040 wrote to memory of 3952	3040	cmd.exe	chcp.com
PID 3040 wrote to memory of 3952	3040	cmd.exe	chcp.com
PID 3040 wrote to memory of 4776	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 4776	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 1748	3040	cmd.exe	Client.exe
PID 3040 wrote to memory of 1748	3040	cmd.exe	Client.exe
PID 1748 wrote to memory of 3456	1748	Client.exe	schtasks.exe
PID 1748 wrote to memory of 3456	1748	Client.exe	schtasks.exe
PID 1748 wrote to memory of 2596	1748	Client.exe	cmd.exe
PID 1748 wrote to memory of 2596	1748	Client.exe	cmd.exe
PID 2596 wrote to memory of 3108	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 3108	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 2892	2596	cmd.exe	PING.EXE
PID 2596 wrote to memory of 2892	2596	cmd.exe	PING.EXE
PID 2596 wrote to memory of 4812	2596	cmd.exe	Client.exe
PID 2596 wrote to memory of 4812	2596	cmd.exe	Client.exe
PID 4812 wrote to memory of 4956	4812	Client.exe	schtasks.exe
PID 4812 wrote to memory of 4956	4812	Client.exe	schtasks.exe
PID 4812 wrote to memory of 4412	4812	Client.exe	cmd.exe
PID 4812 wrote to memory of 4412	4812	Client.exe	cmd.exe
PID 4412 wrote to memory of 3028	4412	cmd.exe	chcp.com
PID 4412 wrote to memory of 3028	4412	cmd.exe	chcp.com
PID 4412 wrote to memory of 1008	4412	cmd.exe	PING.EXE
PID 4412 wrote to memory of 1008	4412	cmd.exe	PING.EXE
PID 4412 wrote to memory of 3956	4412	cmd.exe	Client.exe
PID 4412 wrote to memory of 3956	4412	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe
"C:\Users\Admin\AppData\Local\Temp\258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3412
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sHNTKBfSFZMB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2700
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2748
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oNu2krpVMMZK.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2744
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGjWa9Nxj3JS.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0OVGgb3Zkxs8.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omwDjEbndsdb.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaVPiDqSFFq0.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liQ9gb7VYRGl.bat" "
        15⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZFftUMPSu8p7.bat" "
        17⤵
        
        PID:4488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\edEYQRU7PBva.bat" "
        19⤵
        
        PID:3544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFMhp6qZN7HX.bat" "
        21⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iJ4xK8YZyryP.bat" "
        23⤵
        
        PID:4740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgNOeYLuFsOd.bat" "
        25⤵
        
        PID:4156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XPWF28LRwdtV.bat" "
        27⤵
        
        PID:4804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:404
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOsiyapuFjfq.bat" "
        29⤵
        
        PID:3228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Avast Free Antivirus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R0RS0kb3znsa.bat" "
        31⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0OVGgb3Zkxs8.bat

Filesize
207B

MD5
3864a85a49e3a9f523051240c674d535

SHA1
6abec131aa7633417f4061e09934d11295920f01

SHA256
89d1ae460549ffde4fd08c8961061a4fe363606eb2320954a5dc06c8f89ffe43

SHA512
c1276c5d8a31bcc2c3519b22826bb352450cc385c64c4dd960ca7e4ee877d47814fb4b83ac8b086198f80bfd0674e263b92fa8fbf04b2f677305592cb488bfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFMhp6qZN7HX.bat

Filesize
207B

MD5
26a37c299d442a76af6a6d26012f015a

SHA1
ca6a4685bed2de4d8f2724ef2e36a14cc28b2f24

SHA256
c95109fb9125704a1b08347e0c05819aecbc78a0d39db99edd0be5f49cf5e2ca

SHA512
9792013691ed692bd762c02e18f7c4f2302ab71df398b8ae6dfa5fef1a075118fb4d44ab97b5d2d3498fe750d71cf1fd62844dc0e557309337e8fd733f35836c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgNOeYLuFsOd.bat

Filesize
207B

MD5
e8aea2de0fb10a64cdebb50fa5c58de9

SHA1
da28c5d42fe215e68d570e2e3fd89762bfb084a4

SHA256
600c0f9b867a56b9502353dc8cdf308805f538d7c9c751613f828c32bdadb147

SHA512
fe5b38a8e5bdc862c5bf11e9739070a1285c95d6417b645b8bdcb3687df75397e1d604bd847f7b00070dedc0dd52a6d7d7d4ef51a61aa75980a5f86691d4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\R0RS0kb3znsa.bat

Filesize
207B

MD5
0871566392e425f7cc4af3c8a4c8cf3d

SHA1
b151214c747c4cfbea4e0e7a56697a561c94fe93

SHA256
84827189b42936cd6a956f52ba58d479e23b3bad43fcc1988970c81dedb18788

SHA512
6deca06076ec9bc568e6dee68419001a4670e7f380b228bd7a431e0906bb7604b8de97ff480e8d6ef73848c3c935c32ddb4880ccff09c7314545d6e580656719

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPWF28LRwdtV.bat

Filesize
207B

MD5
06a998a6cce10a07b769cb0b96d98ab4

SHA1
97a0615f01149433b0dfd4c5b2dc5ad7d0da4c8e

SHA256
cc11477c6e2b0fb202e108a8124035477ea66ad8ec6545b8d13b2dc0b83c4392

SHA512
3409595c2181675dc3ddfc462704ad7aa6aed2700fd5a4ebed58ce3c3ee9ea6cb54bb9e11ec0b2cb80929c8f12ed94b3741c68f80e295834973ef71e960b6ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOsiyapuFjfq.bat

Filesize
207B

MD5
3032caf7634cf1674433acb1d8eb35d4

SHA1
a5792c1580288cb03991ae8bd54abae1697857d8

SHA256
25c6a714ac9565ab3edbb802262ff67c780652b955ce56b092572c0a948a58d5

SHA512
e378f36ee5fd1dfc927cafbcd6f861c0b1dcfe2b686053da60a8b84e586973b982417d5af5c57da11c45996de2d532e3ace062fd048455fe3c5f79c69f90ec56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFftUMPSu8p7.bat

Filesize
207B

MD5
001fef58a7abbb02f5974d51f17c9cb0

SHA1
4273655af20744b42c9dd5b458ff3fab82f441eb

SHA256
43252788da2667ecea2d74f69c1a7fcc46d26fc355091690d49821e2de542e0d

SHA512
9dd1b97f106b17d54a84f1a1546e5ae99311f25f180da7545d4a81cf4708ea386545d18449829c9a914c8a4c3a138bbeb4f14a33d7928d7078575625b8406702

Download Submit
C:\Users\Admin\AppData\Local\Temp\edEYQRU7PBva.bat

Filesize
207B

MD5
0672c22184df28821dbf403a5d93a308

SHA1
1faf5d8f353c86adb3977bef580cebb44a064893

SHA256
7c832f8fc7accc2a7464181f6a6a0f4faff2eb1708f993dca06ae8f9fad077f4

SHA512
7adf0ee4ec42f844aca6c4e282bc001e8443c0dd88fcf686c76e8dea5b3b4321be1db09e05e91844686db8d4afaad02e96807790a0a188fc1f0bd3f468e80c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iJ4xK8YZyryP.bat

Filesize
207B

MD5
a1adcd91f89d2e0a1a2f9c98a0518184

SHA1
223ca5b293ca55c0d44d391a06e5d0a73a30a3b4

SHA256
d62d704f5ed2d01bdb2b9e37b2639353e4f8371b07838b965e24425716f81a94

SHA512
68d20a61ac43a6756c38ccc1570897092e97e7963c6b2031678e737abc830e58aeb0071be4b10bf7da5fd40c8e3d8ce2aa8280b78c03ead3abeb7334c7877a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaVPiDqSFFq0.bat

