quasar | e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EnigmaSRC..exe
Size

3.3MB
MD5

bf4ca8258fd2f4df510aa046bbf7b21c
SHA1

79fe2a2cd3df7f83a44c33d2a061d588a8238c07
SHA256

e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156
SHA512

aa29baddc0854ab283b14ad2ef1de9bca806576dccfcce4d92675220f5f7f9c4c4a5c6f3f88b6316d765749c4845013ab674cbc1574e9e252d3e179dd0d48828
SSDEEP

49152:tvjt62XlaSFNWPjljiFa2RoUYI8qR16AbR30oGdUTHHB72eh2NT:tvx62XlaSFNWPjljiFXRoUYI8qR161

Score

10^/10

quasar enigma.sln discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Enigma.Sln

C:\Users\nigger>:4782

Mutex

79e05c67-893c-4161-b8aa-df3a5e2de8c8

Attributes

encryption_key
180D990AA3B58892A5FBAE1EDF8AAEDB00F4AF8E
install_name
host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Visual Studios
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1796-1-0x0000000000DA0000-0x00000000010F0000-memory.dmp	family_quasar
behavioral1/files/0x000700000001925b-6.dat	family_quasar
behavioral1/memory/1036-9-0x0000000001100000-0x0000000001450000-memory.dmp	family_quasar
behavioral1/memory/3068-23-0x0000000001220000-0x0000000001570000-memory.dmp	family_quasar
behavioral1/memory/744-74-0x0000000000170000-0x00000000004C0000-memory.dmp	family_quasar
behavioral1/memory/868-85-0x0000000000290000-0x00000000005E0000-memory.dmp	family_quasar
behavioral1/memory/2368-96-0x00000000002D0000-0x0000000000620000-memory.dmp	family_quasar
behavioral1/memory/2904-107-0x00000000000B0000-0x0000000000400000-memory.dmp	family_quasar
behavioral1/memory/2296-118-0x0000000000110000-0x0000000000460000-memory.dmp	family_quasar
behavioral1/memory/880-129-0x0000000000FD0000-0x0000000001320000-memory.dmp	family_quasar
behavioral1/memory/2012-140-0x00000000001A0000-0x00000000004F0000-memory.dmp	family_quasar
behavioral1/memory/2492-151-0x0000000000A90000-0x0000000000DE0000-memory.dmp	family_quasar
behavioral1/memory/1040-162-0x0000000001370000-0x00000000016C0000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
1036	host.exe
3068	host.exe
2852	host.exe
1272	host.exe
1612	host.exe
2320	host.exe
744	host.exe
868	host.exe
2368	host.exe
2904	host.exe
2296	host.exe
880	host.exe
2012	host.exe
2492	host.exe
1040	host.exe

Drops file in System32 directory 33 IoCs

Processes:

host.exeEnigmaSRC..exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File created	C:\Windows\system32\SubDir\host.exe	EnigmaSRC..exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	EnigmaSRC..exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	EnigmaSRC..exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1380	PING.EXE
2636	PING.EXE
2596	PING.EXE
2552	PING.EXE
1756	PING.EXE
1100	PING.EXE
2912	PING.EXE
2900	PING.EXE
2884	PING.EXE
2412	PING.EXE
2552	PING.EXE
1180	PING.EXE
992	PING.EXE
2524	PING.EXE
680	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1100	PING.EXE
2912	PING.EXE
1180	PING.EXE
992	PING.EXE
2900	PING.EXE
2636	PING.EXE
1756	PING.EXE
2412	PING.EXE
2552	PING.EXE
2524	PING.EXE
680	PING.EXE
1380	PING.EXE
2596	PING.EXE
2884	PING.EXE
2552	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2444	schtasks.exe
2548	schtasks.exe
2148	schtasks.exe
2816	schtasks.exe
2688	schtasks.exe
2008	schtasks.exe
1528	schtasks.exe
2860	schtasks.exe
1140	schtasks.exe
2588	schtasks.exe
376	schtasks.exe
1052	schtasks.exe
2944	schtasks.exe
1720	schtasks.exe
1692	schtasks.exe
1348	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

EnigmaSRC..exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

description	pid	Process
Token: SeDebugPrivilege	1796	EnigmaSRC..exe
Token: SeDebugPrivilege	1036	host.exe
Token: SeDebugPrivilege	3068	host.exe
Token: SeDebugPrivilege	2852	host.exe
Token: SeDebugPrivilege	1272	host.exe
Token: SeDebugPrivilege	1612	host.exe
Token: SeDebugPrivilege	2320	host.exe
Token: SeDebugPrivilege	744	host.exe
Token: SeDebugPrivilege	868	host.exe
Token: SeDebugPrivilege	2368	host.exe
Token: SeDebugPrivilege	2904	host.exe
Token: SeDebugPrivilege	2296	host.exe
Token: SeDebugPrivilege	880	host.exe
Token: SeDebugPrivilege	2012	host.exe
Token: SeDebugPrivilege	2492	host.exe
Token: SeDebugPrivilege	1040	host.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
1036	host.exe
3068	host.exe
2852	host.exe
1272	host.exe
1612	host.exe
2320	host.exe
744	host.exe
868	host.exe
2368	host.exe
2904	host.exe
2296	host.exe
880	host.exe
2012	host.exe
2492	host.exe
1040	host.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
1036	host.exe
3068	host.exe
2852	host.exe
1272	host.exe
1612	host.exe
2320	host.exe
744	host.exe
868	host.exe
2368	host.exe
2904	host.exe
2296	host.exe
880	host.exe
2012	host.exe
2492	host.exe
1040	host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EnigmaSRC..exehost.execmd.exehost.execmd.exehost.execmd.exehost.execmd.exe

description	pid	Process	procid_target
PID 1796 wrote to memory of 2008	1796	EnigmaSRC..exe	30
PID 1796 wrote to memory of 2008	1796	EnigmaSRC..exe	30
PID 1796 wrote to memory of 2008	1796	EnigmaSRC..exe	30
PID 1796 wrote to memory of 1036	1796	EnigmaSRC..exe	32
PID 1796 wrote to memory of 1036	1796	EnigmaSRC..exe	32
PID 1796 wrote to memory of 1036	1796	EnigmaSRC..exe	32
PID 1036 wrote to memory of 1692	1036	host.exe	33
PID 1036 wrote to memory of 1692	1036	host.exe	33
PID 1036 wrote to memory of 1692	1036	host.exe	33
PID 1036 wrote to memory of 2804	1036	host.exe	35
PID 1036 wrote to memory of 2804	1036	host.exe	35
PID 1036 wrote to memory of 2804	1036	host.exe	35
PID 2804 wrote to memory of 2888	2804	cmd.exe	37
PID 2804 wrote to memory of 2888	2804	cmd.exe	37
PID 2804 wrote to memory of 2888	2804	cmd.exe	37
PID 2804 wrote to memory of 2900	2804	cmd.exe	38
PID 2804 wrote to memory of 2900	2804	cmd.exe	38
PID 2804 wrote to memory of 2900	2804	cmd.exe	38
PID 2804 wrote to memory of 3068	2804	cmd.exe	40
PID 2804 wrote to memory of 3068	2804	cmd.exe	40
PID 2804 wrote to memory of 3068	2804	cmd.exe	40
PID 3068 wrote to memory of 1528	3068	host.exe	41
PID 3068 wrote to memory of 1528	3068	host.exe	41
PID 3068 wrote to memory of 1528	3068	host.exe	41
PID 3068 wrote to memory of 2752	3068	host.exe	43
PID 3068 wrote to memory of 2752	3068	host.exe	43
PID 3068 wrote to memory of 2752	3068	host.exe	43
PID 2752 wrote to memory of 2404	2752	cmd.exe	45
PID 2752 wrote to memory of 2404	2752	cmd.exe	45
PID 2752 wrote to memory of 2404	2752	cmd.exe	45
PID 2752 wrote to memory of 2552	2752	cmd.exe	46
PID 2752 wrote to memory of 2552	2752	cmd.exe	46
PID 2752 wrote to memory of 2552	2752	cmd.exe	46
PID 2752 wrote to memory of 2852	2752	cmd.exe	47
PID 2752 wrote to memory of 2852	2752	cmd.exe	47
PID 2752 wrote to memory of 2852	2752	cmd.exe	47
PID 2852 wrote to memory of 2860	2852	host.exe	48
PID 2852 wrote to memory of 2860	2852	host.exe	48
PID 2852 wrote to memory of 2860	2852	host.exe	48
PID 2852 wrote to memory of 2920	2852	host.exe	50
PID 2852 wrote to memory of 2920	2852	host.exe	50
PID 2852 wrote to memory of 2920	2852	host.exe	50
PID 2920 wrote to memory of 356	2920	cmd.exe	52
PID 2920 wrote to memory of 356	2920	cmd.exe	52
PID 2920 wrote to memory of 356	2920	cmd.exe	52
PID 2920 wrote to memory of 1380	2920	cmd.exe	53
PID 2920 wrote to memory of 1380	2920	cmd.exe	53
PID 2920 wrote to memory of 1380	2920	cmd.exe	53
PID 2920 wrote to memory of 1272	2920	cmd.exe	54
PID 2920 wrote to memory of 1272	2920	cmd.exe	54
PID 2920 wrote to memory of 1272	2920	cmd.exe	54
PID 1272 wrote to memory of 1140	1272	host.exe	55
PID 1272 wrote to memory of 1140	1272	host.exe	55
PID 1272 wrote to memory of 1140	1272	host.exe	55
PID 1272 wrote to memory of 2524	1272	host.exe	57
PID 1272 wrote to memory of 2524	1272	host.exe	57
PID 1272 wrote to memory of 2524	1272	host.exe	57
PID 2524 wrote to memory of 2272	2524	cmd.exe	59
PID 2524 wrote to memory of 2272	2524	cmd.exe	59
PID 2524 wrote to memory of 2272	2524	cmd.exe	59
PID 2524 wrote to memory of 2636	2524	cmd.exe	60
PID 2524 wrote to memory of 2636	2524	cmd.exe	60
PID 2524 wrote to memory of 2636	2524	cmd.exe	60
PID 2524 wrote to memory of 1612	2524	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EnigmaSRC..exe
"C:\Users\Admin\AppData\Local\Temp\EnigmaSRC..exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2008
- C:\Windows\system32\SubDir\host.exe
  "C:\Windows\system32\SubDir\host.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1692
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7xfrxdYY6iyo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2888
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2900
  - - C:\Windows\system32\SubDir\host.exe
      "C:\Windows\system32\SubDir\host.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\i50VFvwxAjeS.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2404
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2552
      - C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8qezZ8uTZqgw.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1380
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1140
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\khnUI5hsy1oF.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p2ZyFdmbW7e6.bat" "
        11⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1100
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2320
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1348
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0eNIDhN69paG.bat" "
        13⤵
        
        PID:828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:744
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\c1sais40qMYo.bat" "
        15⤵
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2596
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWX2S7LA4c87.bat" "
        17⤵
        
        PID:2072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1180
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2368
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JzrajFKdKm8x.bat" "
        19⤵
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2884
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2904
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\R4pZWus7ZoIv.bat" "
        21⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2552
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEaRh3KnHsi8.bat" "
        23⤵
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:992
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:880
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1WqHJRFpa7lv.bat" "
        25⤵
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2012
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:376
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1bcD2xlm66wh.bat" "
        27⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:680
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2492
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gv44Aop7hHBS.bat" "
        29⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1756
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1040
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HfU5C95BbIfK.bat" "
        31⤵
        
        PID:1716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0eNIDhN69paG.bat

Filesize
194B

MD5
8c9115e80c4fae30fda7fca5f1be8348

SHA1
f1e9225ff109478295be58b34508b6c785fa4fa6

SHA256
0100d36a5c4c5d99d8258bedbdc59c0ccace98b056717bf3523865e88b7c9129

SHA512
50f1efabbc4ba4a3708976649bf0c771bc5562681e0204e975d9577b41654568a31eaf902b8cf0cde972a8e6dfd8d319c36b9e2d38ed1565438a59107e1ad809

Download Submit
C:\Users\Admin\AppData\Local\Temp\1WqHJRFpa7lv.bat

Filesize
194B

MD5
e87cba16faacbf494cabfa43790eca33

SHA1
cac18ed517b036f544a117613677087292bc6491

SHA256
0c711197623d4db26a0543011ff2b58498e65f668d6bcd235c9e4f3c01cef532

SHA512
ccfbf8a13b9bf434ddcdcc5acc74aa7e27d3ad2e1cec1c0b905421a8a94d99f8d036dd29ef67d717b94069fed8684fa775c545f02ceae8a1c203e269ef6caf16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bcD2xlm66wh.bat

Filesize
194B

MD5
d71af13028fdd3d3ca463dca22702bef

SHA1
18ce273424e63e4115d3a4ee08febacab073b2be

SHA256
d1b7546e45ed9df3bb4897d7a1297c140d43f4494c23ce25ffce83b50a4ae095

SHA512
2185880d0f918b7bfc763cb26fc769091207850d77c56904763fd6d3fd98607d00959244bc0c43d15a1b98eebb19ef37a73437e63022b61980bbb73a38135100

Download Submit
C:\Users\Admin\AppData\Local\Temp\7xfrxdYY6iyo.bat

Filesize
194B

MD5
2ea89a444fb274b504307950c3bb5372

SHA1
8c68df5abb9036e1f2fed9312c98bdd14e712566

SHA256
1b5bf2254e2c8a1299829e7ae64c3cc9667698f602938eba4f2b1773825100a0

SHA512
5d5b32a12d43a64a757f4757210bf21dfcb3babede9f1bdac64353c494b2b01ca2c4ac5282c208c63c00ff8c024222166197304de2eb38d17547623038dcb91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qezZ8uTZqgw.bat

Filesize
194B

MD5
d905dd24148a31fb4703f60e10ffae03

SHA1
1dcdb466645cfb105c3c0d226dd30e40002e6d65

SHA256
53a5bb69c5415d69c411c067bea6f1fa9e6e71c8ce509ea827c97bf55a717319

SHA512
7000e234859fff51d1031a5ebc66f8bd852433b7ad90ff0bf5211a539468299274b5da428842f52879e2cb7b8a512cd3a77d1a932ba812436cb9a7cab509d959

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gv44Aop7hHBS.bat

Filesize
194B

MD5
4bb80837463455182087f2345f877f35

SHA1
9ac1d2eb031d7143442effe4c1c134226a4c2eec

SHA256
4e022ed9032318c740ab3f7444bd2f52ecdc7029061c52357d538c98fee6faa3

SHA512
739943f9a00f1674be885cd8882a8373b0307c82aaeb8b9a0533eeaaf2ad51c08ecd0e0be7fa1415fed6bbc4789294457c83de4ef63545056119ef511fd9e129

Download Submit
C:\Users\Admin\AppData\Local\Temp\HfU5C95BbIfK.bat

Filesize
194B

MD5
c510ad4926e4ce789f13217ae3d64c2f

SHA1
549dcfed39bff445d35189d905dc7b61038e7b54

SHA256
189d9510594d9d2e722678ce9a95512d82f35048be33d55de3ab839f97ccecbb

SHA512
34f9a8c46b64a4a8a846ac24fc427cf78818b0dfa29ec169ef9c52438035c54958a9c7ccb16e0ec7d240867937b1f7774caf6f875dc3b96252da7109911febdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\JzrajFKdKm8x.bat

Filesize
194B

MD5
5af727d741776ae2b39148d268d9c1a7

SHA1
4ee8cb23f4649ffdcadf29b7e6c340c13e9714f4

SHA256
e5e4f4f9468cf2cad6fe623cb9abd133a68fac664cfa6ff33e6923d75b6ceb4a

SHA512
b9e5ae19cea1aa61acdc1ac65da859cda3746d51eadaed27e7962819eea70f63080f62b09a47418da8f58aaf278b4c8c505484ce44be0fabe40818d59d6fa95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWX2S7LA4c87.bat

Filesize
194B

MD5
4724a483efdf71af8542ca907c4a320e

SHA1
efe8db5b15cb9a7a596a9ed5be126ffbaecf4d74

SHA256
0ac5aa16f895dbdbae3a6cd30071df23c770c02f500dfb0c833f399417440e39

SHA512
66989a577f9f2cc4a72d3f4d7a8eaf90221aa0fb7b42bff202873596d0372ed222142d31259bf4fe770d5b56178f5997121b492e94bb126d8a4ffed2378afaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\R4pZWus7ZoIv.bat

Filesize
194B

MD5
8014fefb522e6cd401369608e70491d5

SHA1
cf65c86a601b0cccd804856c21ab7d07b2a92bba

SHA256
6ee6513d97503935e661a172d101e40ee4bc5f977c0df4e581a16d968fecb9f9

SHA512
22d6cdfadc5588ffe014e80f6e308e401e81b11914614211fc35cc7056c40145da1c8749cd91d07b1ea190e85fa791c66caca17c2c5d497bd6589663cd224ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1sais40qMYo.bat

Filesize
194B

MD5
48298948b741477407f5c6ee069aa473

SHA1
e4de91b68c6ee2ed9524613b40439488987c1e3f

SHA256
1cddb3cfde38d441dae929cb6b744d300a0bedc931fa8207ba6fb230395a2eb8

SHA512
3c73a5120a3788ee3af6f3ccf8e75e82f733771d95e13229356afaa383863bfbd016ebfa29f3a528e61c984fbaf873b249574774c3f68796045022ec5b006ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\i50VFvwxAjeS.bat

Filesize
194B

MD5
72c4d1bb59460c79278856658eaf5a19

SHA1
cbf63a70d48b2937415bc2f4add3aa646079554e

SHA256
644997e4a3a79fd8eeec6b2891a1d35a722e0ed13b7970347732b91ab60c599e

SHA512
9f4f93d757facd35aadcc808ad491d68bd8f82e4111f0f86e97aaae81a19a62b386a7ef279016dd2a2ca8c16f48ab330e857caf63b2d77454cd7f6dbfa3ae583

Download Submit
C:\Users\Admin\AppData\Local\Temp\khnUI5hsy1oF.bat

Filesize
194B

MD5
374ec04bd66a7f8333654eaf656a13a7

SHA1
28fa69b0981440046abb4a3630323c65aae646a9

SHA256
f6aa10807f8735d9af10b6134a5d065707d47e3e4ece0b89fceb8613099068e2

SHA512
dc7bf6568445166924d598d458b735045034dcfbfb9095f46787d5a1290b468157e3422e939d85f1c0ff8da70cbfbde207cc03020587751d3d9f5cb347b6d885

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2ZyFdmbW7e6.bat

Filesize
194B

MD5
0f79a209a320296da007080393806ae4

SHA1
ba9857a31eb51d5d94a117298405469c32844cae

SHA256
b552268be1dc49c1f62f8d84dc4ec8268e243f517dd5359617bb0a0187c66eb2

SHA512
3d3bf2d25de09214d95465f314774ae2f30c34346ec32775fd521abfa9b7f9e9d4ec543e037e1efbd7393b9d3c0dd42892c57f505d13e04a370d679d45ad459b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEaRh3KnHsi8.bat

Filesize
194B

MD5
3d5d2182f12cad1cb4d2ef70dfa2bbfb

SHA1
d58f30c0998dfe8efae7315086a5ba2597f6a891

SHA256
6168dff7df3e282caa5ad9526a684804cd9aea69c35c05d9bf41df746dbf9286

SHA512
4416557b47f21ea419a7a6123e62a1910a1294bf75ea14d205dc24bfc2b90dfb8b39fd43c06c95e2fbb0589948d94b711e373329adf6095194084d8ece575da6

Download Submit
C:\Windows\System32\SubDir\host.exe

Filesize
3.3MB

MD5
bf4ca8258fd2f4df510aa046bbf7b21c

SHA1
79fe2a2cd3df7f83a44c33d2a061d588a8238c07

SHA256
e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156

SHA512
aa29baddc0854ab283b14ad2ef1de9bca806576dccfcce4d92675220f5f7f9c4c4a5c6f3f88b6316d765749c4845013ab674cbc1574e9e252d3e179dd0d48828

Download Submit
memory/744-74-0x0000000000170000-0x00000000004C0000-memory.dmp

Filesize
3.3MB

Download
memory/868-85-0x0000000000290000-0x00000000005E0000-memory.dmp

Filesize
3.3MB

Download
memory/880-129-0x0000000000FD0000-0x0000000001320000-memory.dmp

Filesize
3.3MB

Download
memory/1036-8-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-9-0x0000000001100000-0x0000000001450000-memory.dmp

Filesize
3.3MB

Download
memory/1036-21-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-11-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1040-162-0x0000000001370000-0x00000000016C0000-memory.dmp

Filesize
3.3MB

Download
memory/1796-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/1796-10-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1796-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1796-1-0x0000000000DA0000-0x00000000010F0000-memory.dmp

Filesize
3.3MB

Download
memory/2012-140-0x00000000001A0000-0x00000000004F0000-memory.dmp

Filesize
3.3MB

Download
memory/2296-118-0x0000000000110000-0x0000000000460000-memory.dmp

Filesize
3.3MB

Download
memory/2368-96-0x00000000002D0000-0x0000000000620000-memory.dmp

Filesize
3.3MB

Download
memory/2492-151-0x0000000000A90000-0x0000000000DE0000-memory.dmp

Filesize
3.3MB

Download
memory/2904-107-0x00000000000B0000-0x0000000000400000-memory.dmp

Filesize
3.3MB

Download
memory/3068-23-0x0000000001220000-0x0000000001570000-memory.dmp

Filesize
3.3MB

Download