Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-12-2024 03:20
Static task
static1
Behavioral task
behavioral1
Sample
EXIT/Exit.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
QuasarDependencies.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
QuasarScript.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
Start.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
img-recog.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
self-contain.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
win/qwindows.dll
Resource
win10v2004-20241007-en
General
-
Target
QuasarDependencies.exe
-
Size
120KB
-
MD5
8e3e60ba2c742636546e314805e31c19
-
SHA1
cb09acc414a975f1d084183e0b5d2c5b7a77d339
-
SHA256
4d728486d5ccfc33c5853866da2e1549677181334552c36e0988bc4f64a208b1
-
SHA512
e4460b9dd06221c40388abaa7b912af67772ef159b5497406ef19399c5f8ad08edf0e9af1504048dc2a6b6cc2928027f657522ebecd412f986580b361eef56ab
-
SSDEEP
3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPKn:pt5hBPi0BW69hd1MMdxPe9N9uA069TBg
Malware Config
Extracted
quasar
1.4.0
YT_RAT
FlawGFX-25466.portmap.io:25466
b0e42180-0b07-43a4-8af5-751a530df10c
-
encryption_key
F38AD66AF1B37C4D9D83D6A35EA505EADBD633EE
-
install_name
UpdateScheduler.exe
-
log_directory
WinDefender_Logs
-
reconnect_delay
1500
-
startup_key
Windows Update Scheduler
-
subdirectory
WindowsDefender
Signatures
-
Quasar family
-
Quasar payload 48 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
1064  powershell.exe
1064  powershell.exe
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                Process
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  QuasarDependencies.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  UpdateScheduler.exe
-
Executes dropped EXE 14 IoCs
pid   Process
3548  UpdateScheduler.exe
4276  UpdateScheduler.exe
4772  UpdateScheduler.exe
1964  UpdateScheduler.exe
3964  UpdateScheduler.exe
1124  UpdateScheduler.exe
2916  UpdateScheduler.exe
3416  UpdateScheduler.exe
3064  UpdateScheduler.exe
3552  UpdateScheduler.exe
4100  UpdateScheduler.exe
4848  UpdateScheduler.exe
4164  UpdateScheduler.exe
2740  UpdateScheduler.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid   Process
3388  QuasarScript.exe
3388  QuasarScript.exe
3548  UpdateScheduler.exe
4276  UpdateScheduler.exe
4772  UpdateScheduler.exe
1964  UpdateScheduler.exe
3964  UpdateScheduler.exe
1124  UpdateScheduler.exe
2916  UpdateScheduler.exe
3416  UpdateScheduler.exe
3064  UpdateScheduler.exe
3552  UpdateScheduler.exe
4100  UpdateScheduler.exe
4848  UpdateScheduler.exe
4848  UpdateScheduler.exe
4164  UpdateScheduler.exe
2740  UpdateScheduler.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2044  PING.EXE
4184  PING.EXE
1412  PING.EXE
2196  PING.EXE
2104  PING.EXE
4344  PING.EXE
4008  PING.EXE
3916  PING.EXE
644   PING.EXE
3384  PING.EXE
4548  PING.EXE
3132  PING.EXE
3412  PING.EXE
3972  PING.EXE
-
Runs ping.exe 1 TTPs 14 IoCs
pid   Process
2196  PING.EXE
4184  PING.EXE
4344  PING.EXE
4008  PING.EXE
3384  PING.EXE
3132  PING.EXE
2104  PING.EXE
4548  PING.EXE
1412  PING.EXE
3916  PING.EXE
3412  PING.EXE
644   PING.EXE
3972  PING.EXE
2044  PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1832  schtasks.exe
3448  schtasks.exe
3840  schtasks.exe
428   schtasks.exe
5004  schtasks.exe
1252  schtasks.exe
4044  schtasks.exe
4628  schtasks.exe
2152  schtasks.exe
3616  schtasks.exe
2288  schtasks.exe
4196  schtasks.exe
4820  schtasks.exe
5112  schtasks.exe
2236  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid   Process
1064  powershell.exe
1064  powershell.exe
3388  QuasarScript.exe
3388  QuasarScript.exe
3548  UpdateScheduler.exe
3548  UpdateScheduler.exe
4276  UpdateScheduler.exe
4276  UpdateScheduler.exe
4772  UpdateScheduler.exe
4772  UpdateScheduler.exe
1964  UpdateScheduler.exe
1964  UpdateScheduler.exe
3964  UpdateScheduler.exe
3964  UpdateScheduler.exe
1124  UpdateScheduler.exe
1124  UpdateScheduler.exe
2916  UpdateScheduler.exe
2916  UpdateScheduler.exe
3416  UpdateScheduler.exe
3416  UpdateScheduler.exe
3064  UpdateScheduler.exe
3064  UpdateScheduler.exe
3552  UpdateScheduler.exe
3552  UpdateScheduler.exe
4100  UpdateScheduler.exe
4100  UpdateScheduler.exe
4848  UpdateScheduler.exe
4848  UpdateScheduler.exe
4164  UpdateScheduler.exe
4164  UpdateScheduler.exe
2740  UpdateScheduler.exe
2740  UpdateScheduler.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description              pid   Process
Token: SeDebugPrivilege  1064  powershell.exe
Token: SeDebugPrivilege  3388  QuasarScript.exe
Token: SeDebugPrivilege  3548  UpdateScheduler.exe
Token: SeDebugPrivilege  4276  UpdateScheduler.exe
Token: SeDebugPrivilege  4772  UpdateScheduler.exe
Token: SeDebugPrivilege  1964  UpdateScheduler.exe
Token: SeDebugPrivilege  3964  UpdateScheduler.exe
Token: SeDebugPrivilege  1124  UpdateScheduler.exe
Token: SeDebugPrivilege  2916  UpdateScheduler.exe
Token: SeDebugPrivilege  3416  UpdateScheduler.exe
Token: SeDebugPrivilege  3064  UpdateScheduler.exe
Token: SeDebugPrivilege  3552  UpdateScheduler.exe
Token: SeDebugPrivilege  4100  UpdateScheduler.exe
Token: SeDebugPrivilege  4848  UpdateScheduler.exe
Token: SeDebugPrivilege  4164  UpdateScheduler.exe
Token: SeDebugPrivilege  2740  UpdateScheduler.exe
-
Suspicious use of SetWindowsHookEx 15 IoCs
pid   Process
3388  QuasarScript.exe
3548  UpdateScheduler.exe
4276  UpdateScheduler.exe
4772  UpdateScheduler.exe
1964  UpdateScheduler.exe
3964  UpdateScheduler.exe
1124  UpdateScheduler.exe
2916  UpdateScheduler.exe
3416  UpdateScheduler.exe
3064  UpdateScheduler.exe
3552  UpdateScheduler.exe
4100  UpdateScheduler.exe
4848  UpdateScheduler.exe
4164  UpdateScheduler.exe
2740  UpdateScheduler.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\QuasarDependencies.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\QuasarDependencies.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4456 -
Level 2: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A20C.tmp\A20D.tmp\A20E.bat C:\Users\Admin\AppData\Local\Temp\QuasarDependencies.exe"
- Suspicious use of WriteProcessMemory
PID:4760 -
Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -windowstyle hidden Add-MpPreference -ExclusionExtension "exe"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
Level 3: C:\Users\Admin\AppData\Local\Temp\QuasarScript.exe
Command line: QuasarScript.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3388 -
Level 4: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\QuasarScript.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4820
-
-
Level 4: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548 -
Level 5: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:1252
-
-
Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaLAyL1fwV2P.bat" "
- Suspicious use of WriteProcessMemory
PID:1636 -
Level 6: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:2156
-
-
Level 6: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2044
-
-
Level 6: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276 -
Level 7: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3448
-
-
Level 7: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCehSxxfSY9v.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032 -
Level 8: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:1808
-
-
Level 8: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4184
-
-
Level 8: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772 -
Level 9: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4044
-
-
Level 9: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CLKkQkGsysOv.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3248 -
Level 10: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:2472
-
-
Level 10: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2104
-
-
Level 10: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964 -
Level 11: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4628
-
-
Level 11: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W3gsW8be6LBY.bat" "
- System Location Discovery: System Language Discovery
PID:376 -
Level 12: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:2720
-
-
Level 12: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3384
-
-
Level 12: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3964 -
Level 13: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3840
-
-
Level 13: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T6W1hIinK8Qx.bat" "
- System Location Discovery: System Language Discovery
PID:2908 -
Level 14: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:1528
-
-
Level 14: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4548
-
-
Level 14: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1124 -
Level 15: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3616
-
-
Level 15: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAWRi1lNFBY0.bat" "
- System Location Discovery: System Language Discovery
PID:1036 -
Level 16: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:2856
-
-
Level 16: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4344
-
-
Level 16: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2916 -
Level 17: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:428
-
-
Level 17: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1unW4VTyENhY.bat" "
- System Location Discovery: System Language Discovery
PID:4900 -
Level 18: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:4932
-
-
Level 18: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4008
-
-
Level 18: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3416 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f19⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2152
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r6O0wPOlJwTh.bat" "19⤵
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\chcp.comchcp 6500120⤵
- System Location Discovery: System Language Discovery
PID:3140
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1412
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3064 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f21⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2288
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UnLiwXwF4dxF.bat" "21⤵
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\SysWOW64\chcp.comchcp 6500122⤵
- System Location Discovery: System Language Discovery
PID:3684
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost22⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3132
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3552 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f23⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gZH0VgrZHKZn.bat" "23⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\chcp.comchcp 6500124⤵
- System Location Discovery: System Language Discovery
PID:4660
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost24⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2196
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4100 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f25⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5112
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g6e4IITmiOch.bat" "25⤵
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Windows\SysWOW64\chcp.comchcp 6500126⤵
- System Location Discovery: System Language Discovery
PID:1424
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost26⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3916
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4848 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f27⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1832
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vq7XAEuRtYrg.bat" "27⤵
- System Location Discovery: System Language Discovery
PID:4708 -
C:\Windows\SysWOW64\chcp.comchcp 6500128⤵
- System Location Discovery: System Language Discovery
PID:2736
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost28⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3412
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4164 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f29⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2236
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w2THKsXKOzMJ.bat" "29⤵
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\chcp.comchcp 6500130⤵
- System Location Discovery: System Language Discovery
PID:1364
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost30⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:644
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2740 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f31⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4196
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZ0Pw0axPoZ1.bat" "31⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\chcp.comchcp 6500132⤵PID:3132
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3972
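The tree above repeats one pattern: the dropped binary registers an ONLOGON task with /rl HIGHEST, then runs a batch file from %TEMP% that sets the code page, sleeps with ping -n 10 localhost and relaunches the same binary, which registers the task again. The script below is an added detection example (not part of the sandbox output). Its events are transcribed from this page's tree (images, command lines, PIDs); parent/child links are reconstructed from the tree levels, which is an assumption since the report shows nesting rather than parent PIDs. The PID reuse visible on the page (3132 appears twice) is kept, because real telemetry has it too.

```python
"""Detect the schtasks-ONLOGON + temp-batch relaunch chain from the tree above.
Added example; events are transcribed from the page, links inferred from levels.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


EXE = r"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
TASK_CMD = (r'"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON '
            r'/tr "%s" /rl HIGHEST /f' % EXE)

# One row per relaunch round on the page:
# (cmd.exe level, batch name, cmd PID, chcp PID, ping PID, exe PID, schtasks PID).
# The page's tree ends at ping.exe in the last round, so exe/schtasks are None.
ROUNDS = [
    (15, "XAWRi1lNFBY0.bat", 1036, 2856, 4344, 2916, 428),
    (17, "1unW4VTyENhY.bat", 4900, 4932, 4008, 3416, 2152),
    (19, "r6O0wPOlJwTh.bat", 628, 3140, 1412, 3064, 2288),
    (21, "UnLiwXwF4dxF.bat", 3556, 3684, 3132, 3552, 5004),
    (23, "gZH0VgrZHKZn.bat", 1616, 4660, 2196, 4100, 5112),
    (25, "g6e4IITmiOch.bat", 4696, 1424, 3916, 4848, 1832),
    (27, "Vq7XAEuRtYrg.bat", 4708, 2736, 3412, 4164, 2236),
    (29, "w2THKsXKOzMJ.bat", 2432, 1364, 644, 2740, 4196),
    (31, "rZ0Pw0axPoZ1.bat", 876, 3132, 3972, None, None),
]


def build_tree(rounds, root_ppid=0):
    """Expand the compact rounds into process events with parent links (assumed from levels)."""
    procs, ppid = [], root_ppid
    for _level, bat, cmd_pid, chcp_pid, ping_pid, exe_pid, task_pid in rounds:
        procs.append(Proc(cmd_pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                          r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\%s" "' % bat))
        procs.append(Proc(chcp_pid, cmd_pid, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"))
        procs.append(Proc(ping_pid, cmd_pid, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"))
        if exe_pid is None:
            break
        procs.append(Proc(exe_pid, cmd_pid, EXE, '"%s"' % EXE))
        procs.append(Proc(task_pid, exe_pid, r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD))
        ppid = exe_pid  # the next round's cmd.exe is a child of the relaunched binary
    return procs


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return schtasks switches as a dict; valued switches map to their argument."""
    toks, opts, i = tokens(cmdline), {}, 0
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            opts[t] = toks[i + 1]
            i += 2
        else:
            if t.startswith("/"):
                opts[t] = True
            i += 1
    return opts


APPDATA = re.compile(r"\\AppData\\", re.I)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.bat$", re.I)


def suspicious_task(p):
    """Logon-triggered task at highest run level whose action lives under AppData."""
    if not p.image.lower().endswith("schtasks.exe"):
        return None
    o = parse_schtasks(p.cmdline)
    if "/create" not in o or str(o.get("/sc", "")).lower() != "onlogon":
        return None
    if str(o.get("/rl", "")).lower() != "highest" or not APPDATA.search(str(o.get("/tr", ""))):
        return None
    return {"pid": p.pid, "task": o.get("/tn"), "target": o["/tr"]}


def restart_chain(p, children):
    """cmd.exe running a %TEMP% batch whose children are a ping delay plus an AppData executable."""
    if not p.image.lower().endswith("cmd.exe"):
        return None
    bats = [t for t in tokens(p.cmdline) if TEMP_BAT.search(t)]
    kids = children.get(p.pid, [])
    delay = any(k.image.lower().endswith("ping.exe")
                and re.search(r"-n\s+\d+\s+localhost", k.cmdline, re.I) for k in kids)
    launched = [k for k in kids if k.image.lower().endswith(".exe") and APPDATA.search(k.image)]
    if not (bats and delay and launched):
        return None
    return {"pid": p.pid, "batch": bats[0], "relaunched": launched[0].image,
            "relaunched_pid": launched[0].pid}


def analyze(procs):
    """Run both rules and tie each relaunch to the task that persists the same binary."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    tasks = [t for t in map(suspicious_task, procs) if t]
    chains = [c for c in (restart_chain(p, children) for p in procs) if c]
    targets = {t["target"].lower() for t in tasks}
    for c in chains:
        c["matches_task"] = c["relaunched"].lower() in targets
    return {"tasks": tasks, "chains": chains}


def summarize(report):
    """Host-level IOCs a responder would pull from the findings."""
    return {
        "task_names": sorted({t["task"] for t in report["tasks"]}),
        "persisted_binary": sorted({t["target"] for t in report["tasks"]}),
        "temp_batches": [c["batch"].rsplit("\\", 1)[-1] for c in report["chains"]],
        "relaunch_rounds": sum(c["matches_task"] for c in report["chains"]),
    }


if __name__ == "__main__":
    for k, v in summarize(analyze(build_tree(ROUNDS))).items():
        print(k, v)
```

The two rules are deliberately independent: the scheduled-task rule fires on a single schtasks.exe event, while the relaunch rule needs parent/child context, so the second one degrades on telemetry that lacks reliable parent PIDs. On a real host the same facts are checked with `schtasks /query /tn "Windows Update Scheduler" /v` and by looking for the batch files under %LOCALAPPDATA%\Temp, which the page shows as 225-byte files with a new name each round.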
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

- Filesize: 1KB
  MD5: 38b07cd5da5c740e9629fd801dc26e5a
  SHA1: 42816159ab9367165cf58603b09b134d488c1690
  SHA256: 20049cc7ade63a31f442dfd2b99740f0512fdcc764266b8b105292e30d2b7483
  SHA512: 1769ffefe181531476e10311295f38d11b85b5ec3710000b5cb081675e5f233792f96bb4178b75fd0e2cfc86965e7368173d22799a1e9fa3317ddd49047fab5a

- Filesize: 225B
  MD5: cabf92e60ba88d7cd997f9f77a93467e
  SHA1: cba644f257d982fb0e2b1eeadd0227438f30ad42
  SHA256: 6234bceac01a79334c2fa5c636f31dd73d7f84b5de0322a0d9d9e3b9740004a3
  SHA512: d7cc09a59071f4b4202aa165f42f66b14715df2e9536bdfeb2a4cbe89e12b9b17b3dd1064998d9954a38c7fc3d8c895724382a35f1aab09a6a47fc0b4e63cc34

- Filesize: 139B
  MD5: b08a879a860d4cb3471cb94ad718da56
  SHA1: 2ce7182ec699bb362479def589f98174cbdeddde
  SHA256: b3c03878cdcd3427b57946da7f09489f0bb08fd28d277c848dbe49b5678f349b
  SHA512: 4ddcdb440bb1909113e34741ab388c5095e0b07db90e089db22c830f8a5db1996f1e3619a9538655058c8ddb6df38ed80df255a7aaa99eef75783a6c6e149081

- Filesize: 225B
  MD5: 7e701b9f1a4bb4182fc0d1fd9d005a34
  SHA1: 3b30cdf95448ffd7eb037e0809df74031cbdc31b
  SHA256: 9e4b856b7b1767cd69bdfc9b6c6e54903844399d1901ddaf27e7ffcf55a44ffe
  SHA512: 47038ff63b82a7ccf8cb90145946388edc11b969646f68dcbee91fff399b6d7d0cfe865065e1290a5c49368fd819bc741c9c580b12fb296cf63d8c3335001b12

- Filesize: 225B
  MD5: 8d6c057e069bfba31e6ac8f926b2781e
  SHA1: c8de62d52dfb65459279550756ba3e6ca449a01b
  SHA256: 7cbb044b2457e448345d865899b238e9fc93181dd0d1fcfe34ad211b72aca930
  SHA512: e07282396c92e30ec876c0d6afc9cc2fd9e36d4c4141c35720010091ebdc28112745af6557d7a01d30951c1a5701e1995554df6ad0614f0752f68e67dbb7939f

- Filesize: 225B
  MD5: a9a32f6f006b3303ff861f9b1a645650
  SHA1: e6d816fffadcd2080ab5d5fc60d9fe800f075ae0
  SHA256: c4743b9f0cf4657ada81fdd09d26777131c50dd2a270d9c425f2e6d4e5f95a09
  SHA512: 490ee97161bd00e750f13dfd214280b49dd38bab68554bffe753a10bb7d41e0e17cd2cc181f194e04ef6c184234547ecb459817c2278451e776fc1b17c950529

- Filesize: 225B
  MD5: 711a3123f507e28c3194932952ce72a5
  SHA1: 9327affb9853ea3b1285dea855fd0eafc80bb376
  SHA256: c9c230467d9a910b4a92cdabbe2985f189305cd38437c67a00c013dc7d708c3e
  SHA512: 483d8e04f681e1aded5dce79c11256df45c3bb86bbde1f99e7985f3a9f85533acaa7ec8c447f3a038e2c5aa8c599244fc3c98bcd3fcf54f94501bee361bfcf6f

- Filesize: 225B
  MD5: 508d08c6f7b48bfb06bf16b8849bedf5
  SHA1: 373bece4d8028217d06849bf1f9e5ceb4181a288
  SHA256: df2b98bc9a015795bd7ca20d61348cb3ae4ec975953851fecd050bc05507b8c2
  SHA512: 61a0215a8ac54133bd17d5541f5bd4ae0bc7b8e13b3d872bfe5354a01f8896689562cef025eb102a471289d3d4265563dab33c93fe10fe4b007fc4c101544208

- Filesize: 225B
  MD5: 29888889b55625bd2063d8a82c28f0c1
  SHA1: 1fcd12aa38ad45712f071562b6729c419d8406ec
  SHA256: 435e8583fa37b215749fadd93aafdf73256b58fcd4fb8302a8bafdc215f7481b
  SHA512: 1f426d806e68058182368f7d12930f7ade4ceadc4abd1c4c32e1282104e03230efcbdbc55415b8899920bf34d8c64fe53fe9d571d48de7e1f319b35c16890a65

- Filesize: 225B
  MD5: d250947f4b5618497704aa27bc783eb4
  SHA1: 513ad2391e1c33355ac4ab671d3092231acd41de
  SHA256: 19336147f3a977b9e3f7836a4f7379abafc10a976807fe86b4db601670fcc92e
  SHA512: 7aa6474faa729a212385547c976b5e9eae15d29e43b01901a97a59b517681f3313b76abc5067649d9707b28b83b9f234919f795c9b63a84391ca4860942d83b7

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 225B
  MD5: 9baea759491c4dd8cd7543c2c3aa1796
  SHA1: c642d86f6c20e4d4082be0ed637e85b55dbe2324
  SHA256: 688a7851a1044246236309ddbd614fa74eff6e663b692e2739c790b1a5e0bbeb
  SHA512: d999bf47b5ada7354bba37fc72a0f3c71810f079fdf268ce8957c231b75e1e94a958cd7f0642e4e1c08edaee5f50f95b6cfe67bcf4cfb8a3508f18a90c899fa7

- Filesize: 225B
  MD5: b7eb59b1787b995f9f96fe4759ba7c92
  SHA1: cf2f3abc6296c922b8f410f27ef4816a301ce263
  SHA256: 7cfd71b668a750a87d84a3f17c1db05a05394e22d9dee098bfb3293975e98664
  SHA512: 95311bcced5ea3b5109e9ef0b20ccbbfeac761e89f270a5a99645de0b53effb06ebd736c36f1811b091a4a4838d349329c7b6d860420e8180eac6347e860941f

- Filesize: 225B
  MD5: 7f04205f83c09b6a6717c83cc0c060c0
  SHA1: 69e85c15a13b463bd0edc7f625504d9a66734926
  SHA256: aada123e9038651070b8b72934b0f5ec307663a5990e8aa40fe843049eb2d276
  SHA512: f547ee126e1345cf5706eff638ef862b5e86cf8513c54296db50d6ee50e3b1bcc8d8e2427b89ca57b5ed0277fc9438228e69c94045230869705b8c52b016e143

- Filesize: 225B
  MD5: 0e4f171d41c2ee69a278dad0fba20cc0
  SHA1: 33921733480ab03264734638eda0546d41a03197
  SHA256: a0f1e4f08a4ff48655e20bfba75595cb905a89db6d70115ad1578e58a2576753
  SHA512: 8a09018122965661c3481bd0179d7495135faf319fa631eb4de4e6cb404b39441a893c5dc94920f66d4bcf30ddb83d0b70af7e4798f3d93cec43a41868c5ea94

- Filesize: 225B
  MD5: 6e57b8be101502184d7e84b245331179
  SHA1: cee7fe1cabb06ee405fdd774ec3f80912d2de678
  SHA256: ed15a1c292259b4b2abfaf023c425cbdd3a49af15b615044999a418f617e8126
  SHA512: 6d5539f8c6d210dc51a75905a79a13afeeb1c04adfeaa95c9f9a49c4ca7b9a7f003960b8906cd597100b9786419033014a8f2576120914bc68cdbdaa66bb5fca

- Filesize: 225B
  MD5: a123701d619ffbfadf3b1359a1c855ad
  SHA1: 502c1db74d8964133787fce3997e1eca76adf7bd
  SHA256: eb0ced65817e4829fc2d34fd71dadc132e435ee189f87635ea5d5302a90c9c92
  SHA512: a0ebae8db2a550008d8474429614c14bbbae8f7fe59c2d88a085cf3b319992fdbedc415058d609c20c5f193c0af7c810fa738bcd84ce7ea0082cf1609dc1bf79

- Filesize: 1.2MB
  MD5: 90ccd90706e5f5ecf0a4fd6301cf18c8
  SHA1: 141f82fc5e8ddf7c2b87cf71bf1f506d2a3f06d4
  SHA256: 44ab3d116f6c6318067f89ccb838b5198b6544469ec27557ca1de3655a6ceb96
  SHA512: a8689448e4781013c6ae7a3744673f849d759954b91a341703897d5de6bdd1e08f43f03e8a71bdebd296d3d3b8a0928c39729b7a2044e095f0d4625c1325ca5c