Filesize
207B

MD5
9b2f5285607dbcb7612ace4f6b1820ca

SHA1
cbd2c29c6e87da4a59158d8bb6abd5d15802d659

SHA256
f16244968c1c46ebf68dc6bf9bb593a5adb87986939dc3eee940901dac18250e

SHA512
732d0d0546f56b7369e2150ada4671b83d3a77ed1d47fbcb97ec5a7805a1a85eb53dceaf5e917fa881be5450b2d3cb01b1a9f6d0039562c4c6fa82e74ede5d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\liQ9gb7VYRGl.bat

Filesize
207B

MD5
b5c23554f81feee12232e2a07fca065c

SHA1
56269c6be1b2da4210c9395ba7c7bd34f8c4d2e8

SHA256
f53e7636c310a6732e5f0eef398e8fd394ff3de09c5404513e1043175152a4c6

SHA512
38c5d146fd7ac85ec233932893f9a3a170a201d54eda4080455ee29177c5a3c5bbba888c63f7273c7227353ee339b07c5da3e86dc54420b7df3d437043fe51d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oNu2krpVMMZK.bat

Filesize
207B

MD5
dd0858a6dce015a08bb11d1912c22bf4

SHA1
2da7eea51b514b255404230da898d445b9aa14c7

SHA256
a2c05ff947bfe9481562f6d7a56fd874d02d762468d484164558eca68821ad86

SHA512
f3689b2e26ba4cf1dbe525d771aeef220441ff3a55b70fc96f91552aaed47ed691e59f696170c1ec773a2a8844f109f536f9fd4e652309d62d0ec69e2c9fc638

Download Submit
C:\Users\Admin\AppData\Local\Temp\omwDjEbndsdb.bat

Filesize
207B

MD5
5f9d6b6b17bd0bfa659c366cf29558f7

SHA1
4061d1e60d04702cc064e997b64cda42f28c6040

SHA256
b00a2e6fa89527ed6e3004a25e890c5ecd9f75f30f5a2b2a3ca5fc76fa4797c1

SHA512
6a0074821a4200f6905600dea23639abcf4e99b238ca6f5f05cbdafbb793f8d97e05029b024fdd48cdfc58d47e66d378138b45b7eaf5f8f1129618a9e9a74df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sHNTKBfSFZMB.bat

Filesize
207B

MD5
21e2952fdfc43763c9a96d6f7fd2c702

SHA1
76e8f36561b1e37fc99754f0b69ced6c1be5c9d8

SHA256
dc0250ac87212b8a74c9afd6cd791c1c6d4eae539ca35e4c190483171813c283

SHA512
4e46b641ee81c26f4ca593efec2076d5fadd10a53b874db51fe403f9f83ae0fcf18b345adba3b394eb0dc8200e2fb4e2353fddc43a39713cd505d2a0e81f9cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGjWa9Nxj3JS.bat

Filesize
207B

MD5
2b8ed93cd3b7d5fb8000273840b33b8b

SHA1
ef43fdc3af1b1d0a4dc01ebe587c90461f308f3c

SHA256
60eefa80d4627775d51952323c03547aef94b51a1f7b11c24cbc9ce7818e8127

SHA512
0557692763fd811dc4602a71b9773801d074cf743c4015348ab4d2caaf1fd9abfae6d1a75536cfd1f44df4fd9e388ba67b506681312c015711fcfbf68bf4b3bb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
4b831b964f39059bfd95f56e78086830

SHA1
48649150d6a30522ee550b2cfc5b00fdda00889e

SHA256
258ba8472468daf6cd6fa5f330bc6d28939507e414d29dd7d712d3351e8282db

SHA512
ed737225027fce0f6d030a3ab8f9ee329f395e08657e1c283402b7bcab772776f8015afd19535e250899893ed655b40fbed4f7fb2c22f28e668290d322ccd398

Download Submit
memory/2032-12-0x000000001BCE0000-0x000000001BD30000-memory.dmp

Filesize
320KB

Download
memory/2032-13-0x000000001C3F0000-0x000000001C4A2000-memory.dmp

Filesize
712KB

Download
memory/2032-18-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-11-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-9-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-10-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-0-0x00007FFB40EF3000-0x00007FFB40EF5000-memory.dmp

Filesize
8KB

Download
memory/3344-2-0x00007FFB40EF0000-0x00007FFB419B1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-1-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download