Analysis
- max time kernel: 142s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 03:20
Static task: static1
Behavioral tasks (all run on resource win10v2004-20241007-en)
- behavioral1: EXIT/Exit.bat
- behavioral2: QuasarDependencies.exe
- behavioral3: QuasarScript.exe
- behavioral4: Start.bat
- behavioral5: img-recog.dll
- behavioral6: self-contain.dll
- behavioral7: win/qwindows.dll
General
- Target: QuasarScript.exe
- Size: 1.2MB
- MD5: 90ccd90706e5f5ecf0a4fd6301cf18c8
- SHA1: 141f82fc5e8ddf7c2b87cf71bf1f506d2a3f06d4
- SHA256: 44ab3d116f6c6318067f89ccb838b5198b6544469ec27557ca1de3655a6ceb96
- SHA512: a8689448e4781013c6ae7a3744673f849d759954b91a341703897d5de6bdd1e08f43f03e8a71bdebd296d3d3b8a0928c39729b7a2044e095f0d4625c1325ca5c
- SSDEEP: 24576:nTgjYdbiDh2VehFCrs/vtp3+G44Bkl2uXn4zImcKbPJhSvW1o:ncj7hUehgs/D+G44Bkl2y4zgW
Malware Config
Extracted: quasar
- Version: 1.4.0
- YT_RAT
- C2: FlawGFX-25466.portmap.io:25466
- b0e42180-0b07-43a4-8af5-751a530df10c
- encryption_key: F38AD66AF1B37C4D9D83D6A35EA505EADBD633EE
- install_name: UpdateScheduler.exe
- log_directory: WinDefender_Logs
- reconnect_delay: 1500
- startup_key: Windows Update Scheduler
- subdirectory: WindowsDefender
Signatures

Quasar family

Quasar payload 44 IoCs
resource / yara_rule (every entry below matched yara_rule family_quasar)
- behavioral3/memory/1544-2-0x0000000000B20000-0x0000000000EFA000-memory.dmp
- behavioral3/memory/1544-14-0x0000000000B20000-0x0000000000EFA000-memory.dmp
- behavioral3/memory/3992-16-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3992-29-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4628-34-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4628-33-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4628-39-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/5052-43-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/5052-44-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/5052-49-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3036-54-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3036-53-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3036-59-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3388-64-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3388-63-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3388-69-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4128-74-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4128-73-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4128-79-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4592-82-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4592-83-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4592-84-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/4592-89-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3936-93-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3936-94-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3936-99-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/1704-102-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/1704-104-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/2340-107-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/2340-108-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/2340-113-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/728-141-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/728-142-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/728-147-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/1072-172-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/1072-173-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/1072-178-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3024-182-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3024-183-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3024-188-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3672-191-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3672-192-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3672-193-0x0000000000750000-0x0000000000B2A000-memory.dmp
- behavioral3/memory/3672-198-0x0000000000750000-0x0000000000B2A000-memory.dmp
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process: 14 identical entries, each "Key value queried" on \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation by UpdateScheduler.exe
Executes dropped EXE 14 IoCs
pid / Process
- 3992 UpdateScheduler.exe
- 4628 UpdateScheduler.exe
- 5052 UpdateScheduler.exe
- 3036 UpdateScheduler.exe
- 3388 UpdateScheduler.exe
- 4128 UpdateScheduler.exe
- 4592 UpdateScheduler.exe
- 3936 UpdateScheduler.exe
- 1704 UpdateScheduler.exe
- 2340 UpdateScheduler.exe
- 728 UpdateScheduler.exe
- 1072 UpdateScheduler.exe
- 3024 UpdateScheduler.exe
- 3672 UpdateScheduler.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
pid / Process
- 1544 QuasarScript.exe
- 3992 UpdateScheduler.exe
- 4628 UpdateScheduler.exe
- 4628 UpdateScheduler.exe
- 5052 UpdateScheduler.exe
- 3036 UpdateScheduler.exe
- 3388 UpdateScheduler.exe
- 4128 UpdateScheduler.exe
- 4128 UpdateScheduler.exe
- 4592 UpdateScheduler.exe
- 3936 UpdateScheduler.exe
- 2340 UpdateScheduler.exe
- 728 UpdateScheduler.exe
- 728 UpdateScheduler.exe
- 1072 UpdateScheduler.exe
- 3024 UpdateScheduler.exe
- 3672 UpdateScheduler.exe
- 3672 UpdateScheduler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process: 64 entries, each "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; the opening process for each entry, in report order:
chcp.com, cmd.exe, cmd.exe, chcp.com, UpdateScheduler.exe, schtasks.exe, cmd.exe, schtasks.exe, chcp.com, schtasks.exe, chcp.com, PING.EXE, schtasks.exe, cmd.exe, cmd.exe, PING.EXE, PING.EXE, cmd.exe, UpdateScheduler.exe, chcp.com, PING.EXE, PING.EXE, chcp.com, PING.EXE, chcp.com, UpdateScheduler.exe, PING.EXE, schtasks.exe, schtasks.exe, UpdateScheduler.exe, PING.EXE, cmd.exe, chcp.com, chcp.com, cmd.exe, cmd.exe, UpdateScheduler.exe, UpdateScheduler.exe, UpdateScheduler.exe, schtasks.exe, UpdateScheduler.exe, chcp.com, UpdateScheduler.exe, schtasks.exe, PING.EXE, cmd.exe, PING.EXE, UpdateScheduler.exe, schtasks.exe, PING.EXE, chcp.com, UpdateScheduler.exe, schtasks.exe, schtasks.exe, PING.EXE, UpdateScheduler.exe, cmd.exe, cmd.exe, chcp.com, PING.EXE, UpdateScheduler.exe, PING.EXE, schtasks.exe, QuasarScript.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid / Process
- 3580 PING.EXE
- 4816 PING.EXE
- 2276 PING.EXE
- 2980 PING.EXE
- 4436 PING.EXE
- 2784 PING.EXE
- 4880 PING.EXE
- 4820 PING.EXE
- 5012 PING.EXE
- 3340 PING.EXE
- 5012 PING.EXE
- 5048 PING.EXE
- 3828 PING.EXE
- 924 PING.EXE
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description / ioc / Process
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 2 IoCs
description / ioc / Process
- Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings OpenWith.exe
- Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings OpenWith.exe
Runs ping.exe 1 TTPs 14 IoCs
pid / Process
- 924 PING.EXE
- 3340 PING.EXE
- 5012 PING.EXE
- 4880 PING.EXE
- 4816 PING.EXE
- 2980 PING.EXE
- 5012 PING.EXE
- 4436 PING.EXE
- 2784 PING.EXE
- 3580 PING.EXE
- 3828 PING.EXE
- 4820 PING.EXE
- 2276 PING.EXE
- 5048 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
- 744 schtasks.exe
- 2780 schtasks.exe
- 396 schtasks.exe
- 2388 schtasks.exe
- 3268 schtasks.exe
- 5100 schtasks.exe
- 4628 schtasks.exe
- 1800 schtasks.exe
- 1416 schtasks.exe
- 4116 schtasks.exe
- 744 schtasks.exe
- 3940 schtasks.exe
- 1900 schtasks.exe
- 4876 schtasks.exe
- 1196 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid / Process
- 4164 WINWORD.EXE
- 4164 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid / Process
- 1544 QuasarScript.exe
- 1544 QuasarScript.exe
- 3992 UpdateScheduler.exe
- 3992 UpdateScheduler.exe
- 4628 UpdateScheduler.exe
- 4628 UpdateScheduler.exe
- 5052 UpdateScheduler.exe
- 5052 UpdateScheduler.exe
- 3036 UpdateScheduler.exe
- 3036 UpdateScheduler.exe
- 3388 UpdateScheduler.exe
- 3388 UpdateScheduler.exe
- 4128 UpdateScheduler.exe
- 4128 UpdateScheduler.exe
- 4592 UpdateScheduler.exe
- 4592 UpdateScheduler.exe
- 3936 UpdateScheduler.exe
- 3936 UpdateScheduler.exe
- 2340 UpdateScheduler.exe
- 2340 UpdateScheduler.exe
- 728 UpdateScheduler.exe
- 728 UpdateScheduler.exe
- 1072 UpdateScheduler.exe
- 1072 UpdateScheduler.exe
- 3024 UpdateScheduler.exe
- 3024 UpdateScheduler.exe
- 3672 UpdateScheduler.exe
- 3672 UpdateScheduler.exe
Suspicious use of AdjustPrivilegeToken 14 IoCs
description / pid / Process
- Token: SeDebugPrivilege 1544 QuasarScript.exe
- Token: SeDebugPrivilege 3992 UpdateScheduler.exe
- Token: SeDebugPrivilege 4628 UpdateScheduler.exe
- Token: SeDebugPrivilege 5052 UpdateScheduler.exe
- Token: SeDebugPrivilege 3036 UpdateScheduler.exe
- Token: SeDebugPrivilege 3388 UpdateScheduler.exe
- Token: SeDebugPrivilege 4128 UpdateScheduler.exe
- Token: SeDebugPrivilege 4592 UpdateScheduler.exe
- Token: SeDebugPrivilege 3936 UpdateScheduler.exe
- Token: SeDebugPrivilege 2340 UpdateScheduler.exe
- Token: SeDebugPrivilege 728 UpdateScheduler.exe
- Token: SeDebugPrivilege 1072 UpdateScheduler.exe
- Token: SeDebugPrivilege 3024 UpdateScheduler.exe
- Token: SeDebugPrivilege 3672 UpdateScheduler.exe
Suspicious use of SetWindowsHookEx 23 IoCs
pid / Process
- 1544 QuasarScript.exe
- 3992 UpdateScheduler.exe
- 4628 UpdateScheduler.exe
- 5052 UpdateScheduler.exe
- 3036 UpdateScheduler.exe
- 3388 UpdateScheduler.exe
- 4128 UpdateScheduler.exe
- 4592 UpdateScheduler.exe
- 3936 UpdateScheduler.exe
- 2340 UpdateScheduler.exe
- 2844 OpenWith.exe
- 3660 OpenWith.exe
- 4164 WINWORD.EXE
- 4164 WINWORD.EXE
- 4164 WINWORD.EXE
- 4164 WINWORD.EXE
- 4164 WINWORD.EXE
- 4164 WINWORD.EXE
- 4164 WINWORD.EXE
- 728 UpdateScheduler.exe
- 1072 UpdateScheduler.exe
- 3024 UpdateScheduler.exe
- 3672 UpdateScheduler.exe
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (identical consecutive rows are collapsed with a count)
- PID 1544 wrote to memory of 1416; 1544 QuasarScript.exe; procid_target 86 (3 rows)
- PID 1544 wrote to memory of 3992; 1544 QuasarScript.exe; procid_target 88 (3 rows)
- PID 3992 wrote to memory of 4876; 3992 UpdateScheduler.exe; procid_target 91 (3 rows)
- PID 3992 wrote to memory of 3120; 3992 UpdateScheduler.exe; procid_target 93 (3 rows)
- PID 3120 wrote to memory of 4556; 3120 cmd.exe; procid_target 95 (3 rows)
- PID 3120 wrote to memory of 4880; 3120 cmd.exe; procid_target 96 (3 rows)
- PID 3120 wrote to memory of 4628; 3120 cmd.exe; procid_target 101 (3 rows)
- PID 4628 wrote to memory of 3268; 4628 UpdateScheduler.exe; procid_target 102 (3 rows)
- PID 4628 wrote to memory of 3472; 4628 UpdateScheduler.exe; procid_target 104 (3 rows)
- PID 3472 wrote to memory of 2784; 3472 cmd.exe; procid_target 106 (3 rows)
- PID 3472 wrote to memory of 3580; 3472 cmd.exe; procid_target 107 (3 rows)
- PID 3472 wrote to memory of 5052; 3472 cmd.exe; procid_target 113 (3 rows)
- PID 5052 wrote to memory of 5100; 5052 UpdateScheduler.exe; procid_target 114 (3 rows)
- PID 5052 wrote to memory of 1120; 5052 UpdateScheduler.exe; procid_target 116 (3 rows)
- PID 1120 wrote to memory of 2136; 1120 cmd.exe; procid_target 118 (3 rows)
- PID 1120 wrote to memory of 4816; 1120 cmd.exe; procid_target 119 (3 rows)
- PID 1120 wrote to memory of 3036; 1120 cmd.exe; procid_target 121 (3 rows)
- PID 3036 wrote to memory of 4116; 3036 UpdateScheduler.exe; procid_target 122 (3 rows)
- PID 3036 wrote to memory of 1544; 3036 UpdateScheduler.exe; procid_target 124 (3 rows)
- PID 1544 wrote to memory of 2128; 1544 cmd.exe; procid_target 126 (3 rows)
- PID 1544 wrote to memory of 2276; 1544 cmd.exe; procid_target 127 (3 rows)
- PID 1544 wrote to memory of 3388; 1544 cmd.exe; procid_target 128 (1 row)
Processes
-
C:\Users\Admin\AppData\Local\Temp\QuasarScript.exe"C:\Users\Admin\AppData\Local\Temp\QuasarScript.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\QuasarScript.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:1416
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4876
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b4d8IDc0SX4M.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:4556
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4880
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3268
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\82WCNdz6gGUr.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
PID:2784
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3580
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5100
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zHjHIEgOCrLC.bat" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
- System Location Discovery: System Language Discovery
PID:2136
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4816
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f9⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I3VBIaAUQslw.bat" "9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\chcp.comchcp 6500110⤵
- System Location Discovery: System Language Discovery
PID:2128
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost10⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2276
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3388 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f11⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3940
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tb6qqh8Kt04E.bat" "11⤵
- System Location Discovery: System Language Discovery
PID:3956 -
C:\Windows\SysWOW64\chcp.comchcp 6500112⤵
- System Location Discovery: System Language Discovery
PID:1984
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost12⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2980
-
-
C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4128 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
PID:1900
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YM8cXjv7mMbo.bat" "13⤵
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\chcp.comchcp 6500114⤵
- System Location Discovery: System Language Discovery
PID:1916
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3828
Level 14: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4592

Level 15: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4628

Level 15: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vNMEoKSUuAp3.bat" "
- System Location Discovery: System Language Discovery
PID:3652

Level 16: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:1848

Level 16: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3340

Level 16: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3936

Level 17: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:744

Level 17: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veKsOgHDlNBP.bat" "
- System Location Discovery: System Language Discovery
PID:644

Level 18: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:4548

Level 18: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5012

Level 18: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704

Level 19: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2780

Level 19: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YHNC5nmaMIx7.bat" "
- System Location Discovery: System Language Discovery
PID:3056

Level 20: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:4816

Level 20: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:924

Level 20: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2340

Level 21: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:396

Level 21: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ozHrTLt7XD8Y.bat" "
PID:4876

Level 22: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:4796

Level 22: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4820

Level 22: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:728

Level 23: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:744

Level 23: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Cp0XtRUQjCK.bat" "
- System Location Discovery: System Language Discovery
PID:3936

Level 24: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:3244

Level 24: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5012

Level 24: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1072

Level 25: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1196

Level 25: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TB4k2koaIaOy.bat" "
- System Location Discovery: System Language Discovery
PID:2700

Level 26: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:4248

Level 26: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5048

Level 26: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3024

Level 27: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1800

Level 27: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsDaw188G6L1.bat" "
- System Location Discovery: System Language Discovery
PID:4004

Level 28: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
- System Location Discovery: System Language Discovery
PID:5108

Level 28: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4436

Level 28: C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe
Command line: "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3672

Level 29: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Windows Update Scheduler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\UpdateScheduler.exe" /rl HIGHEST /f
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2388

Level 29: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAgFlPeeiH7G.bat" "
- System Location Discovery: System Language Discovery
PID:3828

Level 30: C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
PID:4564

Level 30: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 10 localhost
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2784
Level 1: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:3536

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RevokeCheckpoint.bat" "
PID:4092

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RevokeCheckpoint.bat" "
PID:4152

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RevokeCheckpoint.bat" "
PID:1576

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RevokeCheckpoint.bat" "
PID:4532

Level 1: C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2844

Level 1: C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3660

Level 1: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UnlockDebug.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4164
Network
MITRE ATT&CK Enterprise v15
Downloads