quasar | 092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb

Analysis

max time kernel
115s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
Size

3.1MB
MD5

7b3cdbe64809334591697b1424193cdc
SHA1

489dc1a891a4eca75df696a5c139e991277be9c7
SHA256

092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb
SHA512

811eb77ba66402dbf8ccbeacae131d36b0a97b7c813d335819d96370f904ffd7a6c9b2410f47fc2f0eac43675849e6b3473ab56ecfa0d934e97dbdc8b3e4fb74
SSDEEP

49152:zvelL26AaNeWgPhlmVqvMQ7XSKjizD+YMfrDoGdfTHHB72eh2NTt:zvOL26AaNeWgPhlmVqkQ7XSKjizD+LQ

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

fojeweb571-59106.portmap.host:59106

Mutex

0c203952-83f0-40e8-a93c-b701163cc930

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3228-1-0x0000000000810000-0x0000000000B34000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c8f-7.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	windows defender.exe

Executes dropped EXE 12 IoCs

pid	Process
1852	windows defender.exe
4404	windows defender.exe
1992	windows defender.exe
1836	windows defender.exe
3904	windows defender.exe
3228	windows defender.exe
4916	windows defender.exe
2572	windows defender.exe
2104	windows defender.exe
2564	windows defender.exe
2364	windows defender.exe
4432	windows defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3056	PING.EXE
1012	PING.EXE
4396	PING.EXE
3448	PING.EXE
4436	PING.EXE
964	PING.EXE
1684	PING.EXE
4736	PING.EXE
184	PING.EXE
3128	PING.EXE
3972	PING.EXE
1584	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1684	PING.EXE
3056	PING.EXE
1584	PING.EXE
3448	PING.EXE
1012	PING.EXE
4396	PING.EXE
4736	PING.EXE
184	PING.EXE
3128	PING.EXE
3972	PING.EXE
4436	PING.EXE
964	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1796	schtasks.exe
4068	schtasks.exe
3120	schtasks.exe
3744	schtasks.exe
2536	schtasks.exe
1564	schtasks.exe
3460	schtasks.exe
1684	schtasks.exe
4384	schtasks.exe
3936	schtasks.exe
4968	schtasks.exe
828	schtasks.exe
868	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
Token: SeDebugPrivilege	1852	windows defender.exe
Token: SeDebugPrivilege	4404	windows defender.exe
Token: SeDebugPrivilege	1992	windows defender.exe
Token: SeDebugPrivilege	1836	windows defender.exe
Token: SeDebugPrivilege	3904	windows defender.exe
Token: SeDebugPrivilege	3228	windows defender.exe
Token: SeDebugPrivilege	4916	windows defender.exe
Token: SeDebugPrivilege	2572	windows defender.exe
Token: SeDebugPrivilege	2104	windows defender.exe
Token: SeDebugPrivilege	2564	windows defender.exe
Token: SeDebugPrivilege	2364	windows defender.exe
Token: SeDebugPrivilege	4432	windows defender.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1852	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4068	3228	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	82
PID 3228 wrote to memory of 4068	3228	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	82
PID 3228 wrote to memory of 1852	3228	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	84
PID 3228 wrote to memory of 1852	3228	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	84
PID 1852 wrote to memory of 3120	1852	windows defender.exe	85
PID 1852 wrote to memory of 3120	1852	windows defender.exe	85
PID 1852 wrote to memory of 708	1852	windows defender.exe	87
PID 1852 wrote to memory of 708	1852	windows defender.exe	87
PID 708 wrote to memory of 1184	708	cmd.exe	89
PID 708 wrote to memory of 1184	708	cmd.exe	89
PID 708 wrote to memory of 1684	708	cmd.exe	90
PID 708 wrote to memory of 1684	708	cmd.exe	90
PID 708 wrote to memory of 4404	708	cmd.exe	96
PID 708 wrote to memory of 4404	708	cmd.exe	96
PID 4404 wrote to memory of 3744	4404	windows defender.exe	97
PID 4404 wrote to memory of 3744	4404	windows defender.exe	97
PID 4404 wrote to memory of 3128	4404	windows defender.exe	99
PID 4404 wrote to memory of 3128	4404	windows defender.exe	99
PID 3128 wrote to memory of 4388	3128	cmd.exe	101
PID 3128 wrote to memory of 4388	3128	cmd.exe	101
PID 3128 wrote to memory of 3056	3128	cmd.exe	102
PID 3128 wrote to memory of 3056	3128	cmd.exe	102
PID 3128 wrote to memory of 1992	3128	cmd.exe	105
PID 3128 wrote to memory of 1992	3128	cmd.exe	105
PID 1992 wrote to memory of 868	1992	windows defender.exe	106
PID 1992 wrote to memory of 868	1992	windows defender.exe	106
PID 1992 wrote to memory of 5036	1992	windows defender.exe	108
PID 1992 wrote to memory of 5036	1992	windows defender.exe	108
PID 5036 wrote to memory of 1576	5036	cmd.exe	110
PID 5036 wrote to memory of 1576	5036	cmd.exe	110
PID 5036 wrote to memory of 1012	5036	cmd.exe	111
PID 5036 wrote to memory of 1012	5036	cmd.exe	111
PID 5036 wrote to memory of 1836	5036	cmd.exe	113
PID 5036 wrote to memory of 1836	5036	cmd.exe	113
PID 1836 wrote to memory of 2536	1836	windows defender.exe	114
PID 1836 wrote to memory of 2536	1836	windows defender.exe	114
PID 1836 wrote to memory of 1380	1836	windows defender.exe	116
PID 1836 wrote to memory of 1380	1836	windows defender.exe	116
PID 1380 wrote to memory of 4800	1380	cmd.exe	118
PID 1380 wrote to memory of 4800	1380	cmd.exe	118
PID 1380 wrote to memory of 4396	1380	cmd.exe	119
PID 1380 wrote to memory of 4396	1380	cmd.exe	119
PID 1380 wrote to memory of 3904	1380	cmd.exe	121
PID 1380 wrote to memory of 3904	1380	cmd.exe	121
PID 3904 wrote to memory of 1564	3904	windows defender.exe	122
PID 3904 wrote to memory of 1564	3904	windows defender.exe	122
PID 3904 wrote to memory of 3004	3904	windows defender.exe	124
PID 3904 wrote to memory of 3004	3904	windows defender.exe	124
PID 3004 wrote to memory of 3136	3004	cmd.exe	126
PID 3004 wrote to memory of 3136	3004	cmd.exe	126
PID 3004 wrote to memory of 1584	3004	cmd.exe	127
PID 3004 wrote to memory of 1584	3004	cmd.exe	127
PID 3004 wrote to memory of 3228	3004	cmd.exe	128
PID 3004 wrote to memory of 3228	3004	cmd.exe	128
PID 3228 wrote to memory of 3460	3228	windows defender.exe	129
PID 3228 wrote to memory of 3460	3228	windows defender.exe	129
PID 3228 wrote to memory of 1132	3228	windows defender.exe	131
PID 3228 wrote to memory of 1132	3228	windows defender.exe	131
PID 1132 wrote to memory of 4524	1132	cmd.exe	133
PID 1132 wrote to memory of 4524	1132	cmd.exe	133
PID 1132 wrote to memory of 4736	1132	cmd.exe	134
PID 1132 wrote to memory of 4736	1132	cmd.exe	134
PID 1132 wrote to memory of 4916	1132	cmd.exe	135
PID 1132 wrote to memory of 4916	1132	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
"C:\Users\Admin\AppData\Local\Temp\092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4068
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BlBtl2IRDBKy.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1184
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1684
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7EoGmMYbqPYF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4388
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3056
      - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICsCda0sdTVy.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMBe6fsphM4o.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4396
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NtJtbOq98kJO.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcJS1qR6jXZk.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0L5OZWasKy90.bat" "
        15⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:184
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k8zmFyLcAiuV.bat" "
        17⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Svv5loaJu1oi.bat" "
        19⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3448
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4E22ZQ9biJKX.bat" "
        21⤵
        
        PID:1476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFB5YKggoVmm.bat" "
        23⤵
        
        PID:4292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwI48iWkD5xP.bat" "
        25⤵
        
        PID:528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windows defender.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0L5OZWasKy90.bat

Filesize
217B

MD5
8f7d3ded56f259e5f059b9cceab65a11

SHA1
9da1cf7f6c6c6d8f33ed58e771528132ac2cb746

SHA256
baf48c11a41abe37bd6c15a550e3a7c43c82c01e43754b0a33bab02a5e60a585

SHA512
ff3ab2c8645b9d02eb17efaeced672edff990ac2f2635f5de58b336a522e5f18e03ff23e6bb89888b389e0b335b92ba7d31ae533791f774563f378565dfe5c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E22ZQ9biJKX.bat

Filesize
217B

MD5
d0128014518f4e91dfd4fbfbb49d8d02

SHA1
4ad1ddb06619cae1d9a683760e569c69376d6e01

SHA256
aa18e5b7c39aa62e17b63ee32071331966305e3d3be5f47c00a2b12f0fe2a806

SHA512
65056ddc4584a7c3013c5f6376d8aa1bcb5f88f3bc0a7e221812976de9f85e7d3c712660d26cda56a61df687df9813beb38705302130904e7cabd71184f43757

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EoGmMYbqPYF.bat

Filesize
217B

MD5
9a2f427aa76f7c05f6c13d43f81cdbbe

SHA1
eab1d91ba9e82e67d841f482604583bdbdfdf7e7

SHA256
88748a78fe489d93d092e612493e07f7ca6d05e6b67fac9505a1c7a032f6cd11

SHA512
c8687269cb93aab8440e20230bf7c4e070a79de6e8b505f83d24850ebac5df57c76b62cd2e3d7d81af45488a6c7b02d58dcaf875fe589cefbab6ea61f249ff94

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFB5YKggoVmm.bat

Filesize
217B

MD5
d9f94c2f5a50f72fb66fb48aee931bbd

SHA1
c6d4ee5d01068171d6196f49c9524baee5aac218

SHA256
dd9c346918afb56c0a9a2ac6cb07b0c2b802a6192277b4ab6bbaeb0faab0f5c0

SHA512
2e640f57f698190484b73a7d753b02e1c044da606a6ed620d830987d2926ea5d114f69bf5d46f43c1e08e0b9301d9014a9f5b7350005b09e8f90aabee34f487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlBtl2IRDBKy.bat

Filesize
217B

MD5
d0d331a358f6fbdb579ac8a9a785345e

SHA1
6cc3bd91a3e35bc624093bb1dae2c9e1d6ce08cc

SHA256
f0845d04ec77251be4e80221f9fe84f99fb8dcfe33d585a8445809e95c823023

SHA512
a7931a73a1e062589c0efac5d4318d4e52b28d27c4a2d53ccb3ca4c4e974813a30c22e5f1c4bd10d4eb6d1f8ba025680c1f52ee2a069cd0c604f7da270d0706c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICsCda0sdTVy.bat

Filesize
217B

MD5
58b2ab957c91293cf5611d78982550f9

SHA1
61c0772cbd1f94bc1d5a9ba5c1384106f5481111

SHA256
be80eca4f68f81727d1c22926a58a34dcbb7e90230c8ad922ec07298ab699b93

SHA512
eb8dc531c83ee0e716b09911c5efeb8d769ec284af688fe10b86fc45f3ecd1f60d363b63a28e31e3201bf64a62da8a1b19906ea63a79a608fa710b7ebdfb1ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtJtbOq98kJO.bat

Filesize
217B

MD5
027f4705dbab8105ebe7851b24f797f1

SHA1
69d84065524aba2100bd8b149f1dd089755bb351

SHA256
c891253b3afb0a6dd259aa94d0db9bf5d9d8aab8b9167ca4493824abae861e51

SHA512
5039585e55e0d81f0074e1bd0bde4fbc06d5a659b621a21b28549f3d09fbf932d005ca100eb15efca2decef3e97a231012920c4c2ca6d21eaa28c1022d94ff33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Svv5loaJu1oi.bat

Filesize
217B

MD5
5c13accfc5ec0a1b0ce3ae7e2c6edb06

SHA1
221c27c737fb8a24372f6d6ed3467efee114047b

SHA256
fd7640bb77b1112a3cdbf8d3d57013bff394671e0631a0eabfb3587f320d7f5e

SHA512
841ee644e5fd8522b754ac1efdd09c12301c9997b997c8acda1f72c0165b0193eeb454194ca327a2d7f808477f5e392a4044c19e1120b98ec31e3dce49b0250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMBe6fsphM4o.bat

Filesize
217B

MD5
38cbdcb389802992fc05f01b3e027799

SHA1
487a5bdb5d87e96d0ae5ca30688780fabf214956

SHA256
39abb35b9e8ab365c1218a1ad7a8fe5107872b3d3808a056eb10bf319f8e6b2a

SHA512
62a20cec628e5db078f6522b23d52c8d6d84189d54b6695ea3707b80d6bca999757a41d897c5638c953c899759936e444e6465d14ac72364976374107ad82ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwI48iWkD5xP.bat

Filesize
217B

MD5
30f3faeebb5f29fb4469861e3f84db0b

SHA1
912b55e40b4789388c304286baa8bb4ec36b0ecf

SHA256
07af7f8de13d9ab4f1132ec6d638184ab8402ead57fed37625eeb12be7d9305c

SHA512
bf918a2aa7013b281610e3016981463355973e9215b6741bb3f52d9592db7b1e6d6bf4d098d0ad9b6cca008146ce7c7616a3d827455dc777a9810ff9d7407505

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcJS1qR6jXZk.bat

Filesize
217B

MD5
4a722998553cca04d03afdb681565472

SHA1
53286d858506f48aa897c8238b602d102700baa0

SHA256
dbe2bd903c4e5eb758152c78372bf4f94af8215929c3d8469d1423a7543d949e

SHA512
9ecb3eb5c3d197148b904650c0354eb34cb0edf8ecca0ade56ce58845d4e369bda724683a68fb30f866dd85659c57b854a6ecae1ff082f7977c38c04a101a094

Download Submit
C:\Users\Admin\AppData\Local\Temp\k8zmFyLcAiuV.bat

Filesize
217B

MD5
3e5b0d8fcf04964b4409c166ca850d38

SHA1
aa45da17c178be63f4eec0a5fb4ef9bd62fd74b3

SHA256
4b5782f967c480782ce0ac351c51993855631566b5c5aa111681a356f2a82fea

SHA512
ec2b55bd0414e5af6156f82e62074588abd3ee75e1bf0430873fa6aa7e77abdca0a418887bb1a1c1445efd009c559926ddc17f90aae13638457b300592631652

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
7b3cdbe64809334591697b1424193cdc

SHA1
489dc1a891a4eca75df696a5c139e991277be9c7

SHA256
092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb

SHA512
811eb77ba66402dbf8ccbeacae131d36b0a97b7c813d335819d96370f904ffd7a6c9b2410f47fc2f0eac43675849e6b3473ab56ecfa0d934e97dbdc8b3e4fb74

Download Submit
memory/1852-9-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-19-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

Filesize
10.8MB

Download
memory/1852-13-0x000000001D980000-0x000000001DA32000-memory.dmp

Filesize
712KB

Download
memory/1852-12-0x000000001D870000-0x000000001D8C0000-memory.dmp

Filesize
320KB

Download
memory/1852-11-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

Filesize
10.8MB

Download
memory/3228-0-0x00007FF81A2E3000-0x00007FF81A2E5000-memory.dmp

Filesize
8KB

Download
memory/3228-10-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

Filesize
10.8MB

Download
memory/3228-2-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

Filesize
10.8MB

Download
memory/3228-1-0x0000000000810000-0x0000000000B34000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads