quasar | 092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb

Analysis

max time kernel
113s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
Size

3.1MB
MD5

7b3cdbe64809334591697b1424193cdc
SHA1

489dc1a891a4eca75df696a5c139e991277be9c7
SHA256

092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb
SHA512

811eb77ba66402dbf8ccbeacae131d36b0a97b7c813d335819d96370f904ffd7a6c9b2410f47fc2f0eac43675849e6b3473ab56ecfa0d934e97dbdc8b3e4fb74
SSDEEP

49152:zvelL26AaNeWgPhlmVqvMQ7XSKjizD+YMfrDoGdfTHHB72eh2NTt:zvOL26AaNeWgPhlmVqkQ7XSKjizD+LQ

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

fojeweb571-59106.portmap.host:59106

Mutex

0c203952-83f0-40e8-a93c-b701163cc930

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/1480-1-0x00000000010E0000-0x0000000001404000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016d0d-6.dat	family_quasar
behavioral1/memory/2932-9-0x0000000000B40000-0x0000000000E64000-memory.dmp	family_quasar
behavioral1/memory/2604-23-0x0000000001250000-0x0000000001574000-memory.dmp	family_quasar
behavioral1/memory/1868-34-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar
behavioral1/memory/2440-66-0x0000000000360000-0x0000000000684000-memory.dmp	family_quasar
behavioral1/memory/1852-77-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/1272-108-0x0000000001140000-0x0000000001464000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2932	windows defender.exe
2604	windows defender.exe
1868	windows defender.exe
3028	windows defender.exe
1068	windows defender.exe
2440	windows defender.exe
1852	windows defender.exe
2208	windows defender.exe
1648	windows defender.exe
1272	windows defender.exe
1196	windows defender.exe
1188	windows defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2708	PING.EXE
1588	PING.EXE
3044	PING.EXE
2188	PING.EXE
1496	PING.EXE
864	PING.EXE
1696	PING.EXE
1684	PING.EXE
480	PING.EXE
1636	PING.EXE
1764	PING.EXE
780	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1764	PING.EXE
780	PING.EXE
2708	PING.EXE
864	PING.EXE
1696	PING.EXE
3044	PING.EXE
1636	PING.EXE
1588	PING.EXE
1496	PING.EXE
1684	PING.EXE
480	PING.EXE
2188	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1324	schtasks.exe
1332	schtasks.exe
2668	schtasks.exe
3012	schtasks.exe
2792	schtasks.exe
2656	schtasks.exe
1808	schtasks.exe
2860	schtasks.exe
2012	schtasks.exe
1724	schtasks.exe
2164	schtasks.exe
2884	schtasks.exe
2984	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
Token: SeDebugPrivilege	2932	windows defender.exe
Token: SeDebugPrivilege	2604	windows defender.exe
Token: SeDebugPrivilege	1868	windows defender.exe
Token: SeDebugPrivilege	3028	windows defender.exe
Token: SeDebugPrivilege	1068	windows defender.exe
Token: SeDebugPrivilege	2440	windows defender.exe
Token: SeDebugPrivilege	1852	windows defender.exe
Token: SeDebugPrivilege	2208	windows defender.exe
Token: SeDebugPrivilege	1648	windows defender.exe
Token: SeDebugPrivilege	1272	windows defender.exe
Token: SeDebugPrivilege	1196	windows defender.exe
Token: SeDebugPrivilege	1188	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2164	1480	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	30
PID 1480 wrote to memory of 2164	1480	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	30
PID 1480 wrote to memory of 2164	1480	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	30
PID 1480 wrote to memory of 2932	1480	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	32
PID 1480 wrote to memory of 2932	1480	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	32
PID 1480 wrote to memory of 2932	1480	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	32
PID 2932 wrote to memory of 2792	2932	windows defender.exe	33
PID 2932 wrote to memory of 2792	2932	windows defender.exe	33
PID 2932 wrote to memory of 2792	2932	windows defender.exe	33
PID 2932 wrote to memory of 2832	2932	windows defender.exe	35
PID 2932 wrote to memory of 2832	2932	windows defender.exe	35
PID 2932 wrote to memory of 2832	2932	windows defender.exe	35
PID 2832 wrote to memory of 2752	2832	cmd.exe	37
PID 2832 wrote to memory of 2752	2832	cmd.exe	37
PID 2832 wrote to memory of 2752	2832	cmd.exe	37
PID 2832 wrote to memory of 2708	2832	cmd.exe	38
PID 2832 wrote to memory of 2708	2832	cmd.exe	38
PID 2832 wrote to memory of 2708	2832	cmd.exe	38
PID 2832 wrote to memory of 2604	2832	cmd.exe	40
PID 2832 wrote to memory of 2604	2832	cmd.exe	40
PID 2832 wrote to memory of 2604	2832	cmd.exe	40
PID 2604 wrote to memory of 2656	2604	windows defender.exe	41
PID 2604 wrote to memory of 2656	2604	windows defender.exe	41
PID 2604 wrote to memory of 2656	2604	windows defender.exe	41
PID 2604 wrote to memory of 1064	2604	windows defender.exe	43
PID 2604 wrote to memory of 1064	2604	windows defender.exe	43
PID 2604 wrote to memory of 1064	2604	windows defender.exe	43
PID 1064 wrote to memory of 1096	1064	cmd.exe	45
PID 1064 wrote to memory of 1096	1064	cmd.exe	45
PID 1064 wrote to memory of 1096	1064	cmd.exe	45
PID 1064 wrote to memory of 1588	1064	cmd.exe	46
PID 1064 wrote to memory of 1588	1064	cmd.exe	46
PID 1064 wrote to memory of 1588	1064	cmd.exe	46
PID 1064 wrote to memory of 1868	1064	cmd.exe	47
PID 1064 wrote to memory of 1868	1064	cmd.exe	47
PID 1064 wrote to memory of 1868	1064	cmd.exe	47
PID 1868 wrote to memory of 1808	1868	windows defender.exe	48
PID 1868 wrote to memory of 1808	1868	windows defender.exe	48
PID 1868 wrote to memory of 1808	1868	windows defender.exe	48
PID 1868 wrote to memory of 1764	1868	windows defender.exe	50
PID 1868 wrote to memory of 1764	1868	windows defender.exe	50
PID 1868 wrote to memory of 1764	1868	windows defender.exe	50
PID 1764 wrote to memory of 1244	1764	cmd.exe	52
PID 1764 wrote to memory of 1244	1764	cmd.exe	52
PID 1764 wrote to memory of 1244	1764	cmd.exe	52
PID 1764 wrote to memory of 1496	1764	cmd.exe	53
PID 1764 wrote to memory of 1496	1764	cmd.exe	53
PID 1764 wrote to memory of 1496	1764	cmd.exe	53
PID 1764 wrote to memory of 3028	1764	cmd.exe	54
PID 1764 wrote to memory of 3028	1764	cmd.exe	54
PID 1764 wrote to memory of 3028	1764	cmd.exe	54
PID 3028 wrote to memory of 2884	3028	windows defender.exe	55
PID 3028 wrote to memory of 2884	3028	windows defender.exe	55
PID 3028 wrote to memory of 2884	3028	windows defender.exe	55
PID 3028 wrote to memory of 2232	3028	windows defender.exe	57
PID 3028 wrote to memory of 2232	3028	windows defender.exe	57
PID 3028 wrote to memory of 2232	3028	windows defender.exe	57
PID 2232 wrote to memory of 1544	2232	cmd.exe	59
PID 2232 wrote to memory of 1544	2232	cmd.exe	59
PID 2232 wrote to memory of 1544	2232	cmd.exe	59
PID 2232 wrote to memory of 864	2232	cmd.exe	60
PID 2232 wrote to memory of 864	2232	cmd.exe	60
PID 2232 wrote to memory of 864	2232	cmd.exe	60
PID 2232 wrote to memory of 1068	2232	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
"C:\Users\Admin\AppData\Local\Temp\092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2164
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rn0jO6fgItVe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2752
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2708
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\R29vKQG6mLzs.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1096
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1588
      - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zEXTkJHoUUex.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NXwOL1uRaIHF.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ICbLVFNOJdgz.bat" "
        11⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zEEjviUyWLmQ.bat" "
        13⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\010Hs36SvIpK.bat" "
        15⤵
        
        PID:768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:480
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hH1dwgdmRTH6.bat" "
        17⤵
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\M64Ycaxwj7fv.bat" "
        19⤵
        
        PID:2592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kNAjPgyRX2LR.bat" "
        21⤵
        
        PID:992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lM2LmXTjaDdO.bat" "
        23⤵
        
        PID:1120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1724
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqFwtWuxwb5S.bat" "
        25⤵
        
        PID:648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\010Hs36SvIpK.bat

Filesize
217B

MD5
12ae6e5b6c3e40773a21d8966d61d70c

SHA1
64360a73433328e0477e2f91e7cd780736862dd5

SHA256
5bf2f0989956ebdaa6666797ee8b1af435dac3b5212fbca07378c120c708b421

SHA512
578d06a20202de6b7004cec2ba1ccf69464d1e07ac3bf3b5066581841c4caff9c035f275bb74491583ae5b881143f3d7b8e77a08a0cec6ea5d014f89f25aebee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICbLVFNOJdgz.bat

Filesize
217B

MD5
d9c5c07fcbbfdf1103cf12e7dcbeabad

SHA1
8cebd36e3520044b4111c69635efd3068e2ab5e9

SHA256
377f093702fa94b4b4016cc4b930536754063f542558132f57c1c7244b21d4ba

SHA512
94a8235d26936038189a59e75dd99a920906052179b4fc6acf3fa4cb34e32851ad864df55a20417bb7e7ff6a7a9875154996b6bbee3f024afe7d078c30cb2fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\M64Ycaxwj7fv.bat

Filesize
217B

MD5
6a9532eacdc488e98190cecd8ec9f460

SHA1
b8ac13361fb5979805ca5bce6da7cc69928a28b7

SHA256
7df5e860b7c66be694e3888f7ee81377a05118279cfbfcc76d23d6d570b10011

SHA512
ae67e100c75ee1b7cd7ad8d6c4846aa0c90096c400103067951a020a4719f84166579ad5d753e8e4d983521bbfad131de6a53c70b5a360e23899a2fe8c13edec

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXwOL1uRaIHF.bat

Filesize
217B

MD5
b8cad74948e3e06fc8570cfd10c709ae

SHA1
9141d6f070af627b9ac428bcf1db541b6ff5d31d

SHA256
d14a56c3682e16d1f7c55c6998d4588b25cfa53fe48696f093a406980f671d7d

SHA512
64add0428b3ad362f32c41ef704004b60a638692f13f46ba9d252d457bc4f29a0ab9afd45eafc060983e2f564a81447e6ca120446235fc355f5addbb5cc66356

Download Submit
C:\Users\Admin\AppData\Local\Temp\R29vKQG6mLzs.bat

Filesize
217B

MD5
426466733a3692e6c34c2118d610cd40

SHA1
3a335c61d441772e66ae74492f5ce79d27e95791

SHA256
2207f76a5f864b0988cca84bae4fe2124b46a63645222d22e9607afb8baa9c80

SHA512
3bc04be846300e8fb493651553f3a0ca39c02005c6bf89632a0b88d36aa8112012095c6e27f18913304e05e830e496babd5230a3faac95386950ebf7be259d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rn0jO6fgItVe.bat

Filesize
217B

MD5
59a9dd760dd02116d74ecdd599b6b744

SHA1
dd10f5d06b6ca6d6ad77b7532aed20161773f69f

SHA256
0da0d0423e9605378a07416f00e90baa6ea734eab9182842b9c074e944bb46e1

SHA512
d9441184fe9a73c29d02a4fdcb77db9d77a65de4e4865bf18a798e0f28db5dae95324ff0e06b6e14986a4bff0d5a0385278eb159050c7a59d63468ee02290af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqFwtWuxwb5S.bat

Filesize
217B

MD5
f45a2b7463619972ddcea054cc5ba737

SHA1
3a5314c4e53fb9819e9fdb89c1f7268e92718c81

SHA256
b60e46a36ffcf668cdd6486adc10b2a899a061d3925b0dfe4433ad865c7fe7b0

SHA512
3618f444eecb510361b03ae79d820ea5e6bb85efa216129d6f892c92905595d5f5f316f86530a15189c72366f6cefa3dc4a71aac29c4f24784f54618a8591c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\hH1dwgdmRTH6.bat

Filesize
217B

MD5
cfdca787793f2cbc0face664903b5ac1

SHA1
4a48d212c2ab8b57eee476f5b8f533fc9ba8829c

SHA256
30415458133e4327548476f7c3032419e5139d10357fca6ee2c6e44e3a0fdbc2

SHA512
1e5d3bbf967e8dd018085489c42e5841f92ab3d6f01c320e7dcf7497b671919b72a362d84d3f51860c364a412817b93055b1d75c158c42fdd961f14cd35a157c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNAjPgyRX2LR.bat

Filesize
217B

MD5
a482945d65c1d8e914f9f9eff819d3a8

SHA1
7c44981a550bee9d693dcfd41d9bbd22ebbc57ea

SHA256
39a56ba0c36ffa12e82c96f64d460343dcb1140db13580b4d2320136148f1656

SHA512
716f32ee61d995e24e3300c53d46d5d78c70165e855a864d0d8e374dc24dbeb974234f2a59131dcc7f6e35d26dbd1773245cae27e64ab17a557b83c341aa8735

Download Submit
C:\Users\Admin\AppData\Local\Temp\lM2LmXTjaDdO.bat

Filesize
217B

MD5
a6f3068024d879e12b322a4ce11e1df5

SHA1
f21cd8bf2dd7966003a7bad62ff30efdd184f7f4

SHA256
e04636e2cb667d48f1288db71aa4b9564ffe2011fa6d4905cbb9b2027c548c4b

SHA512
544421c8a3d492bfc4f2b960fdabf74b9f089b7354128c6419e4710ace9c8c08f2a097247377e5444e9dbf4a77fb558c70f1cae0f022ecc98d1a8fdc62d8252c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEEjviUyWLmQ.bat

Filesize
217B

MD5
250bf72ed3680c9fc3c38cc50d9dd7ed

SHA1
cf75c04961ebef87307b26f5bd83df17b93de72f

SHA256
8e88d54ceb2bf4041cdf56000970da8035c30955c8a14f36307badb806591a3d

SHA512
5248026fa77472238ab9e370fda9508e83cef214ef196f8f076d8cbda99d2da0cd35081477f4d10eeb60cb946d83fb1730dfdcdbd9d407671e64ee77ac7ae4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEXTkJHoUUex.bat

Filesize
217B

MD5
b5ce7f0bf3f2a2505c62a426265c7b05

SHA1
494eae67026c58b592c11fb6e907d0d6bbe8aec9

SHA256
8c9d694e85e2fb92d2bd24612fc1d099b05483a60af317cb040b4a8943a24937

SHA512
03929a3b9eedf60807fffd3500a9d3349298a50b632e93f5e950a2f099cc11315fbdfaa0396f27bff3644c3b7b7f690445fa1b373a27f36f77c0d68162a1c249

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
7b3cdbe64809334591697b1424193cdc

SHA1
489dc1a891a4eca75df696a5c139e991277be9c7

SHA256
092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb

SHA512
811eb77ba66402dbf8ccbeacae131d36b0a97b7c813d335819d96370f904ffd7a6c9b2410f47fc2f0eac43675849e6b3473ab56ecfa0d934e97dbdc8b3e4fb74

Download Submit
memory/1272-108-0x0000000001140000-0x0000000001464000-memory.dmp

Filesize
3.1MB

Download
memory/1480-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

Filesize
4KB

Download
memory/1480-1-0x00000000010E0000-0x0000000001404000-memory.dmp

Filesize
3.1MB

Download
memory/1480-2-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1480-10-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1852-77-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/1868-34-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/2440-66-0x0000000000360000-0x0000000000684000-memory.dmp

Filesize
3.1MB

Download
memory/2604-23-0x0000000001250000-0x0000000001574000-memory.dmp

Filesize
3.1MB

Download
memory/2932-21-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2932-11-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2932-9-0x0000000000B40000-0x0000000000E64000-memory.dmp

Filesize
3.1MB

Download
memory/2932-8-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads