Analysis
  max time kernel: 149s
  max time network: 146s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 01-09-2024 17:10

Behavioral task: behavioral1
  Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  Resource: win7-20240704-en
General
  Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  Size: 6.1MB
  MD5: 03778d811f241e83ccad830372313b3c
  SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
  SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
  SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
  SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
  family: quasar
  version: 1.4.0
  botnet: Chrome
  C2: live.nodenet.ml:8863
  mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
  attributes:
    encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
    install_name: chrome.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: System
    subdirectory: chrome
Signatures

Quasar payload (11 IoCs)
Processes:
  resource                                                                       yara_rule
  \Users\Admin\AppData\Roaming\chrome.exe                                        family_quasar
  behavioral1/memory/2744-42-0x0000000000930000-0x00000000009B4000-memory.dmp    family_quasar
  behavioral1/memory/2580-47-0x0000000000CC0000-0x0000000000D44000-memory.dmp    family_quasar
  behavioral1/memory/2832-58-0x0000000000130000-0x00000000001B4000-memory.dmp    family_quasar
  behavioral1/memory/936-69-0x00000000012D0000-0x0000000001354000-memory.dmp     family_quasar
  behavioral1/memory/2924-91-0x0000000001360000-0x00000000013E4000-memory.dmp    family_quasar
  behavioral1/memory/2636-102-0x00000000000C0000-0x0000000000144000-memory.dmp   family_quasar
  behavioral1/memory/808-113-0x00000000002C0000-0x0000000000344000-memory.dmp    family_quasar
  behavioral1/memory/2964-124-0x00000000000A0000-0x0000000000124000-memory.dmp   family_quasar
  behavioral1/memory/1576-135-0x0000000001060000-0x00000000010E4000-memory.dmp   family_quasar
  behavioral1/memory/2320-157-0x0000000001120000-0x00000000011A4000-memory.dmp   family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                              process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Executes dropped EXE (13 IoCs)
Processes:
  pid    process
  2744   chrome.exe
  2360   S^X.exe
  2580   chrome.exe
  2832   chrome.exe
  936    chrome.exe
  1860   chrome.exe
  2924   chrome.exe
  2636   chrome.exe
  808    chrome.exe
  2964   chrome.exe
  1576   chrome.exe
  2508   chrome.exe
  2320   chrome.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid    process
  1656   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  1656   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  1656   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Obfuscated with Agile.Net obfuscator (7 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1656-1-0x0000000000E80000-0x0000000001494000-memory.dmp     agile_net
  behavioral1/memory/1656-2-0x0000000005270000-0x0000000005882000-memory.dmp     agile_net
  behavioral1/memory/1656-16-0x0000000005270000-0x000000000587C000-memory.dmp    agile_net
  behavioral1/memory/1656-15-0x0000000005270000-0x000000000587C000-memory.dmp    agile_net
  behavioral1/memory/1656-18-0x0000000005270000-0x000000000587C000-memory.dmp    agile_net
  behavioral1/memory/1656-20-0x0000000005270000-0x000000000587C000-memory.dmp    agile_net
  behavioral1/memory/1656-22-0x0000000005270000-0x000000000587C000-memory.dmp    agile_net

Processes:
  resource                                                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll       themida
  behavioral1/memory/1656-10-0x0000000074100000-0x0000000074708000-memory.dmp                    themida
  behavioral1/memory/1656-13-0x0000000074100000-0x0000000074708000-memory.dmp                    themida
  behavioral1/memory/1656-11-0x0000000074100000-0x0000000074708000-memory.dmp                    themida
  behavioral1/memory/1656-41-0x0000000074100000-0x0000000074708000-memory.dmp                    themida
Checks whether UAC is enabled
Processes:
  description         ioc                                                                              process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid    process
  1656   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  S^X.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 10 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Processes:
  pid    process
  604    PING.EXE
  1664   PING.EXE
  2720   PING.EXE
  2172   PING.EXE
  1720   PING.EXE
  3048   PING.EXE
  2416   PING.EXE
  1356   PING.EXE
  2476   PING.EXE
  1560   PING.EXE

Runs ping.exe (1 TTP, 10 IoCs)
Processes:
  pid    process
  1720   PING.EXE
  1560   PING.EXE
  2416   PING.EXE
  1356   PING.EXE
  604    PING.EXE
  2476   PING.EXE
  2720   PING.EXE
  1664   PING.EXE
  2172   PING.EXE
  3048   PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 11 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid    process
  3016   schtasks.exe
  2900   schtasks.exe
  808    schtasks.exe
  2236   schtasks.exe
  1016   schtasks.exe
  2604   schtasks.exe
  2024   schtasks.exe
  1616   schtasks.exe
  1804   schtasks.exe
  2180   schtasks.exe
  2196   schtasks.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2744   chrome.exe
  Token: SeDebugPrivilege   2580   chrome.exe
  Token: SeDebugPrivilege   2360   S^X.exe
  Token: SeDebugPrivilege   2832   chrome.exe
  Token: SeDebugPrivilege   936    chrome.exe
  Token: SeDebugPrivilege   1860   chrome.exe
  Token: SeDebugPrivilege   2924   chrome.exe
  Token: SeDebugPrivilege   2636   chrome.exe
  Token: SeDebugPrivilege   808    chrome.exe
  Token: SeDebugPrivilege   2964   chrome.exe
  Token: SeDebugPrivilege   1576   chrome.exe
  Token: SeDebugPrivilege   2508   chrome.exe
  Token: SeDebugPrivilege   2320   chrome.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
Processes:
  pid    process
  2580   chrome.exe
  2832   chrome.exe
  936    chrome.exe
  1860   chrome.exe
  2924   chrome.exe
  2636   chrome.exe
  808    chrome.exe
  2964   chrome.exe
  1576   chrome.exe
  2508   chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical repeated events are collapsed; the count column gives the number of recorded events per row, 64 in total):
  description                        pid    process                                                                 target process   count
  PID 1656 wrote to memory of 2744   1656   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe   chrome.exe       4
  PID 1656 wrote to memory of 2360   1656   95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe   S^X.exe          4
  PID 2744 wrote to memory of 808    2744   chrome.exe                                                              schtasks.exe     3
  PID 2744 wrote to memory of 2580   2744   chrome.exe                                                              chrome.exe       3
  PID 2580 wrote to memory of 1804   2580   chrome.exe                                                              schtasks.exe     3
  PID 2580 wrote to memory of 2080   2580   chrome.exe                                                              cmd.exe          3
  PID 2080 wrote to memory of 860    2080   cmd.exe                                                                 chcp.com         3
  PID 2080 wrote to memory of 2416   2080   cmd.exe                                                                 PING.EXE         3
  PID 2080 wrote to memory of 2832   2080   cmd.exe                                                                 chrome.exe       3
  PID 2832 wrote to memory of 2236   2832   chrome.exe                                                              schtasks.exe     3
  PID 2832 wrote to memory of 1564   2832   chrome.exe                                                              cmd.exe          3
  PID 1564 wrote to memory of 1868   1564   cmd.exe                                                                 chcp.com         3
  PID 1564 wrote to memory of 1356   1564   cmd.exe                                                                 PING.EXE         3
  PID 1564 wrote to memory of 936    1564   cmd.exe                                                                 chrome.exe       3
  PID 936 wrote to memory of 2180    936    chrome.exe                                                              schtasks.exe     3
  PID 936 wrote to memory of 2632    936    chrome.exe                                                              cmd.exe          3
  PID 2632 wrote to memory of 1568   2632   cmd.exe                                                                 chcp.com         3
  PID 2632 wrote to memory of 604    2632   cmd.exe                                                                 PING.EXE         3
  PID 2632 wrote to memory of 1860   2632   cmd.exe                                                                 chrome.exe       3
  PID 1860 wrote to memory of 1016   1860   chrome.exe                                                              schtasks.exe     3
  PID 1860 wrote to memory of 1960   1860   chrome.exe                                                              cmd.exe          2
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; the number in brackets is the nesting depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1656

  [2] C:\Users\Admin\AppData\Roaming\chrome.exe
    command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2744

    [3] C:\Windows\system32\schtasks.exe
      command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
      PID: 808

    [3] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
      command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2580

      [4] C:\Windows\system32\schtasks.exe
        command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
        PID: 1804

      [4] C:\Windows\system32\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bz3AWt8oY2aQ.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 2080

        [5] C:\Windows\system32\chcp.com
          command line: chcp 65001
          PID: 860

        [5] C:\Windows\system32\PING.EXE
          command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2416

        [5] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
          command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2832

          [6] C:\Windows\system32\schtasks.exe
            command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
            PID: 2236

          [6] C:\Windows\system32\cmd.exe
            command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\yrbda5kaVozl.bat" "
            - Suspicious use of WriteProcessMemory
            PID: 1564

            [7] C:\Windows\system32\chcp.com
              command line: chcp 65001
              PID: 1868

            [7] C:\Windows\system32\PING.EXE
              command line: ping -n 10 localhost
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 1356

            [7] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
              command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 936

              [8] C:\Windows\system32\schtasks.exe
                command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                - Scheduled Task/Job: Scheduled Task
                PID: 2180

              [8] C:\Windows\system32\cmd.exe
                command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\xVZDeGPCutad.bat" "
                - Suspicious use of WriteProcessMemory
                PID: 2632

                [9] C:\Windows\system32\chcp.com
                  command line: chcp 65001
                  PID: 1568

                [9] C:\Windows\system32\PING.EXE
                  command line: ping -n 10 localhost
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 604

                [9] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                  PID: 1860

                  [10] C:\Windows\system32\schtasks.exe
                    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                    - Scheduled Task/Job: Scheduled Task
                    PID: 1016

                  [10] C:\Windows\system32\cmd.exe
                    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\P9YXCd5EWDtV.bat" "
                    PID: 1960

                    [11] C:\Windows\system32\chcp.com
                      command line: chcp 65001
                      PID: 1740

                    [11] C:\Windows\system32\PING.EXE
                      command line: ping -n 10 localhost
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                      PID: 1664

                    [11] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                      command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of SetWindowsHookEx
                      PID: 2924

                      [12] C:\Windows\system32\schtasks.exe
                        command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                        - Scheduled Task/Job: Scheduled Task
                        PID: 3016

                      [12] C:\Windows\system32\cmd.exe
                        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGLMQktY2KHP.bat" "
                        PID: 1588

                        [13] C:\Windows\system32\chcp.com
                          command line: chcp 65001
                          PID: 2248

                        [13] C:\Windows\system32\PING.EXE
                          command line: ping -n 10 localhost
                          - System Network Configuration Discovery: Internet Connection Discovery
                          - Runs ping.exe
                          PID: 2476

                        [13] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                          command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                          - Executes dropped EXE
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of SetWindowsHookEx
                          PID: 2636

                          [14] C:\Windows\system32\schtasks.exe
                            command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                            - Scheduled Task/Job: Scheduled Task
                            PID: 2196

                          [14] C:\Windows\system32\cmd.exe
                            command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD7ipbXdbMFk.bat" "
                            PID: 2480

                            [15] C:\Windows\system32\chcp.com
                              command line: chcp 65001
                              PID: 2836

                            [15] C:\Windows\system32\PING.EXE
                              command line: ping -n 10 localhost
                              - System Network Configuration Discovery: Internet Connection Discovery
                              - Runs ping.exe
                              PID: 2720

                            [15] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                              command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                              - Executes dropped EXE
                              - Suspicious use of AdjustPrivilegeToken
                              - Suspicious use of SetWindowsHookEx
                              PID: 808

                              [16] C:\Windows\system32\schtasks.exe
                                command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                - Scheduled Task/Job: Scheduled Task
                                PID: 2604

                              [16] C:\Windows\system32\cmd.exe
                                command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0afyonzdGBtO.bat" "
                                PID: 2740

                                [17] C:\Windows\system32\chcp.com
                                  command line: chcp 65001
                                  PID: 856

                                [17] C:\Windows\system32\PING.EXE
                                  command line: ping -n 10 localhost
                                  - System Network Configuration Discovery: Internet Connection Discovery
                                  - Runs ping.exe
                                  PID: 2172

                                [17] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                  - Executes dropped EXE
                                  - Suspicious use of AdjustPrivilegeToken
                                  - Suspicious use of SetWindowsHookEx
                                  PID: 2964

                                  [18] C:\Windows\system32\schtasks.exe
                                    command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                    - Scheduled Task/Job: Scheduled Task
                                    PID: 2024

                                  [18] C:\Windows\system32\cmd.exe
                                    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEv4f61mmJYv.bat" "
                                    PID: 2828

                                    [19] C:\Windows\system32\chcp.com
                                      command line: chcp 65001
                                      PID: 1808

                                    [19] C:\Windows\system32\PING.EXE
                                      command line: ping -n 10 localhost
                                      - System Network Configuration Discovery: Internet Connection Discovery
                                      - Runs ping.exe
                                      PID: 1720

                                    [19] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                      command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                      - Executes dropped EXE
                                      - Suspicious use of AdjustPrivilegeToken
                                      - Suspicious use of SetWindowsHookEx
                                      PID: 1576

                                      [20] C:\Windows\system32\schtasks.exe
                                        command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                        - Scheduled Task/Job: Scheduled Task
                                        PID: 2900

                                      [20] C:\Windows\system32\cmd.exe
                                        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pzIxfgvrtSPC.bat" "
                                        PID: 2180

                                        [21] C:\Windows\system32\chcp.com
                                          command line: chcp 65001
                                          PID: 2600

                                        [21] C:\Windows\system32\PING.EXE
                                          command line: ping -n 10 localhost
                                          - System Network Configuration Discovery: Internet Connection Discovery
                                          - Runs ping.exe
                                          PID: 3048

                                        [21] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                          command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                          - Executes dropped EXE
                                          - Suspicious use of AdjustPrivilegeToken
                                          - Suspicious use of SetWindowsHookEx
                                          PID: 2508

                                          [22] C:\Windows\system32\schtasks.exe
                                            command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
                                            - Scheduled Task/Job: Scheduled Task
                                            PID: 1616

                                          [22] C:\Windows\system32\cmd.exe
                                            command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4UB414t02g6y.bat" "
                                            PID: 2032

                                            [23] C:\Windows\system32\chcp.com
                                              command line: chcp 65001
                                              PID: 944

                                            [23] C:\Windows\system32\PING.EXE
                                              command line: ping -n 10 localhost
                                              - System Network Configuration Discovery: Internet Connection Discovery
                                              - Runs ping.exe
                                              PID: 1560

                                            [23] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                                              command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                                              - Executes dropped EXE
                                              - Suspicious use of AdjustPrivilegeToken
                                              PID: 2320

  [2] C:\Users\Admin\AppData\Local\Temp\S^X.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2360
MITRE ATT&CK Enterprise v15
Downloads