quasar | 03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7df

Analysis

max time kernel
118s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe
Size

3.1MB
MD5

59f414f74a8a0bae1a8ff0ea4b045020
SHA1

23500e649843bf0e3075da18b3c5789dc4fa6505
SHA256

03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7df
SHA512

a471c66f59311fc97dada64846a9c10109c3d455f8673b2c09f09f4513370d5384cb6509b63f549a212efefef33c37d0dda9225c49dd44b45f50fc3d42ff0d62
SSDEEP

49152:zvelL26AaNeWgPhlmVqvMQ7XSKjizD+YMfrDoGdfTHHB72eh2NT:zvOL26AaNeWgPhlmVqkQ7XSKjizD+L

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

fojeweb571-59106.portmap.host:59106

Mutex

0c203952-83f0-40e8-a93c-b701163cc930

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4668-1-0x0000000000870000-0x0000000000B94000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c9f-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	windows defender.exe

Executes dropped EXE 12 IoCs

pid	Process
3404	windows defender.exe
3136	windows defender.exe
3856	windows defender.exe
2072	windows defender.exe
2984	windows defender.exe
3424	windows defender.exe
2832	windows defender.exe
1328	windows defender.exe
4980	windows defender.exe
1072	windows defender.exe
4000	windows defender.exe
956	windows defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2580	PING.EXE
1504	PING.EXE
1516	PING.EXE
4796	PING.EXE
4900	PING.EXE
3896	PING.EXE
3596	PING.EXE
3716	PING.EXE
2896	PING.EXE
2996	PING.EXE
4116	PING.EXE
2872	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
3716	PING.EXE
2896	PING.EXE
1516	PING.EXE
4116	PING.EXE
4900	PING.EXE
2872	PING.EXE
3596	PING.EXE
2580	PING.EXE
4796	PING.EXE
2996	PING.EXE
3896	PING.EXE
1504	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4508	schtasks.exe
4832	schtasks.exe
3860	schtasks.exe
208	schtasks.exe
4512	schtasks.exe
3016	schtasks.exe
3808	schtasks.exe
728	schtasks.exe
2232	schtasks.exe
2464	schtasks.exe
5080	schtasks.exe
668	schtasks.exe
2332	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe
Token: SeDebugPrivilege	3404	windows defender.exe
Token: SeDebugPrivilege	3136	windows defender.exe
Token: SeDebugPrivilege	3856	windows defender.exe
Token: SeDebugPrivilege	2072	windows defender.exe
Token: SeDebugPrivilege	2984	windows defender.exe
Token: SeDebugPrivilege	3424	windows defender.exe
Token: SeDebugPrivilege	2832	windows defender.exe
Token: SeDebugPrivilege	1328	windows defender.exe
Token: SeDebugPrivilege	4980	windows defender.exe
Token: SeDebugPrivilege	1072	windows defender.exe
Token: SeDebugPrivilege	4000	windows defender.exe
Token: SeDebugPrivilege	956	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 668	4668	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	83
PID 4668 wrote to memory of 668	4668	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	83
PID 4668 wrote to memory of 3404	4668	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	85
PID 4668 wrote to memory of 3404	4668	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	85
PID 3404 wrote to memory of 2332	3404	windows defender.exe	86
PID 3404 wrote to memory of 2332	3404	windows defender.exe	86
PID 3404 wrote to memory of 844	3404	windows defender.exe	88
PID 3404 wrote to memory of 844	3404	windows defender.exe	88
PID 844 wrote to memory of 2984	844	cmd.exe	90
PID 844 wrote to memory of 2984	844	cmd.exe	90
PID 844 wrote to memory of 2996	844	cmd.exe	91
PID 844 wrote to memory of 2996	844	cmd.exe	91
PID 844 wrote to memory of 3136	844	cmd.exe	99
PID 844 wrote to memory of 3136	844	cmd.exe	99
PID 3136 wrote to memory of 3808	3136	windows defender.exe	100
PID 3136 wrote to memory of 3808	3136	windows defender.exe	100
PID 3136 wrote to memory of 4948	3136	windows defender.exe	103
PID 3136 wrote to memory of 4948	3136	windows defender.exe	103
PID 4948 wrote to memory of 1472	4948	cmd.exe	105
PID 4948 wrote to memory of 1472	4948	cmd.exe	105
PID 4948 wrote to memory of 4116	4948	cmd.exe	106
PID 4948 wrote to memory of 4116	4948	cmd.exe	106
PID 4948 wrote to memory of 3856	4948	cmd.exe	113
PID 4948 wrote to memory of 3856	4948	cmd.exe	113
PID 3856 wrote to memory of 728	3856	windows defender.exe	114
PID 3856 wrote to memory of 728	3856	windows defender.exe	114
PID 3856 wrote to memory of 1648	3856	windows defender.exe	117
PID 3856 wrote to memory of 1648	3856	windows defender.exe	117
PID 1648 wrote to memory of 3708	1648	cmd.exe	119
PID 1648 wrote to memory of 3708	1648	cmd.exe	119
PID 1648 wrote to memory of 4900	1648	cmd.exe	120
PID 1648 wrote to memory of 4900	1648	cmd.exe	120
PID 1648 wrote to memory of 2072	1648	cmd.exe	125
PID 1648 wrote to memory of 2072	1648	cmd.exe	125
PID 2072 wrote to memory of 2232	2072	windows defender.exe	126
PID 2072 wrote to memory of 2232	2072	windows defender.exe	126
PID 2072 wrote to memory of 3496	2072	windows defender.exe	129
PID 2072 wrote to memory of 3496	2072	windows defender.exe	129
PID 3496 wrote to memory of 3956	3496	cmd.exe	131
PID 3496 wrote to memory of 3956	3496	cmd.exe	131
PID 3496 wrote to memory of 2872	3496	cmd.exe	132
PID 3496 wrote to memory of 2872	3496	cmd.exe	132
PID 3496 wrote to memory of 2984	3496	cmd.exe	133
PID 3496 wrote to memory of 2984	3496	cmd.exe	133
PID 2984 wrote to memory of 4508	2984	windows defender.exe	134
PID 2984 wrote to memory of 4508	2984	windows defender.exe	134
PID 2984 wrote to memory of 1672	2984	windows defender.exe	137
PID 2984 wrote to memory of 1672	2984	windows defender.exe	137
PID 1672 wrote to memory of 4988	1672	cmd.exe	139
PID 1672 wrote to memory of 4988	1672	cmd.exe	139
PID 1672 wrote to memory of 3896	1672	cmd.exe	140
PID 1672 wrote to memory of 3896	1672	cmd.exe	140
PID 1672 wrote to memory of 3424	1672	cmd.exe	142
PID 1672 wrote to memory of 3424	1672	cmd.exe	142
PID 3424 wrote to memory of 4832	3424	windows defender.exe	143
PID 3424 wrote to memory of 4832	3424	windows defender.exe	143
PID 3424 wrote to memory of 3948	3424	windows defender.exe	146
PID 3424 wrote to memory of 3948	3424	windows defender.exe	146
PID 3948 wrote to memory of 4032	3948	cmd.exe	148
PID 3948 wrote to memory of 4032	3948	cmd.exe	148
PID 3948 wrote to memory of 3596	3948	cmd.exe	149
PID 3948 wrote to memory of 3596	3948	cmd.exe	149
PID 3948 wrote to memory of 2832	3948	cmd.exe	151
PID 3948 wrote to memory of 2832	3948	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe
"C:\Users\Admin\AppData\Local\Temp\03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:668
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u7vqQPuAi4Nr.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2984
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2996
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAWdGwr62QHU.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1472
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4116
      - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U86mwvGjtw40.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIkUdF4KDHRl.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ll0vHva9Nlh1.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35yj7WKWNM7h.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7E2CQwOZRNsZ.bat" "
        15⤵
        
        PID:2512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8aTdwHHoBaBj.bat" "
        17⤵
        
        PID:4288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3716
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LtgWh9Z0bEQW.bat" "
        19⤵
        
        PID:2332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clL4WNpa8JXi.bat" "
        21⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pJLKGdCiFhAl.bat" "
        23⤵
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MJR8Vdb8wAJ9.bat" "
        25⤵
        
        PID:1116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windows defender.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\35yj7WKWNM7h.bat

Filesize
217B

MD5
a59227f0bd34c33480c06805403d0b60

SHA1
050900f836259106205e1dd9bd6ca0c5f31c7e1a

SHA256
04d28e9368f65d0844131559faf2518be0f329adcf5cff2485e907d7817a8409

SHA512
8d10d942dbdd7131f0e10c2e8e90215681fad90b88d6205352d3eb3eb75d6d015100d088b95d1271d64897bfc2a4ee06a46fda2d2d4ac6336407fce67e232e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E2CQwOZRNsZ.bat

Filesize
217B

MD5
bb02ceab6c596540ffdfa7bea55d1309

SHA1
60a85ab50f5eea350019942e28cf558b19c2a72a

SHA256
aefe5ff6dc7f895fae9989492fb525f211a8a6265d75e89c7e419d067a07b4c9

SHA512
54b14647e1211058cfa9835cb60865014aaa2cac88002680bab3a2aabd49d8156d8118d71c6465dee247dfcd7852af15b05c300132405a4f76847465ef487692

Download Submit
C:\Users\Admin\AppData\Local\Temp\8aTdwHHoBaBj.bat

Filesize
217B

MD5
fd7ac0514dfd49b9ec43636925214a0b

SHA1
0f5f098acc3e5be35cefa06c99dbf69b0a93a289

SHA256
013feaebe1146bd9c914ed3aac919a9b6f9b89eea7920e739bb0ab02e13451b6

SHA512
8d61b4188e11fdef1450de555c9270bb9a1c5c27617599ac645ae8cbd3febc4295f064f65787f99e1d972f6d16184a94a001850d066ee54d87368f25b97ff793

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIkUdF4KDHRl.bat

Filesize
217B

MD5
08609813828dbfca66666af0055822aa

SHA1
17baafd18b754b859f3ec6fc2ce075cc4235b111

SHA256
47ae747fdc9efbb933582e90e081a28766b641d9f692156aa4de75eb92c8ec28

SHA512
490ac565bd86524b15fe27f4f5c7dd9bc45adc0b110a5026d157a0f8f541a5ddd4d0adf83f891f23e25008fbc50ade98c19acc6bb16bd68da99468db6b18c67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LtgWh9Z0bEQW.bat

Filesize
217B

MD5
270b9a7b209e5a1105c97d85dc20a212

SHA1
923c1473bfa347de79cc564ade8017eccef8f8b6

SHA256
b3d1a311cefa1a8f2e4e2237c2dbda5c6f79771f471f8a674c5c2455df8be799

SHA512
66031c6b809d67b633fcfa8d150fa190c512f9fe136294de2cf1ec86fb621293567d40effea82eb41b9d427a4e12e66c9b99ad6aa1a891c6f2d091119b82202d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MJR8Vdb8wAJ9.bat

Filesize
217B

MD5
fada92e711cefdd6c7ff66b0b2210685

SHA1
552eabb6627d2c83ee38ccfe6367e7bd08224040

SHA256
e1944697019dc970ac9a671c6c18ca4c0c38d3fe988488e32a701cd5f9905c01

SHA512
57efc1c41b88cc05f598ae68257a43d70d4c011b52dedcf605dec8e333b2675d156eec1db163622f1ba22afaaa01b7b9195b0034710fd90eb4dc68ea78981b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAWdGwr62QHU.bat

Filesize
217B

MD5
1c69dcd68111e962f2874746199873cd

SHA1
19eca129c8dabce6a03442ae3002277e9c913a5b

SHA256
5c14d0c52be058a09d144268cfc30c57404092aad5a29b9efd8de27bbf5fd1fd

SHA512
97e8298c771a9ea737f7db8cd3cdf672221fa305ae3d2e2373253527d87b70ed9f0d5fbc4ab55282b92609c69fff44faeed33da90db5f7c971b1d5588690e335

Download Submit
C:\Users\Admin\AppData\Local\Temp\U86mwvGjtw40.bat

Filesize
217B

MD5
9d06efdf28025d745bc6f1831c763beb

SHA1
45cadd62f6bd7e686a625b64425bd3e86f716723

SHA256
5f366c34bb7c20a4b11cba75eb439fc26ae85fd8c0793f59201c89efea992421

SHA512
4f1bdd6de2e1d9734b401ff06f599921d17dd2d1aa6bf0c2b9f6383ae9e8138f76a581d12ce75e054ce57fb7ae5e1c41fa210db8663003d5e5fc19ae96b3aa55

Download Submit
C:\Users\Admin\AppData\Local\Temp\clL4WNpa8JXi.bat

Filesize
217B

MD5
aa3c1cda977765ae79b3a9987549feb0

SHA1
104f3547c3bffdcab5961e8e89fbb8e03fc7649b

SHA256
dfad95182e4a3d6c7e35135a5b3fc1681eda0efb7e544f18ebb6a902f86989b6

SHA512
b25c08e06f2c3ddb3c51b87b0035ddec99df92d20586e96b6f8db20e2f7be2ed57e8724c4f69ee8afcd90306dd00c9b9f84a0f0f08f8802e21db135d386d02a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ll0vHva9Nlh1.bat

Filesize
217B

MD5
3624c031fc4484d8d47616424b04f8ae

SHA1
460c01b71ba91f9f18e6bb8fc1b9ad1d8dc2ce88

SHA256
0fdf8236d98e2eb1159ada5ea721781647fd4c4dd34b1a1f80381239f82fe259

SHA512
5453cd40b232b21393fe8dc69d87b655cd74c479b09b293e44ec50c8bfa92d6b955fe30833372175398da1d7e3bc61b743885e9d7ed63da9eb7b956d2395197b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pJLKGdCiFhAl.bat

Filesize
217B

MD5
8ad654ca4bed66d0d72c85d1704b69d4

SHA1
2b562851ba6494d726dcd3b6845ccf4273bc8f41

SHA256
6cc505450b9bb245fbc89b614b0dc2b1e9424cf4ff9b9203bc891be975a2568c

SHA512
1621dcd3cc296475d35dda22f022a7fa9ec919520e68b7ac33b220c011eacc403d1650386829d1b233f35238581d06a562cbc4182517eefb9fa76050df17bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\u7vqQPuAi4Nr.bat

Filesize
217B

MD5
4f3267ef4cdf199e80c067de65f7eea1

SHA1
36879765350acf4a9d443fcd70be4297869acd44

SHA256
4653019e81bffa3a647469a715d50bd6c089aacbf956dfd83470c0a1a3bde71e

SHA512
77a315a6f645d08fd46cc12901d1ade11cd9d7e2ff16859105cc734da7c63543208c833cd94404a33346af6ea332139ba2b190ab1fdcc7a204eb2c76929a8597

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
59f414f74a8a0bae1a8ff0ea4b045020

SHA1
23500e649843bf0e3075da18b3c5789dc4fa6505

SHA256
03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7df

SHA512
a471c66f59311fc97dada64846a9c10109c3d455f8673b2c09f09f4513370d5384cb6509b63f549a212efefef33c37d0dda9225c49dd44b45f50fc3d42ff0d62

Download Submit
memory/3404-18-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-13-0x000000001BEC0000-0x000000001BF72000-memory.dmp

Filesize
712KB

Download
memory/3404-12-0x000000001B6B0000-0x000000001B700000-memory.dmp

Filesize
320KB

Download
memory/3404-11-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-9-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-0-0x00007FFEB3DF3000-0x00007FFEB3DF5000-memory.dmp

Filesize
8KB

Download
memory/4668-10-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-2-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-1-0x0000000000870000-0x0000000000B94000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads