quasar | b4becc32cef140dcc804424b9c4e030a1ce245b13e7f1baeca854b8897f2df5f

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Size

16.7MB
MD5

dfa43d929d93cd09310d9dbdb6ad082d
SHA1

a9f5d6128404cd438bc5617740cc3d7ccb1064f5
SHA256

b4becc32cef140dcc804424b9c4e030a1ce245b13e7f1baeca854b8897f2df5f
SHA512

c7a4aed1966a26bd99554a82d3749a01a80ef49f2abfbbafcd9a6c6fb19010f423de75acc6f9344c381fff631f7ff9017416e31edddf538c8991c5d8b00a6f29
SSDEEP

393216:urN50n4bwQq7t3J086sIB6ehAAJ2u653xVu7vHhqBa4Cs:uka9ZPBxKJpHCpqBa4C

Score

10^/10

quasar chrome agilenet discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016dc1-69.dat	family_quasar
behavioral1/memory/1912-80-0x0000000000F00000-0x0000000000F84000-memory.dmp	family_quasar
behavioral1/memory/2100-86-0x0000000000210000-0x0000000000294000-memory.dmp	family_quasar
behavioral1/memory/2312-97-0x00000000012B0000-0x0000000001334000-memory.dmp	family_quasar
behavioral1/memory/696-108-0x0000000000320000-0x00000000003A4000-memory.dmp	family_quasar
behavioral1/memory/1788-119-0x0000000001160000-0x00000000011E4000-memory.dmp	family_quasar
behavioral1/memory/2296-130-0x0000000001280000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/2572-141-0x0000000000100000-0x0000000000184000-memory.dmp	family_quasar
behavioral1/memory/2796-152-0x0000000000DB0000-0x0000000000E34000-memory.dmp	family_quasar
behavioral1/memory/636-173-0x00000000002E0000-0x0000000000364000-memory.dmp	family_quasar
behavioral1/memory/2452-184-0x0000000001370000-0x00000000013F4000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AVB.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVB.exe

Executes dropped EXE 15 IoCs

pid	Process
2516	AVB.exe
1912	chrome.exe
2608	S^X.exe
2100	chrome.exe
2312	chrome.exe
696	chrome.exe
1788	chrome.exe
2296	chrome.exe
2572	chrome.exe
2796	chrome.exe
592	chrome.exe
636	chrome.exe
2452	chrome.exe
1988	chrome.exe
1536	chrome.exe

Loads dropped DLL 6 IoCs

pid	Process
2380	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
2380	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
2516	AVB.exe
2516	AVB.exe
2516	AVB.exe
2516	AVB.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0009000000015fba-16.dat	agile_net
behavioral1/memory/2516-24-0x0000000000D00000-0x0000000001850000-memory.dmp	agile_net
behavioral1/memory/2516-37-0x0000000005A40000-0x0000000006052000-memory.dmp	agile_net
behavioral1/memory/2516-57-0x0000000005A40000-0x000000000604C000-memory.dmp	agile_net
behavioral1/memory/2516-61-0x0000000005A40000-0x000000000604C000-memory.dmp	agile_net
behavioral1/memory/2516-59-0x0000000005A40000-0x000000000604C000-memory.dmp	agile_net
behavioral1/memory/2516-55-0x0000000005A40000-0x000000000604C000-memory.dmp	agile_net
behavioral1/memory/2516-54-0x0000000005A40000-0x000000000604C000-memory.dmp	agile_net

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000800000001650a-6.dat	themida
behavioral1/memory/2380-9-0x0000000072880000-0x0000000072E88000-memory.dmp	themida
behavioral1/memory/2380-10-0x0000000072880000-0x0000000072E88000-memory.dmp	themida
behavioral1/memory/2380-11-0x0000000072880000-0x0000000072E88000-memory.dmp	themida
behavioral1/memory/2380-21-0x0000000072880000-0x0000000072E88000-memory.dmp	themida
behavioral1/memory/2516-32-0x0000000073EE0000-0x00000000744E8000-memory.dmp	themida
behavioral1/memory/2516-34-0x0000000073EE0000-0x00000000744E8000-memory.dmp	themida
behavioral1/memory/2516-33-0x0000000073EE0000-0x00000000744E8000-memory.dmp	themida
behavioral1/memory/2516-44-0x00000000704A0000-0x0000000070AA8000-memory.dmp	themida
behavioral1/memory/2516-47-0x00000000704A0000-0x0000000070AA8000-memory.dmp	themida
behavioral1/memory/2516-45-0x00000000704A0000-0x0000000070AA8000-memory.dmp	themida
behavioral1/memory/2516-78-0x0000000073EE0000-0x00000000744E8000-memory.dmp	themida
behavioral1/memory/2516-79-0x00000000704A0000-0x0000000070AA8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AVB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2380	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
2516	AVB.exe
2516	AVB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2280	PING.EXE
1872	PING.EXE
1680	PING.EXE
108	PING.EXE
912	PING.EXE
752	PING.EXE
2640	PING.EXE
1728	PING.EXE
1520	PING.EXE
2892	PING.EXE
2624	PING.EXE
3032	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2892	PING.EXE
912	PING.EXE
2280	PING.EXE
1872	PING.EXE
1680	PING.EXE
1520	PING.EXE
2624	PING.EXE
3032	PING.EXE
108	PING.EXE
752	PING.EXE
2640	PING.EXE
1728	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1880	schtasks.exe
3024	schtasks.exe
2064	schtasks.exe
2300	schtasks.exe
1892	schtasks.exe
1924	schtasks.exe
324	schtasks.exe
2648	schtasks.exe
2160	schtasks.exe
2036	schtasks.exe
2376	schtasks.exe
2076	schtasks.exe
2844	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	chrome.exe
Token: SeDebugPrivilege	2100	chrome.exe
Token: SeDebugPrivilege	2608	S^X.exe
Token: SeDebugPrivilege	2312	chrome.exe
Token: SeDebugPrivilege	696	chrome.exe
Token: SeDebugPrivilege	1788	chrome.exe
Token: SeDebugPrivilege	2296	chrome.exe
Token: SeDebugPrivilege	2572	chrome.exe
Token: SeDebugPrivilege	2796	chrome.exe
Token: SeDebugPrivilege	592	chrome.exe
Token: SeDebugPrivilege	636	chrome.exe
Token: SeDebugPrivilege	2452	chrome.exe
Token: SeDebugPrivilege	1988	chrome.exe
Token: SeDebugPrivilege	1536	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2100	chrome.exe
2312	chrome.exe
696	chrome.exe
1788	chrome.exe
2296	chrome.exe
2572	chrome.exe
2796	chrome.exe
592	chrome.exe
636	chrome.exe
2452	chrome.exe
1988	chrome.exe
1536	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2516	2380	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe	31
PID 2380 wrote to memory of 2516	2380	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe	31
PID 2380 wrote to memory of 2516	2380	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe	31
PID 2380 wrote to memory of 2516	2380	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe	31
PID 2516 wrote to memory of 1912	2516	AVB.exe	32
PID 2516 wrote to memory of 1912	2516	AVB.exe	32
PID 2516 wrote to memory of 1912	2516	AVB.exe	32
PID 2516 wrote to memory of 1912	2516	AVB.exe	32
PID 2516 wrote to memory of 2608	2516	AVB.exe	33
PID 2516 wrote to memory of 2608	2516	AVB.exe	33
PID 2516 wrote to memory of 2608	2516	AVB.exe	33
PID 2516 wrote to memory of 2608	2516	AVB.exe	33
PID 1912 wrote to memory of 2036	1912	chrome.exe	34
PID 1912 wrote to memory of 2036	1912	chrome.exe	34
PID 1912 wrote to memory of 2036	1912	chrome.exe	34
PID 1912 wrote to memory of 2100	1912	chrome.exe	36
PID 1912 wrote to memory of 2100	1912	chrome.exe	36
PID 1912 wrote to memory of 2100	1912	chrome.exe	36
PID 2100 wrote to memory of 2376	2100	chrome.exe	37
PID 2100 wrote to memory of 2376	2100	chrome.exe	37
PID 2100 wrote to memory of 2376	2100	chrome.exe	37
PID 2100 wrote to memory of 1256	2100	chrome.exe	39
PID 2100 wrote to memory of 1256	2100	chrome.exe	39
PID 2100 wrote to memory of 1256	2100	chrome.exe	39
PID 1256 wrote to memory of 2992	1256	cmd.exe	41
PID 1256 wrote to memory of 2992	1256	cmd.exe	41
PID 1256 wrote to memory of 2992	1256	cmd.exe	41
PID 1256 wrote to memory of 2280	1256	cmd.exe	42
PID 1256 wrote to memory of 2280	1256	cmd.exe	42
PID 1256 wrote to memory of 2280	1256	cmd.exe	42
PID 1256 wrote to memory of 2312	1256	cmd.exe	43
PID 1256 wrote to memory of 2312	1256	cmd.exe	43
PID 1256 wrote to memory of 2312	1256	cmd.exe	43
PID 2312 wrote to memory of 1892	2312	chrome.exe	44
PID 2312 wrote to memory of 1892	2312	chrome.exe	44
PID 2312 wrote to memory of 1892	2312	chrome.exe	44
PID 2312 wrote to memory of 2020	2312	chrome.exe	46
PID 2312 wrote to memory of 2020	2312	chrome.exe	46
PID 2312 wrote to memory of 2020	2312	chrome.exe	46
PID 2020 wrote to memory of 3028	2020	cmd.exe	48
PID 2020 wrote to memory of 3028	2020	cmd.exe	48
PID 2020 wrote to memory of 3028	2020	cmd.exe	48
PID 2020 wrote to memory of 1872	2020	cmd.exe	49
PID 2020 wrote to memory of 1872	2020	cmd.exe	49
PID 2020 wrote to memory of 1872	2020	cmd.exe	49
PID 2020 wrote to memory of 696	2020	cmd.exe	50
PID 2020 wrote to memory of 696	2020	cmd.exe	50
PID 2020 wrote to memory of 696	2020	cmd.exe	50
PID 696 wrote to memory of 1924	696	chrome.exe	51
PID 696 wrote to memory of 1924	696	chrome.exe	51
PID 696 wrote to memory of 1924	696	chrome.exe	51
PID 696 wrote to memory of 1252	696	chrome.exe	53
PID 696 wrote to memory of 1252	696	chrome.exe	53
PID 696 wrote to memory of 1252	696	chrome.exe	53
PID 1252 wrote to memory of 892	1252	cmd.exe	55
PID 1252 wrote to memory of 892	1252	cmd.exe	55
PID 1252 wrote to memory of 892	1252	cmd.exe	55
PID 1252 wrote to memory of 1680	1252	cmd.exe	56
PID 1252 wrote to memory of 1680	1252	cmd.exe	56
PID 1252 wrote to memory of 1680	1252	cmd.exe	56
PID 1252 wrote to memory of 1788	1252	cmd.exe	57
PID 1252 wrote to memory of 1788	1252	cmd.exe	57
PID 1252 wrote to memory of 1788	1252	cmd.exe	57
PID 1788 wrote to memory of 324	1788	chrome.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\AVB.exe
  "C:\Users\Admin\AppData\Roaming\AVB.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Roaming\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2036
  - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
      "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nlZh1cl4xqHV.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2992
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
      - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\q7cqldQe9an6.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1924
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCltNvgbzH8K.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vtvSQpBMjYKM.bat" "
        11⤵
        
        PID:896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2076
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\P9ilS4gFeeaI.bat" "
        13⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tfdAOMlWJUkt.bat" "
        15⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TrFgreBXJ84p.bat" "
        17⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\C2C3obtC3VVV.bat" "
        19⤵
        
        PID:2404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\w1aRpRHqKbMG.bat" "
        21⤵
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:108
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMYk5qqYZAwm.bat" "
        23⤵
        
        PID:340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mChaL2uem29B.bat" "
        25⤵
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z0fRtAhNiPXm.bat" "
        27⤵
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
- - C:\Users\Admin\AppData\Local\Temp\S^X.exe
    "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C2C3obtC3VVV.bat

Filesize
207B

MD5
6167deea22844d8b7636d838a5c681dd

SHA1
2552fe53882ab998d5b78be2c2ab79ab45e8d52f

SHA256
032a4bc0a7ab911cf25ae75ea3474a09b3519529e384b6f986dea11ad38dab1b

SHA512
3cd54cc8344780baa5dbb7a85b3b936a1ecfe53c05747209c0a6ea36c562c3eb990db176bf0130c1f62ae1e45736e86f48b382eb2d96a9c6ba1bbcbb381d2902

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9ilS4gFeeaI.bat

Filesize
207B

MD5
107a82e0fea53098ace546662fed8d21

SHA1
813bd51d24840edf8a14bcbdd96a61883b595714

SHA256
5ecd05702cbfaf294d3a4fa7b9daa138facddcd5c3592136b54fb633c8a00520

SHA512
54d6f75df04c38c5c88bf4885686a6e6c4da800d0fedffdfb2ad6e09b56a18042d591996336d821330a312c37f695787c2bc177ca44ea970a3f1c266adf3d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrFgreBXJ84p.bat

Filesize
207B

MD5
cc22b88f6fbcaa7135fe7f409c9d6a99

SHA1
e2c69c6c56cfa1dcfd8c882ac937a63a0220c5bc

SHA256
37bfeb3dce3535ee8cbb808e8a16e785d92c55172cac23a42ed023218bf748e1

SHA512
c764ceb356c7882ebd13e199f80226d3ea4c9aa85aafc1f37fa2dba253ac0e9b5fa3b4c1aa048159f247654716f9a972237bf7a160321aec11e2d229b81fe8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z0fRtAhNiPXm.bat

Filesize
207B

MD5
984399e94c455c95d98c728f2def0659

SHA1
0ebd4ee11c8cbea27aaada5d6d30c04016b961d1

SHA256
ed12eadc7f7e81a26e4a4b247a0fe5697a2151691c24dc2e81d6d536ffab34e0

SHA512
d5f131d3dafaebcaa3ebfff02c0bb6f0a6381a4a4a585da0801be6c295c18e1f541aa5bb8d5b41291d8c6f0b3d441e73c2a13e18b68fca5bda33f652f4717712

Download Submit
C:\Users\Admin\AppData\Local\Temp\mChaL2uem29B.bat

Filesize
207B

MD5
5b59bd625d4181ec7aa70b783360c1ab

SHA1
264bb6aec06dc6cbbd442be11a67cfb49f4003a3

SHA256
0cc3678b715172d9fd19328e75b2bd0f6a904024d35e2590a2704e8238d1935c

SHA512
a168bc5e99d84d7b736a1886ef9325e630e78636895e50801e369150571aa5b83e2f6bc71e42e27176046f6f0f59db56ac7bf8851d9d90db1e41dc04aa95e116

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlZh1cl4xqHV.bat

Filesize
207B

MD5
6667486e98338dabc8fbe9ee27cbe8d9

SHA1
b2ae0c3b8ae0c38ca5584a6b1c782db89eb104b9

SHA256
40e301f9febf59725c9c0d9cfa5e2e98ad2c759cbed049a9741768f1a556bc4b

SHA512
55c5f4974ef931bd0b12fffd34c72af951b563ed91facf9cd84caed24bb853926bf288e2821fab432f613beb4c80d5b84b7d651b2a4034a3757f6c3fdc85e901

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCltNvgbzH8K.bat

Filesize
207B

MD5
fd5c11aecafde11a4f4c5594686f68f6

SHA1
0741c1f8b0cf1f7916638b19eec7239151180767

SHA256
e6b4de699283649d045d938483eec37e578f578278c6e51681d35570a001df0c

SHA512
deae6a29337e8daa51883bc62e9fe308cbe1f39da55e7ac957caba34ef6ef4c8e8c18404ef57db7e411fae77cf063252ed2335e2d21d727b1aa2fffe5e5a563b

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7cqldQe9an6.bat

Filesize
207B

MD5
dd7d923e2a8508991e35de16fffe05d5

SHA1
bcbf820704ffe34a0439f12f4885071e738ba0f8

SHA256
2bd8d75961e2edfe51fdda05af88e66a787cb58dfd98119d721a802130411788

SHA512
1e65b2876c7acfc46a71293b3667f6da0f64de271d65ef1346b10ead6df833d47abe76fce6ffcd79e52a41bae6e29f5e53fbdd26f6a4f835bf6df9f95ab69369

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfdAOMlWJUkt.bat

Filesize
207B

MD5
6efd621662885bfc9865c2c3f7d6480e

SHA1
71db93cc3d98403d84f8fef8bd07552327abc86a

SHA256
9a5355d575746c13b4cfdde41844c89bcd197cfd4b994f981ca8d020be80059c

SHA512
e7bb9444918456dd2cf80c488dcfc43ea65b09fcd2b3859106bd0c0ff8ad4292538cacbbdab4dc97d8dc4022bf115b4cba1a6305694201af08e346f7c95772c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtvSQpBMjYKM.bat

Filesize
207B

MD5
fe3d06f03a1240162f10cabb6a9adaf2

SHA1
89250fada32ecf751cd8431f0bbc6cfecaf3278b

SHA256
e646ac7f27311b4d74f4d7c5356cdf6b8f25b83b7a9718d5871599b28008c64d

SHA512
290f95495dfd4994e032efa31a744e55550475eda0cfc4574c128bff1a8f502bb503df0939db19b438431e8073b6eb50a7350ae8d3bef1bf81c9d751c5b8f148

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1aRpRHqKbMG.bat

Filesize
207B

MD5
fba4485665ab0c360f0f85994bc5c59a

SHA1
0c850a85a74c9c3f22b7eccb8e0c0d58f47c1b19

SHA256
3d8d33a8a90487bd9e65c5cbd9de8aac37f14b77b73e77a375d7eab4800d64b8

SHA512
37d4cb6f78fa999cf26d7daf4047108a9f310ef160cb64b47423fb89fc88f587459101781e062e473bc9fc2ec58f8736088b7bdc22e57bdc4bf3c294e7011f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMYk5qqYZAwm.bat

Filesize
207B

MD5
d14049f1d56670ac271dbc147c8bf15b

SHA1
32c89e5d39f4907dc2a998b8a12a962d3ad24cc4

SHA256
ec3ab95ba9b5abe9aa1e6fa0e204be021f7ee919ae5a7ff208f45b604e933f6b

SHA512
3b497b2906c1b4c138d40ffebbc8b13c7d9acc06b19f64a55a6c2a4427fc886e65b40caabe57c95756dfa8d199a0be2ae1c152ea0544b29f285539c5bf146d8e

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
502KB

MD5
92479f1615fd4fa1dd3ac7f2e6a1b329

SHA1
0a6063d27c9f991be2053b113fcef25e071c57fd

SHA256
0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569

SHA512
9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

Download Submit
\Users\Admin\AppData\Local\Temp\c73c9c9b-1adc-4deb-a031-aebb4e3010ac\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
\Users\Admin\AppData\Roaming\AVB.exe

Filesize
11.3MB

MD5
04d5fbe1ca0ee0d8b82c9c47786de31d

SHA1
e63bc0f81cb9d1b4439e62c5018ae30120a5a8a3

SHA256
8bde20ee2c5183c9d13716242130b6fc5f8f4bf317e7908645dc460f3ed15715

SHA512
dcd3213f484cbb301e8fb17b98fff51d6003cefd401e0d9358f0f2219e906f25f2fa0f66c81aa8bb031b327c6c19412b99472f2815262de86e73c635622b413a

Download Submit
memory/636-173-0x00000000002E0000-0x0000000000364000-memory.dmp

Filesize
528KB

Download
memory/696-108-0x0000000000320000-0x00000000003A4000-memory.dmp

Filesize
528KB

Download
memory/1788-119-0x0000000001160000-0x00000000011E4000-memory.dmp

Filesize
528KB

Download
memory/1912-80-0x0000000000F00000-0x0000000000F84000-memory.dmp

Filesize
528KB

Download
memory/2100-86-0x0000000000210000-0x0000000000294000-memory.dmp

Filesize
528KB

Download
memory/2296-130-0x0000000001280000-0x0000000001304000-memory.dmp

Filesize
528KB

Download
memory/2312-97-0x00000000012B0000-0x0000000001334000-memory.dmp

Filesize
528KB

Download
memory/2380-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2380-22-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-21-0x0000000072880000-0x0000000072E88000-memory.dmp

Filesize
6.0MB

Download
memory/2380-13-0x0000000074490000-0x00000000744EB000-memory.dmp

Filesize
364KB

Download
memory/2380-11-0x0000000072880000-0x0000000072E88000-memory.dmp

Filesize
6.0MB

Download
memory/2380-12-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-10-0x0000000072880000-0x0000000072E88000-memory.dmp

Filesize
6.0MB

Download
memory/2380-9-0x0000000072880000-0x0000000072E88000-memory.dmp

Filesize
6.0MB

Download
memory/2380-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2452-184-0x0000000001370000-0x00000000013F4000-memory.dmp

Filesize
528KB

Download
memory/2516-32-0x0000000073EE0000-0x00000000744E8000-memory.dmp

Filesize
6.0MB

Download
memory/2516-45-0x00000000704A0000-0x0000000070AA8000-memory.dmp

Filesize
6.0MB

Download
memory/2516-78-0x0000000073EE0000-0x00000000744E8000-memory.dmp

Filesize
6.0MB

Download
memory/2516-79-0x00000000704A0000-0x0000000070AA8000-memory.dmp

Filesize
6.0MB

Download
memory/2516-23-0x0000000071F4E000-0x0000000071F4F000-memory.dmp

Filesize
4KB

Download
memory/2516-63-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/2516-62-0x0000000006AF0000-0x0000000006BA2000-memory.dmp

Filesize
712KB

Download
memory/2516-46-0x0000000071F40000-0x000000007262E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-54-0x0000000005A40000-0x000000000604C000-memory.dmp

Filesize
6.0MB

Download
memory/2516-55-0x0000000005A40000-0x000000000604C000-memory.dmp

Filesize
6.0MB

Download
memory/2516-59-0x0000000005A40000-0x000000000604C000-memory.dmp

Filesize
6.0MB

Download
memory/2516-61-0x0000000005A40000-0x000000000604C000-memory.dmp

Filesize
6.0MB

Download
memory/2516-57-0x0000000005A40000-0x000000000604C000-memory.dmp

Filesize
6.0MB

Download
memory/2516-81-0x0000000071F40000-0x000000007262E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-24-0x0000000000D00000-0x0000000001850000-memory.dmp

Filesize
11.3MB

Download
memory/2516-47-0x00000000704A0000-0x0000000070AA8000-memory.dmp

Filesize
6.0MB

Download
memory/2516-25-0x0000000071F40000-0x000000007262E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-44-0x00000000704A0000-0x0000000070AA8000-memory.dmp

Filesize
6.0MB

Download
memory/2516-37-0x0000000005A40000-0x0000000006052000-memory.dmp

Filesize
6.1MB

Download
memory/2516-36-0x0000000074B40000-0x0000000074BC0000-memory.dmp

Filesize
512KB

Download
memory/2516-33-0x0000000073EE0000-0x00000000744E8000-memory.dmp

Filesize
6.0MB

Download
memory/2516-34-0x0000000073EE0000-0x00000000744E8000-memory.dmp

Filesize
6.0MB

Download
memory/2516-35-0x0000000071F40000-0x000000007262E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-141-0x0000000000100000-0x0000000000184000-memory.dmp

Filesize
528KB

Download
memory/2608-77-0x0000000000ED0000-0x0000000000F9C000-memory.dmp

Filesize
816KB

Download
memory/2796-152-0x0000000000DB0000-0x0000000000E34000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads