quasar | ceec77c3852dd8b1fe96799500350ecf1d8e7c3e2a5931d58a6c99a711c9bfec

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe
Size

3.1MB
MD5

cda244bc8f0486f4bce677dc71784369
SHA1

a7639235f14ed1ad673d2bfde070c266817e58b4
SHA256

ceec77c3852dd8b1fe96799500350ecf1d8e7c3e2a5931d58a6c99a711c9bfec
SHA512

3d6cd367f888923da267830e4e497808de31eed5e1d96a5de68ed82d0090aa23e41f1963ffb7cecc74fbf09948466a74666b4abaf7973b61da182b8e0096dea4
SSDEEP

98304:mvb22SsaNYfdPBldt6+dBcjHRFGRJ6TT:Y87jxCW

Score

10^/10

quasar zulaspcx discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

zulaspcx

yeniceri99-24578.portmap.io:24578

Mutex

938aa95f-e3d4-483d-9217-ffafea133927

Attributes

encryption_key
3BBA711AB673CCE3CC23338F52513D2C4D42AFEF
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1712-1-0x0000000000B50000-0x0000000000E74000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023dc4-6.dat	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
48	3844	Process not Found

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 14 IoCs

pid	Process
3908	svchost.exe
2316	svchost.exe
2448	svchost.exe
4388	svchost.exe
3932	svchost.exe
1784	svchost.exe
4088	svchost.exe
1356	svchost.exe
1692	svchost.exe
1096	svchost.exe
4384	svchost.exe
540	svchost.exe
3028	svchost.exe
3928	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1528	PING.EXE
4460	MicrosoftEdgeUpdate.exe
4668	PING.EXE
1004	PING.EXE
4400	PING.EXE
2320	PING.EXE
3672	PING.EXE
3524	PING.EXE
2108	PING.EXE
1000	PING.EXE
3932	PING.EXE
3680	PING.EXE
4652	PING.EXE
3876	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
1528	PING.EXE
3524	PING.EXE
2320	PING.EXE
3672	PING.EXE
4652	PING.EXE
1004	PING.EXE
3876	PING.EXE
4668	PING.EXE
3680	PING.EXE
1000	PING.EXE
4400	PING.EXE
3932	PING.EXE
2108	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3628	schtasks.exe
4400	schtasks.exe
440	schtasks.exe
3628	schtasks.exe
3060	schtasks.exe
2544	schtasks.exe
1708	schtasks.exe
3396	schtasks.exe
4200	schtasks.exe
1512	schtasks.exe
4504	schtasks.exe
4596	schtasks.exe
2064	schtasks.exe
872	schtasks.exe
4444	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	update.exe
Token: SeDebugPrivilege	3908	svchost.exe
Token: SeDebugPrivilege	2316	svchost.exe
Token: SeDebugPrivilege	2448	svchost.exe
Token: SeDebugPrivilege	4388	svchost.exe
Token: SeDebugPrivilege	3932	svchost.exe
Token: SeDebugPrivilege	1784	svchost.exe
Token: SeDebugPrivilege	4088	svchost.exe
Token: SeDebugPrivilege	1356	svchost.exe
Token: SeDebugPrivilege	1692	svchost.exe
Token: SeDebugPrivilege	1096	svchost.exe
Token: SeDebugPrivilege	4384	svchost.exe
Token: SeDebugPrivilege	540	svchost.exe
Token: SeDebugPrivilege	3028	svchost.exe
Token: SeDebugPrivilege	3928	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3908	svchost.exe
3932	svchost.exe
1784	svchost.exe
4088	svchost.exe
1356	svchost.exe
540	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4444	1712	update.exe	89
PID 1712 wrote to memory of 4444	1712	update.exe	89
PID 1712 wrote to memory of 3908	1712	update.exe	91
PID 1712 wrote to memory of 3908	1712	update.exe	91
PID 3908 wrote to memory of 2544	3908	svchost.exe	92
PID 3908 wrote to memory of 2544	3908	svchost.exe	92
PID 3908 wrote to memory of 1004	3908	svchost.exe	94
PID 3908 wrote to memory of 1004	3908	svchost.exe	94
PID 1004 wrote to memory of 1968	1004	cmd.exe	96
PID 1004 wrote to memory of 1968	1004	cmd.exe	96
PID 1004 wrote to memory of 1000	1004	cmd.exe	97
PID 1004 wrote to memory of 1000	1004	cmd.exe	97
PID 1004 wrote to memory of 2316	1004	cmd.exe	98
PID 1004 wrote to memory of 2316	1004	cmd.exe	98
PID 2316 wrote to memory of 4200	2316	svchost.exe	99
PID 2316 wrote to memory of 4200	2316	svchost.exe	99
PID 2316 wrote to memory of 400	2316	svchost.exe	101
PID 2316 wrote to memory of 400	2316	svchost.exe	101
PID 400 wrote to memory of 5104	400	cmd.exe	103
PID 400 wrote to memory of 5104	400	cmd.exe	103
PID 400 wrote to memory of 2320	400	cmd.exe	104
PID 400 wrote to memory of 2320	400	cmd.exe	104
PID 400 wrote to memory of 2448	400	cmd.exe	107
PID 400 wrote to memory of 2448	400	cmd.exe	107
PID 2448 wrote to memory of 3628	2448	svchost.exe	109
PID 2448 wrote to memory of 3628	2448	svchost.exe	109
PID 2448 wrote to memory of 2348	2448	svchost.exe	111
PID 2448 wrote to memory of 2348	2448	svchost.exe	111
PID 2348 wrote to memory of 4708	2348	cmd.exe	113
PID 2348 wrote to memory of 4708	2348	cmd.exe	113
PID 2348 wrote to memory of 3672	2348	cmd.exe	114
PID 2348 wrote to memory of 3672	2348	cmd.exe	114
PID 2348 wrote to memory of 4388	2348	cmd.exe	119
PID 2348 wrote to memory of 4388	2348	cmd.exe	119
PID 4388 wrote to memory of 4400	4388	svchost.exe	120
PID 4388 wrote to memory of 4400	4388	svchost.exe	120
PID 4388 wrote to memory of 3448	4388	svchost.exe	122
PID 4388 wrote to memory of 3448	4388	svchost.exe	122
PID 3448 wrote to memory of 5052	3448	cmd.exe	124
PID 3448 wrote to memory of 5052	3448	cmd.exe	124
PID 3448 wrote to memory of 4652	3448	cmd.exe	125
PID 3448 wrote to memory of 4652	3448	cmd.exe	125
PID 3448 wrote to memory of 3932	3448	cmd.exe	127
PID 3448 wrote to memory of 3932	3448	cmd.exe	127
PID 3932 wrote to memory of 4504	3932	svchost.exe	128
PID 3932 wrote to memory of 4504	3932	svchost.exe	128
PID 3932 wrote to memory of 1940	3932	svchost.exe	130
PID 3932 wrote to memory of 1940	3932	svchost.exe	130
PID 1940 wrote to memory of 2388	1940	cmd.exe	132
PID 1940 wrote to memory of 2388	1940	cmd.exe	132
PID 1940 wrote to memory of 1004	1940	cmd.exe	133
PID 1940 wrote to memory of 1004	1940	cmd.exe	133
PID 1940 wrote to memory of 1784	1940	cmd.exe	135
PID 1940 wrote to memory of 1784	1940	cmd.exe	135
PID 1784 wrote to memory of 440	1784	svchost.exe	136
PID 1784 wrote to memory of 440	1784	svchost.exe	136
PID 1784 wrote to memory of 4540	1784	svchost.exe	138
PID 1784 wrote to memory of 4540	1784	svchost.exe	138
PID 4540 wrote to memory of 1060	4540	cmd.exe	140
PID 4540 wrote to memory of 1060	4540	cmd.exe	140
PID 4540 wrote to memory of 3876	4540	cmd.exe	141
PID 4540 wrote to memory of 3876	4540	cmd.exe	141
PID 4540 wrote to memory of 4088	4540	cmd.exe	142
PID 4540 wrote to memory of 4088	4540	cmd.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4444
- C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSLQyld8nCoj.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1968
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1000
  - - C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u3wjHXI1qZFm.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5104
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2320
      - C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\prmkbdetZV8M.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goJF3jiNfy2c.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vo8slIDghnJm.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wvmXnRABD76r.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qxC5iCRajjyV.bat" "
        15⤵
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCg0IjX7bVEi.bat" "
        17⤵
        
        PID:3928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zs9dsULZZ0PM.bat" "
        19⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKKmeRq4SgHs.bat" "
        21⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f36JvycHATuZ.bat" "
        23⤵
        
        PID:1160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MDyvSdiZrVTr.bat" "
        25⤵
        
        PID:4188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\75OmZBqp32WY.bat" "
        27⤵
        
        PID:4536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:5028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\Windows\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ocku3PfgxwoZ.bat" "
        29⤵
        
        PID:4832

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTc0RTc4MTQtMTk3Mi00MDA5LTkzMDgtMTQzODY3MzIxNUU4fSIgdXNlcmlkPSJ7MURDODk4NzMtQjA0Mi00REU0LTg1M0QtMUY0N0VBOTg3QUUzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUY1QjM1NjAtQ0QzRC00NjcxLTlBOUUtMkUxNzk1RTRDNUYxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ0OTciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNjkzODEzMjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjIyMjY0MzIyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\75OmZBqp32WY.bat

Filesize
209B

MD5
bd2aee21dbc0304b3b3479afc54a025a

SHA1
e59b252b366b0db11ee481cc2a20f4a8816be482

SHA256
741ee73c8d1353a5f959033099c372f31db1046c8edcbc840d1a330e13d4f6f7

SHA512
f96ef4fef711ae501eb3acaf17c1ae9f933afbbdc9c1141827ba934099bc906a0b1b536dcb3caef1d9b6a85d6914bbc26433168c9f5db2da3ad90f69fff01017

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKKmeRq4SgHs.bat

Filesize
209B

MD5
6887f0f218e3e80d733f638856866465

SHA1
c08c6130977ce63b0e1fc0d2979fa69c6d4d6f6d

SHA256
f2ddebb62bb0e35e6852b3ec291cc77e250ced8afca601f357bd02466f3e687b

SHA512
38b6b7755b7818929142b3bd9d49e65dfbbe4e45d390baf23b95984ebb4cba5f2c766dd9d271d2fb2e20bc1abd6df7bde3ce7f11a5fabe6fc0249fbe287a6c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MDyvSdiZrVTr.bat

Filesize
209B

MD5
6ba5bb551e457caa72887477d1746c8a

SHA1
9f64f3ceb69ea65e465890e9d8db62d50c14376e

SHA256
c15995f5d301184867fd0f0be938c6d5b1190ab6e0acefa8e0131f8ff7f08f1b

SHA512
f9d9e20b7a98c086bd6a975f773d6e5b6c445f4c3d4b02bbb57e024ba26a2589d90a679c77dbaa05dc95920a94c0c7bc6ff12ce4dcfbf824860f8bf2d00c3053

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vo8slIDghnJm.bat

Filesize
209B

MD5
e5dc2d3d8724ea671b0df5adec5950c7

SHA1
0c7c6c62fe625f0621f5a584927c7342129b8205

SHA256
c6d9f7d251480aeecc3cc00a55e6218b465326493ae8dd5605018db1c8ed05eb

SHA512
12fd67d1ede9675146c0e96c67f67bb6eb9ee6f3bcaf019b4039c060988737e74cf0b18ed993d74204036525b8cd4f77a064c3c5f2fed18f8f589a96d1e396c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YCg0IjX7bVEi.bat

Filesize
209B

MD5
d66eaa2747aa9820525f119eadaa57b0

SHA1
f7cd0ade6438ed5bfaf93c952355e03162055dc6

SHA256
12b92c45bea3f493ba8509d9bd08b06ac9dca61f7a5afc436122bfb626d41bfc

SHA512
6a023343829703c7513e0b0cd83fb26ba32c216613569a03414c73c6fc1f756ca291f1572b063d0abd8c7b81a3348782b88eac273c5c9bb54799e9f8da7927fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zs9dsULZZ0PM.bat

Filesize
209B

MD5
fd411ce1e5a7957d4a29ec249c825802

SHA1
312edd0f8874b95a01cadeafc6802528d4644b32

SHA256
963e0b1427ee603c1e61b302b41631a1bc9281e4e91db91f87d2088fb5b72c9e

SHA512
387e667e64c826968e5be8d167707144168093f9e7829b938930875a41d0280c9ebf8f422d777511a6f5384400d0a635d84ad63542eae49ba9d80282e269a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36JvycHATuZ.bat

Filesize
209B

MD5
f17886e5f91bbd76e9011225e8d06584

SHA1
d475ae4db35c9f5282292ffe77df7f0c33cb779f

SHA256
85ffc7d697500b276dcb7086e5f561fae63d16ccfa8573c42c27e8154abe87d9

SHA512
794e8fee37c58bbad5dda1927b21cb8f3afc63992926d1b19d6ef52479addf1ae3abc0eaf184602c2cf3d88e8c05a026054498860d4013b7731f459cd724899b

Download Submit
C:\Users\Admin\AppData\Local\Temp\goJF3jiNfy2c.bat

Filesize
209B

MD5
cd2ba6b5b8c2324069c959c43b520ab6

SHA1
7180f294a92f0a5adf8b399de2d4003e4a581e1e

SHA256
c7db844025c9230daf187ba3ec4d1a55208543f3323e93c4d02466c2a31f091c

SHA512
833ee43531c4add583534915226ae8d694a845c793161976f62d5c21d12a58ff5a9bd258bf799a318f0a3a172688eb83e8888a866df36e325adb563c145be392

Download Submit
C:\Users\Admin\AppData\Local\Temp\iSLQyld8nCoj.bat

Filesize
209B

MD5
852aef056c4c7dd9342cb47e11ec658f

SHA1
a3f01bbb0e685eb6a88240fe3e0e63dbac52003f

SHA256
c9e22d2b84378c62118f046a6b8cacf92ae2f0899e21249bbbdfbd5dae425162

SHA512
67a41c8980b44a76b02604c3330905ad22263d5d175e0e9f93362de6822f0b115950f8180f4b8457f5eaad0401e95104e821d716e7a90eed95e0afd4d9853a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\prmkbdetZV8M.bat

Filesize
209B

MD5
1aae80a97d0b65a8330c926a59873280

SHA1
8b322407abe1dc4fca93f165485c875d709bd71a

SHA256
e22664861a180f761865209631daabf12d375132097d0cac41b63ce8647ee598

SHA512
7ba424f68d4caab6adf97e9b5854c238373e776580ecc0272c2ff888829169266283a59c03a00a1e85f535120785d6cf8eaf8a350318665a01a436f1a7a000b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxC5iCRajjyV.bat

Filesize
209B

MD5
978843781ce076b37c6305e50bb00706

SHA1
60a1816737804dff3cc8719fb1ccebed894adfe9

SHA256
65d6572f95a39217cc5acb4c3e84fc6741e5c5b008fc96a40eeb8a17fa963b27

SHA512
42edbf1ad2a118c4115a6928e6c3b6e62043afbc322001ecf9745785355ef3e56f1fd7cb6813826bd444530c7e299dd845b3391a790915ab515fe6117f6bccde

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3wjHXI1qZFm.bat

Filesize
209B

MD5
f9f4092c5e866af2612753291827161f

SHA1
e443fa04541d4e4f25d92e5a90b4b7bcc63caf32

SHA256
b9d9911c3542a8ea26e9c12b7b14e42ca8811e5b0358b41cb9892829a87150b1

SHA512
f4f6d4919f3f46153bba2cf17f8d11528b149cc68b6a811d8357330796308df544ea1b1c570537217e29a88be83559cb4b13b7f2e4da9b033322887eec47cf0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvmXnRABD76r.bat

Filesize
209B

MD5
c50225cf42137d290fecd73d889061ff

SHA1
7b4196d18ad2734b129db06333537ecfa8b3224f

SHA256
221a59bb6be7d64a6cd7b99c6e7fc689e1675a4bae7475149f3a3819d1a6c667

SHA512
ab943315ef2fc87e38832d018c9aa9646e49e2c5fd01ef57451d44aeff48c7bc94a824359f72608aff7668fb8beda97a1c3e2b3598007122cc67aa28ecf62f4f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\svchost.exe

Filesize
3.1MB

MD5
cda244bc8f0486f4bce677dc71784369

SHA1
a7639235f14ed1ad673d2bfde070c266817e58b4

SHA256
ceec77c3852dd8b1fe96799500350ecf1d8e7c3e2a5931d58a6c99a711c9bfec

SHA512
3d6cd367f888923da267830e4e497808de31eed5e1d96a5de68ed82d0090aa23e41f1963ffb7cecc74fbf09948466a74666b4abaf7973b61da182b8e0096dea4

Download Submit
memory/1712-0-0x00007FFEC0ED3000-0x00007FFEC0ED5000-memory.dmp

Filesize
8KB

Download
memory/1712-10-0x00007FFEC0ED0000-0x00007FFEC1991000-memory.dmp

Filesize
10.8MB

Download
memory/1712-2-0x00007FFEC0ED0000-0x00007FFEC1991000-memory.dmp

Filesize
10.8MB

Download
memory/1712-1-0x0000000000B50000-0x0000000000E74000-memory.dmp

Filesize
3.1MB

Download
memory/3908-17-0x00007FFEC0ED0000-0x00007FFEC1991000-memory.dmp

Filesize
10.8MB

Download
memory/3908-12-0x000000001D460000-0x000000001D512000-memory.dmp

Filesize
712KB

Download
memory/3908-11-0x000000001D350000-0x000000001D3A0000-memory.dmp

Filesize
320KB

Download
memory/3908-9-0x00007FFEC0ED0000-0x00007FFEC1991000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads