quasar | 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Size

3.1MB
MD5

239c5f964b458a0a935a4b42d74bcbda
SHA1

7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512

2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
SSDEEP

98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1964-1-0x0000000000B80000-0x0000000000EA4000-memory.dmp	family_quasar
behavioral1/memory/2832-13-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/1984-23-0x0000000001120000-0x0000000001444000-memory.dmp	family_quasar
behavioral1/memory/608-42-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar
behavioral1/memory/1736-53-0x0000000000B10000-0x0000000000E34000-memory.dmp	family_quasar
behavioral1/memory/1908-72-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar
behavioral1/memory/1748-91-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar
behavioral1/memory/2016-101-0x0000000000C20000-0x0000000000F44000-memory.dmp	family_quasar
behavioral1/memory/1184-112-0x00000000010E0000-0x0000000001404000-memory.dmp	family_quasar
behavioral1/memory/2180-142-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
752	PING.EXE
2348	PING.EXE
2852	PING.EXE
2952	PING.EXE
308	PING.EXE
2716	PING.EXE
2760	PING.EXE
1892	PING.EXE
3024	PING.EXE
1956	PING.EXE
2676	PING.EXE
484	PING.EXE
1460	PING.EXE
2632	PING.EXE
2316	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2760	PING.EXE
2632	PING.EXE
1892	PING.EXE
3024	PING.EXE
2852	PING.EXE
308	PING.EXE
484	PING.EXE
2952	PING.EXE
2716	PING.EXE
2348	PING.EXE
1956	PING.EXE
2316	PING.EXE
752	PING.EXE
2676	PING.EXE
1460	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2992	schtasks.exe
3048	schtasks.exe
2164	schtasks.exe
680	schtasks.exe
1760	schtasks.exe
1748	schtasks.exe
268	schtasks.exe
2776	schtasks.exe
2904	schtasks.exe
1204	schtasks.exe
1620	schtasks.exe
1344	schtasks.exe
1232	schtasks.exe
2108	schtasks.exe
1200	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

description	pid	Process
Token: SeDebugPrivilege	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2832	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1984	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2948	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	608	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1736	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1456	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1908	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2640	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1748	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2016	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1184	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1576	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	276	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2180	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.execmd.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.execmd.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.execmd.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.execmd.exe7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

