Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/04/2024, 21:38
Static task
- static1
Behavioral tasks
- behavioral1: Sample Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Anti-Crash (Anti-Crash method by 13ooeo).exe; Resource win7-20240221-en
- behavioral2: Sample Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Anti-Crash (Anti-Crash method by 13ooeo).exe; Resource win10v2004-20240412-en
- behavioral3: Sample Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe; Resource win7-20240221-en
- behavioral4: Sample Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe; Resource win10v2004-20240412-en
- behavioral5: Sample Chaos_V3_2/Chaos_V3 (2)/Chaos V3/fpsunlocker.exe; Resource win7-20231129-en
- behavioral6: Sample Chaos_V3_2/Chaos_V3 (2)/Chaos V3/fpsunlocker.exe; Resource win10v2004-20240412-en
- behavioral7: Sample Chaos_V3_2/Chaos_V3 (2)/Chaos V3/pssuspend.exe; Resource win7-20240221-en
- behavioral8: Sample Chaos_V3_2/Chaos_V3 (2)/Chaos V3/pssuspend.exe; Resource win10v2004-20240412-en
General
- Target: Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe
- Size: 37.8MB
- MD5: 719fd2b752f99f9ad1da3e2f439ec717
- SHA1: 900a578b55324712b3fc2edc8b44c6f336932849
- SHA256: a12504ad741383782b4e0ef4cc808903195484080f5770966aceb1d117b09697
- SHA512: b1822f059810e50a072fcd871e81b2c5d83eaf343f7322384ad34013bed3f4d6a98ed6d37c1840dfc03a925eb334981911b86de534903a941346fcac3b820601
- SSDEEP: 786432:SulzfQX0ZlAime/FtbB9lNdnl8/A539IyPA:bQXknme/FhB9PtgA539IyPA
Malware Config
Extracted: quasar
- Version: 1.4.1
- Office04
- C2: 192.168.0.78:4782
- 4616ad00-4709-44bd-a2b4-9a61d621574d
- encryption_key: DDE23047BCC4F649ACA444E89F2DBB5D52A3004D
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
Quasar payload 2 IoCs
  resource | yara_rule
  behavioral4/files/0x00070000000234a6-184.dat | family_quasar
  behavioral4/memory/4216-310-0x0000000000F40000-0x0000000001264000-memory.dmp | family_quasar
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | Chaos Launcher V3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | Chaos Launcher V3.exe
Executes dropped EXE 7 IoCs
  pid | Process
  1316 | Chaos Launcher V3.exe
  1480 | Loader.exe
  836 | Loader.exe
  1760 | main.exe
  4216 | ChaosUPD.exe
  1428 | main.exe
  4404 | Client.exe
Loads dropped DLL 64 IoCs
  pid | Process
  836 | Loader.exe
  1428 | main.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" | reg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  flow | ioc
  40 | discord.com
  43 | raw.githubusercontent.com
  44 | raw.githubusercontent.com
  85 | discord.com
  38 | discord.com
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  32 | ip-api.com
  69 | ipapi.co
  72 | ipapi.co
  80 | ipapi.co
  25 | api.ipify.org
  26 | api.ipify.org
  28 | ipapi.co
  30 | ipapi.co
Detects Pyinstaller 2 IoCs
  resource | yara_rule
  behavioral4/files/0x0008000000023379-20.dat | pyinstaller
  behavioral4/files/0x0007000000023468-110.dat | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4112 | schtasks.exe
  3396 | schtasks.exe
Modifies registry key 1 TTPs 2 IoCs
  pid | Process
  2380 | reg.exe
  1020 | reg.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
  pid | Process
  836 | Loader.exe
  1428 | main.exe
  4216 | powershell.exe
  2716 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 836 | Loader.exe
  Token: SeDebugPrivilege | 4216 | ChaosUPD.exe
  Token: SeDebugPrivilege | 1316 | Chaos Launcher V3.exe
  Token: SeDebugPrivilege | 1428 | main.exe
  Token: SeDebugPrivilege | 4404 | Client.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence is logged twice) | 2176 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 5048 | WMIC.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid | Process
  4404 | Client.exe
Suspicious use of SendNotifyMessage 1 IoCs
  pid | Process
  4404 | Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  4404 | Client.exe
Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 1048 wrote to memory of 1316 | 1048 | Chaos Launcher V3.exe | 90
  PID 1048 wrote to memory of 1480 | 1048 | Chaos Launcher V3.exe | 91
  PID 1480 wrote to memory of 836 | 1480 | Loader.exe | 93
  PID 1048 wrote to memory of 1760 | 1048 | Chaos Launcher V3.exe | 92
  PID 1048 wrote to memory of 4216 | 1048 | Chaos Launcher V3.exe | 114
  PID 1760 wrote to memory of 1428 | 1760 | main.exe | 95
  PID 1428 wrote to memory of 2008 | 1428 | main.exe | 96
  PID 836 wrote to memory of 1280 | 836 | Loader.exe | 98
  PID 4216 wrote to memory of 4112 | 4216 | ChaosUPD.exe | 100
  PID 4216 wrote to memory of 4404 | 4216 | ChaosUPD.exe | 106
  PID 1280 wrote to memory of 2176 | 1280 | cmd.exe | 107
  PID 4404 wrote to memory of 3396 | 4404 | Client.exe | 108
  PID 1428 wrote to memory of 2100 | 1428 | main.exe | 111
  PID 2100 wrote to memory of 5048 | 2100 | cmd.exe | 113
  PID 1316 wrote to memory of 4216 | 1316 | Chaos Launcher V3.exe | 114
  PID 1316 wrote to memory of 2716 | 1316 | Chaos Launcher V3.exe | 116
  PID 1428 wrote to memory of 3132 | 1428 | main.exe | 119
  PID 3132 wrote to memory of 2380 | 3132 | cmd.exe | 121
  PID 1428 wrote to memory of 2468 | 1428 | main.exe | 122
  PID 2468 wrote to memory of 1020 | 2468 | cmd.exe | 124
  PID 1428 wrote to memory of 4532 | 1428 | main.exe | 125
  PID 4532 wrote to memory of 2824 | 4532 | cmd.exe | 127
  PID 1428 wrote to memory of 3248 | 1428 | main.exe | 129
  PID 3248 wrote to memory of 4108 | 3248 | cmd.exe | 131
  PID 1428 wrote to memory of 3476 | 1428 | main.exe | 132
  PID 3476 wrote to memory of 4892 | 3476 | cmd.exe | 134
  PID 1428 wrote to memory of 4524 | 1428 | main.exe | 135
  PID 4524 wrote to memory of 4944 | 4524 | cmd.exe | 137
  PID 1428 wrote to memory of 4672 | 1428 | main.exe | 139
  PID 4672 wrote to memory of 3528 | 4672 | cmd.exe | 141
  PID 1428 wrote to memory of 3252 | 1428 | main.exe | 142
  PID 3252 wrote to memory of 2836 | 3252 | cmd.exe | 144
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
PID 1048: "C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\Chaos Launcher V3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID 1316: "C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 4216: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe'
      - Suspicious behavior: EnumeratesProcesses
    PID 2716: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chaos Launcher V3.exe'
      - Suspicious behavior: EnumeratesProcesses
  PID 1480: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID 836: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID 1280: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        - Suspicious use of WriteProcessMemory
        PID 2176: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
          - Suspicious use of AdjustPrivilegeToken
  PID 1760: "C:\Users\Admin\AppData\Local\Temp\main.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID 1428: "C:\Users\Admin\AppData\Local\Temp\main.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID 2008: C:\Windows\system32\cmd.exe /c "ver"
      PID 2100: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        - Suspicious use of WriteProcessMemory
        PID 5048: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
          - Suspicious use of AdjustPrivilegeToken
      PID 3132: C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
        - Suspicious use of WriteProcessMemory
        PID 2380 (C:\Windows\system32\reg.exe): reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
          - Modifies registry key
      PID 2468: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
        - Suspicious use of WriteProcessMemory
        PID 1020 (C:\Windows\system32\reg.exe): reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
          - Adds Run key to start application
          - Modifies registry key
      PID 4532: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        - Suspicious use of WriteProcessMemory
        PID 2824: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      PID 3248: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        - Suspicious use of WriteProcessMemory
        PID 4108: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      PID 3476: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        - Suspicious use of WriteProcessMemory
        PID 4892: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      PID 4524: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        - Suspicious use of WriteProcessMemory
        PID 4944 (C:\Windows\system32\netsh.exe): netsh wlan show profiles
      PID 4672: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        - Suspicious use of WriteProcessMemory
        PID 3528 (C:\Windows\system32\netsh.exe): netsh wlan show profiles
      PID 3252: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        - Suspicious use of WriteProcessMemory
        PID 2836 (C:\Windows\system32\netsh.exe): netsh wlan show profiles
  PID 4216: "C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 4112 (C:\Windows\SYSTEM32\schtasks.exe): "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    PID 4404: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 3396 (C:\Windows\SYSTEM32\schtasks.exe): "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
Downloads