quasar | 4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388

Analysis

max time kernel
147s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
Size

3.4MB
MD5

9d6f812bb326e1ff2bddd78747fbee25
SHA1

e2c511d7634e02166a3ca7645b631e124767e216
SHA256

4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388
SHA512

12783e33c8d3a0bb0d284e300158155aa52c9a44635565a8bc53dbfcd0ff976d32983cae732e07ed207ad5bb0283ba23a88f2d426781fcbd16e8dd1b72508191
SSDEEP

49152:wvmlW2p9agXI2PrlTnr4BZmFze02sk9hEvJQLoGdhTHHB72eh2NT:wveW2p9agXI2PrlTnrmZmFzePhD

Score

10^/10

quasar pdf discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PDF

opbrghost-23030.portmap.host:27876

ghostopbr2-31034.portmap.host:1234

trackopbr2.ddns.net:1234

ghostopbr2-31034.portmap.host:31034

Mutex

1bfd6271-eb49-4e9c-8bcb-3434a8d1ce46

Attributes

encryption_key
15ABC767973F155DA890D96E8ED7EB1946705743
install_name
AdobePDFReader.exe
log_directory
Logs
reconnect_delay
300
startup_key
Adobe PDF Reader
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2108-1-0x00000000010B0000-0x0000000001416000-memory.dmp	family_quasar
behavioral1/files/0x0012000000016d3f-6.dat	family_quasar
behavioral1/memory/2868-9-0x0000000001270000-0x00000000015D6000-memory.dmp	family_quasar
behavioral1/memory/2224-23-0x00000000001F0000-0x0000000000556000-memory.dmp	family_quasar
behavioral1/memory/2112-34-0x0000000000C30000-0x0000000000F96000-memory.dmp	family_quasar
behavioral1/memory/1752-45-0x00000000001B0000-0x0000000000516000-memory.dmp	family_quasar
behavioral1/memory/708-56-0x0000000001390000-0x00000000016F6000-memory.dmp	family_quasar
behavioral1/memory/2748-89-0x0000000000240000-0x00000000005A6000-memory.dmp	family_quasar
behavioral1/memory/776-100-0x0000000000E90000-0x00000000011F6000-memory.dmp	family_quasar
behavioral1/memory/2568-112-0x00000000002D0000-0x0000000000636000-memory.dmp	family_quasar
behavioral1/memory/1200-123-0x0000000001110000-0x0000000001476000-memory.dmp	family_quasar
behavioral1/memory/1520-134-0x00000000002B0000-0x0000000000616000-memory.dmp	family_quasar
behavioral1/memory/2676-145-0x0000000001260000-0x00000000015C6000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2868	AdobePDFReader.exe
2224	AdobePDFReader.exe
2112	AdobePDFReader.exe
1752	AdobePDFReader.exe
708	AdobePDFReader.exe
1180	AdobePDFReader.exe
1592	AdobePDFReader.exe
2748	AdobePDFReader.exe
776	AdobePDFReader.exe
2568	AdobePDFReader.exe
1200	AdobePDFReader.exe
1520	AdobePDFReader.exe
2676	AdobePDFReader.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File created	C:\Windows\system32\SubDir\AdobePDFReader.exe	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2752	PING.EXE
2296	PING.EXE
2388	PING.EXE
1708	PING.EXE
1976	PING.EXE
900	PING.EXE
2680	PING.EXE
1468	PING.EXE
2904	PING.EXE
2340	PING.EXE
2640	PING.EXE
936	PING.EXE
1676	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
2340	PING.EXE
1708	PING.EXE
2640	PING.EXE
1676	PING.EXE
2752	PING.EXE
2296	PING.EXE
2680	PING.EXE
1468	PING.EXE
2904	PING.EXE
936	PING.EXE
1976	PING.EXE
900	PING.EXE
2388	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
2084	schtasks.exe
2176	schtasks.exe
2212	schtasks.exe
2996	schtasks.exe
2552	schtasks.exe
2940	schtasks.exe
1184	schtasks.exe
2116	schtasks.exe
2564	schtasks.exe
1480	schtasks.exe
944	schtasks.exe
552	schtasks.exe
2304	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
Token: SeDebugPrivilege	2868	AdobePDFReader.exe
Token: SeDebugPrivilege	2224	AdobePDFReader.exe
Token: SeDebugPrivilege	2112	AdobePDFReader.exe
Token: SeDebugPrivilege	1752	AdobePDFReader.exe
Token: SeDebugPrivilege	708	AdobePDFReader.exe
Token: SeDebugPrivilege	1180	AdobePDFReader.exe
Token: SeDebugPrivilege	1592	AdobePDFReader.exe
Token: SeDebugPrivilege	2748	AdobePDFReader.exe
Token: SeDebugPrivilege	776	AdobePDFReader.exe
Token: SeDebugPrivilege	2568	AdobePDFReader.exe
Token: SeDebugPrivilege	1200	AdobePDFReader.exe
Token: SeDebugPrivilege	1520	AdobePDFReader.exe
Token: SeDebugPrivilege	2676	AdobePDFReader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2212	2108	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	30
PID 2108 wrote to memory of 2212	2108	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	30
PID 2108 wrote to memory of 2212	2108	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	30
PID 2108 wrote to memory of 2868	2108	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	32
PID 2108 wrote to memory of 2868	2108	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	32
PID 2108 wrote to memory of 2868	2108	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	32
PID 2868 wrote to memory of 2940	2868	AdobePDFReader.exe	33
PID 2868 wrote to memory of 2940	2868	AdobePDFReader.exe	33
PID 2868 wrote to memory of 2940	2868	AdobePDFReader.exe	33
PID 2868 wrote to memory of 2904	2868	AdobePDFReader.exe	35
PID 2868 wrote to memory of 2904	2868	AdobePDFReader.exe	35
PID 2868 wrote to memory of 2904	2868	AdobePDFReader.exe	35
PID 2904 wrote to memory of 2740	2904	cmd.exe	37
PID 2904 wrote to memory of 2740	2904	cmd.exe	37
PID 2904 wrote to memory of 2740	2904	cmd.exe	37
PID 2904 wrote to memory of 2752	2904	cmd.exe	38
PID 2904 wrote to memory of 2752	2904	cmd.exe	38
PID 2904 wrote to memory of 2752	2904	cmd.exe	38
PID 2904 wrote to memory of 2224	2904	cmd.exe	39
PID 2904 wrote to memory of 2224	2904	cmd.exe	39
PID 2904 wrote to memory of 2224	2904	cmd.exe	39
PID 2224 wrote to memory of 1184	2224	AdobePDFReader.exe	40
PID 2224 wrote to memory of 1184	2224	AdobePDFReader.exe	40
PID 2224 wrote to memory of 1184	2224	AdobePDFReader.exe	40
PID 2224 wrote to memory of 2384	2224	AdobePDFReader.exe	42
PID 2224 wrote to memory of 2384	2224	AdobePDFReader.exe	42
PID 2224 wrote to memory of 2384	2224	AdobePDFReader.exe	42
PID 2384 wrote to memory of 2352	2384	cmd.exe	44
PID 2384 wrote to memory of 2352	2384	cmd.exe	44
PID 2384 wrote to memory of 2352	2384	cmd.exe	44
PID 2384 wrote to memory of 1976	2384	cmd.exe	45
PID 2384 wrote to memory of 1976	2384	cmd.exe	45
PID 2384 wrote to memory of 1976	2384	cmd.exe	45
PID 2384 wrote to memory of 2112	2384	cmd.exe	46
PID 2384 wrote to memory of 2112	2384	cmd.exe	46
PID 2384 wrote to memory of 2112	2384	cmd.exe	46
PID 2112 wrote to memory of 3004	2112	AdobePDFReader.exe	47
PID 2112 wrote to memory of 3004	2112	AdobePDFReader.exe	47
PID 2112 wrote to memory of 3004	2112	AdobePDFReader.exe	47
PID 2112 wrote to memory of 2284	2112	AdobePDFReader.exe	49
PID 2112 wrote to memory of 2284	2112	AdobePDFReader.exe	49
PID 2112 wrote to memory of 2284	2112	AdobePDFReader.exe	49
PID 2284 wrote to memory of 304	2284	cmd.exe	51
PID 2284 wrote to memory of 304	2284	cmd.exe	51
PID 2284 wrote to memory of 304	2284	cmd.exe	51
PID 2284 wrote to memory of 2296	2284	cmd.exe	52
PID 2284 wrote to memory of 2296	2284	cmd.exe	52
PID 2284 wrote to memory of 2296	2284	cmd.exe	52
PID 2284 wrote to memory of 1752	2284	cmd.exe	53
PID 2284 wrote to memory of 1752	2284	cmd.exe	53
PID 2284 wrote to memory of 1752	2284	cmd.exe	53
PID 1752 wrote to memory of 2084	1752	AdobePDFReader.exe	54
PID 1752 wrote to memory of 2084	1752	AdobePDFReader.exe	54
PID 1752 wrote to memory of 2084	1752	AdobePDFReader.exe	54
PID 1752 wrote to memory of 2488	1752	AdobePDFReader.exe	56
PID 1752 wrote to memory of 2488	1752	AdobePDFReader.exe	56
PID 1752 wrote to memory of 2488	1752	AdobePDFReader.exe	56
PID 2488 wrote to memory of 2192	2488	cmd.exe	58
PID 2488 wrote to memory of 2192	2488	cmd.exe	58
PID 2488 wrote to memory of 2192	2488	cmd.exe	58
PID 2488 wrote to memory of 900	2488	cmd.exe	59
PID 2488 wrote to memory of 900	2488	cmd.exe	59
PID 2488 wrote to memory of 900	2488	cmd.exe	59
PID 2488 wrote to memory of 708	2488	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
"C:\Users\Admin\AppData\Local\Temp\4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2212
- C:\Windows\system32\SubDir\AdobePDFReader.exe
  "C:\Windows\system32\SubDir\AdobePDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2940
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\n4b8R093znCi.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2740
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2752
  - - C:\Windows\system32\SubDir\AdobePDFReader.exe
      "C:\Windows\system32\SubDir\AdobePDFReader.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1184
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aezQCTdLTwko.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2352
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
      - C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3004
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQfW4VKbxgeJ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2296
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2084
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ctiQYMYCOcQR.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:900
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1480
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RjgCktC890Ao.bat" "
        11⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2388
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\D6ea90SMjBtw.bat" "
        13⤵
        
        PID:2332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\h734eoRa4Eri.bat" "
        15⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1468
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\siNpyqxguVbA.bat" "
        17⤵
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2904
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2552
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I7xkHog7Wac6.bat" "
        19⤵
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2340
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fj41Fq8uOil3.bat" "
        21⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aOpCdzoEI8W1.bat" "
        23⤵
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EHynyK4pRs1e.bat" "
        25⤵
        
        PID:1436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:936
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RlldaukNORok.bat" "
        27⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D6ea90SMjBtw.bat

Filesize
204B

MD5
5204e7a30e937654a6f50b42e97c773b

SHA1
3b0ef43496f7e9b7151a1f8b51b99c9500887a3b

SHA256
9361763320ce1403184f9b9f4036cb20d3d44b78e8c3ddfa1c365eba8a1fbcad

SHA512
b3af61e77868c746d6923bb00eca2e59adaf3232d8d7a3aa1cf174ac216ad496e9de31365f7b7bcb0753667a619b531793f0427a734c92bc2a3cfdb8283bb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHynyK4pRs1e.bat

Filesize
204B

MD5
fae30599d7cc0209c93074ff70b986f1

SHA1
aca0dac367f1f27eebea6aa49bb18f1704125fb3

SHA256
f7904b9e9c4c027ce141ff6b1b0bd050f24d056efa8563a72ad50759ad34f59f

SHA512
c5169193ddbcaeef2fb740919b5141f6811a16fc5cd5fc90f24d32e8a2de03b38f3a204ec6e7c325eb56697b8e30bcc9860b97caf3c915d87ee767e06168eb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fj41Fq8uOil3.bat

Filesize
204B

MD5
6dc7fbaae7ef3ca99c3c089223f27cea

SHA1
9a5fb8ae3bed8fdde41e7d5c351440a09081a52d

SHA256
3836ce98a3f31529a558c88de23939e4747bbc906d80fd7b20a5cb6d0b2ee80e

SHA512
cd0fefd544d83d624302c3a97ea9fe7bb3fa3a4ea93db2da23e5e996b319547f934eed3eb1f0e5f38f92823140034b0cb77ae22b224e8d185ff98de3596b161d

Download Submit
C:\Users\Admin\AppData\Local\Temp\I7xkHog7Wac6.bat

Filesize
204B

MD5
0a47ad2011fbef70e799fc1d15b33780

SHA1
c29b5a3fa34eb976687f1489421c227ed6ce22f0

SHA256
dd2ecdeb7c282c1f0dbb9bb48e190182c190d3f1c0bceffd828a636c494fc9dc

SHA512
7637359e2ed81679264ee6fe3dc069f9f6beff03f2be6ac4c59acdd92e99bfd047ae0e2b5cb751633de9cafcb396c2f36e1ce32e8f0284c3c672b9cfb460879a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjgCktC890Ao.bat

Filesize
204B

MD5
52bcf6c7071e5c6dc71aad8a4f7f0603

SHA1
d7c729c872c0f1add14c395e6aee8c163613e559

SHA256
0731457208f1e723a6b4183a549c986083aea963caf3c528a62eb6c128138374

SHA512
369d306851c3e86524aed47f75d04c6f7f4a9a4680c1a3aadf8f3bc1d079db818f5dd7429e1da8bc340537e96b4e6a562603ef83edd98cf43bd510a027c13992

Download Submit
C:\Users\Admin\AppData\Local\Temp\RlldaukNORok.bat

Filesize
204B

MD5
a827dfd05980693be82f6f1be55470ff

SHA1
c0c1c2d3175614c25dc6aae069c975a3124ff86a

SHA256
4e51832bb8875631293758d4bca662ab7d19b3aaacda7556503a5d8be46403b6

SHA512
b0e64fcf062e47b572e1da41caa0d4222a6db6d7da80fcf19844edceb3f3ccc297b52fe77a8be82a6710ca32f25fa78630e1a947153270e22af3cd678bb6d1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOpCdzoEI8W1.bat

Filesize
204B

MD5
248eaf15b9587c1957e0525dff819056

SHA1
1964a2073721c5a15550497cf5af15e156e73d42

SHA256
de193baaca9f266e1f4c4bbd2ed0f234242893c6e5b99765e20210bfdbbbaec0

SHA512
dd740d60fd3e6f7e6af871ee123b08209a8dc1f4e9e4df31c8de4d477f451bd7426624941e4f3b703dc23e62302bf4e4c2c2fede3756c6484a999df99aa71e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\aezQCTdLTwko.bat

Filesize
204B

MD5
cb840864619179494a574609cfe57316

SHA1
502cf721db6c68944e045f57359d13f78ccb2595

SHA256
7bb502764ae3b21c99a5798d928aad00914af08f6c3ec8fba58144b8d627f30c

SHA512
dfffc2652b1dd42a69c2c58727b7d0ed2cee0eb3d5e76725475c90f4d2c5dfa6f99a418ceb9e69dbe0b4f7f74718c8a8171d006a4b67795440e28b2800c70846

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctiQYMYCOcQR.bat

Filesize
204B

MD5
6a069571cdb55447a56e6c870c21ab90

SHA1
47a2a3c1dfac5a955aede85df391561e8f69810f

SHA256
e599cdba62148a35785643855cd4398f0fb8cc2e8ef2dc4038a599109fedcfe3

SHA512
b0b8ab5bcd903457819ac976b857a4cb22870aaf7a0a02a7d413b0fd76a9e20a476ca73e321520cdcf9ac22d43e5f8ce0be22eb8f59f1a184b599de8be438b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\h734eoRa4Eri.bat

Filesize
204B

MD5
ea70c4cf2e624c254ba4e89ed8b1f1b8

SHA1
ba6d2866bfb4db61591f0b9a61734e0316a2f188

SHA256
64b04061099bcdf58e96f6fccce6efb56c703cf6e6e6577b9e4ca0128ac94d09

SHA512
0d7c8c577d03aa9c5721299bc17aea911412f53348ad743bea7f1cf53291a3edfd2888a3a746963a509953640742c403c3270bccce2ca5a12695f229170ed1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4b8R093znCi.bat

Filesize
204B

MD5
b541275b5ec1cae18c46d8ae0b1797a0

SHA1
b78f66da91f9ef4b3871631fcf3e8d78a2e7e05d

SHA256
c9dcc5f18e2ff80efae274d431d0f0aed2d3577dcf578a98c3f2a4e9cf139765

SHA512
a50c7963dbe8811db1f69fc295dedf8b32377a40e9d5cecf2099d7b7277c4cef326bdaad6e6ba8a0af267b591e60583d13a97b66e1e4b1cbac60ba16753e957a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQfW4VKbxgeJ.bat

Filesize
204B

MD5
f59e5e2a42d3d6b2eac1b951c5c2e0d3

SHA1
51fb064548ef480f0017c7e22920a8cc49676b87

SHA256
0c722859fec20b711738cd47bd1ece4acf6b923dceda4c9fe6173a40738b6c9f

SHA512
5a9336f0054b825e860fac71cefd9b9206a5f62b1ae38bbf6fbe3eb27793322f57cb915a620802d1fb58f3f16523cdf7b9352d6ff0974fc59c2afb42849d8848

Download Submit
C:\Users\Admin\AppData\Local\Temp\siNpyqxguVbA.bat

Filesize
204B

MD5
2c755361a6aff08de7a338dd753ab88d

SHA1
24edf58621d9024b62b7e03ae05feb5e37b1b1df

SHA256
37eb366f8d05a0f51eb7577dd8ba650c2e772f3bad8c31956e5d7e9afcd89358

SHA512
09ced7ba5c286ac51b336ce938d5130c2e6ebeae62c7af42a9d4a8a238f1055e17c1b7a8f9ef8a696c7274484178e6da82540497d72e1b6a5ba3a3a4d58c39a8

Download Submit
C:\Windows\System32\SubDir\AdobePDFReader.exe

Filesize
3.4MB

MD5
9d6f812bb326e1ff2bddd78747fbee25

SHA1
e2c511d7634e02166a3ca7645b631e124767e216

SHA256
4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388

SHA512
12783e33c8d3a0bb0d284e300158155aa52c9a44635565a8bc53dbfcd0ff976d32983cae732e07ed207ad5bb0283ba23a88f2d426781fcbd16e8dd1b72508191

Download Submit
memory/708-56-0x0000000001390000-0x00000000016F6000-memory.dmp

Filesize
3.4MB

Download
memory/776-100-0x0000000000E90000-0x00000000011F6000-memory.dmp

Filesize
3.4MB

Download
memory/1200-123-0x0000000001110000-0x0000000001476000-memory.dmp

Filesize
3.4MB

Download
memory/1520-134-0x00000000002B0000-0x0000000000616000-memory.dmp

Filesize
3.4MB

Download
memory/1752-45-0x00000000001B0000-0x0000000000516000-memory.dmp

Filesize
3.4MB

Download
memory/2108-8-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-0-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/2108-2-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-1-0x00000000010B0000-0x0000000001416000-memory.dmp

Filesize
3.4MB

Download
memory/2112-34-0x0000000000C30000-0x0000000000F96000-memory.dmp

Filesize
3.4MB

Download
memory/2224-23-0x00000000001F0000-0x0000000000556000-memory.dmp

Filesize
3.4MB

Download
memory/2568-112-0x00000000002D0000-0x0000000000636000-memory.dmp

Filesize
3.4MB

Download
memory/2676-145-0x0000000001260000-0x00000000015C6000-memory.dmp

Filesize
3.4MB

Download
memory/2748-89-0x0000000000240000-0x00000000005A6000-memory.dmp

Filesize
3.4MB

Download
memory/2868-10-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-11-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-9-0x0000000001270000-0x00000000015D6000-memory.dmp

Filesize
3.4MB

Download
memory/2868-21-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads