quasar | e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EnigmaSRC.exe
Size

3.3MB
MD5

bf4ca8258fd2f4df510aa046bbf7b21c
SHA1

79fe2a2cd3df7f83a44c33d2a061d588a8238c07
SHA256

e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156
SHA512

aa29baddc0854ab283b14ad2ef1de9bca806576dccfcce4d92675220f5f7f9c4c4a5c6f3f88b6316d765749c4845013ab674cbc1574e9e252d3e179dd0d48828
SSDEEP

49152:tvjt62XlaSFNWPjljiFa2RoUYI8qR16AbR30oGdUTHHB72eh2NT:tvx62XlaSFNWPjljiFXRoUYI8qR161

Score

10^/10

quasar enigma.sln discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Enigma.Sln

C:\Users\nigger>:4782

Mutex

79e05c67-893c-4161-b8aa-df3a5e2de8c8

Attributes

encryption_key
180D990AA3B58892A5FBAE1EDF8AAEDB00F4AF8E
install_name
host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Visual Studios
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/324-1-0x0000000000DB0000-0x0000000001100000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b8d-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	host.exe

Executes dropped EXE 15 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
224	host.exe
3676	host.exe
1856	host.exe
2220	host.exe
936	host.exe
968	host.exe
5088	host.exe
1672	host.exe
2856	host.exe
3332	host.exe
2588	host.exe
2980	host.exe
1808	host.exe
3144	host.exe
4432	host.exe

Drops file in System32 directory 33 IoCs

Processes:

host.exehost.exehost.exeEnigmaSRC.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	EnigmaSRC.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File created	C:\Windows\system32\SubDir\host.exe	EnigmaSRC.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir	EnigmaSRC.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir\host.exe	host.exe
File opened for modification	C:\Windows\system32\SubDir	host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
3392	PING.EXE
2460	PING.EXE
1304	PING.EXE
2724	PING.EXE
1192	PING.EXE
2456	PING.EXE
3484	PING.EXE
5064	PING.EXE
1200	PING.EXE
4472	PING.EXE
1600	PING.EXE
2548	PING.EXE
2420	PING.EXE
4180	PING.EXE
2612	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1304	PING.EXE
1600	PING.EXE
2456	PING.EXE
2548	PING.EXE
3484	PING.EXE
1192	PING.EXE
5064	PING.EXE
3392	PING.EXE
2612	PING.EXE
1200	PING.EXE
4472	PING.EXE
2460	PING.EXE
4180	PING.EXE
2724	PING.EXE
2420	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2464	schtasks.exe
5028	schtasks.exe
4848	schtasks.exe
3948	schtasks.exe
1700	schtasks.exe
2016	schtasks.exe
1960	schtasks.exe
2284	schtasks.exe
4676	schtasks.exe
1088	schtasks.exe
2064	schtasks.exe
4468	schtasks.exe
4340	schtasks.exe
4744	schtasks.exe
732	schtasks.exe
336	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

EnigmaSRC.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

description	pid	Process
Token: SeDebugPrivilege	324	EnigmaSRC.exe
Token: SeDebugPrivilege	224	host.exe
Token: SeDebugPrivilege	3676	host.exe
Token: SeDebugPrivilege	1856	host.exe
Token: SeDebugPrivilege	2220	host.exe
Token: SeDebugPrivilege	936	host.exe
Token: SeDebugPrivilege	968	host.exe
Token: SeDebugPrivilege	5088	host.exe
Token: SeDebugPrivilege	1672	host.exe
Token: SeDebugPrivilege	2856	host.exe
Token: SeDebugPrivilege	3332	host.exe
Token: SeDebugPrivilege	2588	host.exe
Token: SeDebugPrivilege	2980	host.exe
Token: SeDebugPrivilege	1808	host.exe
Token: SeDebugPrivilege	3144	host.exe
Token: SeDebugPrivilege	4432	host.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
224	host.exe
3676	host.exe
1856	host.exe
2220	host.exe
936	host.exe
968	host.exe
5088	host.exe
1672	host.exe
2856	host.exe
3332	host.exe
2588	host.exe
2980	host.exe
1808	host.exe
3144	host.exe
4432	host.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

host.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exehost.exe

pid	Process
224	host.exe
3676	host.exe
1856	host.exe
2220	host.exe
936	host.exe
968	host.exe
5088	host.exe
1672	host.exe
2856	host.exe
3332	host.exe
2588	host.exe
2980	host.exe
1808	host.exe
3144	host.exe
4432	host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EnigmaSRC.exehost.execmd.exehost.execmd.exehost.execmd.exehost.execmd.exehost.execmd.exehost.execmd.exe

description	pid	Process	procid_target
PID 324 wrote to memory of 2016	324	EnigmaSRC.exe	82
PID 324 wrote to memory of 2016	324	EnigmaSRC.exe	82
PID 324 wrote to memory of 224	324	EnigmaSRC.exe	84
PID 324 wrote to memory of 224	324	EnigmaSRC.exe	84
PID 224 wrote to memory of 4340	224	host.exe	85
PID 224 wrote to memory of 4340	224	host.exe	85
PID 224 wrote to memory of 3536	224	host.exe	87
PID 224 wrote to memory of 3536	224	host.exe	87
PID 3536 wrote to memory of 3172	3536	cmd.exe	89
PID 3536 wrote to memory of 3172	3536	cmd.exe	89
PID 3536 wrote to memory of 2460	3536	cmd.exe	90
PID 3536 wrote to memory of 2460	3536	cmd.exe	90
PID 3536 wrote to memory of 3676	3536	cmd.exe	96
PID 3536 wrote to memory of 3676	3536	cmd.exe	96
PID 3676 wrote to memory of 2464	3676	host.exe	97
PID 3676 wrote to memory of 2464	3676	host.exe	97
PID 3676 wrote to memory of 4976	3676	host.exe	99
PID 3676 wrote to memory of 4976	3676	host.exe	99
PID 4976 wrote to memory of 4916	4976	cmd.exe	101
PID 4976 wrote to memory of 4916	4976	cmd.exe	101
PID 4976 wrote to memory of 1304	4976	cmd.exe	102
PID 4976 wrote to memory of 1304	4976	cmd.exe	102
PID 4976 wrote to memory of 1856	4976	cmd.exe	105
PID 4976 wrote to memory of 1856	4976	cmd.exe	105
PID 1856 wrote to memory of 1960	1856	host.exe	106
PID 1856 wrote to memory of 1960	1856	host.exe	106
PID 1856 wrote to memory of 1392	1856	host.exe	108
PID 1856 wrote to memory of 1392	1856	host.exe	108
PID 1392 wrote to memory of 1288	1392	cmd.exe	110
PID 1392 wrote to memory of 1288	1392	cmd.exe	110
PID 1392 wrote to memory of 4180	1392	cmd.exe	111
PID 1392 wrote to memory of 4180	1392	cmd.exe	111
PID 1392 wrote to memory of 2220	1392	cmd.exe	113
PID 1392 wrote to memory of 2220	1392	cmd.exe	113
PID 2220 wrote to memory of 4744	2220	host.exe	114
PID 2220 wrote to memory of 4744	2220	host.exe	114
PID 2220 wrote to memory of 2228	2220	host.exe	116
PID 2220 wrote to memory of 2228	2220	host.exe	116
PID 2228 wrote to memory of 4488	2228	cmd.exe	118
PID 2228 wrote to memory of 4488	2228	cmd.exe	118
PID 2228 wrote to memory of 1192	2228	cmd.exe	119
PID 2228 wrote to memory of 1192	2228	cmd.exe	119
PID 2228 wrote to memory of 936	2228	cmd.exe	121
PID 2228 wrote to memory of 936	2228	cmd.exe	121
PID 936 wrote to memory of 5028	936	host.exe	122
PID 936 wrote to memory of 5028	936	host.exe	122
PID 936 wrote to memory of 1620	936	host.exe	124
PID 936 wrote to memory of 1620	936	host.exe	124
PID 1620 wrote to memory of 3968	1620	cmd.exe	126
PID 1620 wrote to memory of 3968	1620	cmd.exe	126
PID 1620 wrote to memory of 1600	1620	cmd.exe	127
PID 1620 wrote to memory of 1600	1620	cmd.exe	127
PID 1620 wrote to memory of 968	1620	cmd.exe	128
PID 1620 wrote to memory of 968	1620	cmd.exe	128
PID 968 wrote to memory of 4848	968	host.exe	129
PID 968 wrote to memory of 4848	968	host.exe	129
PID 968 wrote to memory of 3048	968	host.exe	131
PID 968 wrote to memory of 3048	968	host.exe	131
PID 3048 wrote to memory of 2380	3048	cmd.exe	133
PID 3048 wrote to memory of 2380	3048	cmd.exe	133
PID 3048 wrote to memory of 2456	3048	cmd.exe	134
PID 3048 wrote to memory of 2456	3048	cmd.exe	134
PID 3048 wrote to memory of 5088	3048	cmd.exe	135
PID 3048 wrote to memory of 5088	3048	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EnigmaSRC.exe
"C:\Users\Admin\AppData\Local\Temp\EnigmaSRC.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2016
- C:\Windows\system32\SubDir\host.exe
  "C:\Windows\system32\SubDir\host.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwshCYz57mqN.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3172
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2460
  - - C:\Windows\system32\SubDir\host.exe
      "C:\Windows\system32\SubDir\host.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkWCCOFW5LSC.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4916
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1304
      - C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmC2DNcIMadp.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4180
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQ85k90qv167.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1192
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCMjsBpFoWy2.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bjgDczSe2RLU.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2456
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMCls9HXTFYK.bat" "
        15⤵
        
        PID:2464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2724
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cocVS6EQJvMc.bat" "
        17⤵
        
        PID:1932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5HSuF779qBvs.bat" "
        19⤵
        
        PID:1480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkAY8ratYTSS.bat" "
        21⤵
        
        PID:3720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5064
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WVDk1ipJzwIr.bat" "
        23⤵
        
        PID:5052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3484
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dys6UiQWHOMj.bat" "
        25⤵
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3392
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lG6ovqraoW5t.bat" "
        27⤵
        
        PID:4080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2612
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zZACXDTJpIZw.bat" "
        29⤵
        
        PID:4016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\Windows\system32\SubDir\host.exe
        
        "C:\Windows\system32\SubDir\host.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Visual Studios" /sc ONLOGON /tr "C:\Windows\system32\SubDir\host.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0vpS2iq5XRc.bat" "
        31⤵
        
        PID:3728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\host.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HSuF779qBvs.bat

Filesize
194B

MD5
db385f5fa5017c16259e9ed6f100611f

SHA1
d39325dbdf8a32c824e8f95eac452f9170313f14

SHA256
3905a4faf20126f7a6d6c494f3a876559e715c2aefe7b06f0e2c432dc8e26a0e

SHA512
975bd09c1aebf59b3ed05d469ccc5f3b234a1afa651ad480846012ef41d72104944507a62c819e4a7baaa224927fec0a7d5faa7751f9aac0d7ddf3eeecbdba77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkAY8ratYTSS.bat

Filesize
194B

MD5
82cd60d85c90475f2c0cf95a8c107409

SHA1
26bef435d80e99008e90e06dffef0a4d997acf72

SHA256
f1fbb5faa878e5e880ef80d745269b936c47f3856a5907cf506fcb0aeee78707

SHA512
c7c2d7a5a590f2a86f3211039640775f96d0ffe7c44ebbc444891bb355cabbff03f0c0de3f0b0b46289cafead8d591edabcbbf6287aeac9609efbbbed1ca8b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQ85k90qv167.bat

Filesize
194B

MD5
35ea11c58dff2c056b8071118b22329a

SHA1
db01da5bc73d4b2de1424651373f24c1b0e83163

SHA256
9e70ca3448bd55832cb683acbf32ea4e69d72d5ed983dc8ea35549e3cd4ab53d

SHA512
a65b3095263dd8fa4b74512609aad6532f739feae20fa1c3e3f499070b823c366d5b3603a63733b3ae2be1e6e0284680d21425ab60e889ce933b0c9cb0530a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkWCCOFW5LSC.bat

Filesize
194B

MD5
9bf5449bd29c37feb25e1f60e8757016

SHA1
0779b08aa7a45a64f8a1a7a626f7965e94ac468d

SHA256
951cf091e157a4740eee1bd984263b1c43913b0ee303de8f3e7a2fb8de22f095

SHA512
32045fb80d53e7a1a722149f01e976f442499276a796f11d0d1521eb8a6211ca6874dee8f13b0c37e3b28104401f7d5fff5a152117541a42e5a4644914edd58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVDk1ipJzwIr.bat

Filesize
194B

MD5
7428b5c2bd639a5b163eaf6ea3b498a3

SHA1
d0c426ab6468f6495a2dd1b8e917f4fa7898705b

SHA256
37d3a91c37c57dde92a0e7b1a379aed2ec5c5780249a048a64ade8d921bb42c4

SHA512
cc3d7c13ae15aad14fcc3f3ad7047156c5b16adc9a209f120f43e56669158f92c1a47020a8f8a0f98fd294646d49fe4bc9955fa73cceb22798a8200dde9d01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjgDczSe2RLU.bat

Filesize
194B

MD5
5dd2b1c4075ba9c27d633b981d0ead2c

SHA1
6ce82abd0da17738557143dade7564c4ff7a0094

SHA256
c77e86772376963abb297f18e89b3057c1a2e9e9256ac8c1853ac12f5e373c8b

SHA512
34ccae002a25838d970242c7bbd31c01cc0f0896274f723ddad1be6381b62c4e02f0d993837ba2d1f69a5d1a2fa58cff6bbd8eeb14f69ec68872cd547dc567b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cocVS6EQJvMc.bat

Filesize
194B

MD5
dab9d125b8a47c14a160e12df814288d

SHA1
fa79e9a030b658c4b5f4d1387a9566d1f72e0412

SHA256
c78a0dc0d77f41ce5995d2e92a2998f15db2882c714134597e2048335d111432

SHA512
e8d99deb3283e1899714aa1bf62aea15c6cb89d62a81b40cf67ea57c2ba5743743249bcfc9fe984746369f8a1506504642af94fc0349a19e559201c028b84962

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0vpS2iq5XRc.bat

Filesize
194B

MD5
f8b3721eb25ea6668e691d887699b0e9

SHA1
8c575ef0f28e675b9c2d8598c16d45d712d2d671

SHA256
c5e45d5684e7aebf0506f6d70d2ccade3285e8a07710ccd9fd8705d377b7383a

SHA512
a08f7c53fe9d9dad97ec590f2cbec12efe385378324b3e280f384d387eac0a718c5b5cf93496e7895d1ac942fe07c68708c7891c30858fd614ce279b90c6c6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmC2DNcIMadp.bat

Filesize
194B

MD5
784378064c22f6745a39c7fb6f3c25c2

SHA1
f1458cd678767ad194a232af5c080ac28705ab47

SHA256
bb09f2c682e7313089ef4342c14517a2af573a66d2445dc99f006364f6127c97

SHA512
4a3ff7fd8f106b8fdb0e74cc0b3896d676d90c61813b4d48185d6d94d07fc1fb671bc7c540576188955ad74fd2b8add2fabc0786c36d13e2937969fd5f43e167

Download Submit
C:\Users\Admin\AppData\Local\Temp\dys6UiQWHOMj.bat

Filesize
194B

MD5
989886749616825cde22c1d358830e05

SHA1
dacbf263a4213c9229ea56b41c07140d93cac5e3

SHA256
4eeaad72d9fb3c4abfe9a131a02b8dba443836908f67757846dc299527eef594

SHA512
2620e7f5ac9800c541dd32aaf6c4f02dde9769d5f0eeebc9979718a76424badf27b1a645d5c9418ee9f61b6ffc8fef4cc03f9fa76b8c8c493f111825d2c83277

Download Submit
C:\Users\Admin\AppData\Local\Temp\hMCls9HXTFYK.bat

Filesize
194B

MD5
3bac64fa3aab407b25b25a14f58f1565

SHA1
c1b52ee93b6ca253571dd2241aa0521e19dca66c

SHA256
d8209ca17fd52e44fb89224240c18feb6bf3c8b6862baf250740ecbdd1f70acc

SHA512
05bb029e4a2b34e6b333c2f79f2bf91c8fc9dcabbcaff6fb6a7ab2778c51bd68d2a7226523db76797604f64e4717ecdb5f900e50b20600858ff916b9fbfce168

Download Submit
C:\Users\Admin\AppData\Local\Temp\lG6ovqraoW5t.bat

Filesize
194B

MD5
9ba2a97c6016b9f5ccda23d01b040ff8

SHA1
8346636a3fc093671a9c1c32c327fbe3affccb89

SHA256
ca5150db6d95131822ad327a39b21f9f3c3c93691edd24b1b79fd7df3ec34a00

SHA512
417b762f12e7e958b93ff408d12e74d22f13f3c8d68e8fdb3c43d6f8c73562cdd20ccfc3b4a7ad1be1bd1a22f2fdf1f9dffa05dd7e3eb42a5801273f2f214aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwshCYz57mqN.bat

Filesize
194B

MD5
66f8451ad91fb1791a78e0b96e34975c

SHA1
5a2bee8f6afcc25415bb28707262b4285cd6f4d4

SHA256
2be563fe5fea57ec6d0a58247ed4a4fd0e621a6afefa1772feb15b42c8bb93c5

SHA512
8183e7ebf70bd915b972574f56f1b6d3c7d7af6030d45955237733fab226cb353141333fd510f3522ab563d8cfa4eb95ae31bdd9d2575098108533770ec1fd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCMjsBpFoWy2.bat

Filesize
194B

MD5
eec6032a4ea433f5621bedd960c09227

SHA1
e39dc93796a3e56e7ad997c1b9b50ea4193a2804

SHA256
f65c244b02b204a6b4992486e5e14984c63c23cf5315881e4a7c038cebb157e8

SHA512
4e943dcfd3ccee4e7ebf849067c940f70e2a5e997da129bed60ac1252c1189c9f10307dadbd752c86694f5c44ebe024be0c2a05c1556524e84d717b29c6ad88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zZACXDTJpIZw.bat

Filesize
194B

MD5
6083b8b0a301251ca1bd3584ea78af2a

SHA1
dcb289c8e655d4f45894b3f9ccc3f57339d74fb1

SHA256
fe8850446890303107650380a1423b44e5bed1a9965db5f7b52f097b7bd82938

SHA512
92c506b49d1dc4978047c4fab938578a18dc8c8327b7adaf83eb8bc1421d35039d0e07cbd724bdd2fd920131e1756ab3e7ad4bce22bcb60009a0f6c933dfbe54

Download Submit
C:\Windows\System32\SubDir\host.exe

Filesize
3.3MB

MD5
bf4ca8258fd2f4df510aa046bbf7b21c

SHA1
79fe2a2cd3df7f83a44c33d2a061d588a8238c07

SHA256
e5473833fb038cbdabc999603e62fb649050e727467e263e2ca90da92028a156

SHA512
aa29baddc0854ab283b14ad2ef1de9bca806576dccfcce4d92675220f5f7f9c4c4a5c6f3f88b6316d765749c4845013ab674cbc1574e9e252d3e179dd0d48828

Download Submit
memory/224-12-0x000000001BDE0000-0x000000001BE30000-memory.dmp

Filesize
320KB

Download
memory/224-13-0x000000001C610000-0x000000001C6C2000-memory.dmp

Filesize
712KB

Download
memory/224-10-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/224-11-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/224-19-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/324-9-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/324-1-0x0000000000DB0000-0x0000000001100000-memory.dmp

Filesize
3.3MB

Download
memory/324-2-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

Filesize
10.8MB

Download
memory/324-0-0x00007FFFF8853000-0x00007FFFF8855000-memory.dmp

Filesize
8KB

Download