description	pid	Process	procid_target
PID 1964 wrote to memory of 2904	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	30
PID 1964 wrote to memory of 2904	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	30
PID 1964 wrote to memory of 2904	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	30
PID 1964 wrote to memory of 2476	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	32
PID 1964 wrote to memory of 2476	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	32
PID 1964 wrote to memory of 2476	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	32
PID 2476 wrote to memory of 2756	2476	cmd.exe	34
PID 2476 wrote to memory of 2756	2476	cmd.exe	34
PID 2476 wrote to memory of 2756	2476	cmd.exe	34
PID 2476 wrote to memory of 2760	2476	cmd.exe	35
PID 2476 wrote to memory of 2760	2476	cmd.exe	35
PID 2476 wrote to memory of 2760	2476	cmd.exe	35
PID 2476 wrote to memory of 2832	2476	cmd.exe	36
PID 2476 wrote to memory of 2832	2476	cmd.exe	36
PID 2476 wrote to memory of 2832	2476	cmd.exe	36
PID 2832 wrote to memory of 2992	2832	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	37
PID 2832 wrote to memory of 2992	2832	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	37
PID 2832 wrote to memory of 2992	2832	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	37
PID 2832 wrote to memory of 2660	2832	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	39
PID 2832 wrote to memory of 2660	2832	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	39
PID 2832 wrote to memory of 2660	2832	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	39
PID 2660 wrote to memory of 2624	2660	cmd.exe	41
PID 2660 wrote to memory of 2624	2660	cmd.exe	41
PID 2660 wrote to memory of 2624	2660	cmd.exe	41
PID 2660 wrote to memory of 2632	2660	cmd.exe	42
PID 2660 wrote to memory of 2632	2660	cmd.exe	42
PID 2660 wrote to memory of 2632	2660	cmd.exe	42
PID 2660 wrote to memory of 1984	2660	cmd.exe	44
PID 2660 wrote to memory of 1984	2660	cmd.exe	44
PID 2660 wrote to memory of 1984	2660	cmd.exe	44
PID 1984 wrote to memory of 1748	1984	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	45
PID 1984 wrote to memory of 1748	1984	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	45
PID 1984 wrote to memory of 1748	1984	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	45
PID 1984 wrote to memory of 2072	1984	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	47
PID 1984 wrote to memory of 2072	1984	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	47
PID 1984 wrote to memory of 2072	1984	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	47
PID 2072 wrote to memory of 2924	2072	cmd.exe	49
PID 2072 wrote to memory of 2924	2072	cmd.exe	49
PID 2072 wrote to memory of 2924	2072	cmd.exe	49
PID 2072 wrote to memory of 1892	2072	cmd.exe	50
PID 2072 wrote to memory of 1892	2072	cmd.exe	50
PID 2072 wrote to memory of 1892	2072	cmd.exe	50
PID 2072 wrote to memory of 2948	2072	cmd.exe	51
PID 2072 wrote to memory of 2948	2072	cmd.exe	51
PID 2072 wrote to memory of 2948	2072	cmd.exe	51
PID 2948 wrote to memory of 3048	2948	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	52
PID 2948 wrote to memory of 3048	2948	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	52
PID 2948 wrote to memory of 3048	2948	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	52
PID 2948 wrote to memory of 2088	2948	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	54
PID 2948 wrote to memory of 2088	2948	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	54
PID 2948 wrote to memory of 2088	2948	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	54
PID 2088 wrote to memory of 3064	2088	cmd.exe	56
PID 2088 wrote to memory of 3064	2088	cmd.exe	56
PID 2088 wrote to memory of 3064	2088	cmd.exe	56
PID 2088 wrote to memory of 752	2088	cmd.exe	57
PID 2088 wrote to memory of 752	2088	cmd.exe	57
PID 2088 wrote to memory of 752	2088	cmd.exe	57
PID 2088 wrote to memory of 608	2088	cmd.exe	58
PID 2088 wrote to memory of 608	2088	cmd.exe	58
PID 2088 wrote to memory of 608	2088	cmd.exe	58
PID 608 wrote to memory of 1232	608	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	59
PID 608 wrote to memory of 1232	608	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	59
PID 608 wrote to memory of 1232	608	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	59
PID 608 wrote to memory of 444	608	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
"C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2904
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\4wwHr2XV3ZEW.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2756
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
    "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2992
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\rXwunFEAzPqW.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2624
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HJIJtCLp8DpE.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LNLi57ZYg26S.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1232
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\M3tJES1h1HOV.bat" "
        10⤵
        
        PID:444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\40wPSFPKC6FD.bat" "
        12⤵
        
        PID:656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:268
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\15L1pexmLsBz.bat" "
        14⤵
        
        PID:1416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ANfuN31Yhgc.bat" "
        16⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIEDsSmdkVSt.bat" "
        18⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1200
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbKzvyVEVrD5.bat" "
        20⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\denSTtRF5V00.bat" "
        22⤵
        
        PID:3064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oA5oUS6XTMLW.bat" "
        24⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EE8PKNrXPbxp.bat" "
        26⤵
        
        PID:2212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0dLzKyloNMMd.bat" "
        28⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        29⤵
        
        PID:3032
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Mw4URB1bkKX0.bat" "
        30⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0dLzKyloNMMd.bat

Filesize
261B

MD5
eb90649b78aef29876025ccae140d553

SHA1
76878147ea505f7df9e85dd63d6117a61658469c

SHA256
e5ede2d1e54990c820da3b92afd4072230b9b1b3b8b5fa017701f8658240af5b

SHA512
b4ffd7975f2e3bdb588f6fc0826bb236c1063b5a6a2772c4b35142e225593291daba3101847d5ed3910aa1184a163e0c999b6f58459202cdc2768297b3f9157d

Download Submit
C:\Users\Admin\AppData\Local\Temp\15L1pexmLsBz.bat

Filesize
261B

MD5
b2ac727934ad24bc8f99a49dd6daf555

SHA1
47bf4306a79b93223bce2fa820810c752cfb0a5b

SHA256
45db9b27ef913f16d5d44a48370206f93c2a539aeb59dd450a37914a10d99883

SHA512
898d2324525da3ef8b360791d784414645c48cd6d83e184e075283bc70da630bde1a34dc6e0d46405643eba26b51f97a47a1fe58164733c2a4c58f4ab8cba5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\40wPSFPKC6FD.bat

Filesize
261B

MD5
b7d13cacb16f8dd02a1cc69bc8b0c1a9

SHA1
d90b7f14e289c9807be46d539e4c3fc509f0613c

SHA256
f624296c716193bba74b75152e91929ac16d1390495c8a5ef2628755982b6724

SHA512
b1071136eab09954aa876b3f64e9804423979a00b9afc1118948cec7ecbc07f6b060cfc13094bec4012b8bab67306032d63f964c72b3ee4f55e703ed3a6b785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4wwHr2XV3ZEW.bat

Filesize
261B

MD5
fbcc9464b60fb5f7165edd85934e3bdb

SHA1
097c5884a8a8085f9e708291fcc63cdd2f53153d

SHA256
07d2630d8e53b2647db1c21b77cdc1599ba8d503b6047b30a4deea0af1ed3170

SHA512
887a6e232010b45c5b98d4c78d2bcf912eecb0c12d926ed48235b60772be4b5ad2c6976209f080d7f3eec37e76fd874fd719bfe02687f0e2e7c6010fa69f26d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ANfuN31Yhgc.bat

Filesize
261B

MD5
4de240a2bba95159115d10cb3f02374a

SHA1
166f59957adf0166abd8448c1a3852efbc8bbabd

SHA256
552361c350ed24b6e9484573ee1353b52f009eb1a60d6742e64a9209b2d337b0

SHA512
0ac7d6ac58845676e00f9d147cc0c4179c4aba8ad3259b48b49711228c6928db043a2bea0b032774b208f0d8654ce69e4fde5d670d4f3930f6453efec876a25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE8PKNrXPbxp.bat

Filesize
261B

MD5
3cdc2a8bacc4a03b2e7f3ddaaac153da

SHA1
06df76fbdf5807b392bc8ca068c452f3aed5d5c8

SHA256
bbe6e910ea31942570273bcb30824b74e4a5bbebbfcd4d7d005e654420c3505e

SHA512
75ac4358b9eb64cac4a03d9e4ee3f810a78e3f4fad1408fa98affd7a8cfa8e27607250183d33b40ace000b8941ace9d9503af63e51e0052b4e3f97a79f93cd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJIJtCLp8DpE.bat

Filesize
261B

MD5
f58bcaf025cdba447209fbc817301fa1

SHA1
f5d9a80f1c10c342769599907564de2f9c301e77

SHA256
aff4528d03b6f2fad131a967ca4c5b195bc3471af1776af1a638be49988077bf

SHA512
495a8e375583a481a6e0dad4c4b867135f3379b54065121e0ba4be39be758d4d82a42be7a794d9f1ba876cde17c7107432b29ea437f77dc8e3ac90dd76d1f9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\LNLi57ZYg26S.bat

Filesize
261B

MD5
1a4ffe83b7338a376059ed4d6576e04d

SHA1
70140b76716293516c6163b7725d85351436e8cb

SHA256
eeffadee959c91a29360d6aa16dfe6229a36cf6855074ff1eaa29e3c888ed84f

SHA512
8ffdb874120605a30fcb8cca34005e5aed446bb3555629ed9b2afbc997e61aa714c7159fab8fd96d294cb3ee28bea792f36c8097a10a4df98a5eb96b6f7de9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\M3tJES1h1HOV.bat

Filesize
261B

MD5
d6540fcd5a7d37132e241d7e458fbbc8

SHA1
69fbbaad96d5a389ccd9899eb8e8faba026806b4

SHA256
330fae793abaee6c6a2bfd04be038cb02489df94d164c8c2182090a26b4067c5

SHA512
4d1890257395d713aa15796c2ba4d481b0ace5f01bf8eb4c89b174b5424cf44cba2220bea1a0bdd2880bf34e78673818bdc1d603e3cac883b215ad497caa265a

Download Submit
C:\Users\Admin\AppData\Local\Temp\denSTtRF5V00.bat

Filesize
261B

MD5
cc983d900181c6893e2033b2d106bad9

SHA1
327fc50c33309a5ef7051ff1ae7cf463e22093d3

SHA256
cef0431d8cc02a969410a7b5099e47edfa7a3f5b317bd41b71309bb8685ae7f2

SHA512
d862a1d75e66447ab85a397ec9664f495297fd9ced7214280f21fc5927f7841c69d23d1ef440c6e48087d667811db46eb4bdea36bf1c3225834ea88cf023c3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oA5oUS6XTMLW.bat

Filesize
261B

MD5
169281b36c8da28c501aed65f4193114

SHA1
3f177dd46e4150b33863f60d6e61988da5d78507

SHA256
e022ea5f4557c68fa7ae2a7a2fd519350c16feac68a52508b0c1b7f0687a9b06

SHA512
c9693245a5105e04be713cfceec708364dc6cfffbcc8b75d0df9497a337424c8df2cf9e203d32156c1562f085ed14dc71a4485601cfa1cf50258181fce5b8da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIEDsSmdkVSt.bat

Filesize
261B

MD5
af0a0510f18d2e2fe17b75aa684ec40b

SHA1
edf4f2500433598706e83beb9becc39b9beb72b3

SHA256
2680d8cc48eab74a059c52f2389082f9ae3a997c8a8c803516e390972cd38a81

SHA512
b04c3b560d416ce8f97b2f3ba9a6b85944f8300c59716a2b55c2cbf70ed8e783d88adb8f2179ee86f14d8b8ea27a468f2aa39fc1d5cafa32d9f53b3cce91f8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rXwunFEAzPqW.bat

Filesize
261B

MD5
6e52da834581658a2537a81b07a159bd

SHA1
1319b857e38f0eb27f0bfb903b34850d9f3ba407

SHA256
9f809b69b48b62f2b77168659591ac920863d532f7be072fbe3193627cbe180b

SHA512
ee8f0fd6a8b10c20eb904c90688986a0ad7d21c4dab4441d3104aeb8bca67811d7a802ac3cbee1b34408262f2b71ee74a6e0557b8ca39577c7d2de3c0789a5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbKzvyVEVrD5.bat

Filesize
261B

MD5
ea7f4ad7ffa12e44cfebb15824fd92dc

SHA1
3dc7021affc319bb03cf1ab62ff94f01b93ab5ca

SHA256
262884b895c7c95fdf5ffb7e533203ff7788a021c0d9bf6e19d56ec597470dd8

SHA512
4d201544f1cbb9468699a5f00f32f415bcfe48e9125d591eae4f295ff3a33a5bce8ecbdf885b335e6705efbcb0a8b8fbb189e7f1cb326b4d29b19ad1ce1b6628

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/608-42-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download
memory/1184-112-0x00000000010E0000-0x0000000001404000-memory.dmp

Filesize
3.1MB

Download
memory/1736-53-0x0000000000B10000-0x0000000000E34000-memory.dmp

Filesize
3.1MB

Download
memory/1748-91-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download
memory/1908-72-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download
memory/1964-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/1964-11-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-1-0x0000000000B80000-0x0000000000EA4000-memory.dmp

Filesize
3.1MB

Download
memory/1984-23-0x0000000001120000-0x0000000001444000-memory.dmp

Filesize
3.1MB

Download
memory/2016-101-0x0000000000C20000-0x0000000000F44000-memory.dmp

Filesize
3.1MB

Download
memory/2180-142-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/2832-13-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download