Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 01-09-2024 14:57
Behavioral task: behavioral1
- Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- Resource: win7-20240704-en
General
- Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- Size: 6.1MB
- MD5: 03778d811f241e83ccad830372313b3c
- SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
- SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
- SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
- SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
- quasar
- 1.4.0
- Chrome
- live.nodenet.ml:8863
- 754ce6d6-f75b-4c6f-964c-3996e749369e
- encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
- install_name: chrome.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: System
- subdirectory: chrome
Signatures
Quasar payload 12 IoCs
Processes (resource -> yara_rule):
- C:\Users\Admin\AppData\Roaming\chrome.exe -> family_quasar
- behavioral1/memory/2328-39-0x0000000000F60000-0x0000000000FE4000-memory.dmp -> family_quasar
- behavioral1/memory/2716-46-0x0000000000FB0000-0x0000000001034000-memory.dmp -> family_quasar
- behavioral1/memory/1312-57-0x0000000001370000-0x00000000013F4000-memory.dmp -> family_quasar
- behavioral1/memory/1212-68-0x0000000000320000-0x00000000003A4000-memory.dmp -> family_quasar
- behavioral1/memory/800-79-0x00000000008B0000-0x0000000000934000-memory.dmp -> family_quasar
- behavioral1/memory/1568-90-0x00000000003D0000-0x0000000000454000-memory.dmp -> family_quasar
- behavioral1/memory/112-101-0x00000000011C0000-0x0000000001244000-memory.dmp -> family_quasar
- behavioral1/memory/1292-123-0x0000000001340000-0x00000000013C4000-memory.dmp -> family_quasar
- behavioral1/memory/2928-145-0x0000000000110000-0x0000000000194000-memory.dmp -> family_quasar
- behavioral1/memory/2204-156-0x0000000000180000-0x0000000000204000-memory.dmp -> family_quasar
- behavioral1/memory/988-167-0x00000000013C0000-0x0000000001444000-memory.dmp -> family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Executes dropped EXE 15 IoCs
Processes (pid, process):
- 2328 chrome.exe
- 804 S^X.exe
- 2716 chrome.exe
- 1312 chrome.exe
- 1212 chrome.exe
- 800 chrome.exe
- 1568 chrome.exe
- 112 chrome.exe
- 2304 chrome.exe
- 1292 chrome.exe
- 1184 chrome.exe
- 2928 chrome.exe
- 2204 chrome.exe
- 988 chrome.exe
- 2068 chrome.exe
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 2088 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- 2088 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- 2088 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource -> yara_rule):
- behavioral1/memory/2088-1-0x00000000003D0000-0x00000000009E4000-memory.dmp -> agile_net
- behavioral1/memory/2088-2-0x0000000005180000-0x0000000005792000-memory.dmp -> agile_net
- behavioral1/memory/2088-16-0x0000000005180000-0x000000000578C000-memory.dmp -> agile_net
- behavioral1/memory/2088-18-0x0000000005180000-0x000000000578C000-memory.dmp -> agile_net
- behavioral1/memory/2088-20-0x0000000005180000-0x000000000578C000-memory.dmp -> agile_net
- behavioral1/memory/2088-15-0x0000000005180000-0x000000000578C000-memory.dmp -> agile_net
- behavioral1/memory/2088-22-0x0000000005180000-0x000000000578C000-memory.dmp -> agile_net
Processes (resource -> yara_rule):
- \Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll -> themida
- behavioral1/memory/2088-10-0x0000000073C10000-0x0000000074218000-memory.dmp -> themida
- behavioral1/memory/2088-11-0x0000000073C10000-0x0000000074218000-memory.dmp -> themida
- behavioral1/memory/2088-13-0x0000000073C10000-0x0000000074218000-memory.dmp -> themida
- behavioral1/memory/2088-40-0x0000000073C10000-0x0000000074218000-memory.dmp -> themida
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid, process):
- 2088 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by S^X.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes (pid, process):
- 1144 PING.EXE
- 1712 PING.EXE
- 1660 PING.EXE
- 2964 PING.EXE
- 2956 PING.EXE
- 2016 PING.EXE
- 2988 PING.EXE
- 1956 PING.EXE
- 1968 PING.EXE
- 892 PING.EXE
- 2032 PING.EXE
- 1748 PING.EXE
Runs ping.exe 1 TTPs 12 IoCs
Processes (pid, process):
- 1144 PING.EXE
- 1956 PING.EXE
- 892 PING.EXE
- 1660 PING.EXE
- 2016 PING.EXE
- 1748 PING.EXE
- 2964 PING.EXE
- 2988 PING.EXE
- 2956 PING.EXE
- 1968 PING.EXE
- 1712 PING.EXE
- 2032 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 2924 schtasks.exe
- 1912 schtasks.exe
- 2356 schtasks.exe
- 2564 schtasks.exe
- 1948 schtasks.exe
- 2228 schtasks.exe
- 1516 schtasks.exe
- 3048 schtasks.exe
- 2232 schtasks.exe
- 2604 schtasks.exe
- 2792 schtasks.exe
- 1696 schtasks.exe
- 2488 schtasks.exe
- 620 schtasks.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 2328 chrome.exe
- Token: SeDebugPrivilege 2716 chrome.exe
- Token: SeDebugPrivilege 804 S^X.exe
- Token: SeDebugPrivilege 1312 chrome.exe
- Token: SeDebugPrivilege 1212 chrome.exe
- Token: SeDebugPrivilege 800 chrome.exe
- Token: SeDebugPrivilege 1568 chrome.exe
- Token: SeDebugPrivilege 112 chrome.exe
- Token: SeDebugPrivilege 2304 chrome.exe
- Token: SeDebugPrivilege 1292 chrome.exe
- Token: SeDebugPrivilege 1184 chrome.exe
- Token: SeDebugPrivilege 2928 chrome.exe
- Token: SeDebugPrivilege 2204 chrome.exe
- Token: SeDebugPrivilege 988 chrome.exe
- Token: SeDebugPrivilege 2068 chrome.exe
Suspicious use of SetWindowsHookEx 12 IoCs
Processes (pid, process):
- 2716 chrome.exe
- 1312 chrome.exe
- 1212 chrome.exe
- 800 chrome.exe
- 1568 chrome.exe
- 112 chrome.exe
- 2304 chrome.exe
- 1292 chrome.exe
- 1184 chrome.exe
- 2928 chrome.exe
- 2204 chrome.exe
- 988 chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process -> target process):
- PID 2088 wrote to memory of 2328: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> chrome.exe
- PID 2088 wrote to memory of 2328: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> chrome.exe
- PID 2088 wrote to memory of 2328: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> chrome.exe
- PID 2088 wrote to memory of 2328: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> chrome.exe
- PID 2088 wrote to memory of 804: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> S^X.exe
- PID 2088 wrote to memory of 804: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> S^X.exe
- PID 2088 wrote to memory of 804: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> S^X.exe
- PID 2088 wrote to memory of 804: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe -> S^X.exe
- PID 2328 wrote to memory of 2792: chrome.exe -> schtasks.exe
- PID 2328 wrote to memory of 2792: chrome.exe -> schtasks.exe
- PID 2328 wrote to memory of 2792: chrome.exe -> schtasks.exe
- PID 2328 wrote to memory of 2716: chrome.exe -> chrome.exe
- PID 2328 wrote to memory of 2716: chrome.exe -> chrome.exe
- PID 2328 wrote to memory of 2716: chrome.exe -> chrome.exe
- PID 2716 wrote to memory of 2924: chrome.exe -> schtasks.exe
- PID 2716 wrote to memory of 2924: chrome.exe -> schtasks.exe
- PID 2716 wrote to memory of 2924: chrome.exe -> schtasks.exe
- PID 2716 wrote to memory of 3032: chrome.exe -> cmd.exe
- PID 2716 wrote to memory of 3032: chrome.exe -> cmd.exe
- PID 2716 wrote to memory of 3032: chrome.exe -> cmd.exe
- PID 3032 wrote to memory of 3040: cmd.exe -> chcp.com
- PID 3032 wrote to memory of 3040: cmd.exe -> chcp.com
- PID 3032 wrote to memory of 3040: cmd.exe -> chcp.com
- PID 3032 wrote to memory of 2032: cmd.exe -> PING.EXE
- PID 3032 wrote to memory of 2032: cmd.exe -> PING.EXE
- PID 3032 wrote to memory of 2032: cmd.exe -> PING.EXE
- PID 3032 wrote to memory of 1312: cmd.exe -> chrome.exe
- PID 3032 wrote to memory of 1312: cmd.exe -> chrome.exe
- PID 3032 wrote to memory of 1312: cmd.exe -> chrome.exe
- PID 1312 wrote to memory of 1696: chrome.exe -> schtasks.exe
- PID 1312 wrote to memory of 1696: chrome.exe -> schtasks.exe
- PID 1312 wrote to memory of 1696: chrome.exe -> schtasks.exe
- PID 1312 wrote to memory of 1796: chrome.exe -> cmd.exe
- PID 1312 wrote to memory of 1796: chrome.exe -> cmd.exe
- PID 1312 wrote to memory of 1796: chrome.exe -> cmd.exe
- PID 1796 wrote to memory of 1948: cmd.exe -> chcp.com
- PID 1796 wrote to memory of 1948: cmd.exe -> chcp.com
- PID 1796 wrote to memory of 1948: cmd.exe -> chcp.com
- PID 1796 wrote to memory of 1748: cmd.exe -> PING.EXE
- PID 1796 wrote to memory of 1748: cmd.exe -> PING.EXE
- PID 1796 wrote to memory of 1748: cmd.exe -> PING.EXE
- PID 1796 wrote to memory of 1212: cmd.exe -> chrome.exe
- PID 1796 wrote to memory of 1212: cmd.exe -> chrome.exe
- PID 1796 wrote to memory of 1212: cmd.exe -> chrome.exe
- PID 1212 wrote to memory of 2604: chrome.exe -> schtasks.exe
- PID 1212 wrote to memory of 2604: chrome.exe -> schtasks.exe
- PID 1212 wrote to memory of 2604: chrome.exe -> schtasks.exe
- PID 1212 wrote to memory of 1600: chrome.exe -> cmd.exe
- PID 1212 wrote to memory of 1600: chrome.exe -> cmd.exe
- PID 1212 wrote to memory of 1600: chrome.exe -> cmd.exe
- PID 1600 wrote to memory of 2240: cmd.exe -> chcp.com
- PID 1600 wrote to memory of 2240: cmd.exe -> chcp.com
- PID 1600 wrote to memory of 2240: cmd.exe -> chcp.com
- PID 1600 wrote to memory of 2016: cmd.exe -> PING.EXE
- PID 1600 wrote to memory of 2016: cmd.exe -> PING.EXE
- PID 1600 wrote to memory of 2016: cmd.exe -> PING.EXE
- PID 1600 wrote to memory of 800: cmd.exe -> chrome.exe
- PID 1600 wrote to memory of 800: cmd.exe -> chrome.exe
- PID 1600 wrote to memory of 800: cmd.exe -> chrome.exe
- PID 800 wrote to memory of 1912: chrome.exe -> schtasks.exe
- PID 800 wrote to memory of 1912: chrome.exe -> schtasks.exe
- PID 800 wrote to memory of 1912: chrome.exe -> schtasks.exe
- PID 800 wrote to memory of 900: chrome.exe -> cmd.exe
- PID 800 wrote to memory of 900: chrome.exe -> cmd.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets, then image path, PID and command line; signatures hit on that process follow on the next line)
- [1] C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe (PID 2088): "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
  signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [2] C:\Users\Admin\AppData\Roaming\chrome.exe (PID 2328): "C:\Users\Admin\AppData\Roaming\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [3] C:\Windows\system32\schtasks.exe (PID 2792): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [3] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2716): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\schtasks.exe (PID 2924): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [4] C:\Windows\system32\cmd.exe (PID 3032): cmd /c ""C:\Users\Admin\AppData\Local\Temp\i0eLT3CDrcsP.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [5] C:\Windows\system32\chcp.com (PID 3040): chcp 65001
- [5] C:\Windows\system32\PING.EXE (PID 2032): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [5] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1312): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- [6] C:\Windows\system32\schtasks.exe (PID 1696): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [6] C:\Windows\system32\cmd.exe (PID 1796): cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgy77yBnfgd4.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [7] C:\Windows\system32\chcp.com (PID 1948): chcp 65001
- [7] C:\Windows\system32\PING.EXE (PID 1748): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [7] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1212): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- [8] C:\Windows\system32\schtasks.exe (PID 2604): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [8] C:\Windows\system32\cmd.exe (PID 1600): cmd /c ""C:\Users\Admin\AppData\Local\Temp\x1sOgQvrmJpW.bat" "
  signatures: Suspicious use of WriteProcessMemory
- [9] C:\Windows\system32\chcp.com (PID 2240): chcp 65001
- [9] C:\Windows\system32\PING.EXE (PID 2016): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [9] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 800): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
- [10] C:\Windows\system32\schtasks.exe (PID 1912): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [10] C:\Windows\system32\cmd.exe (PID 900): cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcB5uutlq6lA.bat" "
- [11] C:\Windows\system32\chcp.com (PID 2320): chcp 65001
- [11] C:\Windows\system32\PING.EXE (PID 2964): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [11] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1568): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- [12] C:\Windows\system32\schtasks.exe (PID 2488): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [12] C:\Windows\system32\cmd.exe (PID 1368): cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ExnliY9lQHH.bat" "
- [13] C:\Windows\system32\chcp.com (PID 1552): chcp 65001
- [13] C:\Windows\system32\PING.EXE (PID 2988): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [13] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 112): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- [14] C:\Windows\system32\schtasks.exe (PID 620): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [14] C:\Windows\system32\cmd.exe (PID 2400): cmd /c ""C:\Users\Admin\AppData\Local\Temp\RXsEs3akRUBY.bat" "
- [15] C:\Windows\system32\chcp.com (PID 2760): chcp 65001
- [15] C:\Windows\system32\PING.EXE (PID 2956): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [15] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2304): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- [16] C:\Windows\system32\schtasks.exe (PID 2356): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [16] C:\Windows\system32\cmd.exe (PID 2596): cmd /c ""C:\Users\Admin\AppData\Local\Temp\kMpbiBvEGy5W.bat" "
- [17] C:\Windows\system32\chcp.com (PID 2580): chcp 65001
- [17] C:\Windows\system32\PING.EXE (PID 1144): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [17] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1292): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- [18] C:\Windows\system32\schtasks.exe (PID 2564): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [18] C:\Windows\system32\cmd.exe (PID 2524): cmd /c ""C:\Users\Admin\AppData\Local\Temp\7xUK3UEXFuny.bat" "
- [19] C:\Windows\system32\chcp.com (PID 2300): chcp 65001
- [19] C:\Windows\system32\PING.EXE (PID 1956): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [19] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1184): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- [20] C:\Windows\system32\schtasks.exe (PID 1948): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [20] C:\Windows\system32\cmd.exe (PID 1044): cmd /c ""C:\Users\Admin\AppData\Local\Temp\aA0V4lxnv0tG.bat" "
- [21] C:\Windows\system32\chcp.com (PID 996): chcp 65001
- [21] C:\Windows\system32\PING.EXE (PID 1968): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [21] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2928): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- [22] C:\Windows\system32\schtasks.exe (PID 2228): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [22] C:\Windows\system32\cmd.exe (PID 1852): cmd /c ""C:\Users\Admin\AppData\Local\Temp\cHWIGHONmkPF.bat" "
- [23] C:\Windows\system32\chcp.com (PID 1736): chcp 65001
- [23] C:\Windows\system32\PING.EXE (PID 1712): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [23] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2204): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- [24] C:\Windows\system32\schtasks.exe (PID 1516): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [24] C:\Windows\system32\cmd.exe (PID 1924): cmd /c ""C:\Users\Admin\AppData\Local\Temp\CtAV2ZffacSe.bat" "
- [25] C:\Windows\system32\chcp.com (PID 1672): chcp 65001
- [25] C:\Windows\system32\PING.EXE (PID 892): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [25] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 988): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- [26] C:\Windows\system32\schtasks.exe (PID 3048): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [26] C:\Windows\system32\cmd.exe (PID 3064): cmd /c ""C:\Users\Admin\AppData\Local\Temp\rv3TtwJUxUYx.bat" "
- [27] C:\Windows\system32\chcp.com (PID 1916): chcp 65001
- [27] C:\Windows\system32\PING.EXE (PID 1660): ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [27] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2068): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- [28] C:\Windows\system32\schtasks.exe (PID 2232): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
- [2] C:\Users\Admin\AppData\Local\Temp\S^X.exe (PID 804): "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads