quasar | 783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe
Size

2.7MB
MD5

371d95abce192df7ac5648f4f954c456
SHA1

f243994c2906525292b44b40e78aa0358589592f
SHA256

783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f
SHA512

6ef6bf42d47e3a5b4995ddd985c6726ffd1883ecbbf3c71f62511abc7d20fde208cd0371a3bcff54c855c253e1d483dd8a9ed2b661d734df3ac526a9514b3979
SSDEEP

49152:uc4IZF1R2mztVOo6Ol9ureHIge8lDNlMdCKaGv2LkmNKUSW:uc4IZvR2mztVOo6Ol9uriIge8lP

Score

10^/10

quasar serviceone spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

serviceone

serviceofflineupdate.ddnsgeek.com:4782

Mutex

17af5434-027b-475c-85b6-fca637f3330d

Attributes

encryption_key
F5275112E106580A140655595766AE270983F72B
install_name
Chrome.exe
log_directory
Logs
reconnect_delay
6000
startup_key
chrome update
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/3888-1-0x0000000000110000-0x00000000003D2000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe family_quasar

resource	yara_rule
behavioral2/memory/3888-1-0x0000000000110000-0x00000000003D2000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe	family_quasar

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3888-1-0x0000000000110000-0x00000000003D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3888-1-0x0000000000110000-0x00000000003D2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3888-1-0x0000000000110000-0x00000000003D2000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe	INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Chrome.exe

Executes dropped EXE 14 IoCs

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

pid	process
464	Chrome.exe
2444	Chrome.exe
4272	Chrome.exe
3684	Chrome.exe
2760	Chrome.exe
3088	Chrome.exe
1476	Chrome.exe
3556	Chrome.exe
4980	Chrome.exe
4504	Chrome.exe
3440	Chrome.exe
1800	Chrome.exe
3080	Chrome.exe
2892	Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3088 PING.EXE
436 PING.EXE
1648 PING.EXE
2496 PING.EXE
4396 PING.EXE
4664 PING.EXE
4060 PING.EXE
2716 PING.EXE
2668 PING.EXE
4416 PING.EXE
448 PING.EXE
4496 PING.EXE
3948 PING.EXE
436 PING.EXE

pid	process
3088	PING.EXE
436	PING.EXE
1648	PING.EXE
2496	PING.EXE
4396	PING.EXE
4664	PING.EXE
4060	PING.EXE
2716	PING.EXE
2668	PING.EXE
4416	PING.EXE
448	PING.EXE
4496	PING.EXE
3948	PING.EXE
436	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3660	schtasks.exe
1536	schtasks.exe
640	schtasks.exe
4580	schtasks.exe
1752	schtasks.exe
3572	schtasks.exe
3996	schtasks.exe
3288	schtasks.exe
3308	schtasks.exe
3468	schtasks.exe
3408	schtasks.exe
3992	schtasks.exe
4824	schtasks.exe
2788	schtasks.exe
2484	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	3888	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe
Token: SeDebugPrivilege	464	Chrome.exe
Token: SeDebugPrivilege	2444	Chrome.exe
Token: SeDebugPrivilege	4272	Chrome.exe
Token: SeDebugPrivilege	3684	Chrome.exe
Token: SeDebugPrivilege	2760	Chrome.exe
Token: SeDebugPrivilege	3088	Chrome.exe
Token: SeDebugPrivilege	1476	Chrome.exe
Token: SeDebugPrivilege	3556	Chrome.exe
Token: SeDebugPrivilege	4980	Chrome.exe
Token: SeDebugPrivilege	4504	Chrome.exe
Token: SeDebugPrivilege	3440	Chrome.exe
Token: SeDebugPrivilege	1800	Chrome.exe
Token: SeDebugPrivilege	3080	Chrome.exe
Token: SeDebugPrivilege	2892	Chrome.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

pid	process
464	Chrome.exe
2444	Chrome.exe
4272	Chrome.exe
3684	Chrome.exe
2760	Chrome.exe
3088	Chrome.exe
1476	Chrome.exe
3556	Chrome.exe
4980	Chrome.exe
4504	Chrome.exe
3440	Chrome.exe
1800	Chrome.exe
3080	Chrome.exe
2892	Chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

Chrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exeChrome.exe

pid	process
464	Chrome.exe
2444	Chrome.exe
4272	Chrome.exe
3684	Chrome.exe
2760	Chrome.exe
3088	Chrome.exe
1476	Chrome.exe
3556	Chrome.exe
4980	Chrome.exe
4504	Chrome.exe
3440	Chrome.exe
1800	Chrome.exe
3080	Chrome.exe
2892	Chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exeChrome.execmd.exeChrome.execmd.exeChrome.execmd.exeChrome.execmd.exeChrome.execmd.exeChrome.execmd.exe

description	pid	process	target process
PID 3888 wrote to memory of 4824	3888	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	schtasks.exe
PID 3888 wrote to memory of 4824	3888	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	schtasks.exe
PID 3888 wrote to memory of 464	3888	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	Chrome.exe
PID 3888 wrote to memory of 464	3888	783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe	Chrome.exe
PID 464 wrote to memory of 2788	464	Chrome.exe	schtasks.exe
PID 464 wrote to memory of 2788	464	Chrome.exe	schtasks.exe
PID 464 wrote to memory of 4556	464	Chrome.exe	cmd.exe
PID 464 wrote to memory of 4556	464	Chrome.exe	cmd.exe
PID 4556 wrote to memory of 2576	4556	cmd.exe	chcp.com
PID 4556 wrote to memory of 2576	4556	cmd.exe	chcp.com
PID 4556 wrote to memory of 448	4556	cmd.exe	PING.EXE
PID 4556 wrote to memory of 448	4556	cmd.exe	PING.EXE
PID 4556 wrote to memory of 2444	4556	cmd.exe	Chrome.exe
PID 4556 wrote to memory of 2444	4556	cmd.exe	Chrome.exe
PID 2444 wrote to memory of 4580	2444	Chrome.exe	schtasks.exe
PID 2444 wrote to memory of 4580	2444	Chrome.exe	schtasks.exe
PID 2444 wrote to memory of 988	2444	Chrome.exe	cmd.exe
PID 2444 wrote to memory of 988	2444	Chrome.exe	cmd.exe
PID 988 wrote to memory of 4900	988	cmd.exe	chcp.com
PID 988 wrote to memory of 4900	988	cmd.exe	chcp.com
PID 988 wrote to memory of 3088	988	cmd.exe	PING.EXE
PID 988 wrote to memory of 3088	988	cmd.exe	PING.EXE
PID 988 wrote to memory of 4272	988	cmd.exe	Chrome.exe
PID 988 wrote to memory of 4272	988	cmd.exe	Chrome.exe
PID 4272 wrote to memory of 3660	4272	Chrome.exe	schtasks.exe
PID 4272 wrote to memory of 3660	4272	Chrome.exe	schtasks.exe
PID 4272 wrote to memory of 4032	4272	Chrome.exe	cmd.exe
PID 4272 wrote to memory of 4032	4272	Chrome.exe	cmd.exe
PID 4032 wrote to memory of 384	4032	cmd.exe	chcp.com
PID 4032 wrote to memory of 384	4032	cmd.exe	chcp.com
PID 4032 wrote to memory of 4396	4032	cmd.exe	PING.EXE
PID 4032 wrote to memory of 4396	4032	cmd.exe	PING.EXE
PID 4032 wrote to memory of 3684	4032	cmd.exe	Chrome.exe
PID 4032 wrote to memory of 3684	4032	cmd.exe	Chrome.exe
PID 3684 wrote to memory of 3288	3684	Chrome.exe	schtasks.exe
PID 3684 wrote to memory of 3288	3684	Chrome.exe	schtasks.exe
PID 3684 wrote to memory of 1208	3684	Chrome.exe	cmd.exe
PID 3684 wrote to memory of 1208	3684	Chrome.exe	cmd.exe
PID 1208 wrote to memory of 4376	1208	cmd.exe	chcp.com
PID 1208 wrote to memory of 4376	1208	cmd.exe	chcp.com
PID 1208 wrote to memory of 4664	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 4664	1208	cmd.exe	PING.EXE
PID 1208 wrote to memory of 2760	1208	cmd.exe	Chrome.exe
PID 1208 wrote to memory of 2760	1208	cmd.exe	Chrome.exe
PID 2760 wrote to memory of 2484	2760	Chrome.exe	schtasks.exe
PID 2760 wrote to memory of 2484	2760	Chrome.exe	schtasks.exe
PID 2760 wrote to memory of 3696	2760	Chrome.exe	cmd.exe
PID 2760 wrote to memory of 3696	2760	Chrome.exe	cmd.exe
PID 3696 wrote to memory of 3948	3696	cmd.exe	chcp.com
PID 3696 wrote to memory of 3948	3696	cmd.exe	chcp.com
PID 3696 wrote to memory of 4060	3696	cmd.exe	PING.EXE
PID 3696 wrote to memory of 4060	3696	cmd.exe	PING.EXE
PID 3696 wrote to memory of 3088	3696	cmd.exe	Chrome.exe
PID 3696 wrote to memory of 3088	3696	cmd.exe	Chrome.exe
PID 3088 wrote to memory of 3308	3088	Chrome.exe	schtasks.exe
PID 3088 wrote to memory of 3308	3088	Chrome.exe	schtasks.exe
PID 3088 wrote to memory of 4976	3088	Chrome.exe	cmd.exe
PID 3088 wrote to memory of 4976	3088	Chrome.exe	cmd.exe
PID 4976 wrote to memory of 3252	4976	cmd.exe	chcp.com
PID 4976 wrote to memory of 3252	4976	cmd.exe	chcp.com
PID 4976 wrote to memory of 4496	4976	cmd.exe	PING.EXE
PID 4976 wrote to memory of 4496	4976	cmd.exe	PING.EXE
PID 4976 wrote to memory of 1476	4976	cmd.exe	Chrome.exe
PID 4976 wrote to memory of 1476	4976	cmd.exe	Chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe
"C:\Users\Admin\AppData\Local\Temp\783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fHXHC6h8irAY.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2576

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:448

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqHwZW5Pf17A.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:4900

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3088

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dnyt2FrS8vOz.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:384

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4396

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VxzeK6uLhPxO.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4376

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4664

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKIj1Z7EuLoA.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:3948

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4060

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M3oSUvL81Lnp.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:3252

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4496

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1476

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U8tYZMfKS4fX.bat" "
15⤵
PID:4668

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2456

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:436

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3556

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MFIjck8CTOFO.bat" "
17⤵
PID:3184

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2584

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2716

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4980

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIJO6yl2JuIE.bat" "
19⤵
PID:2868

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3900

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3948

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4504

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tlPyMPDBSsDX.bat" "
21⤵
PID:3308

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:4492

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1648

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3440

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsK7ePCxSf8o.bat" "
23⤵
PID:2456

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:852

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:436

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1800

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fa9RUPzTDE32.bat" "
25⤵
PID:1120

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:4648

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2668

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3080

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l3OcltTxmfNl.bat" "
27⤵
PID:3844

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2272

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4416

C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2892

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "chrome update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nE4J6KhDhne4.bat" "
29⤵
PID:3740

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:1036

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=1268 /prefetch:8
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Chrome.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fa9RUPzTDE32.bat
Filesize
207B

MD5
9e0aec070f9c9a8e03f5c8852222ceba

SHA1
e8a9ee7b62fb4c5e224a05e52b2bcd06b6d27db7

SHA256
90721b9f47c7d71293230afd7b8e507cb1da1e12a4f6ea6ae3ce9b546c9a6465

SHA512
43f863ba0bf6b839f401eb059547e71fe8dc48ebd3e2466ef5528e7c505773feb32b4fdd5449c38c1c2e8a261625056e2179e894a291f1a30434d5907ce3e499

Download Submit
C:\Users\Admin\AppData\Local\Temp\M3oSUvL81Lnp.bat
Filesize
207B

MD5
aea31dfd0046648cca454e072e1a814f

SHA1
636e6353d316f651ce44b31d4da57e925f634a18

SHA256
4f0f16019db5cbcf9e814ae68c63e3b07de7a3bc3887493fdf86d56784a63232

SHA512
c9189056e9221b582fb51630c09f8a86373b92ba92cf44f42a6ac41233b6af706657789567b907ed51a10ee702452d00d79d069827f677d8fbb57d128bf299d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFIjck8CTOFO.bat
Filesize
207B

MD5
77af074ebaa24cf7d4b82b6832708eef

SHA1
79fd3d161bc20bb78e005bd691aead3d34d4eab5

SHA256
63a26d1db22b5b990e3074739003d9ac9cb6914f11a5103fc26ab39866bf1558

SHA512
760e84356054d9742a06b525f426e7a4db9c80007f84c06e88ef19a9e579a457e3d9451521342f254afaa97193cf3acc87522b48b597bdb72b8286bba58f334f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIJO6yl2JuIE.bat
Filesize
207B

MD5
f61fc082008780108794347d30cb5843

SHA1
e21df3ffc998300013792c38c27b12d58550bd14

SHA256
84081021ffb243ecf4a6e8c5fe4c53325f4ea66111a2044372308a250a70751c

SHA512
34cfbc515e9c0f0444b613e14c8254a606ac1a410ed07380f24a52e11160baccc7625b34546be899c82d57081080dfb7a134e40d3e442de372242f1d02715ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NsK7ePCxSf8o.bat
Filesize
207B

MD5
8c6ea8816068d15629b099865efc7ba9

SHA1
fcf6cef7b37123fe10be44568b3048bf381dd4d4

SHA256
aa1a8ed63c31e7fe7630482e9d1bc3cf64dd08965708446e4334a126744de36e

SHA512
924fb2f8bfcc9679d91837f536d63c56f0d53e2eff6f253a1c209001f98c4afe8884e90278389ab17f07732402a6ff3f1017806a05b823217c2f20ae2f75c7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\U8tYZMfKS4fX.bat
Filesize
207B

MD5
94564d04fcf1eddec201a808891bcc14

SHA1
93cd6e6d684047f90dba6b8a5beb254ab0357a50

SHA256
c53739d0ad56ff74396a85f2c31c7f9a24d5d8b7758b1a03d69e308dc9c4ea71

SHA512
380d49c17718a237633ff71b2fa1d39c1bd9caca403be52c038bb508f6133cbd96a3569778474ab0067a073247b17434085439da54110c5cdcb110684f9412a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VxzeK6uLhPxO.bat
Filesize
207B

MD5
1f9687563fb6f50da33001099e367eed

SHA1
3007eb0e09f2ae75f86d78fcbbc407dd7cdf7eec

SHA256
b2703e5cf7961cf443ff44a584ecba362786226e7b491d00f1bd3cf295553252

SHA512
e5cba5109bd4b53e7ada8896783fd025c823ae6fab678d5fa6c1c613af6cf2190421451255bca3e65c544608894135bb3595a59d0079b2f7d885ba22a41f059d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnyt2FrS8vOz.bat
Filesize
207B

MD5
88f624de44625a12e37c4dd8632ad464

SHA1
f55245a8f95e6ad6df9d0407796939ebbd511c69

SHA256
6a9117372f3723bc0f310aa672a2ede2ec1b4f8c242d045d0de11e275a9da5cb

SHA512
b60a6d7ad239d71af84bb8d45a31b2c1a3d4189c3e9bccee9cf0a63bd526b6ab94a42cfc964cdc8c9d8b7c628b1bc1cfed453719a48faced641aeb3f5a0c5797

Download Submit
C:\Users\Admin\AppData\Local\Temp\fHXHC6h8irAY.bat
Filesize
207B

MD5
bb1d10e39f13aeaffacc109af5a66ce5

SHA1
914ebee324aa257492900d6d345421344182e3c6

SHA256
8e5ee2588ab4e70e7393d2717624178930e8dff0e064a988bdab3b927c911512

SHA512
ccb29e9a8378e1424466866f99411a19d2b59271aa8bd95e7f6f8e0a351dc0f9a14caceaa86f65771877504f69585f07b64f60c177d020f5a5f4f7db578e3ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqHwZW5Pf17A.bat
Filesize
207B

MD5
d1bd7049c6e1d4499ce96c7898d0ed4b

SHA1
0f3ca22a5e24985deb20fa9ae2950cd377b84014

SHA256
f77b61b976a8e83c4de4b6dc028029e972dd374d54b78cfdbde134df5075558a

SHA512
8911d8df4733f61253cec81dab2b4aa754386f12f26d1afa96a489173783d0358d0226e57bf5fd324f5bc83e208f726e3e0b8ddc140771b07e37a8368b32e8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKIj1Z7EuLoA.bat
Filesize
207B

MD5
f32d9ca691e6e4e1205067766350bd3d

SHA1
9e3840b9fef97c9298f5f9793c4ad1cd864b92f3

SHA256
87f5cec7569cd022a0f7afb24c7045d802584082522529878b60e3dbd275824d

SHA512
f1a40c4f4587a4b830665c2c7c07889a83179d9914f1aef7c0807dd27c232a6b293ab51682563696301fdebe7cc22b5b3ef189ed01a7fe610adca13eeaf57932

Download Submit
C:\Users\Admin\AppData\Local\Temp\l3OcltTxmfNl.bat
Filesize
207B

MD5
62e562bcef5e3fa9e482032ed425afca

SHA1
19ea1569dedc46cf57b17d52ca42881c9f4aaaaa

SHA256
f48426a02605f7402adecd17207032ea137a91a0af10656e0e9f589683ad67eb

SHA512
f0d12d3a10104d70c111b2689e14159c4aba24f07ce7ab0f2d9a757504497a3db54f2eb493e74db4442a5788880663c4566ed928451caac839f81d1e4066a818

Download Submit
C:\Users\Admin\AppData\Local\Temp\nE4J6KhDhne4.bat
Filesize
207B

MD5
cea3d1f6abb9d58ead09f764858cf436

SHA1
3a4be4f2e146f6e6008146af5cf736f48bf9e441

SHA256
70f69b022cba6c480245e7b19b05857afadb60ecb1b6d79493dafe8071127796

SHA512
624d99fffb166a252d92e59f46a5bab2ff06c9ab21364e2a323f91fd1158929590d04e3cb4b1b39fc3ea38530b894196f62f6a708ac6b891ca19bc0931b25b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlPyMPDBSsDX.bat
Filesize
207B

MD5
28643c2525332fed50c1759adb35a3ca

SHA1
714bd70a76ecf5473439c9d22408bafd669af7a0

SHA256
bd8f10cb6334e8b16deee70e98f3189dd80b4f8aa4bf40a628a3d467f85b4061

SHA512
43b9d3ddf89ab737a9d5b69a5b4cd3d2efb53df76a7a5cc37a3fe8d448cc80224bed62512185605991d1df74cf8d68a664d9157992693fefe7ecc8220c7785cf

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Chrome.exe
Filesize
2.7MB

MD5
371d95abce192df7ac5648f4f954c456

SHA1
f243994c2906525292b44b40e78aa0358589592f

SHA256
783e6ea626cd72ba14c844f7de9cb57e6d56bb894aec3dbe223e81f065b2bc2f

SHA512
6ef6bf42d47e3a5b4995ddd985c6726ffd1883ecbbf3c71f62511abc7d20fde208cd0371a3bcff54c855c253e1d483dd8a9ed2b661d734df3ac526a9514b3979

Download Submit
memory/464-12-0x000000001D500000-0x000000001D550000-memory.dmp

Filesize
320KB

Download
memory/464-10-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/464-11-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/464-18-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/464-13-0x000000001D610000-0x000000001D6C2000-memory.dmp

Filesize
712KB

Download
memory/3888-9-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/3888-2-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/3888-1-0x0000000000110000-0x00000000003D2000-memory.dmp

Filesize
2.8MB

Download
memory/3888-0-0x00007FF992653000-0x00007FF992655000-memory.dmp

Filesize
8KB

Download