quasar | 4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
Size

3.4MB
MD5

9d6f812bb326e1ff2bddd78747fbee25
SHA1

e2c511d7634e02166a3ca7645b631e124767e216
SHA256

4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388
SHA512

12783e33c8d3a0bb0d284e300158155aa52c9a44635565a8bc53dbfcd0ff976d32983cae732e07ed207ad5bb0283ba23a88f2d426781fcbd16e8dd1b72508191
SSDEEP

49152:wvmlW2p9agXI2PrlTnr4BZmFze02sk9hEvJQLoGdhTHHB72eh2NT:wveW2p9agXI2PrlTnrmZmFzePhD

Score

10^/10

quasar pdf discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PDF

opbrghost-23030.portmap.host:27876

ghostopbr2-31034.portmap.host:1234

trackopbr2.ddns.net:1234

ghostopbr2-31034.portmap.host:31034

Mutex

1bfd6271-eb49-4e9c-8bcb-3434a8d1ce46

Attributes

encryption_key
15ABC767973F155DA890D96E8ED7EB1946705743
install_name
AdobePDFReader.exe
log_directory
Logs
reconnect_delay
300
startup_key
Adobe PDF Reader
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3436-1-0x0000000000F10000-0x0000000001276000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cb6-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AdobePDFReader.exe

Executes dropped EXE 15 IoCs

pid	Process
1112	AdobePDFReader.exe
3908	AdobePDFReader.exe
1932	AdobePDFReader.exe
4636	AdobePDFReader.exe
1376	AdobePDFReader.exe
4388	AdobePDFReader.exe
220	AdobePDFReader.exe
3660	AdobePDFReader.exe
2840	AdobePDFReader.exe
3376	AdobePDFReader.exe
1564	AdobePDFReader.exe
3412	AdobePDFReader.exe
4496	AdobePDFReader.exe
3180	AdobePDFReader.exe
1364	AdobePDFReader.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File created	C:\Windows\system32\SubDir\AdobePDFReader.exe	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir	AdobePDFReader.exe
File opened for modification	C:\Windows\system32\SubDir\AdobePDFReader.exe	AdobePDFReader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4396	PING.EXE
4948	PING.EXE
1280	PING.EXE
2052	PING.EXE
3976	PING.EXE
64	PING.EXE
3132	PING.EXE
4504	PING.EXE
3708	PING.EXE
3068	PING.EXE
5056	PING.EXE
1016	PING.EXE
1388	PING.EXE
3968	PING.EXE
3192	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3132	PING.EXE
4504	PING.EXE
3708	PING.EXE
4396	PING.EXE
1388	PING.EXE
3976	PING.EXE
3968	PING.EXE
3192	PING.EXE
3068	PING.EXE
4948	PING.EXE
1280	PING.EXE
1016	PING.EXE
2052	PING.EXE
64	PING.EXE
5056	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4504	schtasks.exe
3148	schtasks.exe
100	schtasks.exe
1312	schtasks.exe
2420	schtasks.exe
3960	schtasks.exe
2272	schtasks.exe
4536	schtasks.exe
2036	schtasks.exe
2732	schtasks.exe
1300	schtasks.exe
2156	schtasks.exe
2740	schtasks.exe
3956	schtasks.exe
4368	schtasks.exe
4748	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
Token: SeDebugPrivilege	1112	AdobePDFReader.exe
Token: SeDebugPrivilege	3908	AdobePDFReader.exe
Token: SeDebugPrivilege	1932	AdobePDFReader.exe
Token: SeDebugPrivilege	4636	AdobePDFReader.exe
Token: SeDebugPrivilege	1376	AdobePDFReader.exe
Token: SeDebugPrivilege	4388	AdobePDFReader.exe
Token: SeDebugPrivilege	220	AdobePDFReader.exe
Token: SeDebugPrivilege	3660	AdobePDFReader.exe
Token: SeDebugPrivilege	2840	AdobePDFReader.exe
Token: SeDebugPrivilege	3376	AdobePDFReader.exe
Token: SeDebugPrivilege	1564	AdobePDFReader.exe
Token: SeDebugPrivilege	3412	AdobePDFReader.exe
Token: SeDebugPrivilege	4496	AdobePDFReader.exe
Token: SeDebugPrivilege	3180	AdobePDFReader.exe
Token: SeDebugPrivilege	1364	AdobePDFReader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 2272	3436	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	82
PID 3436 wrote to memory of 2272	3436	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	82
PID 3436 wrote to memory of 1112	3436	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	84
PID 3436 wrote to memory of 1112	3436	4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe	84
PID 1112 wrote to memory of 3956	1112	AdobePDFReader.exe	85
PID 1112 wrote to memory of 3956	1112	AdobePDFReader.exe	85
PID 1112 wrote to memory of 4092	1112	AdobePDFReader.exe	87
PID 1112 wrote to memory of 4092	1112	AdobePDFReader.exe	87
PID 4092 wrote to memory of 1096	4092	cmd.exe	89
PID 4092 wrote to memory of 1096	4092	cmd.exe	89
PID 4092 wrote to memory of 1016	4092	cmd.exe	90
PID 4092 wrote to memory of 1016	4092	cmd.exe	90
PID 4092 wrote to memory of 3908	4092	cmd.exe	98
PID 4092 wrote to memory of 3908	4092	cmd.exe	98
PID 3908 wrote to memory of 1312	3908	AdobePDFReader.exe	99
PID 3908 wrote to memory of 1312	3908	AdobePDFReader.exe	99
PID 3908 wrote to memory of 1988	3908	AdobePDFReader.exe	101
PID 3908 wrote to memory of 1988	3908	AdobePDFReader.exe	101
PID 1988 wrote to memory of 1364	1988	cmd.exe	103
PID 1988 wrote to memory of 1364	1988	cmd.exe	103
PID 1988 wrote to memory of 1388	1988	cmd.exe	104
PID 1988 wrote to memory of 1388	1988	cmd.exe	104
PID 1988 wrote to memory of 1932	1988	cmd.exe	105
PID 1988 wrote to memory of 1932	1988	cmd.exe	105
PID 1932 wrote to memory of 2420	1932	AdobePDFReader.exe	106
PID 1932 wrote to memory of 2420	1932	AdobePDFReader.exe	106
PID 1932 wrote to memory of 932	1932	AdobePDFReader.exe	108
PID 1932 wrote to memory of 932	1932	AdobePDFReader.exe	108
PID 932 wrote to memory of 3248	932	cmd.exe	110
PID 932 wrote to memory of 3248	932	cmd.exe	110
PID 932 wrote to memory of 3132	932	cmd.exe	111
PID 932 wrote to memory of 3132	932	cmd.exe	111
PID 932 wrote to memory of 4636	932	cmd.exe	114
PID 932 wrote to memory of 4636	932	cmd.exe	114
PID 4636 wrote to memory of 3960	4636	AdobePDFReader.exe	115
PID 4636 wrote to memory of 3960	4636	AdobePDFReader.exe	115
PID 4636 wrote to memory of 2848	4636	AdobePDFReader.exe	117
PID 4636 wrote to memory of 2848	4636	AdobePDFReader.exe	117
PID 2848 wrote to memory of 4996	2848	cmd.exe	119
PID 2848 wrote to memory of 4996	2848	cmd.exe	119
PID 2848 wrote to memory of 3976	2848	cmd.exe	120
PID 2848 wrote to memory of 3976	2848	cmd.exe	120
PID 2848 wrote to memory of 1376	2848	cmd.exe	121
PID 2848 wrote to memory of 1376	2848	cmd.exe	121
PID 1376 wrote to memory of 4368	1376	AdobePDFReader.exe	122
PID 1376 wrote to memory of 4368	1376	AdobePDFReader.exe	122
PID 1376 wrote to memory of 4628	1376	AdobePDFReader.exe	124
PID 1376 wrote to memory of 4628	1376	AdobePDFReader.exe	124
PID 4628 wrote to memory of 2676	4628	cmd.exe	126
PID 4628 wrote to memory of 2676	4628	cmd.exe	126
PID 4628 wrote to memory of 4504	4628	cmd.exe	127
PID 4628 wrote to memory of 4504	4628	cmd.exe	127
PID 4628 wrote to memory of 4388	4628	cmd.exe	128
PID 4628 wrote to memory of 4388	4628	cmd.exe	128
PID 4388 wrote to memory of 4748	4388	AdobePDFReader.exe	129
PID 4388 wrote to memory of 4748	4388	AdobePDFReader.exe	129
PID 4388 wrote to memory of 4568	4388	AdobePDFReader.exe	131
PID 4388 wrote to memory of 4568	4388	AdobePDFReader.exe	131
PID 4568 wrote to memory of 740	4568	cmd.exe	133
PID 4568 wrote to memory of 740	4568	cmd.exe	133
PID 4568 wrote to memory of 3968	4568	cmd.exe	134
PID 4568 wrote to memory of 3968	4568	cmd.exe	134
PID 4568 wrote to memory of 220	4568	cmd.exe	135
PID 4568 wrote to memory of 220	4568	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe
"C:\Users\Admin\AppData\Local\Temp\4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2272
- C:\Windows\system32\SubDir\AdobePDFReader.exe
  "C:\Windows\system32\SubDir\AdobePDFReader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iq1rIZlO363z.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1096
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1016
  - - C:\Windows\system32\SubDir\AdobePDFReader.exe
      "C:\Windows\system32\SubDir\AdobePDFReader.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1312
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t8JewtOPzXb6.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1364
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1388
      - C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1lNqcJynr6MT.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3132
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CFKfDnuJnNQr.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3976
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NtHOLEZaE55I.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4504
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xjj46hv7Ekhp.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3968
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A81RAqOFWGty.bat" "
        15⤵
        
        PID:1116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3192
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MffkXa5ABQ9S.bat" "
        17⤵
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3708
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eagHiCHLJOg4.bat" "
        19⤵
        
        PID:4384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:64
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McVUouc5xwKg.bat" "
        21⤵
        
        PID:3972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7DffwY0LSlrP.bat" "
        23⤵
        
        PID:4448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4396
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOXPtf7wwpps.bat" "
        25⤵
        
        PID:4748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4948
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8eW49LCrTgpq.bat" "
        27⤵
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1280
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r0QvTJXeto3N.bat" "
        29⤵
        
        PID:3964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
        
        C:\Windows\system32\SubDir\AdobePDFReader.exe
        
        "C:\Windows\system32\SubDir\AdobePDFReader.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Adobe PDF Reader" /sc ONLOGON /tr "C:\Windows\system32\SubDir\AdobePDFReader.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKhUDYtcTr7F.bat" "
        31⤵
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AdobePDFReader.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1lNqcJynr6MT.bat

Filesize
204B

MD5
5ab4debc2491d1171d10df1cefc54096

SHA1
43cf91498b8d19bfca9dd0e9127ee41f9d8706ab

SHA256
4cfd1d137d1a9b79f7279b983e0b0f25cae0424b2a3e59295a37ecbc27375384

SHA512
5e79b68cf2f4b797f9936dcc3969657c5e423db7f4f30655f8e0a1ce821974d91580d41f7d872d9dffe0a609b9bdbccd7e68c92a0845563d7500927cbde51f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DffwY0LSlrP.bat

Filesize
204B

MD5
5a7be1cfa1209e2a339cb8e2f60d7abd

SHA1
fcd1c630b4de9b9e01314a01c74ab662bdce5fae

SHA256
f1dd2acdf2800019eee7e8de13ab81dc079b893d8f02f13db469d4fb9885b9f9

SHA512
6059bf69fa35082e73e3a15fbf9612dec9a8739230653ef987c22489255c9a3c9cd0bc48a30ba10d3555e981a231219da0a1923a9729533df4545fb3ebbbc6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eW49LCrTgpq.bat

Filesize
204B

MD5
103f134d8d9e3d1228c1ee53b9ddddec

SHA1
755e1d09d00da62937d25e2533ba42c610a4579b

SHA256
2c18a003ae9af55c0a1bf895c074349fc19654b7ee1c62d2c292844f3588a0e4

SHA512
0cb34592f531108faaacf46d52b895de5ec546af27bc618afc15c370ae949504192957cddc715e69e90a7dcf243ad59179b1e4fa4d49cf3bb9b3f62cdafa51c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A81RAqOFWGty.bat

Filesize
204B

MD5
54298a2fd31e7674a6cd351a62b667e6

SHA1
d9c1edee4dfe88fac798bd7538a8fa14f9f19621

SHA256
2b0bf0464af795de9cb97b066f97ac536396783a0ef1953dfbd609255aafac1e

SHA512
a3db0f8ff9dd52fbb5f01e2807a1067d4f4e4ddd7280206f3506a1efb0e6238c33bc3938f075723cf4807c7c03529d7679f29a3c665c05aae2d5ad61e0095393

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFKfDnuJnNQr.bat

Filesize
204B

MD5
10631f649f3af2e43b464022b2ea9fb9

SHA1
f6f8a4e2f24e9699c1b33ba0f01637addb0cf456

SHA256
74793b747236d97f2f71a7451d0bae1e389f098a8af7bafdfe5df652f62da846

SHA512
72d776903788d5e8c3f6a48750ac7442a9bb73346945eb9ad96f229810be083a304019de2ef752105a10333f4f71f3fe92ece91774fb37439d199eae9a1d6f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\McVUouc5xwKg.bat

Filesize
204B

MD5
ad7a57f2e4bd8590b1c2c71909dcd75a

SHA1
430e45dca6a79afbbb79283b701af3a77fe6a3a0

SHA256
981e909b7ab50e85d7bf9d96b2d85a171326880117cf316e016ce30e40fdb9c3

SHA512
59e082cf140ead5332e8e6dad78910e8c8cedbf7f2729bbf22eadbcf5fa9fed58debb35a5920c1b8a3d03e2fd2c5612b32c8877de9b3b7b3e4ca810f45bba9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MffkXa5ABQ9S.bat

Filesize
204B

MD5
2644e95207a7791ae58e6c4e630446f0

SHA1
753c970d81dcac592846402b676b6889dfe9d04c

SHA256
a846349c5278c09aa63fb9a1eec70e78edec078961689fc966b7955f214f5f22

SHA512
fdc882ece439f0f8b82ad320273e0881816b58f02f8719237dd5f01a3639bf3bf2eee1195a233504d98f0d407c2ba0bfc342a1c58e084fca9478dc1140fee170

Download Submit
C:\Users\Admin\AppData\Local\Temp\NtHOLEZaE55I.bat

Filesize
204B

MD5
f5c4dbd66f6896057729f3e40b71ddad

SHA1
d747776117320c6ae2a6f335d189300ff3ee22d3

SHA256
79a78b7fd0580e7cc15790c07866501bf4807d99553996f1a797f7aedbd33914

SHA512
dab59e8f22e0b9bbc812a1235543407aa86bea57d07ac7eb5f63217046f515065dcff4cdc9d00dfe6417e8e15689bceaf3591de4dea0cf87bf2600e9d201f6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xjj46hv7Ekhp.bat

Filesize
204B

MD5
74f2bb83cdd5ae4d8aa6ec964219f32c

SHA1
e268f2f6fc9848361e953067ac125c4197899894

SHA256
bc1ba8d7156955db915512ed0ead75ecbc707a398db1d7872ee6f567e670b2ce

SHA512
be5f939e4ab9eb7e1f8fef67d53ec7cf8aa44a7e73b018644983d0ea34a89cea842b9f36298cbb427ced6907b3013ce8adb2524c227854ea5402b691dd2a04cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOXPtf7wwpps.bat

Filesize
204B

MD5
cdc9b0ca1eb4797064b4763840d6209b

SHA1
18cf75b1d4517bd710c963c0d751c6fd45050615

SHA256
2f6d598cf9c89872eab946f2e91bf9bf2525940be56598cbeb00ade53956f217

SHA512
93123e50a21ae35630ff516df743d3c0461681065c0609f65bfe424c0292b820b930be792d71163d025ce85554af8f6ba60913ca00ffdc4bfc65ac44f88851e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eagHiCHLJOg4.bat

Filesize
204B

MD5
b96807ada33b47e228eff17c308402ba

SHA1
0a21a0097cc720514d1ee1d3b4c2889eec6483e0

SHA256
6fd6331fbd2ca64dcbe40d2b218a608bc1dd2e6f6d78782a0670f8a12458760a

SHA512
b454828b93fe4a206aa3f50ddcf2b79fe61d0e41819f317405fbd410adcc16a5fc066fb821eb05ab2aed12f4b2bd07f60c22d1bafc5bdb9d40b0e62a69c91070

Download Submit
C:\Users\Admin\AppData\Local\Temp\gKhUDYtcTr7F.bat

Filesize
204B

MD5
2d4762e65bab36a9eead12b995e8772c

SHA1
be9b4139d3eff8b1f4b4ee73329a86c13ca93181

SHA256
de52ebbc1e0f9cea663d5ca3685310b52a69d28f4c9dfed1c45f267ea0d28d3c

SHA512
a470d64b8a7bdfa17dafc796f6a17f8163960f72484494736690926f3da6200c3e58356dc8c0854da8c029b30aabc012286e693a1f54e2a4ab26899cd696baff

Download Submit
C:\Users\Admin\AppData\Local\Temp\iq1rIZlO363z.bat

Filesize
204B

MD5
03da2721d59724ec0473ab22c09f8cb1

SHA1
a11256f54c079a12fe77e1451b9435f10cb624e5

SHA256
7265410a5466291e95d52f073a1fac0b897a50a15c61e150ee72734d1583c01e

SHA512
cd3df50c596312c5390dbeec58fdfce22b6c5bef0af001ac99fd551050cfa6f819fd79d39b3d5672e381a568aa50cce47a4ecd7a8f0532c0adf502aa21b03df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0QvTJXeto3N.bat

Filesize
204B

MD5
fee12faabdca7e977d8fc68bd5bdd2bb

SHA1
c7dae7b8b00af68024b84e2ad568315528166fa4

SHA256
d5c76b201bc54dadbc9a0441cb51b26c8cfb1769801456842103916b892fe195

SHA512
51c6ed4a5ba9fb37024d9fab0f419c43e099870a2e47896acad988ab875134623ea7f1c203330a1d154608f4a67a76d61df690b530db1618108879f0730ccd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\t8JewtOPzXb6.bat

Filesize
204B

MD5
2bcea17cffd393e528923dc5a4ec1df1

SHA1
34fb3f9887fc2b1c8ee3e7779593976782a94b6e

SHA256
f9ff69ac1cfdb8b33a2d7919b9dc51a4a112e8f955b6549d059a387de4e5ab6f

SHA512
8d26d65b0f032bcee6725e65bfc64a2e20e0188120dc814b7aafe2c2e0a9821cce24361dd13edb6460b9e7a43a6e01643c5db4d4162e388a2e715f47391de640

Download Submit
C:\Windows\System32\SubDir\AdobePDFReader.exe

Filesize
3.4MB

MD5
9d6f812bb326e1ff2bddd78747fbee25

SHA1
e2c511d7634e02166a3ca7645b631e124767e216

SHA256
4146288cd858e72cc246c03bae1cf61494a575366c4e0e86f7c824455b938388

SHA512
12783e33c8d3a0bb0d284e300158155aa52c9a44635565a8bc53dbfcd0ff976d32983cae732e07ed207ad5bb0283ba23a88f2d426781fcbd16e8dd1b72508191

Download Submit
memory/1112-18-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1112-13-0x000000001DD60000-0x000000001DE12000-memory.dmp

Filesize
712KB

Download
memory/1112-12-0x000000001DC50000-0x000000001DCA0000-memory.dmp

Filesize
320KB

Download
memory/1112-11-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1112-9-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/3436-0-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/3436-10-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/3436-2-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/3436-1-0x0000000000F10000-0x0000000001276000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads