quasar | 40f9ef6921839b83373e8d981655b24f2b9c6d9b5b342d2bf621c8d6ea5528f8

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/01/2025, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
Size

6.0MB
MD5

d04352c69e8d56db5f9eb8f0b6573365
SHA1

21d7ec8a608f26756eb8531f3d51f7e0a63f7d8d
SHA256

40f9ef6921839b83373e8d981655b24f2b9c6d9b5b342d2bf621c8d6ea5528f8
SHA512

b341b0e0eeb9031ed17dcc490b6bbb74fb3f6b563a09c66ce59acc002967a86719d7ac1e31b30068277be0448672a35a330271ac74b032f6216e8fc93160ce41
SSDEEP

98304:blFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:bWJuMg53HRVu7vHDpS1IqBRU7kCs2q

Score

10^/10

quasar chrome discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/files/0x000700000001920f-19.dat	family_quasar
behavioral1/memory/2436-29-0x0000000001060000-0x00000000010E4000-memory.dmp	family_quasar
behavioral1/memory/2628-36-0x0000000000190000-0x0000000000214000-memory.dmp	family_quasar
behavioral1/memory/300-47-0x0000000000C30000-0x0000000000CB4000-memory.dmp	family_quasar
behavioral1/memory/1196-59-0x0000000000EA0000-0x0000000000F24000-memory.dmp	family_quasar
behavioral1/memory/1300-70-0x00000000003F0000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/764-82-0x0000000000E70000-0x0000000000EF4000-memory.dmp	family_quasar
behavioral1/memory/2288-93-0x0000000000FE0000-0x0000000001064000-memory.dmp	family_quasar
behavioral1/memory/1356-114-0x0000000001270000-0x00000000012F4000-memory.dmp	family_quasar
behavioral1/memory/2952-136-0x00000000001F0000-0x0000000000274000-memory.dmp	family_quasar
behavioral1/memory/904-148-0x0000000000F50000-0x0000000000FD4000-memory.dmp	family_quasar
behavioral1/memory/2404-159-0x0000000001200000-0x0000000001284000-memory.dmp	family_quasar
behavioral1/memory/2184-170-0x00000000002A0000-0x0000000000324000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Executes dropped EXE 15 IoCs

pid	Process
2436	chrome.exe
2956	S^X.exe
2628	chrome.exe
300	chrome.exe
1196	chrome.exe
1300	chrome.exe
764	chrome.exe
2288	chrome.exe
2424	chrome.exe
1356	chrome.exe
2312	chrome.exe
2952	chrome.exe
904	chrome.exe
2404	chrome.exe
2184	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000019030-6.dat	themida
behavioral1/memory/1840-9-0x00000000729D0000-0x0000000072FD8000-memory.dmp	themida
behavioral1/memory/1840-10-0x00000000729D0000-0x0000000072FD8000-memory.dmp	themida
behavioral1/memory/1840-12-0x00000000729D0000-0x0000000072FD8000-memory.dmp	themida
behavioral1/memory/1840-28-0x00000000729D0000-0x0000000072FD8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
828	PING.EXE
848	PING.EXE
2408	PING.EXE
1224	PING.EXE
1888	PING.EXE
2476	PING.EXE
1696	PING.EXE
2224	PING.EXE
2644	PING.EXE
1136	PING.EXE
792	PING.EXE
2272	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
828	PING.EXE
848	PING.EXE
792	PING.EXE
2408	PING.EXE
1888	PING.EXE
2476	PING.EXE
1696	PING.EXE
2224	PING.EXE
2644	PING.EXE
1136	PING.EXE
1224	PING.EXE
2272	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
2832	schtasks.exe
1608	schtasks.exe
768	schtasks.exe
2668	schtasks.exe
2860	schtasks.exe
3048	schtasks.exe
588	schtasks.exe
692	schtasks.exe
1740	schtasks.exe
1744	schtasks.exe
2248	schtasks.exe
1560	schtasks.exe
2400	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	chrome.exe
Token: SeDebugPrivilege	2628	chrome.exe
Token: SeDebugPrivilege	2956	S^X.exe
Token: SeDebugPrivilege	300	chrome.exe
Token: SeDebugPrivilege	1196	chrome.exe
Token: SeDebugPrivilege	1300	chrome.exe
Token: SeDebugPrivilege	764	chrome.exe
Token: SeDebugPrivilege	2288	chrome.exe
Token: SeDebugPrivilege	2424	chrome.exe
Token: SeDebugPrivilege	1356	chrome.exe
Token: SeDebugPrivilege	2312	chrome.exe
Token: SeDebugPrivilege	2952	chrome.exe
Token: SeDebugPrivilege	904	chrome.exe
Token: SeDebugPrivilege	2404	chrome.exe
Token: SeDebugPrivilege	2184	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2628	chrome.exe
300	chrome.exe
1196	chrome.exe
1300	chrome.exe
764	chrome.exe
2288	chrome.exe
2424	chrome.exe
1356	chrome.exe
2312	chrome.exe
2952	chrome.exe
904	chrome.exe
2404	chrome.exe
2184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2436	1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	30
PID 1840 wrote to memory of 2436	1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	30
PID 1840 wrote to memory of 2436	1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	30
PID 1840 wrote to memory of 2436	1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	30
PID 1840 wrote to memory of 2956	1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	31
PID 1840 wrote to memory of 2956	1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	31
PID 1840 wrote to memory of 2956	1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	31
PID 1840 wrote to memory of 2956	1840	JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe	31
PID 2436 wrote to memory of 2668	2436	chrome.exe	32
PID 2436 wrote to memory of 2668	2436	chrome.exe	32
PID 2436 wrote to memory of 2668	2436	chrome.exe	32
PID 2436 wrote to memory of 2628	2436	chrome.exe	34
PID 2436 wrote to memory of 2628	2436	chrome.exe	34
PID 2436 wrote to memory of 2628	2436	chrome.exe	34
PID 2628 wrote to memory of 2832	2628	chrome.exe	35
PID 2628 wrote to memory of 2832	2628	chrome.exe	35
PID 2628 wrote to memory of 2832	2628	chrome.exe	35
PID 2628 wrote to memory of 2588	2628	chrome.exe	37
PID 2628 wrote to memory of 2588	2628	chrome.exe	37
PID 2628 wrote to memory of 2588	2628	chrome.exe	37
PID 2588 wrote to memory of 2556	2588	cmd.exe	39
PID 2588 wrote to memory of 2556	2588	cmd.exe	39
PID 2588 wrote to memory of 2556	2588	cmd.exe	39
PID 2588 wrote to memory of 828	2588	cmd.exe	40
PID 2588 wrote to memory of 828	2588	cmd.exe	40
PID 2588 wrote to memory of 828	2588	cmd.exe	40
PID 2588 wrote to memory of 300	2588	cmd.exe	42
PID 2588 wrote to memory of 300	2588	cmd.exe	42
PID 2588 wrote to memory of 300	2588	cmd.exe	42
PID 300 wrote to memory of 2248	300	chrome.exe	43
PID 300 wrote to memory of 2248	300	chrome.exe	43
PID 300 wrote to memory of 2248	300	chrome.exe	43
PID 300 wrote to memory of 1732	300	chrome.exe	45
PID 300 wrote to memory of 1732	300	chrome.exe	45
PID 300 wrote to memory of 1732	300	chrome.exe	45
PID 1732 wrote to memory of 1868	1732	cmd.exe	47
PID 1732 wrote to memory of 1868	1732	cmd.exe	47
PID 1732 wrote to memory of 1868	1732	cmd.exe	47
PID 1732 wrote to memory of 1888	1732	cmd.exe	48
PID 1732 wrote to memory of 1888	1732	cmd.exe	48
PID 1732 wrote to memory of 1888	1732	cmd.exe	48
PID 1732 wrote to memory of 1196	1732	cmd.exe	49
PID 1732 wrote to memory of 1196	1732	cmd.exe	49
PID 1732 wrote to memory of 1196	1732	cmd.exe	49
PID 1196 wrote to memory of 2860	1196	chrome.exe	50
PID 1196 wrote to memory of 2860	1196	chrome.exe	50
PID 1196 wrote to memory of 2860	1196	chrome.exe	50
PID 1196 wrote to memory of 2500	1196	chrome.exe	52
PID 1196 wrote to memory of 2500	1196	chrome.exe	52
PID 1196 wrote to memory of 2500	1196	chrome.exe	52
PID 2500 wrote to memory of 2208	2500	cmd.exe	54
PID 2500 wrote to memory of 2208	2500	cmd.exe	54
PID 2500 wrote to memory of 2208	2500	cmd.exe	54
PID 2500 wrote to memory of 2476	2500	cmd.exe	55
PID 2500 wrote to memory of 2476	2500	cmd.exe	55
PID 2500 wrote to memory of 2476	2500	cmd.exe	55
PID 2500 wrote to memory of 1300	2500	cmd.exe	56
PID 2500 wrote to memory of 1300	2500	cmd.exe	56
PID 2500 wrote to memory of 1300	2500	cmd.exe	56
PID 1300 wrote to memory of 692	1300	chrome.exe	57
PID 1300 wrote to memory of 692	1300	chrome.exe	57
PID 1300 wrote to memory of 692	1300	chrome.exe	57
PID 1300 wrote to memory of 1700	1300	chrome.exe	59
PID 1300 wrote to memory of 1700	1300	chrome.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d04352c69e8d56db5f9eb8f0b6573365.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2668
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2832
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\DrdaGTkgeuNX.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2556
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:828
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:300
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Naydq6bFleHO.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fC8NwY66kb8U.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:692
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XroKY5RFBwjZ.bat" "
        10⤵
        
        PID:1700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgvvOJiBpiw4.bat" "
        12⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKhSrSKgpQad.bat" "
        14⤵
        
        PID:344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GHK7b5ITmds6.bat" "
        16⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6g6Hibohfugc.bat" "
        18⤵
        
        PID:1876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Xknxq6p4HvtD.bat" "
        20⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SRNCGwbp22MT.bat" "
        22⤵
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Su7hCetonKgQ.bat" "
        24⤵
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pft2vHUWTw5Q.bat" "
        26⤵
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6g6Hibohfugc.bat

Filesize
207B

MD5
f61ab1384a45bd8c7a8b7787bb5bea85

SHA1
9585d1c8c002515756ad1aad165c4c5b5d3a6de3

SHA256
4c487c86d84728e155dba3be85eabc00194a317f594aca893356428cf1e297b9

SHA512
9e7226d1533f10e20f6393e110e8ccc8b01e7f34be1f6b6ddde7d37fe0685cab1b5c3014ce839b8fef3867eb69c7eadc7c5c9072a161abde13f783f74e080286

Download Submit
C:\Users\Admin\AppData\Local\Temp\DrdaGTkgeuNX.bat

Filesize
207B

MD5
ccde00407852ea1c53fa8a89fe5a1ef7

SHA1
0ae3e82d8590d3c1a74fc155cd575d15e86760f7

SHA256
d20b8383f466e67d89027bc0d5bedb56a5e239a83d2f9aa7eba6a404d191340f

SHA512
da6ab14e15e2dd82aa61e881bb1b1c53f1fe54fb964d0dd2d3f3b79d3ab7ad7a685c2552f9af59cff9ed1e79fb319b1a2226376bcc4d6bd3c1530143688cda4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHK7b5ITmds6.bat

Filesize
207B

MD5
c3a8b10cc8238ba859b338b659b9c788

SHA1
259ac778ce6d1eb2dbddd26b9c7f84f89e55bde2

SHA256
cb5fe782c9d98bc2af5e114d07a6756f2d772865f75f693cbdf2bc6ce19df462

SHA512
a647d91ea3086b5f7a626a32c882bc5b5c9a96e89e577b7a82c27ce556c473f2c02983a0ab5184d389d56b5d28de3aa49f0554ceae83d2d56899c21827248654

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgvvOJiBpiw4.bat

Filesize
207B

MD5
d8d77d8a014d1bbd0112ff1ab5d64a6f

SHA1
af8eb10202bf527156a157ca4cf61bdfe5fc618c

SHA256
2f0608655bdef302c860000ff5f4525a7c7261c47355489bee01dcfd6355e94e

SHA512
d6795e3297d4cb7e1653043e25472f1110147e251d3a43a5bd37b2a168f0bfc4bf876f46d5b0ff7a950318898c7f82cad31898654aa7bf3da61bf39e0461abf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Naydq6bFleHO.bat

Filesize
207B

MD5
4de9099ac2a335e6988e7c032072185a

SHA1
571a54f2bb778955c31000910c2d48fabce83e6f

SHA256
4fdc76c35e797ca5717ca46c380606435aca6880241ab7752feacc5917e3e072

SHA512
1863d3bbaeac809dd8e832ddb371e91108c2fba7305f63b69fcb17c659133df47740a6da18143544b219745a48b3d5a9c5c99821722ff9dbb435ccf0375b0e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pft2vHUWTw5Q.bat

Filesize
207B

MD5
fae0b6a68a7a848927163531125c743c

SHA1
bce8c10c5ba9cc913cebadb46c825bdaf6d8f7ba

SHA256
79fb830eee9881d1b76d7c73aba21072f7df3d5b1d7a6d3b60fb04a92df5ae60

SHA512
25e79696fd9230f4a34a12313d9fded102a6892cc9112f41f1224263d18acbd992ca569ee450e7682d1a269aa6f59de277a1c34d457ba63a40ac598bd749dc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRNCGwbp22MT.bat

Filesize
207B

MD5
71f8e01a2912e960492295ace068e2ba

SHA1
e53ea410b86a74aaa428552a9db252edf4d1260b

SHA256
24c4abbb2edb6120e0c2bb07276c9f8b89956c8a8dddb42cd413fd8eeddf2f3d

SHA512
67d874a9a2a0ed52dad5518a5e19a72545b949a9c90d12735770252e825eb15d5c5ae33c525faed504166cef734c4fa7aa18db63ed650e30c746e9b534b8828e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Su7hCetonKgQ.bat

Filesize
207B

MD5
21bbab4dcde43c84fc39f682baa870b3

SHA1
55815b0afd82234da6ec0fee6b1f45d992ac9064

SHA256
4a4413d62a410deaae9bda6c624ba1b3447b10a5e35cc020def631a7ec85f901

SHA512
a88af4db222f346cf1e3d5c7e90e4661bb15086309657e427ae76fe989c91150bb6f80cb6a7bad2f064ee2f30efc3f65f3054292561e639f4af903984f1a3f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xknxq6p4HvtD.bat

Filesize
207B

MD5
57c1a9e16f52032e9abf72586131ef34

SHA1
e384884a79dd5851122929a912eecc93ed4bc098

SHA256
f82cc80df7d4d574487e1a5dccfef6800777aa4b3843fac0987b5a7eca2a22a1

SHA512
fcf3819d2b07ec5fc81c3e21b4c6245e5a4950a24739ab1d0db283ca494a05c6a27f8bde081ce4ccb02f62b5d91df77324a4d1cd08b3ee2e0704d368abc47633

Download Submit
C:\Users\Admin\AppData\Local\Temp\XroKY5RFBwjZ.bat

Filesize
207B

MD5
14408d5803bb6dfdf92d3e47f9069119

SHA1
124440b0c587043372ad889edf05f548c3e17aab

SHA256
61ecd3e011babf3baea2b6d51aeec35b7ffe95c850f914ddbbb0a0653de1db07

SHA512
3b34698da5e93d24aad02fa0599ac3c6d8d522514f6f6543f7c2f9872bbc7976bfd258c46c59cee6a02323805bcb1726af41a0dabd48bd5a90abb707caad959c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKhSrSKgpQad.bat

Filesize
207B

MD5
ee97a540093a1508f663b6f0d5a2eaa5

SHA1
8d72425231921d4af773de45aef07aaaedbb06cc

SHA256
f214d2aea957ef74fca07ffee23cea4aa5c3ac5561b091d301e0c4e7ac8faaf0

SHA512
78b8d612764c3f8cc8191cedc5034f0182e2632b10d66bd921d54a45f19b04e31b62a30b3538cb09ffe54c65936b08f0e04e4d86d0f9a33af651e7a85f0fed62

Download Submit
C:\Users\Admin\AppData\Local\Temp\fC8NwY66kb8U.bat

Filesize
207B

MD5
38ccdd60678b2b0c1023c199c5d9e9ec

SHA1
ce9f72172e379c1b5e825e5e8deaebfcdccc148f

SHA256
022a77dda3ba52b2bd00658bc6a6978f010bae6658d3ae5418d6ef009187e87f

SHA512
c9ba5351e3942b6130f6666ccf54232617b18c405ac43d92d62aec5196590fc19057bf0a4417c4c1968dbde586eb3847884a6d7cebbe3c84fe3c7068ed5c835d

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
502KB

MD5
92479f1615fd4fa1dd3ac7f2e6a1b329

SHA1
0a6063d27c9f991be2053b113fcef25e071c57fd

SHA256
0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569

SHA512
9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

Download Submit
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
memory/300-47-0x0000000000C30000-0x0000000000CB4000-memory.dmp

Filesize
528KB

Download
memory/764-82-0x0000000000E70000-0x0000000000EF4000-memory.dmp

Filesize
528KB

Download
memory/904-148-0x0000000000F50000-0x0000000000FD4000-memory.dmp

Filesize
528KB

Download
memory/1196-59-0x0000000000EA0000-0x0000000000F24000-memory.dmp

Filesize
528KB

Download
memory/1300-70-0x00000000003F0000-0x0000000000474000-memory.dmp

Filesize
528KB

Download
memory/1356-114-0x0000000001270000-0x00000000012F4000-memory.dmp

Filesize
528KB

Download
memory/1840-13-0x0000000074690000-0x00000000746EB000-memory.dmp

Filesize
364KB

Download
memory/1840-9-0x00000000729D0000-0x0000000072FD8000-memory.dmp

Filesize
6.0MB

Download
memory/1840-30-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-0-0x00000000746F1000-0x00000000746F2000-memory.dmp

Filesize
4KB

Download
memory/1840-28-0x00000000729D0000-0x0000000072FD8000-memory.dmp

Filesize
6.0MB

Download
memory/1840-1-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-12-0x00000000729D0000-0x0000000072FD8000-memory.dmp

Filesize
6.0MB

Download
memory/1840-2-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-10-0x00000000729D0000-0x0000000072FD8000-memory.dmp

Filesize
6.0MB

Download
memory/1840-11-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-170-0x00000000002A0000-0x0000000000324000-memory.dmp

Filesize
528KB

Download
memory/2288-93-0x0000000000FE0000-0x0000000001064000-memory.dmp

Filesize
528KB

Download
memory/2404-159-0x0000000001200000-0x0000000001284000-memory.dmp

Filesize
528KB

Download
memory/2436-29-0x0000000001060000-0x00000000010E4000-memory.dmp

Filesize
528KB

Download
memory/2436-25-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/2628-36-0x0000000000190000-0x0000000000214000-memory.dmp

Filesize
528KB

Download
memory/2952-136-0x00000000001F0000-0x0000000000274000-memory.dmp

Filesize
528KB

Download
memory/2956-31-0x0000000000EA0000-0x0000000000F6C000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads