Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 01-09-2024 14:52

Behavioral task: behavioral1
- Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- Resource: win7-20240704-en
General
- Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- Size: 6.1MB
- MD5: 03778d811f241e83ccad830372313b3c
- SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
- SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
- SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
- SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted: quasar 1.4.0
- Chrome
- C2: live.nodenet.ml:8863
- 754ce6d6-f75b-4c6f-964c-3996e749369e
- encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
- install_name: chrome.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: System
- subdirectory: chrome
Signatures

Quasar payload (9 IoCs)
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Roaming\chrome.exe: family_quasar
- behavioral1/memory/2612-42-0x0000000001000000-0x0000000001084000-memory.dmp: family_quasar
- behavioral1/memory/432-47-0x0000000000270000-0x00000000002F4000-memory.dmp: family_quasar
- behavioral1/memory/820-58-0x0000000000E50000-0x0000000000ED4000-memory.dmp: family_quasar
- behavioral1/memory/2492-70-0x0000000000110000-0x0000000000194000-memory.dmp: family_quasar
- behavioral1/memory/1468-81-0x0000000001340000-0x00000000013C4000-memory.dmp: family_quasar
- behavioral1/memory/2916-124-0x00000000001D0000-0x0000000000254000-memory.dmp: family_quasar
- behavioral1/memory/2184-135-0x0000000000D90000-0x0000000000E14000-memory.dmp: family_quasar
- behavioral1/memory/1164-146-0x0000000000EB0000-0x0000000000F34000-memory.dmp: family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)

Executes dropped EXE (13 IoCs)
Processes (pid / process):
- 2612 chrome.exe
- 2628 S^X.exe
- 432 chrome.exe
- 820 chrome.exe
- 2492 chrome.exe
- 1468 chrome.exe
- 3020 chrome.exe
- 2608 chrome.exe
- 2788 chrome.exe
- 2916 chrome.exe
- 2184 chrome.exe
- 1164 chrome.exe
- 3048 chrome.exe

Loads dropped DLL (3 IoCs)
Processes (pid / process):
- 2732 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- 2732 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- 2732 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Obfuscated with Agile.Net obfuscator (7 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource / yara_rule):
- behavioral1/memory/2732-1-0x0000000000250000-0x0000000000864000-memory.dmp: agile_net
- behavioral1/memory/2732-2-0x0000000005470000-0x0000000005A82000-memory.dmp: agile_net
- behavioral1/memory/2732-21-0x0000000005470000-0x0000000005A7C000-memory.dmp: agile_net
- behavioral1/memory/2732-19-0x0000000005470000-0x0000000005A7C000-memory.dmp: agile_net
- behavioral1/memory/2732-17-0x0000000005470000-0x0000000005A7C000-memory.dmp: agile_net
- behavioral1/memory/2732-15-0x0000000005470000-0x0000000005A7C000-memory.dmp: agile_net
- behavioral1/memory/2732-22-0x0000000005470000-0x0000000005A7C000-memory.dmp: agile_net

Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll: themida
- behavioral1/memory/2732-10-0x00000000736B0000-0x0000000073CB8000-memory.dmp: themida
- behavioral1/memory/2732-11-0x00000000736B0000-0x0000000073CB8000-memory.dmp: themida
- behavioral1/memory/2732-12-0x00000000736B0000-0x0000000073CB8000-memory.dmp: themida
- behavioral1/memory/2732-40-0x00000000736B0000-0x0000000073CB8000-memory.dmp: themida

Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes (pid / process):
- 2732 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (S^X.exe)

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 11 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Processes (pid / process):
- 2072 PING.EXE
- 2528 PING.EXE
- 2688 PING.EXE
- 2980 PING.EXE
- 1660 PING.EXE
- 2208 PING.EXE
- 1296 PING.EXE
- 2924 PING.EXE
- 1432 PING.EXE
- 1928 PING.EXE
- 2988 PING.EXE

Runs ping.exe (1 TTP, 11 IoCs)
Processes (pid / process):
- 2072 PING.EXE
- 1432 PING.EXE
- 2528 PING.EXE
- 1660 PING.EXE
- 2208 PING.EXE
- 2924 PING.EXE
- 2688 PING.EXE
- 2980 PING.EXE
- 1928 PING.EXE
- 2988 PING.EXE
- 1296 PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 1100 schtasks.exe
- 2380 schtasks.exe
- 916 schtasks.exe
- 2140 schtasks.exe
- 2104 schtasks.exe
- 1136 schtasks.exe
- 2764 schtasks.exe
- 2764 schtasks.exe
- 1616 schtasks.exe
- 2616 schtasks.exe
- 2260 schtasks.exe
- 1952 schtasks.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2612 chrome.exe
- Token: SeDebugPrivilege, 2628 S^X.exe
- Token: SeDebugPrivilege, 432 chrome.exe
- Token: SeDebugPrivilege, 820 chrome.exe
- Token: SeDebugPrivilege, 2492 chrome.exe
- Token: SeDebugPrivilege, 1468 chrome.exe
- Token: SeDebugPrivilege, 3020 chrome.exe
- Token: SeDebugPrivilege, 2608 chrome.exe
- Token: SeDebugPrivilege, 2788 chrome.exe
- Token: SeDebugPrivilege, 2916 chrome.exe
- Token: SeDebugPrivilege, 2184 chrome.exe
- Token: SeDebugPrivilege, 1164 chrome.exe
- Token: SeDebugPrivilege, 3048 chrome.exe

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes (pid / process):
- 432 chrome.exe
- 820 chrome.exe
- 2492 chrome.exe
- 1468 chrome.exe
- 3020 chrome.exe
- 2608 chrome.exe
- 2788 chrome.exe
- 2916 chrome.exe
- 2184 chrome.exe
- 1164 chrome.exe
- 3048 chrome.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The bracketed number on each entry is its nesting depth in the process tree; each entry lists the image path, the command line, the PID and the signatures triggered by that process.

[1] C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
    PID: 2732
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Roaming\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
    PID: 2612
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    PID: 916
    - Scheduled Task/Job: Scheduled Task

[3] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 432
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 2764
    - Scheduled Task/Job: Scheduled Task

[4] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XNfYcUu3iswT.bat" "
    PID: 2828
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2912

[5] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2924
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[5] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 820
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 2140
    - Scheduled Task/Job: Scheduled Task

[6] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5nRGSyfhBM5h.bat" "
    PID: 2168
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1984

[7] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2072
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[7] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 2492
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 2104
    - Scheduled Task/Job: Scheduled Task

[8] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QBMQCO6uJOfD.bat" "
    PID: 2088
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 556

[9] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1432
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[9] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 1468
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 1616
    - Scheduled Task/Job: Scheduled Task

[10] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EPrbzEjoAZ0Y.bat" "
    PID: 3056

[11] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2020

[11] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2528
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[11] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 3020
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[12] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 1136
    - Scheduled Task/Job: Scheduled Task

[12] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4x1VlMn8cvQA.bat" "
    PID: 2812

[13] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2736

[13] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2688
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[13] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 2608
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 2616
    - Scheduled Task/Job: Scheduled Task

[14] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Cl5Gb7yvsur3.bat" "
    PID: 2124

[15] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2468

[15] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2980
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[15] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 2788
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[16] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 2764
    - Scheduled Task/Job: Scheduled Task

[16] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\N78bzO93wEzv.bat" "
    PID: 2408

[17] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1992

[17] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1660
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[17] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 2916
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[18] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 1100
    - Scheduled Task/Job: Scheduled Task

[18] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lu5hkh4jCKCn.bat" "
    PID: 2092

[19] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2248

[19] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1928
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[19] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 2184
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[20] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 2260
    - Scheduled Task/Job: Scheduled Task

[20] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7nMvm0NFUT4P.bat" "
    PID: 1972

[21] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2180

[21] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2208
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[21] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 1164
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[22] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 1952
    - Scheduled Task/Job: Scheduled Task

[22] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\F0pdR8lbCKtt.bat" "
    PID: 1728

[23] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2668

[23] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2988
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[23] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    PID: 3048
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[24] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    PID: 2380
    - Scheduled Task/Job: Scheduled Task

[24] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkZdCuLxZmyb.bat" "
    PID: 1380

[25] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1664

[25] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1296
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[2] C:\Users\Admin\AppData\Local\Temp\S^X.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    PID: 2628
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads