quasar | 175d2c313c08824712c3225985c2c166b93337ccb1cf1a7dffae3b284a7f3579

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

8d2777f7a9541759b2d6a4d713a5e0db
SHA1

f99839b640dd713cde9515fe9962bb344ef65f4f
SHA256

175d2c313c08824712c3225985c2c166b93337ccb1cf1a7dffae3b284a7f3579
SHA512

544c55362443bf3f941319f84bae875db3ab9af29f31967a7cf2eb35aefba38e29ea2117c7dd43d7c6828cb0f37adee314aeefb7929e48a555e19138c3b15abf
SSDEEP

49152:PvelL26AaNeWgPhlmVqvMQ7XSKUc1oLoGdATHHB72eh2NT:PvOL26AaNeWgPhlmVqkQ7XSKUc1G

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

fojeweb571-45302.portmap.host:45302

Mutex

703bfb38-0c01-48b6-b84b-a41889e3bcdd

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3240-1-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/files/0x0007000000023c9a-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	windows defender.exe

Executes dropped EXE 15 IoCs

pid	Process
4944	windows defender.exe
4992	windows defender.exe
4004	windows defender.exe
4312	windows defender.exe
2136	windows defender.exe
2600	windows defender.exe
3704	windows defender.exe
4912	windows defender.exe
3036	windows defender.exe
2952	windows defender.exe
4596	windows defender.exe
4736	windows defender.exe
4176	windows defender.exe
2924	windows defender.exe
3060	windows defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3356	PING.EXE
4240	PING.EXE
1464	PING.EXE
1508	PING.EXE
3304	PING.EXE
2228	PING.EXE
1664	PING.EXE
3380	PING.EXE
4880	PING.EXE
2204	PING.EXE
3168	PING.EXE
3024	PING.EXE
1644	PING.EXE
1160	PING.EXE
3704	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1664	PING.EXE
1160	PING.EXE
3356	PING.EXE
2228	PING.EXE
3704	PING.EXE
3168	PING.EXE
2204	PING.EXE
3304	PING.EXE
3024	PING.EXE
4240	PING.EXE
1644	PING.EXE
1464	PING.EXE
3380	PING.EXE
4880	PING.EXE
1508	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4968	schtasks.exe
1968	schtasks.exe
4888	schtasks.exe
2908	schtasks.exe
1136	schtasks.exe
1112	schtasks.exe
4796	schtasks.exe
1260	schtasks.exe
1680	schtasks.exe
3088	schtasks.exe
2328	schtasks.exe
2588	schtasks.exe
1536	schtasks.exe
1476	schtasks.exe
2084	schtasks.exe
3064	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	Client-built.exe
Token: SeDebugPrivilege	4944	windows defender.exe
Token: SeDebugPrivilege	4992	windows defender.exe
Token: SeDebugPrivilege	4004	windows defender.exe
Token: SeDebugPrivilege	4312	windows defender.exe
Token: SeDebugPrivilege	2136	windows defender.exe
Token: SeDebugPrivilege	2600	windows defender.exe
Token: SeDebugPrivilege	3704	windows defender.exe
Token: SeDebugPrivilege	4912	windows defender.exe
Token: SeDebugPrivilege	3036	windows defender.exe
Token: SeDebugPrivilege	2952	windows defender.exe
Token: SeDebugPrivilege	4596	windows defender.exe
Token: SeDebugPrivilege	4736	windows defender.exe
Token: SeDebugPrivilege	4176	windows defender.exe
Token: SeDebugPrivilege	2924	windows defender.exe
Token: SeDebugPrivilege	3060	windows defender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4944	windows defender.exe
4176	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 1476	3240	Client-built.exe	82
PID 3240 wrote to memory of 1476	3240	Client-built.exe	82
PID 3240 wrote to memory of 4944	3240	Client-built.exe	84
PID 3240 wrote to memory of 4944	3240	Client-built.exe	84
PID 4944 wrote to memory of 1968	4944	windows defender.exe	85
PID 4944 wrote to memory of 1968	4944	windows defender.exe	85
PID 4944 wrote to memory of 3912	4944	windows defender.exe	87
PID 4944 wrote to memory of 3912	4944	windows defender.exe	87
PID 3912 wrote to memory of 1768	3912	cmd.exe	89
PID 3912 wrote to memory of 1768	3912	cmd.exe	89
PID 3912 wrote to memory of 3356	3912	cmd.exe	90
PID 3912 wrote to memory of 3356	3912	cmd.exe	90
PID 3912 wrote to memory of 4992	3912	cmd.exe	96
PID 3912 wrote to memory of 4992	3912	cmd.exe	96
PID 4992 wrote to memory of 3088	4992	windows defender.exe	97
PID 4992 wrote to memory of 3088	4992	windows defender.exe	97
PID 4992 wrote to memory of 1268	4992	windows defender.exe	99
PID 4992 wrote to memory of 1268	4992	windows defender.exe	99
PID 1268 wrote to memory of 2120	1268	cmd.exe	101
PID 1268 wrote to memory of 2120	1268	cmd.exe	101
PID 1268 wrote to memory of 3168	1268	cmd.exe	102
PID 1268 wrote to memory of 3168	1268	cmd.exe	102
PID 1268 wrote to memory of 4004	1268	cmd.exe	106
PID 1268 wrote to memory of 4004	1268	cmd.exe	106
PID 4004 wrote to memory of 1112	4004	windows defender.exe	107
PID 4004 wrote to memory of 1112	4004	windows defender.exe	107
PID 4004 wrote to memory of 3916	4004	windows defender.exe	109
PID 4004 wrote to memory of 3916	4004	windows defender.exe	109
PID 3916 wrote to memory of 2752	3916	cmd.exe	111
PID 3916 wrote to memory of 2752	3916	cmd.exe	111
PID 3916 wrote to memory of 1508	3916	cmd.exe	112
PID 3916 wrote to memory of 1508	3916	cmd.exe	112
PID 3916 wrote to memory of 4312	3916	cmd.exe	115
PID 3916 wrote to memory of 4312	3916	cmd.exe	115
PID 4312 wrote to memory of 4888	4312	windows defender.exe	116
PID 4312 wrote to memory of 4888	4312	windows defender.exe	116
PID 4312 wrote to memory of 3884	4312	windows defender.exe	118
PID 4312 wrote to memory of 3884	4312	windows defender.exe	118
PID 3884 wrote to memory of 3808	3884	cmd.exe	120
PID 3884 wrote to memory of 3808	3884	cmd.exe	120
PID 3884 wrote to memory of 3024	3884	cmd.exe	121
PID 3884 wrote to memory of 3024	3884	cmd.exe	121
PID 3884 wrote to memory of 2136	3884	cmd.exe	122
PID 3884 wrote to memory of 2136	3884	cmd.exe	122
PID 2136 wrote to memory of 2908	2136	windows defender.exe	123
PID 2136 wrote to memory of 2908	2136	windows defender.exe	123
PID 2136 wrote to memory of 3700	2136	windows defender.exe	125
PID 2136 wrote to memory of 3700	2136	windows defender.exe	125
PID 3700 wrote to memory of 4608	3700	cmd.exe	127
PID 3700 wrote to memory of 4608	3700	cmd.exe	127
PID 3700 wrote to memory of 4240	3700	cmd.exe	128
PID 3700 wrote to memory of 4240	3700	cmd.exe	128
PID 3700 wrote to memory of 2600	3700	cmd.exe	129
PID 3700 wrote to memory of 2600	3700	cmd.exe	129
PID 2600 wrote to memory of 2328	2600	windows defender.exe	130
PID 2600 wrote to memory of 2328	2600	windows defender.exe	130
PID 2600 wrote to memory of 4444	2600	windows defender.exe	132
PID 2600 wrote to memory of 4444	2600	windows defender.exe	132
PID 4444 wrote to memory of 4944	4444	cmd.exe	134
PID 4444 wrote to memory of 4944	4444	cmd.exe	134
PID 4444 wrote to memory of 1664	4444	cmd.exe	135
PID 4444 wrote to memory of 1664	4444	cmd.exe	135
PID 4444 wrote to memory of 3704	4444	cmd.exe	136
PID 4444 wrote to memory of 3704	4444	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1476
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCwOUwg8vCAt.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1768
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3356
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuQ7CXl1PgqO.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2120
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3168
      - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCoILboWf2L4.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwD3V2cKbf0E.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGCwB2whbNKv.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4240
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6hLXQjcXjXN8.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5ZxfT9PKtkF.bat" "
        15⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcrl58HLFxBS.bat" "
        17⤵
        
        PID:4604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BfcTudeJMCAQ.bat" "
        19⤵
        
        PID:4292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWxW97WR2Yr9.bat" "
        21⤵
        
        PID:988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XXv3n6hyYpQL.bat" "
        23⤵
        
        PID:4692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qENS1WYYokmd.bat" "
        25⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MBLNEEhUHbZW.bat" "
        27⤵
        
        PID:1308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GTvheMOo9M5u.bat" "
        29⤵
        
        PID:2680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCQk77Qk3yOw.bat" "
        31⤵
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windows defender.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6hLXQjcXjXN8.bat

Filesize
217B

MD5
4cb3f7dc70583fee8c4a3c8ce062f3b6

SHA1
50c25c7222056395ec43a25e6f0684cd7c5f8b55

SHA256
ff3cbbc0444b9d8ac905feb111fa2cf73c6ec7c51909915fab1468c421825a74

SHA512
3794b6492b450a3488897e0a6b4c36e3e27844934720d22b77300b54b6e01312ba69fbd1db1d6da5876fbb6c215b04f65d1595beab7346a991eec5539d0ad6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5ZxfT9PKtkF.bat

Filesize
217B

MD5
365f86caa0f901dfc35b3155bedb6fcc

SHA1
0445210adc2934aeedf763dbb45b2ac508029fbd

SHA256
e35b52d4a62de879d7bd2cb73580a48d92c2b5aa865a5864faeb6bbf24782ba4

SHA512
8b78927821ae87b080b6b8db03eebe8b0b7228eb0da70f4bcf9bb840f6a5b02ee94e0b0f1f031bd7db51c9782eca79255e31d0dc717cc51cec08afc9cc4d32b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfcTudeJMCAQ.bat

Filesize
217B

MD5
9d3e9b9afc78d8c2631b1312eba07762

SHA1
cb4f31778d001c61d08c51a8b19c2330a0403127

SHA256
a947d1f5f7b8cb0e4ed280acb138bfbeef702048334fa25f358649dba0361612

SHA512
dfcf3d53f4bf26d36c2b1feb8475ad042e0fa633f27645253aa64d1f5e13eb5dd64bcd9ab72bbaccb8319f22544cbe961377b12c0eacea7f11dec172d255900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCQk77Qk3yOw.bat

Filesize
217B

MD5
d64b065929331c02f3dbf78bb3a2f32b

SHA1
e9f98c4018060597b6437e333cea61e796652488

SHA256
f4f97560ae6afcf771175a9010ca240d354a6fd5a3068af944afc9d58081761c

SHA512
90497bc2d218d14a1e9c356129f4f5db5b1774947e3cf3b573a138da3d4c9fe3ecabf0a094be4f2e4ffe45493f835678b9bc4f1a6ba25c6f5a0a865328a4bd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTvheMOo9M5u.bat

Filesize
217B

MD5
3fd9acd1456b54de7b84cd4ab381d0e2

SHA1
cd11bd17fb99eb4c829cef90f094c6380a787d04

SHA256
712ea8f62bb95c280f605f986564f9809887a135593b417cc50d642148be4929

SHA512
b3dc19593219c66d51dbbb990e4d0ffd7b43bb16ba471dfa501eb5287095d24d96dd345113ff9944f2fa719fdfd3cc8281849155c4189fecf59ffed5526e9a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBLNEEhUHbZW.bat

Filesize
217B

MD5
e7dec3c7123d8125fbcf9b4a18b164cb

SHA1
504ba2dd0710c36eabb06133a6f2c73767cf7564

SHA256
185f290bb0054280f38127a32e7ea5bab053530d43bdc247fe59a98e79aed681

SHA512
f48ef999927eb7f8486c555dc70c657dc36693560cb5eb5e94fe698499b24d659411836f89ca6f56ba8d4c8feb025546d4acf9de4b716b1d9ba8e2bb592d057e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWxW97WR2Yr9.bat

Filesize
217B

MD5
398097810e2da18bf5318f0a8f780721

SHA1
e1d19fbe45916a7589677e234ba9542f68fd4974

SHA256
1cbc6b17e337e8678a7831a9629a7408462c0c49a75969166d15db4e1a1e27a0

SHA512
131984b27af6db708e22af8124dce5d8b288b703efd5ab02ce763c07949b2dda925ff2740f2b0844a539ffb335d1e76fc9401849b0afec6be12b2c31e711f013

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCwOUwg8vCAt.bat

Filesize
217B

MD5
6a4134f91b8d7e7a16deed88e0716ec0

SHA1
1109007f2ac2bcf284928a5b19845a68659b8adb

SHA256
419d2b17db04a7f150dd4f59cce94338e903692deef8b679559f916e4ff2c11a

SHA512
5661c63454ff6b0ed5dc8bc798cd9663480f6a5411020e4c882ae4ffbedbf11864925b8d65167b2ce6bdeccc7948944d5d22fb3e6fe09490b1a0c8dbb582bafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwD3V2cKbf0E.bat

Filesize
217B

MD5
f08f208708e5ac4cc23584832ab259e9

SHA1
c2e1d42080ef8bfe2c831997c47a154688ba95ac

SHA256
5ef340e473f6313101ce170cc76e73e5344defd717a4eb069f2dac9a70e3586e

SHA512
b5b04d3442e9d849897e8685ef291b16d7cf1bbc525a8a25a715072fad22fe8160bcd64479fe5f28f0bf12a4cd842b0dc278e5fda43329f385963ceb35a4a610

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXv3n6hyYpQL.bat

Filesize
217B

MD5
cab93da9c9896f9c97c2ad67e980a2ba

SHA1
5e65825e678ee4a5345d782ae49e1a95e56526b5

SHA256
0676066d98475054603e4a056549942ac89d9fbac5221dcaf4708fbe03377ece

SHA512
5f83593f2d5c30246bc2105b247ed435bcd22ef02f4aeb20021978c9c8edd5309f12d258080f77b677615bae14ff643fd0537b94ea7e737eb0695b5367f68e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\qENS1WYYokmd.bat

Filesize
217B

MD5
5c1fda7137956dc56e6b4c98debf6a9b

SHA1
2df81b915d2a802decd78c5413ba167db5127f13

SHA256
39ad2950041d2ff7f392c550dcadb7c327736620ea78a7e30b50277a0185168d

SHA512
7d125f4b59d51a2abb062b2135abfe3b7bbf56f81e600bd2caba9370f227a6afb49f4f7a974b7dc777c6304bb0da03f9a8660bd50f7cb8e0ccd37bebbebaf08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qGCwB2whbNKv.bat

Filesize
217B

MD5
cabdd2cff9bad4779d8367217fed5e6b

SHA1
f195505fecb9e6b32b82062554bd3b7b075de2bd

SHA256
3acb286686366ad72fcd13ab09b32f35eb77259ce4171d5a5c5e536f22f7ae33

SHA512
29730725996a2a858de523f31317e451e13ef1a5e022a3c67dcfea7b582192ca2b86a1ad4038b99df4d200832d717b79f557fb520a26d917e07bcd415383890f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcrl58HLFxBS.bat

Filesize
217B

MD5
c3a240aac14a9a73f7afb18de9e879e1

SHA1
faa6ad93eb0fc53082fe89bd0da7bdc8b5f5874c

SHA256
b9763ff31a84548346dd5daad7af3cb81139530d9262e5884944117849e2fa65

SHA512
624820e24953e3b767ad4a7f8df847f145eded9c68ef4ce132936754e6aaf1d23ed652ba3954498bba203f21e0da287274216d21d2264999f0773e4e4b086826

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuQ7CXl1PgqO.bat

Filesize
217B

MD5
94cb664ef1d711c538be833d74094409

SHA1
74047f583aeee7332a56cbcfdfe5ee30580b276a

SHA256
6bc1a2a6b5e87abad6218d04514dade09d0af79ca9c486941764407d2aaebd94

SHA512
8755b6f09261ed81c80ea088dc4dd8fd26d9eff032305bd9bc0c68f4efb44529913a74b98badae909f019160c0ba864be19c5e3a971db5f6acf2538ce295bdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yCoILboWf2L4.bat

Filesize
217B

MD5
5a2df762bb92cfea430902f683b455f3

SHA1
85072bfdd71b44d1b4a9244c204adc83dc74072c

SHA256
4ef18a9133399e81e90ab3c1db84364a51e55d1b34c220e02b26ecd317157a00

SHA512
20da72fe2e4f351d5f40b701c911e7c0ab58f1a7874beabffbf4fe4e04c6a5cffb095b393ecfb508cb359b8091337522cc1592eaa2d66d5351a476ecc4a22e1b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
8d2777f7a9541759b2d6a4d713a5e0db

SHA1
f99839b640dd713cde9515fe9962bb344ef65f4f

SHA256
175d2c313c08824712c3225985c2c166b93337ccb1cf1a7dffae3b284a7f3579

SHA512
544c55362443bf3f941319f84bae875db3ab9af29f31967a7cf2eb35aefba38e29ea2117c7dd43d7c6828cb0f37adee314aeefb7929e48a555e19138c3b15abf

Download Submit
memory/3240-0-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/3240-10-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/3240-2-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/3240-1-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/4944-18-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/4944-13-0x000000001DFD0000-0x000000001E082000-memory.dmp

Filesize
712KB

Download
memory/4944-12-0x000000001BFB0000-0x000000001C000000-memory.dmp

Filesize
320KB

Download
memory/4944-11-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/4944-9-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads