quasar | c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10/01/2025, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
Size

6.0MB
MD5

dc341a4899e1a077f128b79dbe296954
SHA1

e1f1e167595b85784a78f2c3902a4e57082daff9
SHA256

c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562
SHA512

978acecbb0cc55a3e8ede7ef78572e3c09ae42553a01de3e82ac8a5f085a937a43f90f0acabf2cfa80e05b1a570c05c41191cc5f76b03492cdfc9c6a2445f949
SSDEEP

196608:HS35uBog53HRVu7vHDpS1IqBRU7kCs2q:HS3YBr53xVu7vHhqBa4Cs

Score

10^/10

quasar chrome discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0033000000016d17-18.dat	family_quasar
behavioral1/memory/2944-28-0x0000000000A90000-0x0000000000B14000-memory.dmp	family_quasar
behavioral1/memory/1012-36-0x0000000001270000-0x00000000012F4000-memory.dmp	family_quasar
behavioral1/memory/2044-47-0x00000000001A0000-0x0000000000224000-memory.dmp	family_quasar
behavioral1/memory/2248-58-0x0000000001100000-0x0000000001184000-memory.dmp	family_quasar
behavioral1/memory/2140-132-0x00000000000F0000-0x0000000000174000-memory.dmp	family_quasar
behavioral1/memory/2580-144-0x00000000001E0000-0x0000000000264000-memory.dmp	family_quasar
behavioral1/memory/2156-155-0x0000000000330000-0x00000000003B4000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Executes dropped EXE 14 IoCs

pid	Process
2944	chrome.exe
2988	S^X.exe
1012	chrome.exe
2044	chrome.exe
2248	chrome.exe
1616	chrome.exe
864	chrome.exe
2712	chrome.exe
2560	chrome.exe
2736	chrome.exe
2164	chrome.exe
2140	chrome.exe
2580	chrome.exe
2156	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2832-9-0x0000000072560000-0x0000000072B68000-memory.dmp	themida
behavioral1/files/0x0008000000016d42-8.dat	themida
behavioral1/memory/2832-10-0x0000000072560000-0x0000000072B68000-memory.dmp	themida
behavioral1/memory/2832-12-0x0000000072560000-0x0000000072B68000-memory.dmp	themida
behavioral1/memory/2832-29-0x0000000072560000-0x0000000072B68000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
984	PING.EXE
1896	PING.EXE
2424	PING.EXE
1660	PING.EXE
2868	PING.EXE
2452	PING.EXE
2256	PING.EXE
1576	PING.EXE
1120	PING.EXE
3024	PING.EXE
856	PING.EXE
1336	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1120	PING.EXE
856	PING.EXE
1896	PING.EXE
2424	PING.EXE
1660	PING.EXE
984	PING.EXE
1576	PING.EXE
2256	PING.EXE
3024	PING.EXE
1336	PING.EXE
2868	PING.EXE
2452	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1756	schtasks.exe
2872	schtasks.exe
2656	schtasks.exe
2868	schtasks.exe
1136	schtasks.exe
312	schtasks.exe
1844	schtasks.exe
2508	schtasks.exe
2652	schtasks.exe
1932	schtasks.exe
2588	schtasks.exe
1416	schtasks.exe
1252	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	chrome.exe
Token: SeDebugPrivilege	1012	chrome.exe
Token: SeDebugPrivilege	2988	S^X.exe
Token: SeDebugPrivilege	2044	chrome.exe
Token: SeDebugPrivilege	2248	chrome.exe
Token: SeDebugPrivilege	1616	chrome.exe
Token: SeDebugPrivilege	864	chrome.exe
Token: SeDebugPrivilege	2712	chrome.exe
Token: SeDebugPrivilege	2560	chrome.exe
Token: SeDebugPrivilege	2736	chrome.exe
Token: SeDebugPrivilege	2164	chrome.exe
Token: SeDebugPrivilege	2140	chrome.exe
Token: SeDebugPrivilege	2580	chrome.exe
Token: SeDebugPrivilege	2156	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1012	chrome.exe
2044	chrome.exe
2248	chrome.exe
1616	chrome.exe
864	chrome.exe
2712	chrome.exe
2560	chrome.exe
2736	chrome.exe
2164	chrome.exe
2140	chrome.exe
2580	chrome.exe
2156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2944	2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	30
PID 2832 wrote to memory of 2944	2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	30
PID 2832 wrote to memory of 2944	2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	30
PID 2832 wrote to memory of 2944	2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	30
PID 2832 wrote to memory of 2988	2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	31
PID 2832 wrote to memory of 2988	2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	31
PID 2832 wrote to memory of 2988	2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	31
PID 2832 wrote to memory of 2988	2832	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	31
PID 2944 wrote to memory of 312	2944	chrome.exe	32
PID 2944 wrote to memory of 312	2944	chrome.exe	32
PID 2944 wrote to memory of 312	2944	chrome.exe	32
PID 2944 wrote to memory of 1012	2944	chrome.exe	34
PID 2944 wrote to memory of 1012	2944	chrome.exe	34
PID 2944 wrote to memory of 1012	2944	chrome.exe	34
PID 1012 wrote to memory of 1844	1012	chrome.exe	35
PID 1012 wrote to memory of 1844	1012	chrome.exe	35
PID 1012 wrote to memory of 1844	1012	chrome.exe	35
PID 1012 wrote to memory of 2188	1012	chrome.exe	37
PID 1012 wrote to memory of 2188	1012	chrome.exe	37
PID 1012 wrote to memory of 2188	1012	chrome.exe	37
PID 2188 wrote to memory of 1268	2188	cmd.exe	39
PID 2188 wrote to memory of 1268	2188	cmd.exe	39
PID 2188 wrote to memory of 1268	2188	cmd.exe	39
PID 2188 wrote to memory of 2868	2188	cmd.exe	40
PID 2188 wrote to memory of 2868	2188	cmd.exe	40
PID 2188 wrote to memory of 2868	2188	cmd.exe	40
PID 2188 wrote to memory of 2044	2188	cmd.exe	41
PID 2188 wrote to memory of 2044	2188	cmd.exe	41
PID 2188 wrote to memory of 2044	2188	cmd.exe	41
PID 2044 wrote to memory of 2508	2044	chrome.exe	42
PID 2044 wrote to memory of 2508	2044	chrome.exe	42
PID 2044 wrote to memory of 2508	2044	chrome.exe	42
PID 2044 wrote to memory of 380	2044	chrome.exe	44
PID 2044 wrote to memory of 380	2044	chrome.exe	44
PID 2044 wrote to memory of 380	2044	chrome.exe	44
PID 380 wrote to memory of 2144	380	cmd.exe	46
PID 380 wrote to memory of 2144	380	cmd.exe	46
PID 380 wrote to memory of 2144	380	cmd.exe	46
PID 380 wrote to memory of 2452	380	cmd.exe	47
PID 380 wrote to memory of 2452	380	cmd.exe	47
PID 380 wrote to memory of 2452	380	cmd.exe	47
PID 380 wrote to memory of 2248	380	cmd.exe	49
PID 380 wrote to memory of 2248	380	cmd.exe	49
PID 380 wrote to memory of 2248	380	cmd.exe	49
PID 2248 wrote to memory of 1416	2248	chrome.exe	50
PID 2248 wrote to memory of 1416	2248	chrome.exe	50
PID 2248 wrote to memory of 1416	2248	chrome.exe	50
PID 2248 wrote to memory of 2132	2248	chrome.exe	52
PID 2248 wrote to memory of 2132	2248	chrome.exe	52
PID 2248 wrote to memory of 2132	2248	chrome.exe	52
PID 2132 wrote to memory of 1068	2132	cmd.exe	54
PID 2132 wrote to memory of 1068	2132	cmd.exe	54
PID 2132 wrote to memory of 1068	2132	cmd.exe	54
PID 2132 wrote to memory of 984	2132	cmd.exe	55
PID 2132 wrote to memory of 984	2132	cmd.exe	55
PID 2132 wrote to memory of 984	2132	cmd.exe	55
PID 2132 wrote to memory of 1616	2132	cmd.exe	56
PID 2132 wrote to memory of 1616	2132	cmd.exe	56
PID 2132 wrote to memory of 1616	2132	cmd.exe	56
PID 1616 wrote to memory of 1756	1616	chrome.exe	57
PID 1616 wrote to memory of 1756	1616	chrome.exe	57
PID 1616 wrote to memory of 1756	1616	chrome.exe	57
PID 1616 wrote to memory of 608	1616	chrome.exe	59
PID 1616 wrote to memory of 608	1616	chrome.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:312
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1844
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\IPySct3BqodA.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1268
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2868
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKnucnmh3su0.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nq2YmHSPAbtP.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wx2HM6wMZ3Wc.bat" "
        10⤵
        
        PID:608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1252
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\L3ttt1DMuvVJ.bat" "
        12⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oiXybCGSx6RT.bat" "
        14⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0URSBBlRzTHB.bat" "
        16⤵
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KbqNvwGNpiKs.bat" "
        18⤵
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\c2GTwQ6aNvJw.bat" "
        20⤵
        
        PID:1580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tFulu9u7W79w.bat" "
        22⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1336
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kbqPm6ixUFsw.bat" "
        24⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K1EnMmHUEMUw.bat" "
        26⤵
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1660
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0URSBBlRzTHB.bat

Filesize
207B

MD5
b4266c3ce121fcc9dce0a90a1d0b786d

SHA1
3ec550ba3d8fd61320856e738f9a5d6f88b6ec53

SHA256
2e7ea9a5d663716849ac5bc4d08b802dcd18b53940ee9bc87522f381754616aa

SHA512
7bfab6ac109e0e3424e2b720fc2a4d0eaea03356bb73933a188926aa4bed91d9c84fd7bb3c93cdd288192bb0d937d05020919571b8f7ae84a874bb2c9f7b1470

Download Submit
C:\Users\Admin\AppData\Local\Temp\IPySct3BqodA.bat

Filesize
207B

MD5
1bcedde9cc8c39ccec785ab94bbc6c73

SHA1
69ba5d1abfe392aaa766bf812cab3148aaaa877f

SHA256
5f49d6e5f0c93b93f7e5aa3f40c7e3082c4743218488b08b2dd5d8a1ae6df460

SHA512
a705ba007ddd333e04ca26bac84f0b00d4757f6a291bf65d05651c439ecafa42c6e3943c52c4e44dcea535cfce8ca5f18e83161ff80afe77f4b932b0fcd4b87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\K1EnMmHUEMUw.bat

Filesize
207B

MD5
958b633aa70e12238c707c6d803f270e

SHA1
025857a4a4229e1d42a782e8d542e8030d52ccf6

SHA256
9fae945a8dc8099a82c5ec0b3b9f32c5bb7e26b364a9d2534b9ba7cb99fb53c4

SHA512
4bcbe9493bb07abbbc3a942b95f2f0d39e26973f3c61433ddbbc536171ff25d8ca88d7fafb96ba1cbba6cfd9c5d50d7ac2ac9b694f27c562c6ea7b6410c61478

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbqNvwGNpiKs.bat

Filesize
207B

MD5
ff90f9381abdcf623a8398a87f1d90c7

SHA1
2319518e870a4fd1b828defc654e74b9eab3c4c5

SHA256
476d68ac2ab350f66cc93e2a4fd6b1b0ae9c4e6f157770276455800a75e489ba

SHA512
51a1e2875c3af4d5744944e7b317c31c398add78ce5575d15d78de1b1023c161e8ad8b250949d4b21bfb22e9887c0161c5b99c03f2324f6b99d0864789d7d39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\L3ttt1DMuvVJ.bat

Filesize
207B

MD5
fa0cc20fff58bae23c30dcc37e615ce2

SHA1
a28a0881c9e2c0f5cd8704cc72bae860414ff421

SHA256
ee2c932275e966d55dd07f2bdfbc47a1ac2c1b3fa97e79ba6471671629787f13

SHA512
bd18df8a3529cc93745d307e23ae2d3f56b00c9e0f580e23ae3b33bc438e4cbed0b3582570c67bf5a6421505fb17e685f68d23c25ee2c79735ceaa132abd4a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKnucnmh3su0.bat

Filesize
207B

MD5
1b6b534868fbc2e422b76e53ebf03bbb

SHA1
70bc00ba78d45b567b120d61b319d77b3b5ad9f9

SHA256
dfc15dcc3d2791d026f2faf0b0d45d835d25bd0fdad7baaeb4343e4102a67b8d

SHA512
b13e3aa9d66b8897e2b0008cfa35a9a1718be05a8d27b8a7091d36ec78ab1834de8bb4213adeb6a2d2d134c5c6ecd0b7d2d578d9adf9349ea6b2a5621b0ff0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wx2HM6wMZ3Wc.bat

Filesize
207B

MD5
7662d657d3088516eb83cd9d15539785

SHA1
79163ea72fceb6d16a744bd902b977201cc0df8d

SHA256
9a90c221e149730f752ee81f53b835a568b6cc9e273d465c4dc1e2c4639705bb

SHA512
9404fe957f8fadcfd73c43c1eae79f3fc441f0ef78933d9d942cd20286c6c64cdf0d8c6fab83ea8f01450943c4c55f9005742a1c7b760aa0595361cfd3a4f731

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2GTwQ6aNvJw.bat

Filesize
207B

MD5
f8125de02b701e75a36743805cdf5c23

SHA1
a47b568cd3cc1748587d4b1e6cb91b85094d4b7f

SHA256
efa2ab046dc5a985756e73f9acbf8fac6c188e6d29a9fdce726b0a9f35a18125

SHA512
0b53cffa8c001392cc1ee610287d43b2dc7e401e50ce02cf8c0b2c23c315ad6dc01b6211d70d0d8a589e22ea7c9d663291378dcf3a4512b922d0ceadbdebd112

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5e62d65-5f6c-40b2-b1cb-74dc607f952a\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbqPm6ixUFsw.bat

Filesize
207B

MD5
b907cdf564ec30ded71d2254ff8657e4

SHA1
c98fe04866351f3be1e63d9c27ab77040da04f44

SHA256
9d65e893ed253bb120015f7c748c463bb64a45398e3e9a0f72db5e4c809ab9ea

SHA512
b60abaa27373e216f4ddadf3607732f3ddf19d33d1f67988be959409df7e56c1ff518d96d5de5740145f015f7b54cecd84c6dd63e79805f5330b7216b05eb7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nq2YmHSPAbtP.bat

Filesize
207B

MD5
6c0f0aab54400ba5e68eecebc9542c61

SHA1
31fb7f473e672f6c5028b601c50ba7e534755fe2

SHA256
1b68b0ccc3875efc63c4c603709a46ba130d74831cc8f4f502d895ca7b957e09

SHA512
5e48f81731dab555ecd82524bb683839939a924bcc50f684375aacb303dc3e6d14633fd26a3fc6119d2633da00a5b19f728170b3b00a384151617cb5af60d226

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiXybCGSx6RT.bat

Filesize
207B

MD5
da1a91b54c59d7cd83c37f78af8b89d3

SHA1
4e23ee0bf9ba06403eea807d14d2b652e1914fa9

SHA256
a7dc5ee9d2c1ae2d6f0eae042d226993755c222d1364d749afc552ba5336a0a9

SHA512
782edc9254681e1c469f6906d978779125622d1235bce382db1a0968db1d306237a659c6cc6535e525cfd10ab24bf4670f342892d5cb2a3321c0006cc58679b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tFulu9u7W79w.bat

Filesize
207B

MD5
c88a5b16deec20fcc1111737f36833a2

SHA1
6cfbe28dbc394b840ea93665c8d21e6bf926468f

SHA256
3b82fbb8ca632f52ca0c29b66cff2333807541fa671a711de4bef3aba6bc3453

SHA512
7f49babe381a9dbe2b4bc1c71d36bc3771405d6d29aca6b36bf98b85982eae3a7f2634fb8fbd65ca94141610208b69643af5abf50d527cb887c58a310910b36e

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
502KB

MD5
92479f1615fd4fa1dd3ac7f2e6a1b329

SHA1
0a6063d27c9f991be2053b113fcef25e071c57fd

SHA256
0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569

SHA512
9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

Download Submit
memory/1012-36-0x0000000001270000-0x00000000012F4000-memory.dmp

Filesize
528KB

Download
memory/2044-47-0x00000000001A0000-0x0000000000224000-memory.dmp

Filesize
528KB

Download
memory/2140-132-0x00000000000F0000-0x0000000000174000-memory.dmp

Filesize
528KB

Download
memory/2156-155-0x0000000000330000-0x00000000003B4000-memory.dmp

Filesize
528KB

Download
memory/2248-58-0x0000000001100000-0x0000000001184000-memory.dmp

Filesize
528KB

Download
memory/2580-144-0x00000000001E0000-0x0000000000264000-memory.dmp

Filesize
528KB

Download
memory/2832-29-0x0000000072560000-0x0000000072B68000-memory.dmp

Filesize
6.0MB

Download
memory/2832-13-0x0000000074240000-0x000000007429B000-memory.dmp

Filesize
364KB

Download
memory/2832-12-0x0000000072560000-0x0000000072B68000-memory.dmp

Filesize
6.0MB

Download
memory/2832-10-0x0000000072560000-0x0000000072B68000-memory.dmp

Filesize
6.0MB

Download
memory/2832-11-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-30-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-9-0x0000000072560000-0x0000000072B68000-memory.dmp

Filesize
6.0MB

Download
memory/2832-0-0x00000000743C1000-0x00000000743C2000-memory.dmp

Filesize
4KB

Download
memory/2832-2-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-1-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2944-28-0x0000000000A90000-0x0000000000B14000-memory.dmp

Filesize
528KB

Download
memory/2944-27-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2988-31-0x0000000001000000-0x00000000010CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads