Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 14:55
Behavioral task: behavioral1
Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource: win7-20240708-en
General
Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Size: 6.1MB
MD5: 03778d811f241e83ccad830372313b3c
SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Chrome
C2: live.nodenet.ml:8863
Mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
Attributes:
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\chrome.exe | family_quasar
behavioral2/memory/3800-51-0x0000000000B50000-0x0000000000BD4000-memory.dmp | family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | chrome.exe
Executes dropped EXE 17 IoCs
Processes:
pid | process
3800 | chrome.exe
3916 | S^X.exe
1788 | chrome.exe
4756 | chrome.exe
1544 | chrome.exe
3100 | chrome.exe
3772 | chrome.exe
988 | chrome.exe
5096 | chrome.exe
3308 | chrome.exe
1932 | chrome.exe
4020 | chrome.exe
4604 | chrome.exe
3192 | chrome.exe
2508 | chrome.exe
956 | chrome.exe
1412 | chrome.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
4640 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral2/memory/4640-1-0x0000000000B20000-0x0000000001134000-memory.dmp | agile_net
behavioral2/memory/4640-2-0x0000000005A60000-0x0000000006072000-memory.dmp | agile_net
behavioral2/memory/4640-17-0x0000000005A60000-0x000000000606C000-memory.dmp | agile_net
behavioral2/memory/4640-19-0x0000000005A60000-0x000000000606C000-memory.dmp | agile_net
behavioral2/memory/4640-23-0x0000000005A60000-0x000000000606C000-memory.dmp | agile_net
behavioral2/memory/4640-21-0x0000000005A60000-0x000000000606C000-memory.dmp | agile_net
behavioral2/memory/4640-16-0x0000000005A60000-0x000000000606C000-memory.dmp | agile_net
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll | themida
behavioral2/memory/4640-12-0x00000000718A0000-0x0000000071EA8000-memory.dmp | themida
behavioral2/memory/4640-11-0x00000000718A0000-0x0000000071EA8000-memory.dmp | themida
behavioral2/memory/4640-14-0x00000000718A0000-0x0000000071EA8000-memory.dmp | themida
behavioral2/memory/4640-52-0x00000000718A0000-0x0000000071EA8000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
4640 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | S^X.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | process
2644 | PING.EXE
1992 | PING.EXE
2148 | PING.EXE
1464 | PING.EXE
2724 | PING.EXE
3472 | PING.EXE
396 | PING.EXE
3688 | PING.EXE
4532 | PING.EXE
836 | PING.EXE
1276 | PING.EXE
3568 | PING.EXE
4732 | PING.EXE
2608 | cmd.exe
956 | PING.EXE
3700 | PING.EXE
Runs ping.exe 1 TTPs 15 IoCs
Processes:
pid | process
3472 | PING.EXE
3568 | PING.EXE
1276 | PING.EXE
2644 | PING.EXE
396 | PING.EXE
1992 | PING.EXE
2148 | PING.EXE
956 | PING.EXE
836 | PING.EXE
1464 | PING.EXE
4732 | PING.EXE
3688 | PING.EXE
4532 | PING.EXE
3700 | PING.EXE
2724 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4708 | schtasks.exe
1160 | schtasks.exe
3824 | schtasks.exe
1624 | schtasks.exe
860 | schtasks.exe
2036 | schtasks.exe
4724 | schtasks.exe
636 | schtasks.exe
4532 | schtasks.exe
1260 | schtasks.exe
3596 | schtasks.exe
3352 | schtasks.exe
228 | schtasks.exe
1412 | schtasks.exe
3412 | schtasks.exe
4412 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3800 | chrome.exe
Token: SeDebugPrivilege | 1788 | chrome.exe
Token: SeDebugPrivilege | 3916 | S^X.exe
Token: SeDebugPrivilege | 4756 | chrome.exe
Token: SeDebugPrivilege | 1544 | chrome.exe
Token: SeDebugPrivilege | 3100 | chrome.exe
Token: SeDebugPrivilege | 3772 | chrome.exe
Token: SeDebugPrivilege | 988 | chrome.exe
Token: SeDebugPrivilege | 5096 | chrome.exe
Token: SeDebugPrivilege | 3308 | chrome.exe
Token: SeDebugPrivilege | 1932 | chrome.exe
Token: SeDebugPrivilege | 4020 | chrome.exe
Token: SeDebugPrivilege | 4604 | chrome.exe
Token: SeDebugPrivilege | 3192 | chrome.exe
Token: SeDebugPrivilege | 2508 | chrome.exe
Token: SeDebugPrivilege | 956 | chrome.exe
Token: SeDebugPrivilege | 1412 | chrome.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4604 | chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4640 wrote to memory of 3800 | 4640 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 4640 wrote to memory of 3800 | 4640 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 4640 wrote to memory of 3916 | 4640 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 4640 wrote to memory of 3916 | 4640 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 4640 wrote to memory of 3916 | 4640 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 3800 wrote to memory of 860 | 3800 | chrome.exe | schtasks.exe
PID 3800 wrote to memory of 860 | 3800 | chrome.exe | schtasks.exe
PID 3800 wrote to memory of 1788 | 3800 | chrome.exe | chrome.exe
PID 3800 wrote to memory of 1788 | 3800 | chrome.exe | chrome.exe
PID 1788 wrote to memory of 2036 | 1788 | chrome.exe | schtasks.exe
PID 1788 wrote to memory of 2036 | 1788 | chrome.exe | schtasks.exe
PID 1788 wrote to memory of 5052 | 1788 | chrome.exe | cmd.exe
PID 1788 wrote to memory of 5052 | 1788 | chrome.exe | cmd.exe
PID 5052 wrote to memory of 1244 | 5052 | cmd.exe | chcp.com
PID 5052 wrote to memory of 1244 | 5052 | cmd.exe | chcp.com
PID 5052 wrote to memory of 2148 | 5052 | cmd.exe | PING.EXE
PID 5052 wrote to memory of 2148 | 5052 | cmd.exe | PING.EXE
PID 5052 wrote to memory of 4756 | 5052 | cmd.exe | chrome.exe
PID 5052 wrote to memory of 4756 | 5052 | cmd.exe | chrome.exe
PID 4756 wrote to memory of 4708 | 4756 | chrome.exe | schtasks.exe
PID 4756 wrote to memory of 4708 | 4756 | chrome.exe | schtasks.exe
PID 4756 wrote to memory of 4392 | 4756 | chrome.exe | cmd.exe
PID 4756 wrote to memory of 4392 | 4756 | chrome.exe | cmd.exe
PID 4392 wrote to memory of 3180 | 4392 | cmd.exe | chcp.com
PID 4392 wrote to memory of 3180 | 4392 | cmd.exe | chcp.com
PID 4392 wrote to memory of 3700 | 4392 | cmd.exe | PING.EXE
PID 4392 wrote to memory of 3700 | 4392 | cmd.exe | PING.EXE
PID 4392 wrote to memory of 1544 | 4392 | cmd.exe | chrome.exe
PID 4392 wrote to memory of 1544 | 4392 | cmd.exe | chrome.exe
PID 1544 wrote to memory of 228 | 1544 | chrome.exe | schtasks.exe
PID 1544 wrote to memory of 228 | 1544 | chrome.exe | schtasks.exe
PID 1544 wrote to memory of 728 | 1544 | chrome.exe | cmd.exe
PID 1544 wrote to memory of 728 | 1544 | chrome.exe | cmd.exe
PID 728 wrote to memory of 2816 | 728 | cmd.exe | chcp.com
PID 728 wrote to memory of 2816 | 728 | cmd.exe | chcp.com
PID 728 wrote to memory of 956 | 728 | cmd.exe | PING.EXE
PID 728 wrote to memory of 956 | 728 | cmd.exe | PING.EXE
PID 728 wrote to memory of 3100 | 728 | cmd.exe | chrome.exe
PID 728 wrote to memory of 3100 | 728 | cmd.exe | chrome.exe
PID 3100 wrote to memory of 4724 | 3100 | chrome.exe | schtasks.exe
PID 3100 wrote to memory of 4724 | 3100 | chrome.exe | schtasks.exe
PID 3100 wrote to memory of 1996 | 3100 | chrome.exe | cmd.exe
PID 3100 wrote to memory of 1996 | 3100 | chrome.exe | cmd.exe
PID 1996 wrote to memory of 2644 | 1996 | cmd.exe | chcp.com
PID 1996 wrote to memory of 2644 | 1996 | cmd.exe | chcp.com
PID 1996 wrote to memory of 1276 | 1996 | cmd.exe | PING.EXE
PID 1996 wrote to memory of 1276 | 1996 | cmd.exe | PING.EXE
PID 1996 wrote to memory of 3772 | 1996 | cmd.exe | chrome.exe
PID 1996 wrote to memory of 3772 | 1996 | cmd.exe | chrome.exe
PID 3772 wrote to memory of 636 | 3772 | chrome.exe | schtasks.exe
PID 3772 wrote to memory of 636 | 3772 | chrome.exe | schtasks.exe
PID 3772 wrote to memory of 2148 | 3772 | chrome.exe | cmd.exe
PID 3772 wrote to memory of 2148 | 3772 | chrome.exe | cmd.exe
PID 2148 wrote to memory of 4384 | 2148 | cmd.exe | chcp.com
PID 2148 wrote to memory of 4384 | 2148 | cmd.exe | chcp.com
PID 2148 wrote to memory of 1464 | 2148 | cmd.exe | PING.EXE
PID 2148 wrote to memory of 1464 | 2148 | cmd.exe | PING.EXE
PID 2148 wrote to memory of 988 | 2148 | cmd.exe | chrome.exe
PID 2148 wrote to memory of 988 | 2148 | cmd.exe | chrome.exe
PID 988 wrote to memory of 4532 | 988 | chrome.exe | schtasks.exe
PID 988 wrote to memory of 4532 | 988 | chrome.exe | schtasks.exe
PID 988 wrote to memory of 2608 | 988 | chrome.exe | cmd.exe
PID 988 wrote to memory of 2608 | 988 | chrome.exe | cmd.exe
PID 2608 wrote to memory of 1540 | 2608 | cmd.exe | chcp.com
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe (PID 4640)
Command line: "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Roaming\chrome.exe (PID 3800)
Command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SYSTEM32\schtasks.exe (PID 860)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 3: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1788)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SYSTEM32\schtasks.exe (PID 2036)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 4: C:\Windows\system32\cmd.exe (PID 5052)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xBLmw1hQvozl.bat" "
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\system32\chcp.com (PID 1244)
Command line: chcp 65001

Depth 5: C:\Windows\system32\PING.EXE (PID 2148)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 5: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 4756)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SYSTEM32\schtasks.exe (PID 4708)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 6: C:\Windows\system32\cmd.exe (PID 4392)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biGXRFR6MXQS.bat" "
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\system32\chcp.com (PID 3180)
Command line: chcp 65001

Depth 7: C:\Windows\system32\PING.EXE (PID 3700)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 7: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1544)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SYSTEM32\schtasks.exe (PID 228)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 8: C:\Windows\system32\cmd.exe (PID 728)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h8DjqxB2HOKi.bat" "
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\system32\chcp.com (PID 2816)
Command line: chcp 65001

Depth 9: C:\Windows\system32\PING.EXE (PID 956)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 9: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 3100)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SYSTEM32\schtasks.exe (PID 4724)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 10: C:\Windows\system32\cmd.exe (PID 1996)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avhp4H7HLRfA.bat" "
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\system32\chcp.com (PID 2644)
Command line: chcp 65001

Depth 11: C:\Windows\system32\PING.EXE (PID 1276)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 11: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 3772)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SYSTEM32\schtasks.exe (PID 636)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 12: C:\Windows\system32\cmd.exe (PID 2148)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CFgWuVug1NHL.bat" "
- Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\system32\chcp.com (PID 4384)
Command line: chcp 65001

Depth 13: C:\Windows\system32\PING.EXE (PID 1464)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 13: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 988)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SYSTEM32\schtasks.exe (PID 4532)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 14: C:\Windows\system32\cmd.exe (PID 2608)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e5pINGIqQjZL.bat" "
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory

Depth 15: C:\Windows\system32\chcp.com (PID 1540)
Command line: chcp 65001

Depth 15: C:\Windows\system32\PING.EXE (PID 2724)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 15: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 5096)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 16: C:\Windows\SYSTEM32\schtasks.exe (PID 1260)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 16: C:\Windows\system32\cmd.exe (PID 1544)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZM301tlsBqj8.bat" "

Depth 17: C:\Windows\system32\chcp.com (PID 3480)
Command line: chcp 65001

Depth 17: C:\Windows\system32\PING.EXE (PID 3472)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 17: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 3308)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 18: C:\Windows\SYSTEM32\schtasks.exe (PID 1412)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 18: C:\Windows\system32\cmd.exe (PID 648)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCVnIEh3c97Q.bat" "

Depth 19: C:\Windows\system32\chcp.com (PID 4588)
Command line: chcp 65001

Depth 19: C:\Windows\system32\PING.EXE (PID 2644)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 19: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1932)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 20: C:\Windows\SYSTEM32\schtasks.exe (PID 1160)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 20: C:\Windows\system32\cmd.exe (PID 1308)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UTI0z71MlcLR.bat" "

Depth 21: C:\Windows\system32\chcp.com (PID 3408)
Command line: chcp 65001

Depth 21: C:\Windows\system32\PING.EXE (PID 3568)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 21: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 4020)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 22: C:\Windows\SYSTEM32\schtasks.exe (PID 1624)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 22: C:\Windows\system32\cmd.exe (PID 5052)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VRPwkoA4zMdP.bat" "

Depth 23: C:\Windows\system32\chcp.com (PID 3940)
Command line: chcp 65001

Depth 23: C:\Windows\system32\PING.EXE (PID 396)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 23: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 4604)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

Depth 24: C:\Windows\SYSTEM32\schtasks.exe (PID 3412)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 24: C:\Windows\system32\cmd.exe (PID 1136)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xc4Puk4MbBFg.bat" "

Depth 25: C:\Windows\system32\chcp.com (PID 4012)
Command line: chcp 65001

Depth 25: C:\Windows\system32\PING.EXE (PID 1992)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 25: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 3192)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 26: C:\Windows\SYSTEM32\schtasks.exe (PID 4412)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 26: C:\Windows\system32\cmd.exe (PID 1788)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EjLMrInu0xGj.bat" "

Depth 27: C:\Windows\system32\chcp.com (PID 4004)
Command line: chcp 65001

Depth 27: C:\Windows\system32\PING.EXE (PID 4732)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 27: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2508)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 28: C:\Windows\SYSTEM32\schtasks.exe (PID 3824)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 28: C:\Windows\system32\cmd.exe (PID 692)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6TqJOblx4S91.bat" "

Depth 29: C:\Windows\system32\chcp.com (PID 2952)
Command line: chcp 65001

Depth 29: C:\Windows\system32\PING.EXE (PID 3688)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 29: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 956)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 30: C:\Windows\SYSTEM32\schtasks.exe (PID 3596)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 30: C:\Windows\system32\cmd.exe (PID 536)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyZ4sHm9tzOH.bat" "

Depth 31: C:\Windows\system32\chcp.com (PID 4016)
Command line: chcp 65001

Depth 31: C:\Windows\system32\PING.EXE (PID 4532)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 31: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1412)
Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Depth 32: C:\Windows\SYSTEM32\schtasks.exe (PID 3352)
Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task

Depth 32: C:\Windows\system32\cmd.exe (PID 452)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Gfzxcqb0xDB.bat" "

Depth 33: C:\Windows\system32\chcp.com (PID 1452)
Command line: chcp 65001

Depth 33: C:\Windows\system32\PING.EXE (PID 836)
Command line: ping -n 10 localhost
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe

Depth 2: C:\Users\Admin\AppData\Local\Temp\S^X.exe (PID 3916)
Command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads