quasar | 21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe
Size

3.1MB
MD5

a3ffca2a5a9a4917a64bcabccb4f9fad
SHA1

9cfc0318809849ab6f2edfc18f6975da812a9f51
SHA256

21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb
SHA512

d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e
SSDEEP

49152:nv3I22SsaNYfdPBldt698dBcjHKPRJ6CbR3LoGd2THHB72eh2NT:nv422SsaNYfdPBldt6+dBcjHKPRJ68

Score

10^/10

quasar dilly discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

dilly

lvke-45989.portmap.host:45989

Mutex

0cb49dc2-fd0d-4581-ae1e-04154c41f310

Attributes

encryption_key
E5250226804167CB0B1B4B0E9667D0C056694DCA
install_name
defenderx64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Helper
subdirectory
en

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4808-1-0x0000000000D80000-0x00000000010A4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b74-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	defenderx64.exe

Executes dropped EXE 15 IoCs

pid	Process
1588	defenderx64.exe
4144	defenderx64.exe
3596	defenderx64.exe
1784	defenderx64.exe
3544	defenderx64.exe
1756	defenderx64.exe
3768	defenderx64.exe
1632	defenderx64.exe
4484	defenderx64.exe
3912	defenderx64.exe
3292	defenderx64.exe
588	defenderx64.exe
924	defenderx64.exe
3232	defenderx64.exe
3484	defenderx64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
544	PING.EXE
4060	PING.EXE
4956	PING.EXE
1804	PING.EXE
4300	PING.EXE
1660	PING.EXE
4744	PING.EXE
3952	PING.EXE
2724	PING.EXE
3736	PING.EXE
4880	PING.EXE
3684	PING.EXE
4364	PING.EXE
2924	PING.EXE
836	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3736	PING.EXE
4300	PING.EXE
3684	PING.EXE
544	PING.EXE
836	PING.EXE
1660	PING.EXE
4880	PING.EXE
4364	PING.EXE
3952	PING.EXE
4744	PING.EXE
2924	PING.EXE
2724	PING.EXE
4060	PING.EXE
4956	PING.EXE
1804	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2132	schtasks.exe
3232	schtasks.exe
4664	schtasks.exe
2620	schtasks.exe
4040	schtasks.exe
64	schtasks.exe
4316	schtasks.exe
3624	schtasks.exe
4692	schtasks.exe
1228	schtasks.exe
1424	schtasks.exe
2932	schtasks.exe
1492	schtasks.exe
2340	schtasks.exe
3644	schtasks.exe
2420	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe
Token: SeDebugPrivilege	1588	defenderx64.exe
Token: SeDebugPrivilege	4144	defenderx64.exe
Token: SeDebugPrivilege	3596	defenderx64.exe
Token: SeDebugPrivilege	1784	defenderx64.exe
Token: SeDebugPrivilege	3544	defenderx64.exe
Token: SeDebugPrivilege	1756	defenderx64.exe
Token: SeDebugPrivilege	3768	defenderx64.exe
Token: SeDebugPrivilege	1632	defenderx64.exe
Token: SeDebugPrivilege	4484	defenderx64.exe
Token: SeDebugPrivilege	3912	defenderx64.exe
Token: SeDebugPrivilege	3292	defenderx64.exe
Token: SeDebugPrivilege	588	defenderx64.exe
Token: SeDebugPrivilege	924	defenderx64.exe
Token: SeDebugPrivilege	3232	defenderx64.exe
Token: SeDebugPrivilege	3484	defenderx64.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1588	defenderx64.exe
4144	defenderx64.exe
3596	defenderx64.exe
1784	defenderx64.exe
3544	defenderx64.exe
1756	defenderx64.exe
3768	defenderx64.exe
1632	defenderx64.exe
4484	defenderx64.exe
3912	defenderx64.exe
3292	defenderx64.exe
588	defenderx64.exe
924	defenderx64.exe
3232	defenderx64.exe
3484	defenderx64.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1588	defenderx64.exe
4144	defenderx64.exe
3596	defenderx64.exe
1784	defenderx64.exe
3544	defenderx64.exe
1756	defenderx64.exe
3768	defenderx64.exe
1632	defenderx64.exe
4484	defenderx64.exe
3912	defenderx64.exe
3292	defenderx64.exe
588	defenderx64.exe
924	defenderx64.exe
3232	defenderx64.exe
3484	defenderx64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4316	4808	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	83
PID 4808 wrote to memory of 4316	4808	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	83
PID 4808 wrote to memory of 1588	4808	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	85
PID 4808 wrote to memory of 1588	4808	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	85
PID 1588 wrote to memory of 1424	1588	defenderx64.exe	86
PID 1588 wrote to memory of 1424	1588	defenderx64.exe	86
PID 1588 wrote to memory of 4036	1588	defenderx64.exe	88
PID 1588 wrote to memory of 4036	1588	defenderx64.exe	88
PID 4036 wrote to memory of 1784	4036	cmd.exe	90
PID 4036 wrote to memory of 1784	4036	cmd.exe	90
PID 4036 wrote to memory of 836	4036	cmd.exe	91
PID 4036 wrote to memory of 836	4036	cmd.exe	91
PID 4036 wrote to memory of 4144	4036	cmd.exe	98
PID 4036 wrote to memory of 4144	4036	cmd.exe	98
PID 4144 wrote to memory of 2932	4144	defenderx64.exe	99
PID 4144 wrote to memory of 2932	4144	defenderx64.exe	99
PID 4144 wrote to memory of 2016	4144	defenderx64.exe	104
PID 4144 wrote to memory of 2016	4144	defenderx64.exe	104
PID 2016 wrote to memory of 2336	2016	cmd.exe	106
PID 2016 wrote to memory of 2336	2016	cmd.exe	106
PID 2016 wrote to memory of 3736	2016	cmd.exe	107
PID 2016 wrote to memory of 3736	2016	cmd.exe	107
PID 2016 wrote to memory of 3596	2016	cmd.exe	113
PID 2016 wrote to memory of 3596	2016	cmd.exe	113
PID 3596 wrote to memory of 3624	3596	defenderx64.exe	114
PID 3596 wrote to memory of 3624	3596	defenderx64.exe	114
PID 3596 wrote to memory of 3588	3596	defenderx64.exe	117
PID 3596 wrote to memory of 3588	3596	defenderx64.exe	117
PID 3588 wrote to memory of 2924	3588	cmd.exe	119
PID 3588 wrote to memory of 2924	3588	cmd.exe	119
PID 3588 wrote to memory of 4300	3588	cmd.exe	120
PID 3588 wrote to memory of 4300	3588	cmd.exe	120
PID 3588 wrote to memory of 1784	3588	cmd.exe	125
PID 3588 wrote to memory of 1784	3588	cmd.exe	125
PID 1784 wrote to memory of 2620	1784	defenderx64.exe	126
PID 1784 wrote to memory of 2620	1784	defenderx64.exe	126
PID 1784 wrote to memory of 872	1784	defenderx64.exe	129
PID 1784 wrote to memory of 872	1784	defenderx64.exe	129
PID 872 wrote to memory of 3676	872	cmd.exe	131
PID 872 wrote to memory of 3676	872	cmd.exe	131
PID 872 wrote to memory of 4060	872	cmd.exe	132
PID 872 wrote to memory of 4060	872	cmd.exe	132
PID 872 wrote to memory of 3544	872	cmd.exe	134
PID 872 wrote to memory of 3544	872	cmd.exe	134
PID 3544 wrote to memory of 4692	3544	defenderx64.exe	135
PID 3544 wrote to memory of 4692	3544	defenderx64.exe	135
PID 3544 wrote to memory of 1916	3544	defenderx64.exe	138
PID 3544 wrote to memory of 1916	3544	defenderx64.exe	138
PID 1916 wrote to memory of 1336	1916	cmd.exe	140
PID 1916 wrote to memory of 1336	1916	cmd.exe	140
PID 1916 wrote to memory of 1660	1916	cmd.exe	141
PID 1916 wrote to memory of 1660	1916	cmd.exe	141
PID 1916 wrote to memory of 1756	1916	cmd.exe	143
PID 1916 wrote to memory of 1756	1916	cmd.exe	143
PID 1756 wrote to memory of 2132	1756	defenderx64.exe	144
PID 1756 wrote to memory of 2132	1756	defenderx64.exe	144
PID 1756 wrote to memory of 3128	1756	defenderx64.exe	147
PID 1756 wrote to memory of 3128	1756	defenderx64.exe	147
PID 3128 wrote to memory of 2392	3128	cmd.exe	149
PID 3128 wrote to memory of 2392	3128	cmd.exe	149
PID 3128 wrote to memory of 4744	3128	cmd.exe	150
PID 3128 wrote to memory of 4744	3128	cmd.exe	150
PID 3128 wrote to memory of 3768	3128	cmd.exe	151
PID 3128 wrote to memory of 3768	3128	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe
"C:\Users\Admin\AppData\Local\Temp\21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4316
- C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
  "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5gaszm3sihHt.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1784
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:836
  - - C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
      "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MFkmocRFhbiJ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2336
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3736
      - C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGS3pnKqgEzg.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\37fW1iCFdvo0.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gNhQlW8HkWmC.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jru2KwTqSMeR.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vPOQ5wQpCuTp.bat" "
        15⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEtI0uvYadpT.bat" "
        17⤵
        
        PID:1484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kh0MfBLOuvF4.bat" "
        19⤵
        
        PID:396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4364
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ioqtz9KHuIrZ.bat" "
        21⤵
        
        PID:3344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4956
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoGVrUHEc8fX.bat" "
        23⤵
        
        PID:3452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:64
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YjvfXYAv5yMq.bat" "
        25⤵
        
        PID:4232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vpTT9oCFRZzh.bat" "
        27⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3232
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAqI0a80yVPE.bat" "
        29⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ext0DlS76tNe.bat" "
        31⤵
        
        PID:4228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\defenderx64.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\37fW1iCFdvo0.bat

Filesize
208B

MD5
e9166df8cc6ace6e4e3150ae5efadd3f

SHA1
c7b70bd960b978bd401a7f056fc8f463494fe40c

SHA256
c9166193943f5737c770bccc710f5711ff54fdeb0e008250ea7860e3835dd72b

SHA512
3a3a9b1fb10e605b3243cd9eed3144404cdbd8dc02a4a25b71e6cafd52b017e3a04e8e2e0a2548c7fadf40156d4bcab53a351fc64c5509ccbc72a48672213d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\5gaszm3sihHt.bat

Filesize
208B

MD5
3d7454454c2b26a3545767c84ebded57

SHA1
7623478ff9d5ce3cc29ee48f4f5c05003fafe1e7

SHA256
ff7dd4eefdd5d8f65edf54ab293d77715f3a584715ba255cc13591dfe7988a6a

SHA512
3f966b778cb094b1770e4de7924eb4c1de94e47629f28f3b99b30b734e12fc9f6fa84250149cb6358b982f6508450eb73a65e22b7cd687844ff4b6fb64945039

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ext0DlS76tNe.bat

Filesize
208B

MD5
5747cedde1529eddfe9499b5206edc1d

SHA1
4efce96df15e21cf356176bdf855a6447aea359c

SHA256
0dca17ae5dbd24ec0c271a09cc0a8ad7dee5ea987963c4228cf9f8e6e5f8766b

SHA512
776617f154b2b8573c384f84f451969ee13b742f03ec5f15c91b5ff4503776fc168df3479942b2fe146d425ea68c8af8987d75263828131703be53a027c3ea72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ioqtz9KHuIrZ.bat

Filesize
208B

MD5
370f14c3c1c98993c36b25047e75d7b5

SHA1
ad75115c1edbad4f0135017100f4232cef03fca6

SHA256
237f2aaa202543ed63a80210cb9687f0aa33e7ab476456a0a997bf4d47331c4b

SHA512
8c701594568159d59fbdad3530c2ce16ef5e3be2dd7e8f567b5df6408e4a2259fb411f85c36cc221396fdd296483f3870e09a6bc0cb1e8df3d708108f1f38829

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAqI0a80yVPE.bat

Filesize
208B

MD5
285efc57d797dd0d9e7851c38eaef17d

SHA1
77712aa4e8e870726faa87a3722a667b91ba2112

SHA256
eac1a539a1790b649f3f66211c4e817098dbfb7ce74811ec22fa490c1a7de574

SHA512
9025d80687433f206b0abc311d5ad3be71de9e882fa47677962e968f1830aa0f7cc254c7702ccf389dfa2a7a0a8ca5c44888ae23120df0fb2f1c79e1a431a1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFkmocRFhbiJ.bat

Filesize
208B

MD5
eb3706c36220f1b5709e19c4c47971a2

SHA1
7a69de98374d8279320204ce986634dfed3eecfc

SHA256
c6f0f54af7d394b7f692e43dd2409ca3ba186b401552de02409a2036ee9f9eec

SHA512
1b6fa4440ce695de1cfcd8cd93ba92c9d73447b8de02369dc48cd7bb784df945d0794c251b6d95d3dd02846911b3cc9ebf1cb108f8dcea0e8fe27830be7e4fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGS3pnKqgEzg.bat

Filesize
208B

MD5
e5da921683f7553f4fa84581194c6700

SHA1
3cee348866e295bef3e6084015b5aaa8da744e4e

SHA256
1b9c17c7118e05f281e4a23029c6b082b5cb5da8b2e8db4515adfd8e10aac516

SHA512
1eba20a1fbeb6eac71ab9975c273c717a419cd93ecc0cb58226dfe310e564d3dc3b51bb06c82ba42b938c6cfbd591a4b99c661feb41a69d5820c3f891fd15c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\YjvfXYAv5yMq.bat

Filesize
208B

MD5
e287824143950f881d0933970b1c8a98

SHA1
1fbf52bb739fcf641488cf41ae5db324efa1e445

SHA256
ff3a57a619d5f9fe1770a374fb0ad2bf339a7621ccded787aafc496c87a04f4b

SHA512
a882441992db59961dd348590f8ac6cacab280b52dde2614e56650c93b477d7daa8480d6187a0785f0398ed08c003814c0fe489da155f25da39a48a56394294a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEtI0uvYadpT.bat

Filesize
208B

MD5
6387ae67bfe98be391dcc46cb999c793

SHA1
752a12d7f8112076400f5998e4bad0ea0f2bb2ee

SHA256
2b2977905a39e72127eaadd77836ddcdc6ba1f29aeab177891ac7c2fc33e65ea

SHA512
916de8489be06cb6b15208f36882bce788fdd921faa8d8b46836befa5999db054b91d0d31d020b306efdade18247fc2c327e4622a72a96734eda04bf782e7375

Download Submit
C:\Users\Admin\AppData\Local\Temp\gNhQlW8HkWmC.bat

Filesize
208B

MD5
4dc81a81d519ce69554539472d64cd81

SHA1
c32f9fca20256c36005582016ab0395aa800a701

SHA256
c7039ac083be573ea856a5e8d445fed65518e1d50f9b4abb7982edc5b9ac4fee

SHA512
903d74e882e8ef1dee9791d8c751a9ef1fbdccdedccbe2ca7b32938296611bef2b747f27829b3e3931b774af4178167d55c9c7e3ab61851c4a1b31940e69bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jru2KwTqSMeR.bat

Filesize
208B

MD5
df8c541deac44ace42e6511147bdd8f4

SHA1
a83fafa88f7199221f81d22711941d36bd6e1a40

SHA256
bc35fe72902e387c9c54178d9f628ead71bad61b8d66efc39a78596f7048e8b8

SHA512
c395b60a860e9e0806ce6eaff730d3c71be0d08b66660865427de2327ff8b9c5d5e2833fc25756e401620854b1e972ad5fbb89f3fb1cceb5ee17fa66ff44bd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\kh0MfBLOuvF4.bat

Filesize
208B

MD5
4b3380e4ec00225eda4e5ab8e7c462d8

SHA1
db0e8bad860fc74b318c93ddefc3b3813c41124e

SHA256
10c80e5e5e47d6bd7df9bb108a1acda27380caddcc8bf1343bb0300c1c2ff6eb

SHA512
0469595ce7ff02a9f43d6714ef70c008f9855ab0695329cda54f11783c6157a451a6b1c8064273ef43b2fd05120727a6397b8708d707b46d47d56c57688d290d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vPOQ5wQpCuTp.bat

Filesize
208B

MD5
1b269661ba132b872e304a71cdcd57e5

SHA1
ddf47e5cda9771179469e119c0dc6d5c4f2654db

SHA256
0f5e9b6994f8f65579e66a8af8e52d4936318167a6e6c4afd445c83cd5409244

SHA512
864b050e5a1c1a5e6df30af9e8d22148b8505db17f3fdb175ddbbd895242bd207fdfdd7b5e201dc7a0d13dc0ee84da6339dfb1ea02a74dc43e14c40e28380faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpTT9oCFRZzh.bat

Filesize
208B

MD5
9cdc9589539cb9e80aa79674e8f91f56

SHA1
260b18d113999b0f042fb0c8f93b741e0094653d

SHA256
e53ed51794fed6aa5363748e7703b25db0813f86c3206fdcae8afd2502462c91

SHA512
89671318ddbf3ab346dfc4c68ecb5171a024601a82dffe24438362706ed5eb056362c93c4fdc2e1e413b446c0869823fb76fb1298db426a90b533cee3b59b2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoGVrUHEc8fX.bat

Filesize
208B

MD5
af30ecd7392e524d6eda64222c6a411b

SHA1
75377853676c6440ed69b8c720e900027f0acb39

SHA256
4ef87c3ea214e4275ea548f7438f9e5ace653fd6155a2084e66005a5e2323f07

SHA512
0c470e29f3f19614b6786ab544df99a392c3c21125a337bcebc269c49ff2b55e2035eaf93ceb4bea05dca6720dc6854fc7e24c6ec36cdfa6245eecc60ba2b7ae

Download Submit
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe

Filesize
3.1MB

MD5
a3ffca2a5a9a4917a64bcabccb4f9fad

SHA1
9cfc0318809849ab6f2edfc18f6975da812a9f51

SHA256
21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb

SHA512
d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e

Download Submit
memory/1588-12-0x000000001C690000-0x000000001C742000-memory.dmp

Filesize
712KB

Download
memory/1588-11-0x000000001C580000-0x000000001C5D0000-memory.dmp

Filesize
320KB

Download
memory/1588-10-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/1588-17-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/1588-8-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-9-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-0-0x00007FFC61BE3000-0x00007FFC61BE5000-memory.dmp

Filesize
8KB

Download
memory/4808-2-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-1-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads