quasar | ceec77c3852dd8b1fe96799500350ecf1d8e7c3e2a5931d58a6c99a711c9bfec

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-02-2025 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe
Size

3.1MB
MD5

cda244bc8f0486f4bce677dc71784369
SHA1

a7639235f14ed1ad673d2bfde070c266817e58b4
SHA256

ceec77c3852dd8b1fe96799500350ecf1d8e7c3e2a5931d58a6c99a711c9bfec
SHA512

3d6cd367f888923da267830e4e497808de31eed5e1d96a5de68ed82d0090aa23e41f1963ffb7cecc74fbf09948466a74666b4abaf7973b61da182b8e0096dea4
SSDEEP

98304:mvb22SsaNYfdPBldt6+dBcjHRFGRJ6TT:Y87jxCW

Score

10^/10

quasar zulaspcx discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

zulaspcx

yeniceri99-24578.portmap.io:24578

Mutex

938aa95f-e3d4-483d-9217-ffafea133927

Attributes

encryption_key
3BBA711AB673CCE3CC23338F52513D2C4D42AFEF
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral1/memory/2220-1-0x0000000000880000-0x0000000000BA4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016d63-6.dat	family_quasar
behavioral1/memory/2088-8-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar
behavioral1/memory/3052-23-0x00000000009D0000-0x0000000000CF4000-memory.dmp	family_quasar
behavioral1/memory/2548-44-0x0000000000C20000-0x0000000000F44000-memory.dmp	family_quasar
behavioral1/memory/2464-56-0x0000000000250000-0x0000000000574000-memory.dmp	family_quasar
behavioral1/memory/696-67-0x0000000000330000-0x0000000000654000-memory.dmp	family_quasar
behavioral1/memory/2400-79-0x00000000009C0000-0x0000000000CE4000-memory.dmp	family_quasar
behavioral1/memory/1640-101-0x0000000001040000-0x0000000001364000-memory.dmp	family_quasar
behavioral1/memory/1952-112-0x0000000001130000-0x0000000001454000-memory.dmp	family_quasar
behavioral1/memory/3068-134-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral1/memory/376-146-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral1/memory/1624-157-0x0000000000D80000-0x00000000010A4000-memory.dmp	family_quasar
behavioral1/memory/2576-168-0x0000000000E10000-0x0000000001134000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2088	svchost.exe
3052	svchost.exe
2844	svchost.exe
2548	svchost.exe
2464	svchost.exe
696	svchost.exe
2400	svchost.exe
1844	svchost.exe
1640	svchost.exe
1952	svchost.exe
548	svchost.exe
3068	svchost.exe
376	svchost.exe
1624	svchost.exe
2576	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2108	PING.EXE
1608	PING.EXE
2500	PING.EXE
2484	PING.EXE
2872	PING.EXE
1476	PING.EXE
2516	PING.EXE
1404	PING.EXE
2936	PING.EXE
780	PING.EXE
1948	PING.EXE
2700	PING.EXE
1840	PING.EXE
292	PING.EXE
2276	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1608	PING.EXE
1404	PING.EXE
292	PING.EXE
2276	PING.EXE
2700	PING.EXE
2516	PING.EXE
780	PING.EXE
2872	PING.EXE
2108	PING.EXE
1476	PING.EXE
2936	PING.EXE
1840	PING.EXE
2500	PING.EXE
2484	PING.EXE
1948	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1652	schtasks.exe
1632	schtasks.exe
2028	schtasks.exe
1836	schtasks.exe
980	schtasks.exe
1632	schtasks.exe
796	schtasks.exe
1072	schtasks.exe
1072	schtasks.exe
1948	schtasks.exe
2360	schtasks.exe
3060	schtasks.exe
1856	schtasks.exe
2124	schtasks.exe
2212	schtasks.exe
3044	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	update.exe
Token: SeDebugPrivilege	2088	svchost.exe
Token: SeDebugPrivilege	3052	svchost.exe
Token: SeDebugPrivilege	2844	svchost.exe
Token: SeDebugPrivilege	2548	svchost.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	696	svchost.exe
Token: SeDebugPrivilege	2400	svchost.exe
Token: SeDebugPrivilege	1844	svchost.exe
Token: SeDebugPrivilege	1640	svchost.exe
Token: SeDebugPrivilege	1952	svchost.exe
Token: SeDebugPrivilege	548	svchost.exe
Token: SeDebugPrivilege	3068	svchost.exe
Token: SeDebugPrivilege	376	svchost.exe
Token: SeDebugPrivilege	1624	svchost.exe
Token: SeDebugPrivilege	2576	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2088	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2212	2220	update.exe	30
PID 2220 wrote to memory of 2212	2220	update.exe	30
PID 2220 wrote to memory of 2212	2220	update.exe	30
PID 2220 wrote to memory of 2088	2220	update.exe	32
PID 2220 wrote to memory of 2088	2220	update.exe	32
PID 2220 wrote to memory of 2088	2220	update.exe	32
PID 2088 wrote to memory of 1948	2088	svchost.exe	33
PID 2088 wrote to memory of 1948	2088	svchost.exe	33
PID 2088 wrote to memory of 1948	2088	svchost.exe	33
PID 2088 wrote to memory of 604	2088	svchost.exe	35
PID 2088 wrote to memory of 604	2088	svchost.exe	35
PID 2088 wrote to memory of 604	2088	svchost.exe	35
PID 604 wrote to memory of 600	604	cmd.exe	37
PID 604 wrote to memory of 600	604	cmd.exe	37
PID 604 wrote to memory of 600	604	cmd.exe	37
PID 604 wrote to memory of 1404	604	cmd.exe	38
PID 604 wrote to memory of 1404	604	cmd.exe	38
PID 604 wrote to memory of 1404	604	cmd.exe	38
PID 604 wrote to memory of 3052	604	cmd.exe	39
PID 604 wrote to memory of 3052	604	cmd.exe	39
PID 604 wrote to memory of 3052	604	cmd.exe	39
PID 3052 wrote to memory of 2360	3052	svchost.exe	40
PID 3052 wrote to memory of 2360	3052	svchost.exe	40
PID 3052 wrote to memory of 2360	3052	svchost.exe	40
PID 3052 wrote to memory of 2680	3052	svchost.exe	42
PID 3052 wrote to memory of 2680	3052	svchost.exe	42
PID 3052 wrote to memory of 2680	3052	svchost.exe	42
PID 2680 wrote to memory of 2932	2680	cmd.exe	44
PID 2680 wrote to memory of 2932	2680	cmd.exe	44
PID 2680 wrote to memory of 2932	2680	cmd.exe	44
PID 2680 wrote to memory of 2936	2680	cmd.exe	45
PID 2680 wrote to memory of 2936	2680	cmd.exe	45
PID 2680 wrote to memory of 2936	2680	cmd.exe	45
PID 2680 wrote to memory of 2844	2680	cmd.exe	47
PID 2680 wrote to memory of 2844	2680	cmd.exe	47
PID 2680 wrote to memory of 2844	2680	cmd.exe	47
PID 2844 wrote to memory of 3060	2844	svchost.exe	48
PID 2844 wrote to memory of 3060	2844	svchost.exe	48
PID 2844 wrote to memory of 3060	2844	svchost.exe	48
PID 2844 wrote to memory of 1244	2844	svchost.exe	50
PID 2844 wrote to memory of 1244	2844	svchost.exe	50
PID 2844 wrote to memory of 1244	2844	svchost.exe	50
PID 1244 wrote to memory of 1688	1244	cmd.exe	52
PID 1244 wrote to memory of 1688	1244	cmd.exe	52
PID 1244 wrote to memory of 1688	1244	cmd.exe	52
PID 1244 wrote to memory of 1840	1244	cmd.exe	53
PID 1244 wrote to memory of 1840	1244	cmd.exe	53
PID 1244 wrote to memory of 1840	1244	cmd.exe	53
PID 1244 wrote to memory of 2548	1244	cmd.exe	54
PID 1244 wrote to memory of 2548	1244	cmd.exe	54
PID 1244 wrote to memory of 2548	1244	cmd.exe	54
PID 2548 wrote to memory of 1652	2548	svchost.exe	55
PID 2548 wrote to memory of 1652	2548	svchost.exe	55
PID 2548 wrote to memory of 1652	2548	svchost.exe	55
PID 2548 wrote to memory of 2164	2548	svchost.exe	57
PID 2548 wrote to memory of 2164	2548	svchost.exe	57
PID 2548 wrote to memory of 2164	2548	svchost.exe	57
PID 2164 wrote to memory of 1016	2164	cmd.exe	59
PID 2164 wrote to memory of 1016	2164	cmd.exe	59
PID 2164 wrote to memory of 1016	2164	cmd.exe	59
PID 2164 wrote to memory of 780	2164	cmd.exe	60
PID 2164 wrote to memory of 780	2164	cmd.exe	60
PID 2164 wrote to memory of 780	2164	cmd.exe	60
PID 2164 wrote to memory of 2464	2164	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2212
- C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1948
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\lpcEhBIR9a0n.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:600
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1404
  - - C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2360
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fr6qcQRTvf7E.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2932
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2936
      - C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kdRw9huJtPP4.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9IaPlIt8bKZD.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VsNId1M4WzVV.bat" "
        11⤵
        
        PID:1476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1856
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eF61oCTUsIXI.bat" "
        13⤵
        
        PID:1732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WudkRlfMWLEu.bat" "
        15⤵
        
        PID:2288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1072
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rzqVvYQ1A3d3.bat" "
        17⤵
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8uiBzXTE6pMl.bat" "
        19⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\M1jrXKCSgtfQ.bat" "
        21⤵
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqJslQMkNXiS.bat" "
        23⤵
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jbjUc4Em4qln.bat" "
        25⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:980
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\x2MrNBDhAT5s.bat" "
        27⤵
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KI4CYgngtpQn.bat" "
        29⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1072
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tzbu3XxK7jJS.bat" "
        31⤵
        
        PID:1844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8uiBzXTE6pMl.bat

Filesize
209B

MD5
50f8f48a61bda7e6042f8d23bcb47756

SHA1
5c0078b86d12ee1873707a91d7c180a774b62d80

SHA256
ff2ac960452ae1558946543e8b8ca22282fac3b6f48a73761033ef44fdeebb62

SHA512
8c5cd44c5ec9ba30ee94980ae1e968fc9cfffbf978770dbbd820a2b405f2029097846c9bea96a6bf5ac3b4abf5d9515fb04602f70ea22b0f70f3887f1a35fa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IaPlIt8bKZD.bat

Filesize
209B

MD5
c884234745236cc62804646cdb2547ee

SHA1
f348caf1ec41facadd2439dd86fc38ef40559bea

SHA256
49283bb365886eae6d395ff28138a483ef827e26dcaee02ee9ce402519fa21a8

SHA512
af0bd9135b47753b444e17ee39190c40b00230e46411e5f40ad3adfba8896fce4049b7af79014a4940b8775d39d17c7c8bca848a9460109408d8eba77ffb3ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fr6qcQRTvf7E.bat

Filesize
209B

MD5
251de07391f3b8a4e6c478eb7116b7da

SHA1
f4b00101311cf4c66f8e72744d4cd1be582072d4

SHA256
14d70813a08388d059b593fb27be1c6ac389ae454bd8dcf49c9d9170d13749c2

SHA512
f888c38d30e1a7df2ef336ead39ad4391adab8e70b998d20faf213d555db7d63fa0629424cbcdd5ba70d8bf8f9617a97c549bc429f06198d6d9b90a224957b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KI4CYgngtpQn.bat

Filesize
209B

MD5
c2b433a39a3331aebd0b3a6f6bd1628c

SHA1
0b0dff1a76e0518d0b2dcc5ec0d70d3819c34fd8

SHA256
ebbe42cca7cdf2a35d9d2b3d3ede4fad7753582ea1073d7ac501817a3e91cc2d

SHA512
11eb40490b842ffd9d9560f5d9ee40fa4f4e5c18677ef87c33b6d705e23a5e4f3604d0d8c64fd9a7af3e8872226e210266d40967746adfaa9abb4be708880e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1jrXKCSgtfQ.bat

Filesize
209B

MD5
88dd6904b4fb9780ace38c2c2cd9edaa

SHA1
dc1d37d368ad794d27f8320b60cf8d8e839badef

SHA256
9605858d347a000b7d474519827ce8a1334cc4daddf3af84b7494c3423a3b7cd

SHA512
df722f6761866c1121c33b62e4c163124a131f8f65f73b68df5c2fa159ec604fb7c9cc901674297a2ba97cfa58d0a2fd27494f3748075f26f71100106d9c3805

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqJslQMkNXiS.bat

Filesize
209B

MD5
d9f3df2ddaf0bd09cf7fac0739a09a47

SHA1
8cb6e1df934e6f9ecd939697a5ea4e3ae92c6b73

SHA256
21d8f19396f0a71e938c7eb944035e1c5bf32abc01dcaa690ffa0a55b41625a3

SHA512
ff9e1f42e3102ac0879d507a3ee5a3cf6b93e4c120f9b50ec496fe669c99250d24b0eb0b9fc1f4baae3cc2435f3701f6826b0e62e2d4c6e61774a2ad01790292

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsNId1M4WzVV.bat

Filesize
209B

MD5
96036903a5bccfa3965ff676afd06987

SHA1
3639d05aa0a38c62b3d68ce0df2394a2e02f0c39

SHA256
48fe0f33b367195671dad32a9c627ea19dc1ef33f50cc1f1e829cd37b45c4799

SHA512
2e3c43143800117c8de8b0091527a409db3428b837e7cf1e030f5a832482d2be338c1e28348f9ab19b521f4e8c5837416eac27c258b434701ee86842ca1482a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WudkRlfMWLEu.bat

Filesize
209B

MD5
1c691ee6a30aa0b67c3a1900ce6f7966

SHA1
80d818f091e37a8c192f1add6be286febb1e166e

SHA256
b3a03b2b97c500050a5c426ba06fc0d366d9930adfe21d55e8228fbbeccac7cc

SHA512
1e9bf2578c70564b1222fce7c6250b388af9b1d47a3ac379e4cf86c70fbe37f3768e7895591b2bd08966a1f641cc5a836fe00c9f293b6ba8b759cf7868daa2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eF61oCTUsIXI.bat

Filesize
209B

MD5
3bf5205197c10597d4e78076cbcb7fcd

SHA1
023fccab04ab31979d3f3bd345f8de2f352f12d7

SHA256
5bea8ef39ec15bc012b13dc1c4dc1db7ac869bc5dde4f6327bfecc2d774e06e4

SHA512
bd2b03bd391edc38f52639331a788b28f62b55320c26a475bd76c38d8a1eb8d16297fafe8eab4ef3f06878f7930c391d209e34eca4320dcc19773240b09f41a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbjUc4Em4qln.bat

Filesize
209B

MD5
aac741d240dcab89a8e1662f1705eb07

SHA1
3850574c5e64d4d0a4958a0b2a0650dccf421c92

SHA256
edb4d045e0c09c7f6567682a0e4d56430231bce4acf3f7941e4aca4c97665b68

SHA512
ccfdf1435da78a0b690adfe65e50a2a6585e32a69a8427dd622daab561ec1bba45fa483ce0f4b1d0c67656a9001e87c7172ccca4a97cf276ab7037faff6d061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdRw9huJtPP4.bat

Filesize
209B

MD5
54a1d9d118c165dca05d62f17de52d9c

SHA1
01c7f61b2b1cdcc623ecdfd8e9e69f05c8c7c9b9

SHA256
bf3cf288c2b874b13578b8c3f15cdd6860ebc751d1d599e48bac2c9cb28e7d43

SHA512
e312b8ef300f1843430b35d6d7eb667846a7d7e5333c738dc719588aab83e06368f031f4ec2a3fec028189a30fd5253b1f9ff9ecce5c176f098e0bd386f10b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpcEhBIR9a0n.bat

Filesize
209B

MD5
502d62a4882c8881ebe263c3055f0322

SHA1
137c1b86f1a4f5a54b82f142eaf5e1339e4cb522

SHA256
19d0f23b82c1e36174d769485fa414e87134e5b7a3858cefcc01aa971d64eaa4

SHA512
6ceb299340dc616f60ffd1a89821eb0bfad7cccf59aac3219c52bf8e1d5db2734502f3cf0e29afaa81553d58db2cd0daadf596bc29576d40470b0171adf1414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzqVvYQ1A3d3.bat

Filesize
209B

MD5
b98207771d7434741068dbf5d2026bca

SHA1
8d1d80341ced16ed59594e99f8ba01aa620ad86e

SHA256
e260e7940c1ef901296bed4b0dca62d075573a04f5ed9ed2010190e524702f1a

SHA512
58c9d277e82ce71d6e0e210d341b95049d316a415a21663a1a75c347cd5e5a8e618ad074cbb6967714a57f71e841b3fb72d214d2b13cb89f8962f061f2889cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzbu3XxK7jJS.bat

Filesize
209B

MD5
9c2f83129d742402178c22a96611d27b

SHA1
00b1c41fa7f421afdc4133fb872699bd9eab5b16

SHA256
666b6f9eebe77d101799cfbf3de74fea94402e8701f819e5777bbcf4347307d7

SHA512
ce27d6b388285871fc01edef14edca3eda9c6fad4a76774d5dec365993a7e41adbde8c7b853a669b29eeb8776ef7522c0f9615c73d1e86642552a2afcb104675

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2MrNBDhAT5s.bat

Filesize
209B

MD5
56432b87240b3acdd05179e8f964934c

SHA1
f38ba9bf5ec6c16ce292b7f572075f06e85f7452

SHA256
359caac6dc82e2532f232ff7fa51145750466a2536dbba31456ccad477f573d2

SHA512
bcf46746d1da7166e8015cb3f67f0a6b5c5c4aa49158fccb972d272331c77f0209ebc7722de970e16763b549aac99786be2af5daaffd912015fe2bf0dcfb486f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\svchost.exe

Filesize
3.1MB

MD5
cda244bc8f0486f4bce677dc71784369

SHA1
a7639235f14ed1ad673d2bfde070c266817e58b4

SHA256
ceec77c3852dd8b1fe96799500350ecf1d8e7c3e2a5931d58a6c99a711c9bfec

SHA512
3d6cd367f888923da267830e4e497808de31eed5e1d96a5de68ed82d0090aa23e41f1963ffb7cecc74fbf09948466a74666b4abaf7973b61da182b8e0096dea4

Download Submit
memory/376-146-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/696-67-0x0000000000330000-0x0000000000654000-memory.dmp

Filesize
3.1MB

Download
memory/1624-157-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download
memory/1640-101-0x0000000001040000-0x0000000001364000-memory.dmp

Filesize
3.1MB

Download
memory/1952-112-0x0000000001130000-0x0000000001454000-memory.dmp

Filesize
3.1MB

Download
memory/2088-9-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-21-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-8-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/2088-11-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-10-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2220-2-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-1-0x0000000000880000-0x0000000000BA4000-memory.dmp

Filesize
3.1MB

Download
memory/2400-79-0x00000000009C0000-0x0000000000CE4000-memory.dmp

Filesize
3.1MB

Download
memory/2464-56-0x0000000000250000-0x0000000000574000-memory.dmp

Filesize
3.1MB

Download
memory/2548-44-0x0000000000C20000-0x0000000000F44000-memory.dmp

Filesize
3.1MB

Download
memory/2576-168-0x0000000000E10000-0x0000000001134000-memory.dmp

Filesize
3.1MB

Download
memory/3052-23-0x00000000009D0000-0x0000000000CF4000-memory.dmp

Filesize
3.1MB

Download
memory/3068-134-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads