Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-12-2024 03:20

General

  • Target

    QuasarDependencies.exe

  • Size

    120KB

  • MD5

    8e3e60ba2c742636546e314805e31c19

  • SHA1

    cb09acc414a975f1d084183e0b5d2c5b7a77d339

  • SHA256

    4d728486d5ccfc33c5853866da2e1549677181334552c36e0988bc4f64a208b1

  • SHA512

    e4460b9dd06221c40388abaa7b912af67772ef159b5497406ef19399c5f8ad08edf0e9af1504048dc2a6b6cc2928027f657522ebecd412f986580b361eef56ab

  • SSDEEP

    3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPKn:pt5hBPi0BW69hd1MMdxPe9N9uA069TBg

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

YT_RAT

C2

FlawGFX-25466.portmap.io:25466

Mutex

b0e42180-0b07-43a4-8af5-751a530df10c

Attributes
  • encryption_key

    F38AD66AF1B37C4D9D83D6A35EA505EADBD633EE

  • install_name

    UpdateScheduler.exe

  • log_directory

    WinDefender_Logs

  • reconnect_delay

    1500

  • startup_key

    Windows Update Scheduler

  • subdirectory

    WindowsDefender

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 48 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QuasarDependencies.exe
    "C:\Users\Admin\AppData\Local\Temp\QuasarDependencies.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A20C.tmp\A20D.tmp\A20E.bat C:\Users\Admin\AppData\Local\Temp\QuasarDependencies.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -windowstyle hidden Add-MpPreference -ExclusionExtension "exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
      • C:\Users\Admin\AppData\Local\Temp\QuasarScript.exe
        QuasarScript.exe
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\QuasarScript.exe" /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4820
        • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
          "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3548
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1252
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaLAyL1fwV2P.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2156
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2044
            • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
              "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4276
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:3448
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCehSxxfSY9v.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5032
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1808
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4184
                • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                  "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4772
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:4044
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CLKkQkGsysOv.bat" "
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3248
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2472
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 10 localhost
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:2104
                    • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                      "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:1964
                      • C:\Windows\SysWOW64\schtasks.exe
                        "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                        11⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:4628
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W3gsW8be6LBY.bat" "
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:376
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 65001
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2720
                        • C:\Windows\SysWOW64\PING.EXE
                          ping -n 10 localhost
                          12⤵
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:3384
                        • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                          "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SetWindowsHookEx
                          PID:3964
                          • C:\Windows\SysWOW64\schtasks.exe
                            "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                            13⤵
                            • System Location Discovery: System Language Discovery
                            • Scheduled Task/Job: Scheduled Task
                            PID:3840
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T6W1hIinK8Qx.bat" "
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2908
                            • C:\Windows\SysWOW64\chcp.com
                              chcp 65001
                              14⤵
                              • System Location Discovery: System Language Discovery
                              PID:1528
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 10 localhost
                              14⤵
                              • System Location Discovery: System Language Discovery
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4548
                            • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                              "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:1124
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                15⤵
                                • System Location Discovery: System Language Discovery
                                • Scheduled Task/Job: Scheduled Task
                                PID:3616
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAWRi1lNFBY0.bat" "
                                15⤵
                                • System Location Discovery: System Language Discovery
                                PID:1036
                                • C:\Windows\SysWOW64\chcp.com
                                  chcp 65001
                                  16⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2856
                                • C:\Windows\SysWOW64\PING.EXE
                                  ping -n 10 localhost
                                  16⤵
                                  • System Location Discovery: System Language Discovery
                                  • System Network Configuration Discovery: Internet Connection Discovery
                                  • Runs ping.exe
                                  PID:4344
                                • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                                  "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2916
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                    17⤵
                                    • System Location Discovery: System Language Discovery
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:428
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1unW4VTyENhY.bat" "
                                    17⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:4900
                                    • C:\Windows\SysWOW64\chcp.com
                                      chcp 65001
                                      18⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:4932
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping -n 10 localhost
                                      18⤵
                                      • System Location Discovery: System Language Discovery
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:4008
                                    • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                                      "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3416
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                        19⤵
                                        • System Location Discovery: System Language Discovery
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2152
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r6O0wPOlJwTh.bat" "
                                        19⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:628
                                        • C:\Windows\SysWOW64\chcp.com
                                          chcp 65001
                                          20⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:3140
                                        • C:\Windows\SysWOW64\PING.EXE
                                          ping -n 10 localhost
                                          20⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:1412
                                        • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                                          "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:3064
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                            21⤵
                                            • System Location Discovery: System Language Discovery
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2288
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UnLiwXwF4dxF.bat" "
                                            21⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3556
                                            • C:\Windows\SysWOW64\chcp.com
                                              chcp 65001
                                              22⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:3684
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping -n 10 localhost
                                              22⤵
                                              • System Location Discovery: System Language Discovery
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:3132
                                            • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                                              "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:3552
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                                23⤵
                                                • System Location Discovery: System Language Discovery
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5004
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gZH0VgrZHKZn.bat" "
                                                23⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1616
                                                • C:\Windows\SysWOW64\chcp.com
                                                  chcp 65001
                                                  24⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4660
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping -n 10 localhost
                                                  24⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:2196
                                                • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                                                  "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4100
                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                    "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                                    25⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:5112
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g6e4IITmiOch.bat" "
                                                    25⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4696
                                                    • C:\Windows\SysWOW64\chcp.com
                                                      chcp 65001
                                                      26⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1424
                                                    • C:\Windows\SysWOW64\PING.EXE
                                                      ping -n 10 localhost
                                                      26⤵
                                                      • System Location Discovery: System Language Discovery
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:3916
                                                    • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                                                      "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:4848
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                                        27⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1832
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vq7XAEuRtYrg.bat" "
                                                        27⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4708
                                                        • C:\Windows\SysWOW64\chcp.com
                                                          chcp 65001
                                                          28⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2736
                                                        • C:\Windows\SysWOW64\PING.EXE
                                                          ping -n 10 localhost
                                                          28⤵
                                                          • System Location Discovery: System Language Discovery
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:3412
                                                        • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                                                          "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:4164
                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                            "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                                            29⤵
                                                            • System Location Discovery: System Language Discovery
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2236
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w2THKsXKOzMJ.bat" "
                                                            29⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2432
                                                            • C:\Windows\SysWOW64\chcp.com
                                                              chcp 65001
                                                              30⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1364
                                                            • C:\Windows\SysWOW64\PING.EXE
                                                              ping -n 10 localhost
                                                              30⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:644
                                                            • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
                                                              "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2740
                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
                                                                31⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4196
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZ0Pw0axPoZ1.bat" "
                                                                31⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:876
                                                                • C:\Windows\SysWOW64\chcp.com
                                                                  chcp 65001
                                                                  32⤵
                                                                   PID:3132
                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                    ping -n 10 localhost
                                                                    32⤵
                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                    • Runs ping.exe
                                                                    PID:3972

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UpdateScheduler.exe.log

      Filesize

      1KB

      MD5

      38b07cd5da5c740e9629fd801dc26e5a

      SHA1

      42816159ab9367165cf58603b09b134d488c1690

      SHA256

      20049cc7ade63a31f442dfd2b99740f0512fdcc764266b8b105292e30d2b7483

      SHA512

      1769ffefe181531476e10311295f38d11b85b5ec3710000b5cb081675e5f233792f96bb4178b75fd0e2cfc86965e7368173d22799a1e9fa3317ddd49047fab5a

    • C:\Users\Admin\AppData\Local\Temp\1unW4VTyENhY.bat

      Filesize

      225B

      MD5

      cabf92e60ba88d7cd997f9f77a93467e

      SHA1

      cba644f257d982fb0e2b1eeadd0227438f30ad42

      SHA256

      6234bceac01a79334c2fa5c636f31dd73d7f84b5de0322a0d9d9e3b9740004a3

      SHA512

      d7cc09a59071f4b4202aa165f42f66b14715df2e9536bdfeb2a4cbe89e12b9b17b3dd1064998d9954a38c7fc3d8c895724382a35f1aab09a6a47fc0b4e63cc34

    • C:\Users\Admin\AppData\Local\Temp\A20C.tmp\A20D.tmp\A20E.bat

      Filesize

      139B

      MD5

      b08a879a860d4cb3471cb94ad718da56

      SHA1

      2ce7182ec699bb362479def589f98174cbdeddde

      SHA256

      b3c03878cdcd3427b57946da7f09489f0bb08fd28d277c848dbe49b5678f349b

      SHA512

      4ddcdb440bb1909113e34741ab388c5095e0b07db90e089db22c830f8a5db1996f1e3619a9538655058c8ddb6df38ed80df255a7aaa99eef75783a6c6e149081

    • C:\Users\Admin\AppData\Local\Temp\CLKkQkGsysOv.bat

      Filesize

      225B

      MD5

      7e701b9f1a4bb4182fc0d1fd9d005a34

      SHA1

      3b30cdf95448ffd7eb037e0809df74031cbdc31b

      SHA256

      9e4b856b7b1767cd69bdfc9b6c6e54903844399d1901ddaf27e7ffcf55a44ffe

      SHA512

      47038ff63b82a7ccf8cb90145946388edc11b969646f68dcbee91fff399b6d7d0cfe865065e1290a5c49368fd819bc741c9c580b12fb296cf63d8c3335001b12

    • C:\Users\Admin\AppData\Local\Temp\T6W1hIinK8Qx.bat

      Filesize

      225B

      MD5

      8d6c057e069bfba31e6ac8f926b2781e

      SHA1

      c8de62d52dfb65459279550756ba3e6ca449a01b

      SHA256

      7cbb044b2457e448345d865899b238e9fc93181dd0d1fcfe34ad211b72aca930

      SHA512

      e07282396c92e30ec876c0d6afc9cc2fd9e36d4c4141c35720010091ebdc28112745af6557d7a01d30951c1a5701e1995554df6ad0614f0752f68e67dbb7939f

    • C:\Users\Admin\AppData\Local\Temp\TaLAyL1fwV2P.bat

      Filesize

      225B

      MD5

      a9a32f6f006b3303ff861f9b1a645650

      SHA1

      e6d816fffadcd2080ab5d5fc60d9fe800f075ae0

      SHA256

      c4743b9f0cf4657ada81fdd09d26777131c50dd2a270d9c425f2e6d4e5f95a09

      SHA512

      490ee97161bd00e750f13dfd214280b49dd38bab68554bffe753a10bb7d41e0e17cd2cc181f194e04ef6c184234547ecb459817c2278451e776fc1b17c950529

    • C:\Users\Admin\AppData\Local\Temp\UnLiwXwF4dxF.bat

      Filesize

      225B

      MD5

      711a3123f507e28c3194932952ce72a5

      SHA1

      9327affb9853ea3b1285dea855fd0eafc80bb376

      SHA256

      c9c230467d9a910b4a92cdabbe2985f189305cd38437c67a00c013dc7d708c3e

      SHA512

      483d8e04f681e1aded5dce79c11256df45c3bb86bbde1f99e7985f3a9f85533acaa7ec8c447f3a038e2c5aa8c599244fc3c98bcd3fcf54f94501bee361bfcf6f

    • C:\Users\Admin\AppData\Local\Temp\Vq7XAEuRtYrg.bat

      Filesize

      225B

      MD5

      508d08c6f7b48bfb06bf16b8849bedf5

      SHA1

      373bece4d8028217d06849bf1f9e5ceb4181a288

      SHA256

      df2b98bc9a015795bd7ca20d61348cb3ae4ec975953851fecd050bc05507b8c2

      SHA512

      61a0215a8ac54133bd17d5541f5bd4ae0bc7b8e13b3d872bfe5354a01f8896689562cef025eb102a471289d3d4265563dab33c93fe10fe4b007fc4c101544208

    • C:\Users\Admin\AppData\Local\Temp\W3gsW8be6LBY.bat

      Filesize

      225B

      MD5

      29888889b55625bd2063d8a82c28f0c1

      SHA1

      1fcd12aa38ad45712f071562b6729c419d8406ec

      SHA256

      435e8583fa37b215749fadd93aafdf73256b58fcd4fb8302a8bafdc215f7481b

      SHA512

      1f426d806e68058182368f7d12930f7ade4ceadc4abd1c4c32e1282104e03230efcbdbc55415b8899920bf34d8c64fe53fe9d571d48de7e1f319b35c16890a65

    • C:\Users\Admin\AppData\Local\Temp\XAWRi1lNFBY0.bat

      Filesize

      225B

      MD5

      d250947f4b5618497704aa27bc783eb4

      SHA1

      513ad2391e1c33355ac4ab671d3092231acd41de

      SHA256

      19336147f3a977b9e3f7836a4f7379abafc10a976807fe86b4db601670fcc92e

      SHA512

      7aa6474faa729a212385547c976b5e9eae15d29e43b01901a97a59b517681f3313b76abc5067649d9707b28b83b9f234919f795c9b63a84391ca4860942d83b7

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ntvlz3yq.lxo.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\g6e4IITmiOch.bat

      Filesize

      225B

      MD5

      9baea759491c4dd8cd7543c2c3aa1796

      SHA1

      c642d86f6c20e4d4082be0ed637e85b55dbe2324

      SHA256

      688a7851a1044246236309ddbd614fa74eff6e663b692e2739c790b1a5e0bbeb

      SHA512

      d999bf47b5ada7354bba37fc72a0f3c71810f079fdf268ce8957c231b75e1e94a958cd7f0642e4e1c08edaee5f50f95b6cfe67bcf4cfb8a3508f18a90c899fa7

    • C:\Users\Admin\AppData\Local\Temp\gZH0VgrZHKZn.bat

      Filesize

      225B

      MD5

      b7eb59b1787b995f9f96fe4759ba7c92

      SHA1

      cf2f3abc6296c922b8f410f27ef4816a301ce263

      SHA256

      7cfd71b668a750a87d84a3f17c1db05a05394e22d9dee098bfb3293975e98664

      SHA512

      95311bcced5ea3b5109e9ef0b20ccbbfeac761e89f270a5a99645de0b53effb06ebd736c36f1811b091a4a4838d349329c7b6d860420e8180eac6347e860941f

    • C:\Users\Admin\AppData\Local\Temp\iCehSxxfSY9v.bat

      Filesize

      225B

      MD5

      7f04205f83c09b6a6717c83cc0c060c0

      SHA1

      69e85c15a13b463bd0edc7f625504d9a66734926

      SHA256

      aada123e9038651070b8b72934b0f5ec307663a5990e8aa40fe843049eb2d276

      SHA512

      f547ee126e1345cf5706eff638ef862b5e86cf8513c54296db50d6ee50e3b1bcc8d8e2427b89ca57b5ed0277fc9438228e69c94045230869705b8c52b016e143

    • C:\Users\Admin\AppData\Local\Temp\r6O0wPOlJwTh.bat

      Filesize

      225B

      MD5

      0e4f171d41c2ee69a278dad0fba20cc0

      SHA1

      33921733480ab03264734638eda0546d41a03197

      SHA256

      a0f1e4f08a4ff48655e20bfba75595cb905a89db6d70115ad1578e58a2576753

      SHA512

      8a09018122965661c3481bd0179d7495135faf319fa631eb4de4e6cb404b39441a893c5dc94920f66d4bcf30ddb83d0b70af7e4798f3d93cec43a41868c5ea94

    • C:\Users\Admin\AppData\Local\Temp\rZ0Pw0axPoZ1.bat

      Filesize

      225B

      MD5

      6e57b8be101502184d7e84b245331179

      SHA1

      cee7fe1cabb06ee405fdd774ec3f80912d2de678

      SHA256

      ed15a1c292259b4b2abfaf023c425cbdd3a49af15b615044999a418f617e8126

      SHA512

      6d5539f8c6d210dc51a75905a79a13afeeb1c04adfeaa95c9f9a49c4ca7b9a7f003960b8906cd597100b9786419033014a8f2576120914bc68cdbdaa66bb5fca

    • C:\Users\Admin\AppData\Local\Temp\w2THKsXKOzMJ.bat

      Filesize

      225B

      MD5

      a123701d619ffbfadf3b1359a1c855ad

      SHA1

      502c1db74d8964133787fce3997e1eca76adf7bd

      SHA256

      eb0ced65817e4829fc2d34fd71dadc132e435ee189f87635ea5d5302a90c9c92

      SHA512

      a0ebae8db2a550008d8474429614c14bbbae8f7fe59c2d88a085cf3b319992fdbedc415058d609c20c5f193c0af7c810fa738bcd84ce7ea0082cf1609dc1bf79

    • C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe

      Filesize

      1.2MB

      MD5

      90ccd90706e5f5ecf0a4fd6301cf18c8

      SHA1

      141f82fc5e8ddf7c2b87cf71bf1f506d2a3f06d4

      SHA256

      44ab3d116f6c6318067f89ccb838b5198b6544469ec27557ca1de3655a6ceb96

      SHA512

      a8689448e4781013c6ae7a3744673f849d759954b91a341703897d5de6bdd1e08f43f03e8a71bdebd296d3d3b8a0928c39729b7a2044e095f0d4625c1325ca5c

    • memory/1064-17-0x00007FFB89AF0000-0x00007FFB8A5B1000-memory.dmp

      Filesize

      10.8MB

    • memory/1064-2-0x00007FFB89AF3000-0x00007FFB89AF5000-memory.dmp

      Filesize

      8KB

    • memory/1064-8-0x0000018633DA0000-0x0000018633DC2000-memory.dmp

      Filesize

      136KB

    • memory/1064-13-0x00007FFB89AF0000-0x00007FFB8A5B1000-memory.dmp

      Filesize

      10.8MB

    • memory/1064-14-0x00007FFB89AF0000-0x00007FFB8A5B1000-memory.dmp

      Filesize

      10.8MB

    • memory/1124-92-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/1124-86-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/1124-87-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/1124-85-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/1964-66-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/1964-65-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/1964-72-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/1964-67-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/2740-171-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/2740-164-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/2740-165-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/2740-166-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/2916-101-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/2916-96-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/2916-95-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3064-121-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3064-114-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3064-115-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3064-116-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3388-19-0x0000000000E60000-0x000000000123A000-memory.dmp

      Filesize

      3.9MB

    • memory/3388-22-0x00000000063C0000-0x00000000063CA000-memory.dmp

      Filesize

      40KB

    • memory/3388-30-0x0000000000E60000-0x000000000123A000-memory.dmp

      Filesize

      3.9MB

    • memory/3388-20-0x00000000067F0000-0x0000000006D94000-memory.dmp

      Filesize

      5.6MB

    • memory/3388-21-0x0000000006320000-0x00000000063B2000-memory.dmp

      Filesize

      584KB

    • memory/3388-18-0x0000000000E60000-0x000000000123A000-memory.dmp

      Filesize

      3.9MB

    • memory/3416-104-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3416-106-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3416-105-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3416-111-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3548-41-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3548-34-0x00000000065D0000-0x0000000006620000-memory.dmp

      Filesize

      320KB

    • memory/3548-35-0x0000000006840000-0x00000000068F2000-memory.dmp

      Filesize

      712KB

    • memory/3548-33-0x0000000006B50000-0x0000000007168000-memory.dmp

      Filesize

      6.1MB

    • memory/3548-32-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3548-26-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3548-31-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3552-124-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3552-125-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3552-126-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3552-131-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3964-75-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3964-76-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3964-82-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/3964-77-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4100-134-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4100-135-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4100-136-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4100-141-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4164-154-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4164-155-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4164-161-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4164-156-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4276-47-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4276-44-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4276-46-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4276-52-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4772-55-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4772-56-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4772-57-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4772-62-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4848-151-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4848-145-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4848-146-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB

    • memory/4848-144-0x00000000003B0000-0x000000000078A000-memory.dmp

      Filesize

      3.9MB