Analysis
max time kernel: 142s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 14:52
Behavioral task: behavioral1
Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource: win7-20240704-en
General
Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Size: 6.1MB
MD5: 03778d811f241e83ccad830372313b3c
SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
quasar
1.4.0
Chrome
live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures
Quasar payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\chrome.exe | family_quasar
behavioral2/memory/732-51-0x0000000000860000-0x00000000008E4000-memory.dmp | family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | chrome.exe (13 identical entries, one per chrome.exe process)
Executes dropped EXE (15 IoCs)
pid | process
732 | chrome.exe
4156 | S^X.exe
4440 | chrome.exe
1004 | chrome.exe
2948 | chrome.exe
3604 | chrome.exe
2208 | chrome.exe
2792 | chrome.exe
4968 | chrome.exe
2844 | chrome.exe
3052 | chrome.exe
3280 | chrome.exe
2580 | chrome.exe
440 | chrome.exe
4344 | chrome.exe
Loads dropped DLL (1 IoC)
pid | process
2440 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Obfuscated with Agile.Net obfuscator (7 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral2/memory/2440-1-0x00000000001E0000-0x00000000007F4000-memory.dmp | agile_net
behavioral2/memory/2440-2-0x0000000005010000-0x0000000005622000-memory.dmp | agile_net
behavioral2/memory/2440-15-0x0000000005010000-0x000000000561C000-memory.dmp | agile_net
behavioral2/memory/2440-19-0x0000000005010000-0x000000000561C000-memory.dmp | agile_net
behavioral2/memory/2440-23-0x0000000005010000-0x000000000561C000-memory.dmp | agile_net
behavioral2/memory/2440-21-0x0000000005010000-0x000000000561C000-memory.dmp | agile_net
behavioral2/memory/2440-17-0x0000000005010000-0x000000000561C000-memory.dmp | agile_net
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll | themida
behavioral2/memory/2440-11-0x00000000716C0000-0x0000000071CC8000-memory.dmp | themida
behavioral2/memory/2440-12-0x00000000716C0000-0x0000000071CC8000-memory.dmp | themida
behavioral2/memory/2440-13-0x00000000716C0000-0x0000000071CC8000-memory.dmp | themida
behavioral2/memory/2440-52-0x00000000716C0000-0x0000000071CC8000-memory.dmp | themida
Checks whether UAC is enabled (1 IoC)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | process
2440 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | S^X.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 13 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | process
2440 | PING.EXE
3632 | PING.EXE
1948 | PING.EXE
4804 | PING.EXE
1880 | PING.EXE
812 | PING.EXE
2532 | PING.EXE
2360 | PING.EXE
2780 | PING.EXE
1804 | PING.EXE
3252 | PING.EXE
2628 | PING.EXE
3976 | PING.EXE
Runs ping.exe (1 TTP, 13 IoCs)
pid | process
3252 | PING.EXE
812 | PING.EXE
2532 | PING.EXE
2360 | PING.EXE
2780 | PING.EXE
3976 | PING.EXE
2628 | PING.EXE
1804 | PING.EXE
2440 | PING.EXE
4804 | PING.EXE
3632 | PING.EXE
1948 | PING.EXE
1880 | PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTP, 14 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
2412 | schtasks.exe
3396 | schtasks.exe
2524 | schtasks.exe
1920 | schtasks.exe
4784 | schtasks.exe
2020 | schtasks.exe
1376 | schtasks.exe
2396 | schtasks.exe
1552 | schtasks.exe
3632 | schtasks.exe
876 | schtasks.exe
4480 | schtasks.exe
4420 | schtasks.exe
184 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)
description | pid | process
Token: SeDebugPrivilege | 732 | chrome.exe
Token: SeDebugPrivilege | 4440 | chrome.exe
Token: SeDebugPrivilege | 4156 | S^X.exe
Token: SeDebugPrivilege | 1004 | chrome.exe
Token: SeDebugPrivilege | 2948 | chrome.exe
Token: SeDebugPrivilege | 3604 | chrome.exe
Token: SeDebugPrivilege | 2208 | chrome.exe
Token: SeDebugPrivilege | 2792 | chrome.exe
Token: SeDebugPrivilege | 4968 | chrome.exe
Token: SeDebugPrivilege | 2844 | chrome.exe
Token: SeDebugPrivilege | 3052 | chrome.exe
Token: SeDebugPrivilege | 3280 | chrome.exe
Token: SeDebugPrivilege | 2580 | chrome.exe
Token: SeDebugPrivilege | 440 | chrome.exe
Token: SeDebugPrivilege | 4344 | chrome.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
4440 | chrome.exe
3052 | chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
PID 2440 wrote to memory of 732 (2 entries) | 2440 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2440 wrote to memory of 4156 (3 entries) | 2440 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 732 wrote to memory of 4784 (2 entries) | 732 | chrome.exe | schtasks.exe
PID 732 wrote to memory of 4440 (2 entries) | 732 | chrome.exe | chrome.exe
PID 4440 wrote to memory of 2412 (2 entries) | 4440 | chrome.exe | schtasks.exe
PID 4440 wrote to memory of 2880 (2 entries) | 4440 | chrome.exe | cmd.exe
PID 2880 wrote to memory of 1884 (2 entries) | 2880 | cmd.exe | chcp.com
PID 2880 wrote to memory of 3252 (2 entries) | 2880 | cmd.exe | PING.EXE
PID 2880 wrote to memory of 1004 (2 entries) | 2880 | cmd.exe | chrome.exe
PID 1004 wrote to memory of 876 (2 entries) | 1004 | chrome.exe | schtasks.exe
PID 1004 wrote to memory of 1580 (2 entries) | 1004 | chrome.exe | cmd.exe
PID 1580 wrote to memory of 3884 (2 entries) | 1580 | cmd.exe | chcp.com
PID 1580 wrote to memory of 2440 (2 entries) | 1580 | cmd.exe | PING.EXE
PID 1580 wrote to memory of 2948 (2 entries) | 1580 | cmd.exe | chrome.exe
PID 2948 wrote to memory of 3396 (2 entries) | 2948 | chrome.exe | schtasks.exe
PID 2948 wrote to memory of 1764 (2 entries) | 2948 | chrome.exe | cmd.exe
PID 1764 wrote to memory of 2804 (2 entries) | 1764 | cmd.exe | chcp.com
PID 1764 wrote to memory of 2628 (2 entries) | 1764 | cmd.exe | PING.EXE
PID 1764 wrote to memory of 3604 (2 entries) | 1764 | cmd.exe | chrome.exe
PID 3604 wrote to memory of 4480 (2 entries) | 3604 | chrome.exe | schtasks.exe
PID 3604 wrote to memory of 912 (2 entries) | 3604 | chrome.exe | cmd.exe
PID 912 wrote to memory of 1864 (2 entries) | 912 | cmd.exe | chcp.com
PID 912 wrote to memory of 812 (2 entries) | 912 | cmd.exe | PING.EXE
PID 912 wrote to memory of 2208 (2 entries) | 912 | cmd.exe | chrome.exe
PID 2208 wrote to memory of 4420 (2 entries) | 2208 | chrome.exe | schtasks.exe
PID 2208 wrote to memory of 672 (2 entries) | 2208 | chrome.exe | cmd.exe
PID 672 wrote to memory of 2052 (2 entries) | 672 | cmd.exe | chcp.com
PID 672 wrote to memory of 2532 (2 entries) | 672 | cmd.exe | PING.EXE
PID 672 wrote to memory of 2792 (2 entries) | 672 | cmd.exe | chrome.exe
PID 2792 wrote to memory of 184 (2 entries) | 2792 | chrome.exe | schtasks.exe
PID 2792 wrote to memory of 2764 (2 entries) | 2792 | chrome.exe | cmd.exe
PID 2764 wrote to memory of 1452 (1 entry) | 2764 | cmd.exe | chcp.com
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
Level 2: C:\Users\Admin\AppData\Roaming\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732
Level 3: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:4784
Level 3: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440
Level 4: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2412
Level 4: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iPLBKxt1WC44.bat" "
- Suspicious use of WriteProcessMemory
PID:2880
Level 5: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:1884
Level 5: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3252
Level 5: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
Level 6: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:876
Level 6: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jw8jwv1muM1c.bat" "
- Suspicious use of WriteProcessMemory
PID:1580
Level 7: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:3884
Level 7: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2440
Level 7: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
Level 8: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:3396
Level 8: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkHmkajHTT4I.bat" "
- Suspicious use of WriteProcessMemory
PID:1764
Level 9: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:2804
Level 9: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2628
Level 9: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
Level 10: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:4480
Level 10: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCLloocIWgCe.bat" "
- Suspicious use of WriteProcessMemory
PID:912
Level 11: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:1864
Level 11: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:812
Level 11: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
Level 12: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:4420
Level 12: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kXVgFHorOD9V.bat" "
- Suspicious use of WriteProcessMemory
PID:672
Level 13: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:2052
Level 13: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2532
Level 13: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
Level 14: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:184
Level 14: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYC8s2LejgpJ.bat" "
- Suspicious use of WriteProcessMemory
PID:2764
Level 15: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:1452
Level 15: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2360
Level 15: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968
Level 16: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2020
Level 16: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SlbNZMxhQ8ee.bat" "
PID:3040
Level 17: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:3236
Level 17: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3632
Level 17: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844
Level 18: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:1920
Level 18: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b3M9mwzxBOcg.bat" "
PID:1644
Level 19: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:4432
Level 19: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2780
Level 19: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3052
Level 20: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:1376
Level 20: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toJjsTceVr7y.bat" "
PID:2828
Level 21: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:1536
Level 21: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1948
Level 21: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3280
Level 22: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2524
Level 22: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4vqmUZkhunXn.bat" "
PID:2156
Level 23: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:3208
Level 23: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3976
Level 23: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2580
Level 24: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:1552
Level 24: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1j8jFR5fYZ7.bat" "
PID:468
Level 25: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:2896
Level 25: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1804
Level 25: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:440
Level 26: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:3632
Level 26: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SVrdSM8UGvGR.bat" "
PID:2176
Level 27: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:1920
Level 27: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4804
Level 27: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344
Level 28: C:\Windows\SYSTEM32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2396
Level 28: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6dSb353Tjp0l.bat" "
PID:2312
Level 29: C:\Windows\system32\chcp.com
  Command line: chcp 65001
PID:4124
Level 29: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1880
Level 2: C:\Users\Admin\AppData\Local\Temp\S^X.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4156
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
PID:512
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 2.2MB
MD5: 2d86c4ad18524003d56c1cb27c549ba8
SHA1: 123007f9337364e044b87deacf6793c2027c8f47
SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Filesize: 207B
MD5: bed43a1a0e39c4909d7e7a43158d952c
SHA1: 1c8a493cc296116c751fb878a5529969c128bdbb
SHA256: 6ed6413fc9bf60dc4ffae386ccd38c8d47434c4fecf06fc687f95cfa26ff7798
SHA512: 960f491a10797332e8454939ba121baf2adb46d485452c2f8bef0a0dfbc233a12d49baa149727a25dc6d4b47d98a994991e2873079ea64d423ffa3ca6c5da1c5

Filesize: 207B
MD5: 2d6f0bbb33fb79c29e605f556bd301f7
SHA1: 065dfd91965ac7464e379805c0681278c1b86707
SHA256: 4a3075f1642207eb39cee09ea9bf60cd07df7cecf694ffb8b78683fad52453c2
SHA512: d404444ad2bf51ee7f1d2b2c7751f3ca8182b4b44b16ff3fc3d568427ac5439af89ad6ddea75d8ec9f0c1ee7ec7b4bbea72e89a3228dae645b79f2cb59d25cef

Filesize: 207B
MD5: de1fbf444e8f7c6b1a57fd9b1e093333
SHA1: 0e109a986f8eefb9a88c7ee8d9450d7ae33a6dae
SHA256: c30551ffdf945c0405540f4ad7f7404a31976d8f884a002bac744decf8519518
SHA512: d4a00e44660c3c46802de4a481521bb3c304f5bff99b328b6799bb5876e61bb80bfaaf056856e4d0d906695e770ee996d19d81b5d379e79c879c619cd0d15813

Filesize: 789KB
MD5: e2437ac017506bbde9a81fb1f618457b
SHA1: adef2615312b31e041ccf700b3982dd50b686c7f
SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Filesize: 207B
MD5: dbddf2bdc9122d2de24dbcc762cbec53
SHA1: 35bc674b0535ce9f7696a63182a0cbdc257db983
SHA256: edd9576b39647a6ca3d04eaf39334c9ede85d177dfd7dd6010d7e0f3927f8090
SHA512: 7e83cad9d3010ffde8ab7b17fc7debe9af4f4aee254bcae5e700f5484ed1c18768c7790b0d6464974da39d0f37c9c757caf5ec1865526e3744b18506c86e9828

Filesize: 207B
MD5: 90a179dbaa2dded91a67a5695db0c359
SHA1: 4edca612a918be99732aa4879d1267d658866590
SHA256: 46569d6e88a911a28259f0cde3c208c1349177166a726b941ca01e7a0703a584
SHA512: c1677d403ba12cfee37713f504a92b298f3de2effc39185a7cc413ff56e6878805dcf0227b93b4fe9f3a0b34ca0606bbe663f5ed2593518a4ba04d81e7175093

Filesize: 207B
MD5: 7f7a2aa2bf22bba317ad637b3ae5a8f9
SHA1: bd26629ca9abf48ca1d5ca46c2d31fdfda2ae872
SHA256: 2c122bf9a7caa9d21390da058396153ed8ca5fb3045a3a77df2ae40bc325cdc3
SHA512: 4159164f7c6efb3300eddc9b921ae00e46aeabc9f7e9efa4ee73bce50139311e3cb479595e60da481e63fe3cc0cb5785e5ca18ba41e2a113d068c214772724a8

Filesize: 207B
MD5: b4a9da2695ae55dbdf12c716153ec43a
SHA1: 7efd00af0d08d9a55c47c14ae9840efa0f80f2c4
SHA256: 031b33fe86751c6b304631cba907b811501c53cf3612d3922bee80cc3ee6156a
SHA512: 92e374675aaae2a38ffae0508343353cc51e05c0b00a10e634ac5d268a3cca29b46ae4cffb85ce4df65d118772fcdf8157fb3f276b5f1cf72e70936bf1c095aa

Filesize: 207B
MD5: 32aef825be63bcc40908cd83eb177771
SHA1: 0b11d58c2deef587babcb1d3f294e67228071115
SHA256: 7b529ace3d3ca331f75a96deaecf606a145c1a71d3f7cb970ebf7381595b2c85
SHA512: 2d2e0c0870eaec8f296a34b50f40b566235b7031b959547072e81e2af7ebbe7b529eed78f30a67e368067e5aa91a31cdfcda993d1afae2402e5afd8e7fb07338

Filesize: 207B
MD5: 8ad9ecf8c866cbc46c7ea40752ce45f3
SHA1: d6a0cec73e038f2efcaba00bd1883f9c784a9b6f
SHA256: abedd9fe91bb26a5e9077da7337b8a4faba52cbf97485e3b01d5a2bcb8f6c963
SHA512: 30d78bf9dabf89f97474230a3d2a257681ff6b0d595289d09f0bc63be5543d8fd72eeacaa0141115b084bce90b69fdb7e9899a8ce955eb50a5128417c798a7a4

Filesize: 207B
MD5: f42f84c5ca70c0b7b670b854942fe0c8
SHA1: 040bcc8a73d6ade33008dbf0e9dbef9811882c3d
SHA256: 9ef726d8652326558dca08f26c7d3cbe699853366443db712836e6b9fc08c266
SHA512: 59ab5ef2bdb40fcaad9a99d032eb107c48ac1df79bf8a18a0631d4e243ff81264009731d4a3e9ac07c63774fce02ed682fbc6ddbe8f107e6a45f38c4850e1f89

Filesize: 207B
MD5: e9973f9d6eb9046c377e3462582de826
SHA1: 99f4b3bb9ff5e613209864cab89e7720add7cb93
SHA256: acc2d609b0b12d755b031de42d85199b57f087ad641925f61c9103397857c2eb
SHA512: dd20089fcad461b78e30ca08faf0705973697822046c21376c601d60a8e933a6f446c23a785b5027170dd9a4a481711defef8b26444e87f9c6d2f07837f62bbe

Filesize: 207B
MD5: a72308e4d3ff17bae641a4760ec74e68
SHA1: 0e50a6b1c59cb7f96deb1c350aedd3e59a9c35bb
SHA256: 4916137e925a7ed19271a18fd0edac06b6da121c7a945879a2c195f984c91b55
SHA512: fa704fcd0bb8e0460949b960da59204f2bce559ef17b2478a10c229de9c20f9b543d4f34f17a9c868242a24930250d0152e79750e9549a834c42928d79360957

Filesize: 207B
MD5: c4e929969404ee6b7208a61c401ef8e2
SHA1: 0dbe4b238ed5f27868e77615367456f71c6faba2
SHA256: fd9b63d0245ce2c6ef9a94677c7e95e026a61107d4e59981ad02ccd373eef522
SHA512: be06820586dc75391f2c50ae4fbf1a97a57a05e938ffe5ef550bac68b5610f5eceb727c5de608506629c08892e15621f2fdf2f7a139a1e3d67feabb84be40dd6

Filesize: 502KB
MD5: 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1: 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256: 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512: 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c