quasar | e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
28-09-2023 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84196815c135e19db65295a1cea9a522.exe
Size

3.1MB
MD5

84196815c135e19db65295a1cea9a522
SHA1

fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256

e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA512

3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
SSDEEP

49152:7vWhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaYiRJ6TbR3LoGdjTHHB72eh2NT:7v4t2d5aKCuVPzlEmVQ0wvwfYiRJ6F

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

slave

cherrywoods-29890.portmap.host:29890:16243

Mutex

5d49d039-8bce-40c5-82b6-413e6ca1279a

Attributes

encryption_key
2E34CBDFC0A612A970A99A781D3AB0C010E1A59C
install_name
cvvhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security notification icon
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1692-0-0x00000000010E0000-0x0000000001404000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\system32\SubDir\cvvhost.exe	family_quasar
behavioral1/memory/2716-9-0x0000000000D90000-0x00000000010B4000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
behavioral1/memory/1064-64-0x0000000001330000-0x0000000001654000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
behavioral1/memory/3008-132-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
behavioral1/memory/1620-159-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
C:\Windows\System32\SubDir\cvvhost.exe	family_quasar
behavioral1/memory/2316-175-0x0000000001260000-0x0000000001584000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid	process
2716	cvvhost.exe
2528	cvvhost.exe
2368	cvvhost.exe
2764	cvvhost.exe
1064	cvvhost.exe
780	cvvhost.exe
608	cvvhost.exe
1712	cvvhost.exe
2704	cvvhost.exe
3008	cvvhost.exe
472	cvvhost.exe
1620	cvvhost.exe
2316	cvvhost.exe

Drops file in System32 directory 29 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.exe84196815c135e19db65295a1cea9a522.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	84196815c135e19db65295a1cea9a522.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File created	C:\Windows\system32\SubDir\cvvhost.exe	84196815c135e19db65295a1cea9a522.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	84196815c135e19db65295a1cea9a522.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir\cvvhost.exe	cvvhost.exe
File opened for modification	C:\Windows\system32\SubDir	cvvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1232	schtasks.exe
2360	schtasks.exe
2492	schtasks.exe
1132	schtasks.exe
2884	schtasks.exe
1476	schtasks.exe
1904	schtasks.exe
1908	schtasks.exe
472	schtasks.exe
2320	schtasks.exe
2996	schtasks.exe
1556	schtasks.exe
768	schtasks.exe
1532	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2160	PING.EXE
1340	PING.EXE
2708	PING.EXE
1916	PING.EXE
548	PING.EXE
2120	PING.EXE
2484	PING.EXE
2988	PING.EXE
1400	PING.EXE
2264	PING.EXE
2656	PING.EXE
1412	PING.EXE
1808	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

84196815c135e19db65295a1cea9a522.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

description	pid	process
Token: SeDebugPrivilege	1692	84196815c135e19db65295a1cea9a522.exe
Token: SeDebugPrivilege	2716	cvvhost.exe
Token: SeDebugPrivilege	2528	cvvhost.exe
Token: SeDebugPrivilege	2368	cvvhost.exe
Token: SeDebugPrivilege	2764	cvvhost.exe
Token: SeDebugPrivilege	1064	cvvhost.exe
Token: SeDebugPrivilege	780	cvvhost.exe
Token: SeDebugPrivilege	608	cvvhost.exe
Token: SeDebugPrivilege	1712	cvvhost.exe
Token: SeDebugPrivilege	2704	cvvhost.exe
Token: SeDebugPrivilege	3008	cvvhost.exe
Token: SeDebugPrivilege	472	cvvhost.exe
Token: SeDebugPrivilege	1620	cvvhost.exe
Token: SeDebugPrivilege	2316	cvvhost.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid	process
2716	cvvhost.exe
2528	cvvhost.exe
2368	cvvhost.exe
2764	cvvhost.exe
1064	cvvhost.exe
780	cvvhost.exe
608	cvvhost.exe
1712	cvvhost.exe
2704	cvvhost.exe
3008	cvvhost.exe
472	cvvhost.exe
1620	cvvhost.exe
2316	cvvhost.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

cvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.execvvhost.exe

pid	process
2716	cvvhost.exe
2528	cvvhost.exe
2368	cvvhost.exe
2764	cvvhost.exe
1064	cvvhost.exe
780	cvvhost.exe
608	cvvhost.exe
1712	cvvhost.exe
2704	cvvhost.exe
3008	cvvhost.exe
472	cvvhost.exe
1620	cvvhost.exe
2316	cvvhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvvhost.exe

pid process

2716 cvvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

84196815c135e19db65295a1cea9a522.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.execvvhost.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 1908	1692	84196815c135e19db65295a1cea9a522.exe	schtasks.exe
PID 1692 wrote to memory of 1908	1692	84196815c135e19db65295a1cea9a522.exe	schtasks.exe
PID 1692 wrote to memory of 1908	1692	84196815c135e19db65295a1cea9a522.exe	schtasks.exe
PID 1692 wrote to memory of 2716	1692	84196815c135e19db65295a1cea9a522.exe	cvvhost.exe
PID 1692 wrote to memory of 2716	1692	84196815c135e19db65295a1cea9a522.exe	cvvhost.exe
PID 1692 wrote to memory of 2716	1692	84196815c135e19db65295a1cea9a522.exe	cvvhost.exe
PID 2716 wrote to memory of 2492	2716	cvvhost.exe	schtasks.exe
PID 2716 wrote to memory of 2492	2716	cvvhost.exe	schtasks.exe
PID 2716 wrote to memory of 2492	2716	cvvhost.exe	schtasks.exe
PID 2716 wrote to memory of 2624	2716	cvvhost.exe	cmd.exe
PID 2716 wrote to memory of 2624	2716	cvvhost.exe	cmd.exe
PID 2716 wrote to memory of 2624	2716	cvvhost.exe	cmd.exe
PID 2624 wrote to memory of 2600	2624	cmd.exe	chcp.com
PID 2624 wrote to memory of 2600	2624	cmd.exe	chcp.com
PID 2624 wrote to memory of 2600	2624	cmd.exe	chcp.com
PID 2624 wrote to memory of 2484	2624	cmd.exe	PING.EXE
PID 2624 wrote to memory of 2484	2624	cmd.exe	PING.EXE
PID 2624 wrote to memory of 2484	2624	cmd.exe	PING.EXE
PID 2624 wrote to memory of 2528	2624	cmd.exe	cvvhost.exe
PID 2624 wrote to memory of 2528	2624	cmd.exe	cvvhost.exe
PID 2624 wrote to memory of 2528	2624	cmd.exe	cvvhost.exe
PID 2528 wrote to memory of 2996	2528	cvvhost.exe	schtasks.exe
PID 2528 wrote to memory of 2996	2528	cvvhost.exe	schtasks.exe
PID 2528 wrote to memory of 2996	2528	cvvhost.exe	schtasks.exe
PID 2528 wrote to memory of 2832	2528	cvvhost.exe	cmd.exe
PID 2528 wrote to memory of 2832	2528	cvvhost.exe	cmd.exe
PID 2528 wrote to memory of 2832	2528	cvvhost.exe	cmd.exe
PID 2832 wrote to memory of 2968	2832	cmd.exe	chcp.com
PID 2832 wrote to memory of 2968	2832	cmd.exe	chcp.com
PID 2832 wrote to memory of 2968	2832	cmd.exe	chcp.com
PID 2832 wrote to memory of 2988	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2988	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2988	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2368	2832	cmd.exe	cvvhost.exe
PID 2832 wrote to memory of 2368	2832	cmd.exe	cvvhost.exe
PID 2832 wrote to memory of 2368	2832	cmd.exe	cvvhost.exe
PID 2368 wrote to memory of 472	2368	cvvhost.exe	schtasks.exe
PID 2368 wrote to memory of 472	2368	cvvhost.exe	schtasks.exe
PID 2368 wrote to memory of 472	2368	cvvhost.exe	schtasks.exe
PID 2368 wrote to memory of 112	2368	cvvhost.exe	cmd.exe
PID 2368 wrote to memory of 112	2368	cvvhost.exe	cmd.exe
PID 2368 wrote to memory of 112	2368	cvvhost.exe	cmd.exe
PID 112 wrote to memory of 1952	112	cmd.exe	chcp.com
PID 112 wrote to memory of 1952	112	cmd.exe	chcp.com
PID 112 wrote to memory of 1952	112	cmd.exe	chcp.com
PID 112 wrote to memory of 2160	112	cmd.exe	PING.EXE
PID 112 wrote to memory of 2160	112	cmd.exe	PING.EXE
PID 112 wrote to memory of 2160	112	cmd.exe	PING.EXE
PID 112 wrote to memory of 2764	112	cmd.exe	cvvhost.exe
PID 112 wrote to memory of 2764	112	cmd.exe	cvvhost.exe
PID 112 wrote to memory of 2764	112	cmd.exe	cvvhost.exe
PID 2764 wrote to memory of 1132	2764	cvvhost.exe	schtasks.exe
PID 2764 wrote to memory of 1132	2764	cvvhost.exe	schtasks.exe
PID 2764 wrote to memory of 1132	2764	cvvhost.exe	schtasks.exe
PID 2764 wrote to memory of 1784	2764	cvvhost.exe	cmd.exe
PID 2764 wrote to memory of 1784	2764	cvvhost.exe	cmd.exe
PID 2764 wrote to memory of 1784	2764	cvvhost.exe	cmd.exe
PID 1784 wrote to memory of 1532	1784	cmd.exe	chcp.com
PID 1784 wrote to memory of 1532	1784	cmd.exe	chcp.com
PID 1784 wrote to memory of 1532	1784	cmd.exe	chcp.com
PID 1784 wrote to memory of 1400	1784	cmd.exe	PING.EXE
PID 1784 wrote to memory of 1400	1784	cmd.exe	PING.EXE
PID 1784 wrote to memory of 1400	1784	cmd.exe	PING.EXE
PID 1784 wrote to memory of 1064	1784	cmd.exe	cvvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1908

C:\Users\Admin\AppData\Local\Temp\84196815c135e19db65295a1cea9a522.exe
"C:\Users\Admin\AppData\Local\Temp\84196815c135e19db65295a1cea9a522.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZDTQG4jhbM5m.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2600

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2484

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fClJRyXOndIm.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2968

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2988

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:472

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\m1luPA9JceVY.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1952

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2160

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\91V1I7JKeznu.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1532

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1400

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1064

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\b2s1c3RSXuqb.bat" "
11⤵
PID:2388

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2024

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1340

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:780

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QZJzk7xWB84y.bat" "
13⤵
PID:1836

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1924

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2264

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:608

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qlsmBIfVQlQt.bat" "
15⤵
PID:888

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2452

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2708

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1712

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\G73NCKqhiHMU.bat" "
17⤵
PID:2744

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1916

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:768

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWGkhoTokLhT.bat" "
19⤵
PID:3028

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2488

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2656

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3008

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D92CUUrksXvv.bat" "
21⤵
PID:2376

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2856

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1412

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:472

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5oaMrQidT9bO.bat" "
23⤵
PID:2160

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:548

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1620

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cL6dGe21uqfK.bat" "
25⤵
PID:1060

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:1160

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2120

C:\Windows\system32\SubDir\cvvhost.exe
"C:\Windows\system32\SubDir\cvvhost.exe"
26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2316

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WZJMZCdWxIou.bat" "
27⤵
PID:1520

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:1548

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1808

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5oaMrQidT9bO.bat
Filesize
197B

MD5
3f75a67a965af9557c54db2ae8e469f3

SHA1
ac9f92469dfca8ad2c448487d6f3864b5533144a

SHA256
131d22935075294a003fa888f6f3c64557a1d6d69d57c6610b3905df28f2923c

SHA512
6c86c4949d5aff0933f5f22521a0d6d0f934a0b832dce17e4cc7e61275620e6e38177551a1e64ba665a2271e6be0165d6d14bfc78330d2e0298f09803e0eb7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5oaMrQidT9bO.bat
Filesize
197B

MD5
3f75a67a965af9557c54db2ae8e469f3

SHA1
ac9f92469dfca8ad2c448487d6f3864b5533144a

SHA256
131d22935075294a003fa888f6f3c64557a1d6d69d57c6610b3905df28f2923c

SHA512
6c86c4949d5aff0933f5f22521a0d6d0f934a0b832dce17e4cc7e61275620e6e38177551a1e64ba665a2271e6be0165d6d14bfc78330d2e0298f09803e0eb7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\91V1I7JKeznu.bat
Filesize
197B

MD5
88ea1b2489b9a314f1ae9c667a1a6a4a

SHA1
9b27c8faa39f74fe1a4c2e72beb4d4529c37e63d

SHA256
76dd586c71f9b4336d0254700f14f8d01f9887f6874fca33d1243e62caed4b69

SHA512
2606afb9613b41e55f3151f413db8809d3ad901321445ca74124069f0c0d268fd06a91c7b3ede7463c57b8966e4f3df29293da902a07fb79b431103085f0520d

Download Submit
C:\Users\Admin\AppData\Local\Temp\91V1I7JKeznu.bat
Filesize
197B

MD5
88ea1b2489b9a314f1ae9c667a1a6a4a

SHA1
9b27c8faa39f74fe1a4c2e72beb4d4529c37e63d

SHA256
76dd586c71f9b4336d0254700f14f8d01f9887f6874fca33d1243e62caed4b69

SHA512
2606afb9613b41e55f3151f413db8809d3ad901321445ca74124069f0c0d268fd06a91c7b3ede7463c57b8966e4f3df29293da902a07fb79b431103085f0520d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D92CUUrksXvv.bat
Filesize
197B

MD5
07da808baac41d20725bb4f7daf0c279

SHA1
c3b6a18f770d93ffc5039ddcba4fd6ba075515fc

SHA256
e1505027be2520dd28c4511d0b9f0ab0f75fadf3cbe53a24f49b6eb41ed692d8

SHA512
716782e3ccfb782765ba7dba21b6054e7aa6a3a1ddef94eedf06bf93fcc81e00c39e1bcd320d9143a67d567b2f7ee39b4cdb04393d0de6ce7086011ccaff54e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D92CUUrksXvv.bat
Filesize
197B

MD5
07da808baac41d20725bb4f7daf0c279

SHA1
c3b6a18f770d93ffc5039ddcba4fd6ba075515fc

SHA256
e1505027be2520dd28c4511d0b9f0ab0f75fadf3cbe53a24f49b6eb41ed692d8

SHA512
716782e3ccfb782765ba7dba21b6054e7aa6a3a1ddef94eedf06bf93fcc81e00c39e1bcd320d9143a67d567b2f7ee39b4cdb04393d0de6ce7086011ccaff54e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\G73NCKqhiHMU.bat
Filesize
197B

MD5
7a698fb6968de9f2e74870adc2fd9fce

SHA1
cae137e3cdf4968bb33c9377faec328397e54a6b

SHA256
802024ef9a5210a2ec2ad947d3aa8070a323a34e50ddc6e7d2cb1907ac08f482

SHA512
3043390a9d02c273d15dd6fb71f2a4b37b2ebf17aaf03e48c223672e4ef0ef57564ebe7e0b56c903734fc4264fce0eb8953a58aa0c2c5e02d41c5509dfa9c9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\G73NCKqhiHMU.bat
Filesize
197B

MD5
7a698fb6968de9f2e74870adc2fd9fce

SHA1
cae137e3cdf4968bb33c9377faec328397e54a6b

SHA256
802024ef9a5210a2ec2ad947d3aa8070a323a34e50ddc6e7d2cb1907ac08f482

SHA512
3043390a9d02c273d15dd6fb71f2a4b37b2ebf17aaf03e48c223672e4ef0ef57564ebe7e0b56c903734fc4264fce0eb8953a58aa0c2c5e02d41c5509dfa9c9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QZJzk7xWB84y.bat
Filesize
197B

MD5
62cd7222d2757ad82ce1ec225f8ef743

SHA1
d6f1da2d585391a38f4f6f6194722a3f98a60f37

SHA256
8e888fe327f7de0d934ad1d5f4b371bcdbbaa9a9c611dfe81d6d32cc56de0de9

SHA512
c90010a59bdff8675ea9d77369efe5c7eace2a000ceecba33c3d6274f72367e30985f5ef53155852fa03af6c2b67325398785653f82d99018064257c8de525b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QZJzk7xWB84y.bat
Filesize
197B

MD5
62cd7222d2757ad82ce1ec225f8ef743

SHA1
d6f1da2d585391a38f4f6f6194722a3f98a60f37

SHA256
8e888fe327f7de0d934ad1d5f4b371bcdbbaa9a9c611dfe81d6d32cc56de0de9

SHA512
c90010a59bdff8675ea9d77369efe5c7eace2a000ceecba33c3d6274f72367e30985f5ef53155852fa03af6c2b67325398785653f82d99018064257c8de525b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZJMZCdWxIou.bat
Filesize
197B

MD5
9f82ef04a02c28c7a4656eb288f1e89b

SHA1
bbc69d420fce803616d6e533678fbdb8239a2231

SHA256
d1f5abf17f74f51ae26ba8e6e30a4e63a3532177804c1050c2baba9bab10a103

SHA512
eb3dfde90817383dc1c1881dc50bae8557b7288c5b67bfe1c27e4086f0a1acc026108bb878d4e729f1a5fe302a87c2d1b152ea09f5c4d4c62068b9282387eeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZJMZCdWxIou.bat
Filesize
197B

MD5
9f82ef04a02c28c7a4656eb288f1e89b

SHA1
bbc69d420fce803616d6e533678fbdb8239a2231

SHA256
d1f5abf17f74f51ae26ba8e6e30a4e63a3532177804c1050c2baba9bab10a103

SHA512
eb3dfde90817383dc1c1881dc50bae8557b7288c5b67bfe1c27e4086f0a1acc026108bb878d4e729f1a5fe302a87c2d1b152ea09f5c4d4c62068b9282387eeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDTQG4jhbM5m.bat
Filesize
197B

MD5
dfbdef600ac50bec690785390df32a9c

SHA1
0548d60628d61fdb826db8616f202a5fdb104e19

SHA256
0de3e3941e364692d5b4c2ca85479476d3d2ac1898b48469c60a33980dc16497

SHA512
404efd907e3e360649c952d210c46302990622e763e41810a7fb31ef5476da06f80445f805737dab5f0aa793fe1410e5dea60f25ee96765520ab39927a1d92df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDTQG4jhbM5m.bat
Filesize
197B

MD5
dfbdef600ac50bec690785390df32a9c

SHA1
0548d60628d61fdb826db8616f202a5fdb104e19

SHA256
0de3e3941e364692d5b4c2ca85479476d3d2ac1898b48469c60a33980dc16497

SHA512
404efd907e3e360649c952d210c46302990622e763e41810a7fb31ef5476da06f80445f805737dab5f0aa793fe1410e5dea60f25ee96765520ab39927a1d92df

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2s1c3RSXuqb.bat
Filesize
197B

MD5
d3d61aaa5fae550a289916007fb35f47

SHA1
70045b8efbbe15a0c8840d04ef4be6fa2fd5e8d9

SHA256
c9642e4d78d61fba38f26755a1de14d0a7922d8c94b5bc301513c5b6cc9ab3cf

SHA512
2aa908d19d0bedc4d586d88b0102ae84814e57db21537d1aa740c8a2e6a349c6a874058607a13f404e3127de3031e9d8cc995eb40752f7ca91525ab4156cf851

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2s1c3RSXuqb.bat
Filesize
197B

MD5
d3d61aaa5fae550a289916007fb35f47

SHA1
70045b8efbbe15a0c8840d04ef4be6fa2fd5e8d9

SHA256
c9642e4d78d61fba38f26755a1de14d0a7922d8c94b5bc301513c5b6cc9ab3cf

SHA512
2aa908d19d0bedc4d586d88b0102ae84814e57db21537d1aa740c8a2e6a349c6a874058607a13f404e3127de3031e9d8cc995eb40752f7ca91525ab4156cf851

Download Submit
C:\Users\Admin\AppData\Local\Temp\cL6dGe21uqfK.bat
Filesize
197B

MD5
e6f09d230eaddf181c9122a5622c2c9d

SHA1
7b4e8e05b83136750103a96787188f426cd7b3b3

SHA256
1b4021a098529e27085cc439c0093a69416791b9dd83f28ae51ba68b8b957bf7

SHA512
d2f474d85e4aec1b3eb623b5f64af4ed32090881d467acb287fcb38ac1e71ae1d84e6c87228a104fa791455cb6e2ef0db162a0ddbccf75277c94be90d45395e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cL6dGe21uqfK.bat
Filesize
197B

MD5
e6f09d230eaddf181c9122a5622c2c9d

SHA1
7b4e8e05b83136750103a96787188f426cd7b3b3

SHA256
1b4021a098529e27085cc439c0093a69416791b9dd83f28ae51ba68b8b957bf7

SHA512
d2f474d85e4aec1b3eb623b5f64af4ed32090881d467acb287fcb38ac1e71ae1d84e6c87228a104fa791455cb6e2ef0db162a0ddbccf75277c94be90d45395e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fClJRyXOndIm.bat
Filesize
197B

MD5
1952d2e082c12000e78af4eb5afed0fd

SHA1
28c5972ae9986490f751b164d25ac9b8b71d8a4f

SHA256
f27bfe46b9972b07ade268c0940784fb486f33fb2c6c5be5473a1334560aad86

SHA512
9c09ed1287c5f7dec35979bac815b87fa2f4fbdf7bb9afb81e28b41256a6aa822eec5df4d06e312e1ef7c231bd02d30229f99c674c78d3bf35fd238532a6ec31

Download Submit
C:\Users\Admin\AppData\Local\Temp\fClJRyXOndIm.bat
Filesize
197B

MD5
1952d2e082c12000e78af4eb5afed0fd

SHA1
28c5972ae9986490f751b164d25ac9b8b71d8a4f

SHA256
f27bfe46b9972b07ade268c0940784fb486f33fb2c6c5be5473a1334560aad86

SHA512
9c09ed1287c5f7dec35979bac815b87fa2f4fbdf7bb9afb81e28b41256a6aa822eec5df4d06e312e1ef7c231bd02d30229f99c674c78d3bf35fd238532a6ec31

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1luPA9JceVY.bat
Filesize
197B

MD5
c33320a0f3dfead1c414262570c5777b

SHA1
31ec716440bbe522b8eb18770c42662b4acdc51e

SHA256
90e34ae36d6ce8518d46d5159aac2bcf5a9ad04a881a313e90d4c47614121c6e

SHA512
fcc801fc4490bcb1ba910700f09b7b4ae51848172030911acb89842fa2b484cec00cdae8f015a893aacb80bceba3a53b866a060d000b617c18d8c2360a450a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1luPA9JceVY.bat
Filesize
197B

MD5
c33320a0f3dfead1c414262570c5777b

SHA1
31ec716440bbe522b8eb18770c42662b4acdc51e

SHA256
90e34ae36d6ce8518d46d5159aac2bcf5a9ad04a881a313e90d4c47614121c6e

SHA512
fcc801fc4490bcb1ba910700f09b7b4ae51848172030911acb89842fa2b484cec00cdae8f015a893aacb80bceba3a53b866a060d000b617c18d8c2360a450a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWGkhoTokLhT.bat
Filesize
197B

MD5
30e341c49bdab23aa6655698c315083a

SHA1
6d8648c6ae01cba35a8607b728be622531338f78

SHA256
0721f681d74ad6653daa078606c221e2af221d9807d74b466e7421e141ef9db3

SHA512
ed35146a06d37f3d54210abceacfc17aad126f9a4688076fcd222eeb5b219102b3b0c504ed06051ef8621c7d9427e6d8e46e74d3d4cf5d9078a5952872b570ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWGkhoTokLhT.bat
Filesize
197B

MD5
30e341c49bdab23aa6655698c315083a

SHA1
6d8648c6ae01cba35a8607b728be622531338f78

SHA256
0721f681d74ad6653daa078606c221e2af221d9807d74b466e7421e141ef9db3

SHA512
ed35146a06d37f3d54210abceacfc17aad126f9a4688076fcd222eeb5b219102b3b0c504ed06051ef8621c7d9427e6d8e46e74d3d4cf5d9078a5952872b570ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlsmBIfVQlQt.bat
Filesize
197B

MD5
c5f190568c54cc996fa7c25e219e2cb7

SHA1
8c2d43b121141d953ac57505becc6b490a066642

SHA256
ff7c276f4e76e26c57760205a1797bc39da10a0806ccb6db6b31b1f1447415ac

SHA512
0cbb59499945685077ed2fe6147cc9e40107e89f6b7650e97de4eb4334f915144a6f199e9268b2fc9fed077bc7e1199d257d91caf1918ae24dd64e55ad1dfd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlsmBIfVQlQt.bat
Filesize
197B

MD5
c5f190568c54cc996fa7c25e219e2cb7

SHA1
8c2d43b121141d953ac57505becc6b490a066642

SHA256
ff7c276f4e76e26c57760205a1797bc39da10a0806ccb6db6b31b1f1447415ac

SHA512
0cbb59499945685077ed2fe6147cc9e40107e89f6b7650e97de4eb4334f915144a6f199e9268b2fc9fed077bc7e1199d257d91caf1918ae24dd64e55ad1dfd06

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\System32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
C:\Windows\system32\SubDir\cvvhost.exe
Filesize
3.1MB

MD5
84196815c135e19db65295a1cea9a522

SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f

SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8

SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/472-146-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/472-156-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/608-103-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/608-91-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/780-79-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/780-89-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/1064-77-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/1064-66-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1064-64-0x0000000001330000-0x0000000001654000-memory.dmp

Filesize
3.1MB

Download
memory/1064-65-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-161-0x000000001B3B0000-0x000000001B430000-memory.dmp

Filesize
512KB

Download
memory/1620-160-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-159-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/1620-172-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/1692-0-0x00000000010E0000-0x0000000001404000-memory.dmp

Filesize
3.1MB

Download
memory/1692-2-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/1692-10-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1692-1-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-105-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-115-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-175-0x0000000001260000-0x0000000001584000-memory.dmp

Filesize
3.1MB

Download
memory/2316-176-0x000000001B340000-0x000000001B3C0000-memory.dmp

Filesize
512KB

Download
memory/2316-174-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-187-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2368-37-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2368-36-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2368-48-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-34-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-24-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2528-23-0x000007FEF4EF0000-0x000007FEF58DC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-117-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-130-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-118-0x00000000004E0000-0x0000000000560000-memory.dmp

Filesize
512KB

Download
memory/2716-21-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-11-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2716-9-0x0000000000D90000-0x00000000010B4000-memory.dmp

Filesize
3.1MB

Download
memory/2716-8-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-62-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-51-0x000000001AA70000-0x000000001AAF0000-memory.dmp

Filesize
512KB

Download
memory/2764-50-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-134-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/3008-133-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-132-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/3008-144-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads