Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 14:57

Behavioral task: behavioral1
Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource: win7-20240704-en
General
Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Size: 6.1MB
MD5: 03778d811f241e83ccad830372313b3c
SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Chrome
C2: live.nodenet.ml:8863
Mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
Attributes:
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures

Quasar payload 2 IoCs
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Roaming\chrome.exe                                     family_quasar
behavioral2/memory/4616-51-0x0000000000BB0000-0x0000000000C34000-memory.dmp    family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description   ioc                                           process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                               process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description         ioc                                                                                                  process
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Key value queried   \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation   chrome.exe
Executes dropped EXE 17 IoCs
Processes:
pid    process
4616   chrome.exe
4980   S^X.exe
3332   chrome.exe
1440   chrome.exe
3780   chrome.exe
2776   chrome.exe
2448   chrome.exe
4252   chrome.exe
1812   chrome.exe
2904   chrome.exe
4524   chrome.exe
756    chrome.exe
1156   chrome.exe
2904   chrome.exe
4496   chrome.exe
4528   chrome.exe
1156   chrome.exe
Loads dropped DLL 1 IoCs
Processes:
pid    process
3776   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                      yara_rule
behavioral2/memory/3776-1-0x0000000000F60000-0x0000000001574000-memory.dmp     agile_net
behavioral2/memory/3776-2-0x0000000006020000-0x0000000006632000-memory.dmp     agile_net
behavioral2/memory/3776-16-0x0000000006020000-0x000000000662C000-memory.dmp    agile_net
behavioral2/memory/3776-22-0x0000000006020000-0x000000000662C000-memory.dmp    agile_net
behavioral2/memory/3776-20-0x0000000006020000-0x000000000662C000-memory.dmp    agile_net
behavioral2/memory/3776-18-0x0000000006020000-0x000000000662C000-memory.dmp    agile_net
behavioral2/memory/3776-15-0x0000000006020000-0x000000000662C000-memory.dmp    agile_net
Processes:
resource                                                                                        yara_rule
C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll        themida
behavioral2/memory/3776-11-0x0000000071B40000-0x0000000072148000-memory.dmp                     themida
behavioral2/memory/3776-12-0x0000000071B40000-0x0000000072148000-memory.dmp                     themida
behavioral2/memory/3776-13-0x0000000071B40000-0x0000000072148000-memory.dmp                     themida
behavioral2/memory/3776-50-0x0000000071B40000-0x0000000072148000-memory.dmp                     themida
Processes:
description         ioc                                                                            process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid    process
3776   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                       process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   S^X.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid    process
4312   PING.EXE
3656   PING.EXE
1176   PING.EXE
4204   PING.EXE
4120   PING.EXE
4980   PING.EXE
2960   PING.EXE
3692   PING.EXE
1896   PING.EXE
2928   PING.EXE
2492   PING.EXE
2684   PING.EXE
1592   PING.EXE
400    PING.EXE
4388   PING.EXE
Runs ping.exe 1 TTPs 15 IoCs
Processes:
pid    process
4312   PING.EXE
3656   PING.EXE
1896   PING.EXE
4980   PING.EXE
2492   PING.EXE
1176   PING.EXE
3692   PING.EXE
2960   PING.EXE
4388   PING.EXE
2928   PING.EXE
2684   PING.EXE
1592   PING.EXE
400    PING.EXE
4204   PING.EXE
4120   PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid    process
2900   schtasks.exe
624    schtasks.exe
1356   schtasks.exe
5112   schtasks.exe
5024   schtasks.exe
2912   schtasks.exe
2644   schtasks.exe
3560   schtasks.exe
2640   schtasks.exe
5008   schtasks.exe
1556   schtasks.exe
1252   schtasks.exe
2280   schtasks.exe
3816   schtasks.exe
2800   schtasks.exe
4832   schtasks.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   4616   chrome.exe
Token: SeDebugPrivilege   3332   chrome.exe
Token: SeDebugPrivilege   4980   S^X.exe
Token: SeDebugPrivilege   1440   chrome.exe
Token: SeDebugPrivilege   3780   chrome.exe
Token: SeDebugPrivilege   2776   chrome.exe
Token: SeDebugPrivilege   2448   chrome.exe
Token: SeDebugPrivilege   4252   chrome.exe
Token: SeDebugPrivilege   1812   chrome.exe
Token: SeDebugPrivilege   2904   chrome.exe
Token: SeDebugPrivilege   4524   chrome.exe
Token: SeDebugPrivilege   756    chrome.exe
Token: SeDebugPrivilege   1156   chrome.exe
Token: SeDebugPrivilege   2904   chrome.exe
Token: SeDebugPrivilege   4496   chrome.exe
Token: SeDebugPrivilege   4528   chrome.exe
Token: SeDebugPrivilege   1156   chrome.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid    process
3332   chrome.exe
4528   chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                      pid    process                                                                  target process
PID 3776 wrote to memory of 4616   3776   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe   chrome.exe
PID 3776 wrote to memory of 4616   3776   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe   chrome.exe
PID 3776 wrote to memory of 4980   3776   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe   S^X.exe
PID 3776 wrote to memory of 4980   3776   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe   S^X.exe
PID 3776 wrote to memory of 4980   3776   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe   S^X.exe
PID 4616 wrote to memory of 2640   4616   chrome.exe   schtasks.exe
PID 4616 wrote to memory of 2640   4616   chrome.exe   schtasks.exe
PID 4616 wrote to memory of 3332   4616   chrome.exe   chrome.exe
PID 4616 wrote to memory of 3332   4616   chrome.exe   chrome.exe
PID 3332 wrote to memory of 1356   3332   chrome.exe   schtasks.exe
PID 3332 wrote to memory of 1356   3332   chrome.exe   schtasks.exe
PID 3332 wrote to memory of 2084   3332   chrome.exe   cmd.exe
PID 3332 wrote to memory of 2084   3332   chrome.exe   cmd.exe
PID 2084 wrote to memory of 60     2084   cmd.exe      chcp.com
PID 2084 wrote to memory of 60     2084   cmd.exe      chcp.com
PID 2084 wrote to memory of 2684   2084   cmd.exe      PING.EXE
PID 2084 wrote to memory of 2684   2084   cmd.exe      PING.EXE
PID 2084 wrote to memory of 1440   2084   cmd.exe      chrome.exe
PID 2084 wrote to memory of 1440   2084   cmd.exe      chrome.exe
PID 1440 wrote to memory of 5112   1440   chrome.exe   schtasks.exe
PID 1440 wrote to memory of 5112   1440   chrome.exe   schtasks.exe
PID 1440 wrote to memory of 4228   1440   chrome.exe   cmd.exe
PID 1440 wrote to memory of 4228   1440   chrome.exe   cmd.exe
PID 4228 wrote to memory of 4332   4228   cmd.exe      chcp.com
PID 4228 wrote to memory of 4332   4228   cmd.exe      chcp.com
PID 4228 wrote to memory of 4312   4228   cmd.exe      PING.EXE
PID 4228 wrote to memory of 4312   4228   cmd.exe      PING.EXE
PID 4228 wrote to memory of 3780   4228   cmd.exe      chrome.exe
PID 4228 wrote to memory of 3780   4228   cmd.exe      chrome.exe
PID 3780 wrote to memory of 5024   3780   chrome.exe   schtasks.exe
PID 3780 wrote to memory of 5024   3780   chrome.exe   schtasks.exe
PID 3780 wrote to memory of 3636   3780   chrome.exe   cmd.exe
PID 3780 wrote to memory of 3636   3780   chrome.exe   cmd.exe
PID 3636 wrote to memory of 4428   3636   cmd.exe      chcp.com
PID 3636 wrote to memory of 4428   3636   cmd.exe      chcp.com
PID 3636 wrote to memory of 1592   3636   cmd.exe      PING.EXE
PID 3636 wrote to memory of 1592   3636   cmd.exe      PING.EXE
PID 3636 wrote to memory of 2776   3636   cmd.exe      chrome.exe
PID 3636 wrote to memory of 2776   3636   cmd.exe      chrome.exe
PID 2776 wrote to memory of 5008   2776   chrome.exe   schtasks.exe
PID 2776 wrote to memory of 5008   2776   chrome.exe   schtasks.exe
PID 2776 wrote to memory of 2488   2776   chrome.exe   cmd.exe
PID 2776 wrote to memory of 2488   2776   chrome.exe   cmd.exe
PID 2488 wrote to memory of 1260   2488   cmd.exe      chcp.com
PID 2488 wrote to memory of 1260   2488   cmd.exe      chcp.com
PID 2488 wrote to memory of 400    2488   cmd.exe      PING.EXE
PID 2488 wrote to memory of 400    2488   cmd.exe      PING.EXE
PID 2488 wrote to memory of 2448   2488   cmd.exe      chrome.exe
PID 2488 wrote to memory of 2448   2488   cmd.exe      chrome.exe
PID 2448 wrote to memory of 1556   2448   chrome.exe   schtasks.exe
PID 2448 wrote to memory of 1556   2448   chrome.exe   schtasks.exe
PID 2448 wrote to memory of 4804   2448   chrome.exe   cmd.exe
PID 2448 wrote to memory of 4804   2448   chrome.exe   cmd.exe
PID 4804 wrote to memory of 4520   4804   cmd.exe      chcp.com
PID 4804 wrote to memory of 4520   4804   cmd.exe      chcp.com
PID 4804 wrote to memory of 3656   4804   cmd.exe      PING.EXE
PID 4804 wrote to memory of 3656   4804   cmd.exe      PING.EXE
PID 4804 wrote to memory of 4252   4804   cmd.exe      chrome.exe
PID 4804 wrote to memory of 4252   4804   cmd.exe      chrome.exe
PID 4252 wrote to memory of 2900   4252   chrome.exe   schtasks.exe
PID 4252 wrote to memory of 2900   4252   chrome.exe   schtasks.exe
PID 4252 wrote to memory of 4800   4252   chrome.exe   cmd.exe
PID 4252 wrote to memory of 4800   4252   chrome.exe   cmd.exe
PID 4800 wrote to memory of 3300   4800   cmd.exe      chcp.com
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry: [nesting level] image path, then command line, triggered signatures and PID)

[1] C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3776
  [2] C:\Users\Admin\AppData\Roaming\chrome.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\chrome.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4616
    [3] C:\Windows\SYSTEM32\schtasks.exe
        cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
        PID: 2640
    [3] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 3332
      [4] C:\Windows\SYSTEM32\schtasks.exe
          cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
          PID: 1356
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiO2x4T1iMHw.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 2084
        [5] C:\Windows\system32\chcp.com
            cmdline: chcp 65001
            PID: 60
        [5] C:\Windows\system32\PING.EXE
            cmdline: ping -n 10 localhost
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2684
        [5] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1440
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
              PID: 5112
          [6] C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V5vYhonXox7B.bat" "
              - Suspicious use of WriteProcessMemory
              PID: 4228
            [7] C:\Windows\system32\chcp.com
                cmdline: chcp 65001
                PID: 4332
            [7] C:\Windows\system32\PING.EXE
                cmdline: ping -n 10 localhost
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
                PID: 4312
            [7] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 3780
              [8] C:\Windows\SYSTEM32\schtasks.exe
                  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                  - Scheduled Task/Job: Scheduled Task
                  PID: 5024
              [8] C:\Windows\system32\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rrH8RC6Cqb4U.bat" "
                  - Suspicious use of WriteProcessMemory
                  PID: 3636
                [9] C:\Windows\system32\chcp.com
                    cmdline: chcp 65001
                    PID: 4428
                [9] C:\Windows\system32\PING.EXE
                    cmdline: ping -n 10 localhost
                    - System Network Configuration Discovery: Internet Connection Discovery
                    - Runs ping.exe
                    PID: 1592
                [9] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                    cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 2776
                  [10] C:\Windows\SYSTEM32\schtasks.exe
                      cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                      - Scheduled Task/Job: Scheduled Task
                      PID: 5008
                  [10] C:\Windows\system32\cmd.exe
                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Jq6v8MQqba6.bat" "
                      - Suspicious use of WriteProcessMemory
                      PID: 2488
                    [11] C:\Windows\system32\chcp.com
                        cmdline: chcp 65001
                        PID: 1260
                    [11] C:\Windows\system32\PING.EXE
                        cmdline: ping -n 10 localhost
                        - System Network Configuration Discovery: Internet Connection Discovery
                        - Runs ping.exe
                        PID: 400
                    [11] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                        cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                        - Checks computer location settings
                        - Executes dropped EXE
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
                        PID: 2448
                      [12] C:\Windows\SYSTEM32\schtasks.exe
                          cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                          - Scheduled Task/Job: Scheduled Task
                          PID: 1556
                      [12] C:\Windows\system32\cmd.exe
                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaDly6luJKfo.bat" "
                          - Suspicious use of WriteProcessMemory
                          PID: 4804
                        [13] C:\Windows\system32\chcp.com
                            cmdline: chcp 65001
                            PID: 4520
                        [13] C:\Windows\system32\PING.EXE
                            cmdline: ping -n 10 localhost
                            - System Network Configuration Discovery: Internet Connection Discovery
                            - Runs ping.exe
                            PID: 3656
                        [13] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                            cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                            - Checks computer location settings
                            - Executes dropped EXE
                            - Suspicious use of AdjustPrivilegeToken
                            - Suspicious use of WriteProcessMemory
                            PID: 4252
                          [14] C:\Windows\SYSTEM32\schtasks.exe
                              cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                              - Scheduled Task/Job: Scheduled Task
                              PID: 2900
                          [14] C:\Windows\system32\cmd.exe
                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkRfqyzAeuC5.bat" "
                              - Suspicious use of WriteProcessMemory
                              PID: 4800
                            [15] C:\Windows\system32\chcp.com
                                cmdline: chcp 65001
                                PID: 3300
                            [15] C:\Windows\system32\PING.EXE
                                cmdline: ping -n 10 localhost
                                - System Network Configuration Discovery: Internet Connection Discovery
                                - Runs ping.exe
                                PID: 2928
                            [15] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                - Checks computer location settings
                                - Executes dropped EXE
                                - Suspicious use of AdjustPrivilegeToken
                                PID: 1812
                              [16] C:\Windows\SYSTEM32\schtasks.exe
                                  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                  - Scheduled Task/Job: Scheduled Task
                                  PID: 2800
                              [16] C:\Windows\system32\cmd.exe
                                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b4HPmBq25jFh.bat" "
                                  PID: 3780
                                [17] C:\Windows\system32\chcp.com
                                    cmdline: chcp 65001
                                    PID: 2772
                                [17] C:\Windows\system32\PING.EXE
                                    cmdline: ping -n 10 localhost
                                    - System Network Configuration Discovery: Internet Connection Discovery
                                    - Runs ping.exe
                                    PID: 2492
                                [17] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                    cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                    - Checks computer location settings
                                    - Executes dropped EXE
                                    - Suspicious use of AdjustPrivilegeToken
                                    PID: 2904
                                  [18] C:\Windows\SYSTEM32\schtasks.exe
                                      cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                      - Scheduled Task/Job: Scheduled Task
                                      PID: 2912
                                  [18] C:\Windows\system32\cmd.exe
                                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7wssTq9a2idU.bat" "
                                      PID: 2144
                                    [19] C:\Windows\system32\chcp.com
                                        cmdline: chcp 65001
                                        PID: 4768
                                    [19] C:\Windows\system32\PING.EXE
                                        cmdline: ping -n 10 localhost
                                        - System Network Configuration Discovery: Internet Connection Discovery
                                        - Runs ping.exe
                                        PID: 1176
                                    [19] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                        cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                        - Checks computer location settings
                                        - Executes dropped EXE
                                        - Suspicious use of AdjustPrivilegeToken
                                        PID: 4524
                                      [20] C:\Windows\SYSTEM32\schtasks.exe
                                          cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                          - Scheduled Task/Job: Scheduled Task
                                          PID: 1252
                                      [20] C:\Windows\system32\cmd.exe
                                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gLS8sxroRDz3.bat" "
                                          PID: 4724
                                        [21] C:\Windows\system32\chcp.com
                                            cmdline: chcp 65001
                                            PID: 1572
                                        [21] C:\Windows\system32\PING.EXE
                                            cmdline: ping -n 10 localhost
                                            - System Network Configuration Discovery: Internet Connection Discovery
                                            - Runs ping.exe
                                            PID: 3692
                                        [21] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                            cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                            - Checks computer location settings
                                            - Executes dropped EXE
                                            - Suspicious use of AdjustPrivilegeToken
                                            PID: 756
                                          [22] C:\Windows\SYSTEM32\schtasks.exe
                                              cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                              - Scheduled Task/Job: Scheduled Task
                                              PID: 624
                                          [22] C:\Windows\system32\cmd.exe
                                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cdiwTGuls5CO.bat" "
                                              PID: 2184
                                            [23] C:\Windows\system32\chcp.com
                                                cmdline: chcp 65001
                                                PID: 2440
                                            [23] C:\Windows\system32\PING.EXE
                                                cmdline: ping -n 10 localhost
                                                - System Network Configuration Discovery: Internet Connection Discovery
                                                - Runs ping.exe
                                                PID: 4204
                                            [23] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                - Checks computer location settings
                                                - Executes dropped EXE
                                                - Suspicious use of AdjustPrivilegeToken
                                                PID: 1156
                                              [24] C:\Windows\SYSTEM32\schtasks.exe
                                                  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                  - Scheduled Task/Job: Scheduled Task
                                                  PID: 2280
                                              [24] C:\Windows\system32\cmd.exe
                                                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lpZwYkFlSXLZ.bat" "
                                                  PID: 392
                                                [25] C:\Windows\system32\chcp.com
                                                    cmdline: chcp 65001
                                                    PID: 5044
                                                [25] C:\Windows\system32\PING.EXE
                                                    cmdline: ping -n 10 localhost
                                                    - System Network Configuration Discovery: Internet Connection Discovery
                                                    - Runs ping.exe
                                                    PID: 4120
                                                [25] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                    cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                    - Checks computer location settings
                                                    - Executes dropped EXE
                                                    - Suspicious use of AdjustPrivilegeToken
                                                    PID: 2904
                                                  [26] C:\Windows\SYSTEM32\schtasks.exe
                                                      cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                      - Scheduled Task/Job: Scheduled Task
                                                      PID: 3816
                                                  [26] C:\Windows\system32\cmd.exe
                                                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RPNiXERGK92f.bat" "
                                                      PID: 3924
                                                    [27] C:\Windows\system32\chcp.com
                                                        cmdline: chcp 65001
                                                        PID: 320
                                                    [27] C:\Windows\system32\PING.EXE
                                                        cmdline: ping -n 10 localhost
                                                        - System Network Configuration Discovery: Internet Connection Discovery
                                                        - Runs ping.exe
                                                        PID: 1896
                                                    [27] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                        cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                        - Checks computer location settings
                                                        - Executes dropped EXE
                                                        - Suspicious use of AdjustPrivilegeToken
                                                        PID: 4496
                                                      [28] C:\Windows\SYSTEM32\schtasks.exe
                                                          cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                          - Scheduled Task/Job: Scheduled Task
                                                          PID: 4832
                                                      [28] C:\Windows\system32\cmd.exe
                                                          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TdcC7oPPZfP2.bat" "
                                                          PID: 4712
                                                        [29] C:\Windows\system32\chcp.com
                                                            cmdline: chcp 65001
                                                            PID: 4520
                                                        [29] C:\Windows\system32\PING.EXE
                                                            cmdline: ping -n 10 localhost
                                                            - System Network Configuration Discovery: Internet Connection Discovery
                                                            - Runs ping.exe
                                                            PID: 4980
                                                        [29] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                            cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                            - Checks computer location settings
                                                            - Executes dropped EXE
                                                            - Suspicious use of AdjustPrivilegeToken
                                                            - Suspicious use of SetWindowsHookEx
                                                            PID: 4528
                                                          [30] C:\Windows\SYSTEM32\schtasks.exe
                                                              cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                              - Scheduled Task/Job: Scheduled Task
                                                              PID: 2644
                                                          [30] C:\Windows\system32\cmd.exe
                                                              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2xbX3CQyoIF.bat" "
                                                              PID: 4244
                                                            [31] C:\Windows\system32\chcp.com
                                                                cmdline: chcp 65001
                                                                PID: 4636
                                                            [31] C:\Windows\system32\PING.EXE
                                                                cmdline: ping -n 10 localhost
                                                                - System Network Configuration Discovery: Internet Connection Discovery
                                                                - Runs ping.exe
                                                                PID: 2960
                                                            [31] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                                                cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                                                - Checks computer location settings
                                                                - Executes dropped EXE
                                                                - Suspicious use of AdjustPrivilegeToken
                                                                PID: 1156
                                                              [32] C:\Windows\SYSTEM32\schtasks.exe
                                                                  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                                                  - Scheduled Task/Job: Scheduled Task
                                                                  PID: 3560
                                                              [32] C:\Windows\system32\cmd.exe
                                                                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YhXDXisMRfHD.bat" "
                                                                  PID: 2920
                                                                [33] C:\Windows\system32\chcp.com
                                                                    cmdline: chcp 65001
                                                                    PID: 3444
                                                                [33] C:\Windows\system32\PING.EXE
                                                                    cmdline: ping -n 10 localhost
                                                                    - System Network Configuration Discovery: Internet Connection Discovery
                                                                    - Runs ping.exe
                                                                    PID: 4388
  [2] C:\Users\Admin\AppData\Local\Temp\S^X.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4980
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 207B
MD5: f32de3802c6cbf6d3aba7f57874d7352
SHA1: 0ed829a6c433534236fb57d99db723a820e6990c
SHA256: fdb810e759620151d6d662fca1ef22d3c43b2b08d200fc939caf031ddbf70d5d
SHA512: f100e127021b4aaa8c93366f20920a6d392abde3c6d2cc0c93c0f8fba59ea4af8b5ade09d72326bdcb328caba3917ed01c21ee99a13de8226fd7203403e5211b

Filesize: 2.2MB
MD5: 2d86c4ad18524003d56c1cb27c549ba8
SHA1: 123007f9337364e044b87deacf6793c2027c8f47
SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Filesize: 207B
MD5: 1099cd0f80bcfd025ea4ca95d423b552
SHA1: 5eabd8742e7484e08cf8c79316c7028e36d4aa16
SHA256: b90f4d040240c821577bc7bf7baaa9b2697158405a6b7cc10177ce303f2c852e
SHA512: ae2c2106ae2968832fc924020b45ffcd60a99a9c92e70c4641625c4499fe7b37912f84bbf1ae0674ca23f3223b507921577a016743d1cf2fa05144c262ad143d

Filesize: 207B
MD5: 91e74abf3c49522f88ad2c44eec276e8
SHA1: 5324d3da7bc1850eca13bdafd1e88b1b80a42773
SHA256: 52d0d5357cbc0979462c70d7376259cea3b18d0ae8e8b8eb88d1dee5145ced91
SHA512: dabf95210618bec848217b7f6023c460ff7440ce6ddad893e465d11db99043aeb6a8bba39a904799bd299186acc4356433a09fa26f056af78e898a5faf9d7263

Filesize: 207B
MD5: 43ebd6e866d007f5c1a5301433fb3ca7
SHA1: cfc91b26b54685342ace9366b54ccd8a9d9b7109
SHA256: 8719916f0748a73dc37dd193e38ff8785f664fb0fbd926062e53832d2ed0da0b
SHA512: 3f52192218db1de75c42a6764645d2c87fd1f84e0c5da155a9c695113f762fac4f1855cf756fe01bcf2cc2067b36aa517769986ee0b6f56c0a659814118606c7

Filesize: 207B
MD5: d439eeaf720b1bc0e786f50f345f0418
SHA1: b12de7a5791ab234714b840aa0f172b8ed4de282
SHA256: 9d026d48a6cc04a568446fc003728fcf78903840f8e5c448852a930a55a0f562
SHA512: cf5b26da49245132ed1dc91b3fcc0f94f0213e5c39b57e978cf4dc2347e3b5c6b18a6042287b72ee87110f3fb487437aaaad639895dc70ec546b587c87f9fa26

Filesize: 207B
MD5: 898acd16a042ed1677d257cfedcde4c2
SHA1: e72c2856ea32bb6579ce88fa6d015252ae2052d4
SHA256: 858ad82fa85c24efbb56c53fd975026b0a7281cebe5f5c3a271d78b433347f05
SHA512: 5b8b660d80d6526d63586d1a3cb9a27516063af09a8955ffde477b924d3481e0d008c79c3c060320179f83fb673004e54c6a5b6577f622a05d0c15d66879f1a7

Filesize: 789KB
MD5: e2437ac017506bbde9a81fb1f618457b
SHA1: adef2615312b31e041ccf700b3982dd50b686c7f
SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Filesize: 207B
MD5: ee4b372d11bd9cfdb97a1a956640a9a7
SHA1: 042042b747966bc2cef0aa71aa61aedf8949d1d2
SHA256: 8fd4ed1bc683e0238b5aaf0346d4f4ad2c38f40fc0cd5cddbdee6959cec1d4f8
SHA512: ab5afe2afa9060ec380c1c2440be2d932d0271d4e7a87f87f614911212b3b5f5c5db835a032dddef1f8d913558182a783c58050449366b0c82448071c3a274a1

Filesize: 207B
MD5: b6f3d4c6ba905d99aeca54c8864de6ec
SHA1: 3b75c3d52ae850cbbe71c8666b2571dca27eac2f
SHA256: a6eb8de8d9dab52ea770d95dac9184f717b06428daa3208261c539249455a343
SHA512: ee493f7e6b476f8921e37816683f532af412e699b58beab903ba636843c05df04699dac2fd149f6b9b8a479ffeea35449b41bd5de4bf1920a8b90cd54a6a59ce

Filesize: 207B
MD5: afdef4dba7493b79d32d251afe2cd794
SHA1: 384a56c375565142ba7edc55d39c177ec15cc157
SHA256: 6ed84fcad8888d3c1758b3bdfa3e6991c037f09bebf4b5343e4ca4b236e0ce89
SHA512: 9bc87d93d85064f2bb82306871c729a4ab3aa4847b39cd8ca060fe6f28f73926b900dc7d3fa90302f0a2478adfc1a5c3d3111e69f9b89ce474518bed1132b64c

Filesize: 207B
MD5: 27f2a94137619ccdbb7858d263410058
SHA1: aa558a6da002d5738139c66c8583784c44291d8a
SHA256: 628ff10c33fb53e5e4403304523bca9d413d5350a56ac678623f0798c0d308f0
SHA512: f4f344796e00554014c229fc3bb410c4e8305b495db2292e2cec0d303e3120f612fd3f27905e0ed10bce5b7a31273bdca3883ecdd27aa53698935b2b310f9752

Filesize: 207B
MD5: 442e9156b557f1eb3b0e15e5964c05b4
SHA1: c5278a33b21b1b639f8bcef1e23a70ff5d090ff8
SHA256: 6a2c8161d1b771747a3c0fefbb8713e6fed01d0b8d3e3a49ff64945846e975e9
SHA512: 9d4a2c14e2d6474f5e4e90971cf1cf436c4461d7d771d00eedba05a3243548fa8c951be9140444dc4de463e6459caf1237fdcdf96d243ca8768e1ed394090016

Filesize: 207B
MD5: 007b524401a4e293868e5706d69079f2
SHA1: a1ba39298b6c8b7ba4abf5f60959208057a394b9
SHA256: 4bc9994a35c11b1f78a55078403eb20ec3619e46da0d6958c013691f73df6a6c
SHA512: f3efec4df7da7b859b855396166c01c6cfbbc9b5fed95ea107e7510ad0e1eb91736e93648a0af9945f4706be45b530495e50866034b911d6429d610b96a365ee

Filesize: 207B
MD5: c73f161d233f51c299aaae240a535b3f
SHA1: 321f0c8b9deae1a9b0749f4f0e5a7cc92a285ccd
SHA256: 22381321819aebac6f48759195bbf5e048d4f7680195a9a2af2473750fb4db2a
SHA512: a63d16a7b3d8ab291c6472ab048ef5b0dbe745e7394f5edabf30f2d2f3046cb21b99232644b899dcadc89cdce1b1be4cccab7e2f5a1da9fda7b84dcd2e970020

Filesize: 207B
MD5: 9ff22bfff9b76d0d0f018c41b6cf075f
SHA1: 3c300bd8b08f44efa89a6439755ad794a9722f19
SHA256: 3112a35c44ff78b51c439b5746f73a09ff623e5bcb64950e68e3b948c3ede5e1
SHA512: 580e1142a8131d1f8ff0e21c6eaba6d401248a61a2946ddc7ce9c9bd9bf98c09726d47c8a72e020ed91c32860d90ed75d72cfdb2af5c9182b0ad6b4059c002f1

Filesize: 207B
MD5: 01ed264a01942d159c428e62cabf2543
SHA1: 7fb7ca8c4a7acb4ed6d3a3cc64514e26f7d67dfe
SHA256: c43bc14b24811cd901fb437a334e2f67beb0594f7a97e9a78f4ef255fffc7b60
SHA512: bbd49c870137544c25996d6ce1626eefe0c77910f67842ca87057c2b42b0619098eb3a9f6dfcf16807727454c1ac2c10f5e52bd5ed33237809bbd204afe2aad1

Filesize: 502KB
MD5: 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1: 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256: 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512: 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c