Analysis
max time kernel: 141s
max time network: 145s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 14:53
Behavioral task: behavioral1
Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource: win7-20240705-en
General
Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Size: 6.1MB
MD5: 03778d811f241e83ccad830372313b3c
SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
quasar
1.4.0
Chrome
live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures
-
Quasar payload 12 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\chrome.exe | family_quasar
behavioral1/memory/2848-43-0x00000000009A0000-0x0000000000A24000-memory.dmp | family_quasar
behavioral1/memory/2480-48-0x0000000000300000-0x0000000000384000-memory.dmp | family_quasar
behavioral1/memory/2916-62-0x00000000010F0000-0x0000000001174000-memory.dmp | family_quasar
behavioral1/memory/2876-83-0x00000000003D0000-0x0000000000454000-memory.dmp | family_quasar
behavioral1/memory/1316-95-0x0000000000C40000-0x0000000000CC4000-memory.dmp | family_quasar
behavioral1/memory/2824-106-0x0000000000E70000-0x0000000000EF4000-memory.dmp | family_quasar
behavioral1/memory/2120-117-0x00000000003F0000-0x0000000000474000-memory.dmp | family_quasar
behavioral1/memory/2676-129-0x0000000000B30000-0x0000000000BB4000-memory.dmp | family_quasar
behavioral1/memory/2176-140-0x0000000000B70000-0x0000000000BF4000-memory.dmp | family_quasar
behavioral1/memory/1696-151-0x0000000000FE0000-0x0000000001064000-memory.dmp | family_quasar
behavioral1/memory/560-172-0x0000000000360000-0x00000000003E4000-memory.dmp | family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Executes dropped EXE 14 IoCs
Processes:
pid | process
2848 | chrome.exe
2884 | S^X.exe
2480 | chrome.exe
2916 | chrome.exe
1808 | chrome.exe
2876 | chrome.exe
1316 | chrome.exe
2824 | chrome.exe
2120 | chrome.exe
2676 | chrome.exe
2176 | chrome.exe
1696 | chrome.exe
1792 | chrome.exe
560 | chrome.exe
Loads dropped DLL 3 IoCs
Processes:
pid | process
2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/2140-1-0x0000000000100000-0x0000000000714000-memory.dmp | agile_net
behavioral1/memory/2140-2-0x0000000005240000-0x0000000005852000-memory.dmp | agile_net
behavioral1/memory/2140-22-0x0000000005240000-0x000000000584C000-memory.dmp | agile_net
behavioral1/memory/2140-20-0x0000000005240000-0x000000000584C000-memory.dmp | agile_net
behavioral1/memory/2140-18-0x0000000005240000-0x000000000584C000-memory.dmp | agile_net
behavioral1/memory/2140-16-0x0000000005240000-0x000000000584C000-memory.dmp | agile_net
behavioral1/memory/2140-15-0x0000000005240000-0x000000000584C000-memory.dmp | agile_net
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll | themida
behavioral1/memory/2140-10-0x0000000073900000-0x0000000073F08000-memory.dmp | themida
behavioral1/memory/2140-11-0x0000000073900000-0x0000000073F08000-memory.dmp | themida
behavioral1/memory/2140-13-0x0000000073900000-0x0000000073F08000-memory.dmp | themida
behavioral1/memory/2140-41-0x0000000073900000-0x0000000073F08000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | S^X.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | process
2228 | PING.EXE
1240 | PING.EXE
1628 | PING.EXE
1260 | PING.EXE
2832 | PING.EXE
748 | PING.EXE
2992 | PING.EXE
1220 | PING.EXE
376 | PING.EXE
1312 | PING.EXE
592 | PING.EXE
2644 | PING.EXE
Runs ping.exe 1 TTPs 12 IoCs
Processes:
pid | process
1220 | PING.EXE
592 | PING.EXE
2228 | PING.EXE
2644 | PING.EXE
2832 | PING.EXE
1312 | PING.EXE
748 | PING.EXE
2992 | PING.EXE
1240 | PING.EXE
1628 | PING.EXE
376 | PING.EXE
1260 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2292 | schtasks.exe
2212 | schtasks.exe
2316 | schtasks.exe
2628 | schtasks.exe
2520 | schtasks.exe
2092 | schtasks.exe
1300 | schtasks.exe
2256 | schtasks.exe
2008 | schtasks.exe
2200 | schtasks.exe
820 | schtasks.exe
304 | schtasks.exe
1200 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2848 | chrome.exe
Token: SeDebugPrivilege | 2480 | chrome.exe
Token: SeDebugPrivilege | 2884 | S^X.exe
Token: SeDebugPrivilege | 2916 | chrome.exe
Token: SeDebugPrivilege | 1808 | chrome.exe
Token: SeDebugPrivilege | 2876 | chrome.exe
Token: SeDebugPrivilege | 1316 | chrome.exe
Token: SeDebugPrivilege | 2824 | chrome.exe
Token: SeDebugPrivilege | 2120 | chrome.exe
Token: SeDebugPrivilege | 2676 | chrome.exe
Token: SeDebugPrivilege | 2176 | chrome.exe
Token: SeDebugPrivilege | 1696 | chrome.exe
Token: SeDebugPrivilege | 1792 | chrome.exe
Token: SeDebugPrivilege | 560 | chrome.exe
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
2480 | chrome.exe
2916 | chrome.exe
1808 | chrome.exe
2876 | chrome.exe
1316 | chrome.exe
2824 | chrome.exe
2120 | chrome.exe
2676 | chrome.exe
2176 | chrome.exe
1696 | chrome.exe
1792 | chrome.exe
560 | chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2140 wrote to memory of 2848 | 2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2140 wrote to memory of 2848 | 2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2140 wrote to memory of 2848 | 2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2140 wrote to memory of 2848 | 2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2140 wrote to memory of 2884 | 2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 2140 wrote to memory of 2884 | 2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 2140 wrote to memory of 2884 | 2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 2140 wrote to memory of 2884 | 2140 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 2848 wrote to memory of 2092 | 2848 | chrome.exe | schtasks.exe
PID 2848 wrote to memory of 2092 | 2848 | chrome.exe | schtasks.exe
PID 2848 wrote to memory of 2092 | 2848 | chrome.exe | schtasks.exe
PID 2848 wrote to memory of 2480 | 2848 | chrome.exe | chrome.exe
PID 2848 wrote to memory of 2480 | 2848 | chrome.exe | chrome.exe
PID 2848 wrote to memory of 2480 | 2848 | chrome.exe | chrome.exe
PID 2480 wrote to memory of 2292 | 2480 | chrome.exe | schtasks.exe
PID 2480 wrote to memory of 2292 | 2480 | chrome.exe | schtasks.exe
PID 2480 wrote to memory of 2292 | 2480 | chrome.exe | schtasks.exe
PID 2480 wrote to memory of 2692 | 2480 | chrome.exe | cmd.exe
PID 2480 wrote to memory of 2692 | 2480 | chrome.exe | cmd.exe
PID 2480 wrote to memory of 2692 | 2480 | chrome.exe | cmd.exe
PID 2692 wrote to memory of 1216 | 2692 | cmd.exe | chcp.com
PID 2692 wrote to memory of 1216 | 2692 | cmd.exe | chcp.com
PID 2692 wrote to memory of 1216 | 2692 | cmd.exe | chcp.com
PID 2692 wrote to memory of 1220 | 2692 | cmd.exe | PING.EXE
PID 2692 wrote to memory of 1220 | 2692 | cmd.exe | PING.EXE
PID 2692 wrote to memory of 1220 | 2692 | cmd.exe | PING.EXE
PID 2692 wrote to memory of 2916 | 2692 | cmd.exe | chrome.exe
PID 2692 wrote to memory of 2916 | 2692 | cmd.exe | chrome.exe
PID 2692 wrote to memory of 2916 | 2692 | cmd.exe | chrome.exe
PID 2916 wrote to memory of 2212 | 2916 | chrome.exe | schtasks.exe
PID 2916 wrote to memory of 2212 | 2916 | chrome.exe | schtasks.exe
PID 2916 wrote to memory of 2212 | 2916 | chrome.exe | schtasks.exe
PID 2916 wrote to memory of 2036 | 2916 | chrome.exe | cmd.exe
PID 2916 wrote to memory of 2036 | 2916 | chrome.exe | cmd.exe
PID 2916 wrote to memory of 2036 | 2916 | chrome.exe | cmd.exe
PID 2036 wrote to memory of 2340 | 2036 | cmd.exe | chcp.com
PID 2036 wrote to memory of 2340 | 2036 | cmd.exe | chcp.com
PID 2036 wrote to memory of 2340 | 2036 | cmd.exe | chcp.com
PID 2036 wrote to memory of 1240 | 2036 | cmd.exe | PING.EXE
PID 2036 wrote to memory of 1240 | 2036 | cmd.exe | PING.EXE
PID 2036 wrote to memory of 1240 | 2036 | cmd.exe | PING.EXE
PID 2036 wrote to memory of 1808 | 2036 | cmd.exe | chrome.exe
PID 2036 wrote to memory of 1808 | 2036 | cmd.exe | chrome.exe
PID 2036 wrote to memory of 1808 | 2036 | cmd.exe | chrome.exe
PID 1808 wrote to memory of 2316 | 1808 | chrome.exe | schtasks.exe
PID 1808 wrote to memory of 2316 | 1808 | chrome.exe | schtasks.exe
PID 1808 wrote to memory of 2316 | 1808 | chrome.exe | schtasks.exe
PID 1808 wrote to memory of 1656 | 1808 | chrome.exe | cmd.exe
PID 1808 wrote to memory of 1656 | 1808 | chrome.exe | cmd.exe
PID 1808 wrote to memory of 1656 | 1808 | chrome.exe | cmd.exe
PID 1656 wrote to memory of 1340 | 1656 | cmd.exe | chcp.com
PID 1656 wrote to memory of 1340 | 1656 | cmd.exe | chcp.com
PID 1656 wrote to memory of 1340 | 1656 | cmd.exe | chcp.com
PID 1656 wrote to memory of 1628 | 1656 | cmd.exe | PING.EXE
PID 1656 wrote to memory of 1628 | 1656 | cmd.exe | PING.EXE
PID 1656 wrote to memory of 1628 | 1656 | cmd.exe | PING.EXE
PID 1656 wrote to memory of 2876 | 1656 | cmd.exe | chrome.exe
PID 1656 wrote to memory of 2876 | 1656 | cmd.exe | chrome.exe
PID 1656 wrote to memory of 2876 | 1656 | cmd.exe | chrome.exe
PID 2876 wrote to memory of 1300 | 2876 | chrome.exe | schtasks.exe
PID 2876 wrote to memory of 1300 | 2876 | chrome.exe | schtasks.exe
PID 2876 wrote to memory of 1300 | 2876 | chrome.exe | schtasks.exe
PID 2876 wrote to memory of 1872 | 2876 | chrome.exe | cmd.exe
PID 2876 wrote to memory of 1872 | 2876 | chrome.exe | cmd.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2140
[2] C:\Users\Admin\AppData\Roaming\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2848
[3] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2092
[3] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2480
[4] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2292
[4] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\NPP4fG0NXYyr.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2692
[5] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 1216
[5] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1220
[5] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2916
[6] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2212
[6] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\gh7pNScCaoTK.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2036
[7] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 2340
[7] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1240
[7] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1808
[8] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2316
[8] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSgJ1jhBeY2W.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1656
[9] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 1340
[9] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1628
[9] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2876
[10] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1300
[10] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\y5I9DW9Om25T.bat" "
    PID: 1872
[11] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 304
[11] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 376
[11] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1316
[12] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2256
[12] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zh7ppqmnrqdk.bat" "
    PID: 1644
[13] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 1680
[13] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1260
[13] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2824
[14] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2628
[14] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\DHek4Plo03mc.bat" "
    PID: 2196
[15] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 2140
[15] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2832
[15] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2120
[16] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2520
[16] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UdRMe9ZrB2Vp.bat" "
    PID: 904
[17] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 3024
[17] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1312
[17] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2676
[18] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2008
[18] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\61tGG4scxXXw.bat" "
    PID: 668
[19] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 684
[19] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 592
[19] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2176
[20] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2200
[20] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwESmSXPbzrY.bat" "
    PID: 1104
[21] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 336
[21] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 748
[21] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1696
[22] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 820
[22] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\kvTPAcwTKtyw.bat" "
    PID: 2984
[23] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 1920
[23] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2992
[23] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1792
[24] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 304
[24] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tf8QbwVYFcT2.bat" "
    PID: 1812
[25] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 1528
[25] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2228
[25] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 560
[26] C:\Windows\system32\schtasks.exe
    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1200
[26] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MpeBGhraJTmr.bat" "
    PID: 2820
[27] C:\Windows\system32\chcp.com
    command line: chcp 65001
    PID: 2628
[27] C:\Windows\system32\PING.EXE
    command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2644
[2] C:\Users\Admin\AppData\Local\Temp\S^X.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2884
-
Network
MITRE ATT&CK Enterprise v15
Downloads