Analysis

  max time kernel:   150s
  max time network:  151s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         01-09-2024 17:10

Behavioral task: behavioral1
  Sample:    95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  Resource:  win7-20240704-en
General

  Target:  95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  Size:    6.1MB
  MD5:     03778d811f241e83ccad830372313b3c
  SHA1:    11962399abf7fc0981f324e4aa5271f36f50c5ba
  SHA256:  95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
  SHA512:  2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
  SSDEEP:  98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config

Extracted: quasar
  version:          1.4.0
  tag:              Chrome
  c2:               live.nodenet.ml:8863
  mutex:            754ce6d6-f75b-4c6f-964c-3996e749369e
  encryption_key:   8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
  install_name:     chrome.exe
  log_directory:    Logs
  reconnect_delay:  3000
  startup_key:      System
  subdirectory:     chrome

The first four values are unlabelled in the extractor output; the labels above follow the Quasar 1.4.0 client settings layout (version string, campaign tag, host:port, GUID-form mutex). The remaining fields line up with the process tree below: subdirectory "chrome" plus install_name "chrome.exe" give the install path C:\Users\Admin\AppData\Roaming\chrome\chrome.exe, and startup_key "System" is the name of the scheduled task every instance creates.
Signatures

In the lists below, "the sample" denotes 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe (PID 1536).

Quasar payload  (2 IoCs)
  yara_rule family_quasar  C:\Users\Admin\AppData\Roaming\chrome.exe
  yara_rule family_quasar  behavioral2/memory/4236-50-0x0000000000610000-0x0000000000694000-memory.dmp

Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 1 IoC)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  by the sample

Checks BIOS information in registry  (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  by the sample
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   by the sample

Checks computer location settings  (2 TTPs, 16 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation
    by chrome.exe (15 instances) and by the sample (1 instance)

Executes dropped EXE  (17 IoCs)
  chrome.exe  PIDs 4236, 2900, 2816, 4128, 1436, 1984, 2420, 824, 4304, 2832, 2192, 3940, 3720, 3652, 4560, 1652
  S^X.exe     PID 3644

Loads dropped DLL  (1 IoC)
  the sample  PID 1536

Obfuscated with Agile.Net obfuscator  (7 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  yara_rule agile_net  behavioral2/memory/1536-1-0x0000000000A40000-0x0000000001054000-memory.dmp
  yara_rule agile_net  behavioral2/memory/1536-2-0x0000000005A10000-0x0000000006022000-memory.dmp
  yara_rule agile_net  behavioral2/memory/1536-15-0x0000000005A10000-0x000000000601C000-memory.dmp
  yara_rule agile_net  behavioral2/memory/1536-16-0x0000000005A10000-0x000000000601C000-memory.dmp
  yara_rule agile_net  behavioral2/memory/1536-18-0x0000000005A10000-0x000000000601C000-memory.dmp
  yara_rule agile_net  behavioral2/memory/1536-20-0x0000000005A10000-0x000000000601C000-memory.dmp
  yara_rule agile_net  behavioral2/memory/1536-22-0x0000000005A10000-0x000000000601C000-memory.dmp

themida (YARA rule match)  (5 IoCs)
  yara_rule themida  C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
  yara_rule themida  behavioral2/memory/1536-11-0x0000000071E70000-0x0000000072478000-memory.dmp
  yara_rule themida  behavioral2/memory/1536-12-0x0000000071E70000-0x0000000072478000-memory.dmp
  yara_rule themida  behavioral2/memory/1536-13-0x0000000071E70000-0x0000000072478000-memory.dmp
  yara_rule themida  behavioral2/memory/1536-56-0x0000000071E70000-0x0000000072478000-memory.dmp
  The match is on the Agile.Net runtime DLL dropped to %TEMP% and on its mapping inside the sample's process (PID 1536), not on the Quasar payload, which the family_quasar rule places in PID 4236.

Checks whether UAC is enabled  (1 IoC)
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  by the sample

Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoC)
  the sample  PID 1536

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery  (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by S^X.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by the sample
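The registry reads recorded above (the VirtualBox ACPI table, the two BIOS version strings, the Geo\Nation country code, EnableLUA and NLS\Language) are each unremarkable on their own; the indicator is one freshly executed binary touching all of them within seconds of starting. The Python below is an added example, not part of this sandbox report or of Quasar: it takes registry-access events in the NT-native path form the report uses, maps each to the evasion or profiling behaviour it indicates, rewrites the key to HKLM/HKU form for follow-up, and gives a per-process verdict. The events are constructed from the report's rows; the pid-900 explorer.exe event is an invented negative control.

```python
import re

# Registry paths in the NT-native form a kernel trace (and the report above)
# reports, each mapped to the behaviour it indicates. The HKU SID and the
# ControlSet number are matched generically.
REGISTRY_RULES = [
    (r"\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__", "anti_vm:virtualbox_acpi_table"),
    (r"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion",
     "anti_sandbox:bios_version_strings"),
    (r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "profiling:uac_enabled"),
    (r"\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Control Panel\\International\\Geo\\Nation",
     "geofence:country_code"),
    (r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d{3}\\Control\\NLS\\Language",
     "geofence:system_language"),
]
COMPILED_RULES = [(re.compile(p, re.IGNORECASE), tag) for p, tag in REGISTRY_RULES]


def to_hive_path(native_path):
    """Rewrite the \\REGISTRY\\MACHINE / \\REGISTRY\\USER prefix to HKLM / HKU so the
    key can be pasted into reg.exe or matched against Sysmon's TargetObject."""
    upper = native_path.upper()
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if upper.startswith(prefix):
            return hive + native_path[len(prefix):]
    return native_path


def verdict(tags):
    """Anti-VM / anti-sandbox reads are a stronger signal than geofencing or UAC
    profiling, which plenty of legitimate installers also do."""
    if any(t.startswith(("anti_vm:", "anti_sandbox:")) for t in tags):
        return "likely anti-analysis"
    return "environment profiling" if tags else "none"


def classify_registry_access(events):
    """Group matching registry reads per PID; attach tags, the HKLM/HKU form of
    each key and a verdict. Processes with no matching read are omitted."""
    per_pid = {}
    for ev in events:
        for pattern, tag in COMPILED_RULES:
            if pattern.search(ev["key"]):
                entry = per_pid.setdefault(ev["pid"], {"image": ev["image"], "tags": set(), "keys": set()})
                entry["tags"].add(tag)
                entry["keys"].add(to_hive_path(ev["key"]))
    for entry in per_pid.values():
        entry["verdict"] = verdict(entry["tags"])
    return per_pid


# Constructed events mirroring the report's rows; pid 900 is an invented benign control.
SAMPLE = "95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
SID = "S-1-5-21-2412658365-3084825385-3340777666-1000"
GEO_KEY = r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID
SAMPLE_EVENTS = [
    {"pid": 1536, "image": SAMPLE, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 1536, "image": SAMPLE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 1536, "image": SAMPLE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 1536, "image": SAMPLE, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"pid": 1536, "image": SAMPLE, "key": GEO_KEY},
    {"pid": 1536, "image": SAMPLE, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 3644, "image": "S^X.exe", "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 4236, "image": "chrome.exe", "key": GEO_KEY},
    {"pid": 900, "image": "explorer.exe", "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"},
]

if __name__ == "__main__":
    for pid, entry in sorted(classify_registry_access(SAMPLE_EVENTS).items()):
        print(pid, entry["image"], entry["verdict"], sorted(entry["tags"]))
```

The verdict deliberately separates the two tiers: a Geo\Nation or EnableLUA read alone is "environment profiling" and should only raise severity when combined with other findings, whereas the VBOX__ ACPI table and the BIOS version strings have no ordinary reason to be read by a user-mode binary seconds after it starts.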
System Network Configuration Discovery: Internet Connection Discovery  (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE  PIDs 448, 884, 1316, 1904, 2332, 2428, 2796, 3256, 3484, 3548, 3776, 4280, 4376, 4464, 4872
  Every instance here is "ping -n 10 localhost" (see the process tree): a roughly ten-second sleep before the relaunch, not a connectivity check.

Runs ping.exe  (1 TTP, 15 IoCs)
  PING.EXE  the same 15 instances as above

Scheduled Task/Job: Scheduled Task  (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe  PIDs 376, 1220, 1656, 1656, 1700, 1860, 1864, 2180, 2204, 2472, 2728, 2928, 3688, 3904, 4044, 4740
  (1656 is listed twice: the PID was reused during the run.)

Suspicious use of AdjustPrivilegeToken  (17 IoCs)
  Token: SeDebugPrivilege
  chrome.exe  PIDs 4236, 2900, 2816, 4128, 1436, 1984, 2420, 824, 4304, 2832, 2192, 3940, 3720, 3652, 4560, 1652
  S^X.exe     PID 3644

Suspicious use of WriteProcessMemory  (64 IoCs; the list ends at the 64th entry, mid-cycle)
  PID 1536 (the sample)           wrote to  4236 chrome.exe (x2), 3644 S^X.exe (x3)
  PID 4236 (chrome.exe)           wrote to  2204 schtasks.exe (x2), 2900 chrome.exe (x2)
  PID 2900 (chrome.exe)           wrote to  3904 schtasks.exe (x2), 3452 cmd.exe (x2)
  PID 3452 (cmd.exe)              wrote to  1904 chcp.com (x2), 2796 PING.EXE (x2), 2816 chrome.exe (x2)
  PID 2816 (chrome.exe)           wrote to  2472 schtasks.exe (x2), 3296 cmd.exe (x2)
  PID 3296 (cmd.exe)              wrote to  2148 chcp.com (x2), 4280 PING.EXE (x2), 4128 chrome.exe (x2)
  PID 4128 (chrome.exe)           wrote to  1656 schtasks.exe (x2), 2024 cmd.exe (x2)
  PID 2024 (cmd.exe)              wrote to  4640 chcp.com (x2), 3548 PING.EXE (x2), 1436 chrome.exe (x2)
  PID 1436 (chrome.exe)           wrote to  1220 schtasks.exe (x2), 4236 cmd.exe (x2)
  PID 4236 (cmd.exe, PID reused)  wrote to  3904 chcp.com (x2), 884 PING.EXE (x2), 1984 chrome.exe (x2)
  PID 1984 (chrome.exe)           wrote to  1700 schtasks.exe (x2), 116 cmd.exe (x2)
  PID 116 (cmd.exe)               wrote to  1900 chcp.com (x2), 1316 PING.EXE (x2), 2420 chrome.exe (x2)
  PID 2420 (chrome.exe)           wrote to  2728 schtasks.exe (x2), 2864 cmd.exe (x2)
  PID 2864 (cmd.exe)              wrote to  396 chcp.com (x1; list truncated here)
  Two writes per child are the normal side-effect of CreateProcess (the parent fills in the new process's memory before its first thread runs); the signal is the chain of parents, not the count.

Uses Task Scheduler COM API  (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The tree is linear: each chrome.exe instance re-registers the "System" logon task and then runs a batch file that relaunches chrome.exe one level deeper, down to depth 33 where the run ends. Depth is given in brackets.

[1] C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe  (PID 1536)
    cmdline:    "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
    signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\chrome.exe  (PID 4236)
      cmdline:    "C:\Users\Admin\AppData\Roaming\chrome.exe"
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SYSTEM32\schtasks.exe  (PID 2204)
        cmdline:    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
        signatures: Scheduled Task/Job: Scheduled Task

    [3] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe  (PID 2900)
        cmdline:    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      From here on the same cycle repeats. Each C:\Users\Admin\AppData\Roaming\chrome\chrome.exe instance at depth d spawns:

        [d+1] C:\Windows\SYSTEM32\schtasks.exe
              cmdline:    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
              signatures: Scheduled Task/Job: Scheduled Task
        [d+1] C:\Windows\system32\cmd.exe
              cmdline:    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\<batch file>.bat" "
              signatures: Suspicious use of WriteProcessMemory (recorded for the cmd.exe instances at depths 4 to 14 only; the signature's 64-entry list ends there)
          [d+2] C:\Windows\system32\chcp.com
                cmdline:    chcp 65001
          [d+2] C:\Windows\system32\PING.EXE
                cmdline:    ping -n 10 localhost
                signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
          [d+2] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
                cmdline:    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
                signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory (recorded for the chrome.exe instances at depths 3 to 13 only)

      PIDs and batch file names per cycle:

        depth  chrome.exe  schtasks  cmd.exe  batch file         chcp  PING  next chrome.exe (depth+2)
        3      2900        3904      3452     GsAHwsMgIOz9.bat   1904  2796  2816
        5      2816        2472      3296     CxsC39WyHBs6.bat   2148  4280  4128
        7      4128        1656      2024     lNoRR79K7Lhp.bat   4640  3548  1436
        9      1436        1220      4236     nwdBmMPJAY7a.bat   3904  884   1984
        11     1984        1700      116      IYAD1SECwfRK.bat   1900  1316  2420
        13     2420        2728      2864     rVWEMd85hHGA.bat   396   2428  824
        15     824         1864      4120     Lp8aO7c98pbJ.bat   4632  4872  4304
        17     4304        1656      4640     novjz7wz4GUI.bat   3684  4376  2832
        19     2832        2180      948      aevjuYchZ1Qz.bat   1220  448   2192
        21     2192        376       4836     19XoeLe7pZ8B.bat   4432  1904  3940
        23     3940        1860      4380     oVV7QK3VHmv9.bat   2584  3484  3720
        25     3720        4044      1640     sekEobJ8H1gY.bat   2348  3256  3652
        27     3652        4740      2816     GuS8iIKcvssh.bat   4632  4464  4560
        29     4560        3688      4904     00gyt9fsGQWN.bat   3444  2332  1652
        31     1652        2928      756      8f1YoER9weCL.bat   3416  3776  (none recorded)

  [2] C:\Users\Admin\AppData\Local\Temp\S^X.exe  (PID 3644)
      cmdline:    "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
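The process tree shows the Quasar client's restart loop: every chrome.exe instance re-registers the "System" logon task at the highest run level, then hands off to a batch file that switches the console code page (chcp 65001), sleeps about ten seconds with "ping -n 10 localhost", and starts chrome.exe again, which repeats the cycle. The Python below is an added example, not part of the sandbox report or of Quasar: it runs three detections over Sysmon-style process-creation events (a logon-triggered, highest-privilege scheduled task whose action lives in a user-writable path; a browser-named binary running outside Chrome's install directory; and the cmd.exe -> chcp/ping -> relaunch chain). The events are constructed from the first cycle of the tree above; the parent of the initial sample (ppid 0, unknown) and the benign "Backup" task at the end are assumptions used as a negative control, not data from the report.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon event 1 style) modelled on the
# first restart cycle of the tree above; PIDs, images and command lines are
# taken from it. Not from the report: the sample's own parent (ppid 0) and
# the benign "Backup" task used as a negative control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
CHROME_A = r"C:\Users\Admin\AppData\Roaming\chrome.exe"
CHROME_B = r"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"
TASK = '"schtasks" /create /tn "System" /sc ONLOGON /tr "%s" /rl HIGHEST /f'
SAMPLE_EVENTS = [
    {"pid": 1536, "ppid": 0,    "image": SAMPLE,   "cmdline": '"%s"' % SAMPLE},
    {"pid": 4236, "ppid": 1536, "image": CHROME_A, "cmdline": '"%s"' % CHROME_A},
    {"pid": 2204, "ppid": 4236, "image": SCHTASKS, "cmdline": TASK % CHROME_A},
    {"pid": 2900, "ppid": 4236, "image": CHROME_B, "cmdline": '"%s"' % CHROME_B},
    {"pid": 3904, "ppid": 2900, "image": SCHTASKS, "cmdline": TASK % CHROME_B},
    {"pid": 3452, "ppid": 2900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAHwsMgIOz9.bat" "'},
    {"pid": 1904, "ppid": 3452, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 2796, "ppid": 3452, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 2816, "ppid": 3452, "image": CHROME_B, "cmdline": '"%s"' % CHROME_B},
    {"pid": 5000, "ppid": 4000, "image": SCHTASKS,  # assumed benign control
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
BAT_IN_TEMP = re.compile(r'/c\s+"*[^"]*\\Temp\\[^"]+\.bat', re.I)
# Chrome's real location, machine-wide or per-user: ...\Google\Chrome\Application\chrome.exe
CHROME_INSTALL = re.compile(r"\\Google\\Chrome\\Application\\chrome\.exe$", re.I)


def base(image):
    return image.rsplit("\\", 1)[-1].lower()


def flag_schtasks(ev):
    """Logon-triggered task at highest run level whose action is a binary in a user-writable path."""
    c = ev["cmdline"]
    if base(ev["image"]) != "schtasks.exe" or not re.search(r"/create\b", c, re.I):
        return None
    m = TASK_ACTION.search(c)
    target = (m.group(1) or m.group(2)) if m else ""
    if re.search(r"/sc\s+onlogon\b", c, re.I) and re.search(r"/rl\s+highest\b", c, re.I) and USER_WRITABLE.search(target):
        name = TASK_NAME.search(c)
        return {"pid": ev["pid"], "rule": "schtasks_logon_persistence",
                "task": name.group(1) if name else None, "target": target}
    return None


def flag_masquerade(ev):
    """chrome.exe executing from anywhere but Chrome's Application directory."""
    if base(ev["image"]) == "chrome.exe" and not CHROME_INSTALL.search(ev["image"]):
        return {"pid": ev["pid"], "rule": "browser_name_masquerade", "image": ev["image"]}
    return None


def flag_restart_chain(events):
    """cmd.exe /c <Temp\\*.bat> whose children include a ping-to-localhost sleep
    and a relaunch of the grandparent's image (the batch was written by it)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if base(e["image"]) != "cmd.exe" or not BAT_IN_TEMP.search(e["cmdline"]):
            continue
        kids = children[e["pid"]]
        parent = by_pid.get(e["ppid"])
        sleeps = any(base(k["image"]) == "ping.exe" and re.search(r"-n\s+\d+\s+localhost", k["cmdline"], re.I) for k in kids)
        relaunch = parent is not None and any(k["image"].lower() == parent["image"].lower() for k in kids)
        if sleeps and relaunch:
            findings.append({"pid": e["pid"], "rule": "batch_sleep_and_relaunch", "relaunched": parent["image"],
                             "chcp": any(base(k["image"]) == "chcp.com" for k in kids)})
    return findings


def detect(events):
    findings = []
    for e in events:
        for rule in (flag_schtasks, flag_masquerade):
            f = rule(e)
            if f:
                findings.append(f)
    findings.extend(flag_restart_chain(events))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The report itself shows why keying parent/child links on the bare PID is fragile: 4236, 1656, 3904, 4632, 1220 and 1904 each appear twice as different processes within a 150-second run. On real telemetry use Sysmon's ProcessGuid or the (PID, creation time) pair for by_pid and children; the constructed events above only cover the first cycle, so no PID is reused there.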
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped files by size and hash. This export does not include their names or paths; the fifteen 207-byte entries match in count the fifteen .bat files the process tree runs from %TEMP%.

  1KB
    MD5     baf55b95da4a601229647f25dad12878
    SHA1    abc16954ebfd213733c4493fc1910164d825cac8
    SHA256  ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
    SHA512  24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

  207B
    MD5     2f88367dad174db0f7d8bf618f3b1aeb
    SHA1    100b9be15c0fb31e1f9c26c6d675129b2968c719
    SHA256  7bfbbf66250dbd17da43e68dc2c7f278ba7d4087d320dd93dff7966e15a55d5d
    SHA512  3c27c92404b3d0dac41d56f6db681a37de6c6452d1df77503203c3a9af1d77f317367acfde5ebc587492ae8aa64b675c23773feb974311c6c1af06dab5f00091

  207B
    MD5     6bcc5cda54337b12235246789316162a
    SHA1    c0f4788bd78541637cf4774c96d9f262521a8f34
    SHA256  a38f0c61e74a501159cfa19083f605bd7b3185555cd8034852c4f245e44698d2
    SHA512  bf7240e545fdbe7c7f0c63642ab2ef9825dc02a358d2ffac01354d55ad3dc2c7febffb5c4615136f0acc64edd9459d65c608ad9beac96619f039a236a7064e85

  2.2MB
    MD5     2d86c4ad18524003d56c1cb27c549ba8
    SHA1    123007f9337364e044b87deacf6793c2027c8f47
    SHA256  091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
    SHA512  0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

  207B
    MD5     e94397e2d040010564608f2976d2bd97
    SHA1    0dde2f93feebbe8a432f96a42ab1066ec4ae3480
    SHA256  fb04730176e552680208e3a1a94d69abe8b9eb60078b007fa8226aeec81b9871
    SHA512  3add6c76d6d7cc35cf0ba4570b0d7e17c0504bcac6ac35f5c0e97410945afb678a2e9c8f79f010793a53557317c0ef53413fa90172cb44975c5f6068a98f3dc1

  207B
    MD5     d23005eebc7680b24fb6656452214733
    SHA1    e3451363c3aa1cfbf0a27f31a300efc6923ceef0
    SHA256  edf90cfc160dce780f7e75f2c9fe6086c228546d2986da74fcb575d006607c69
    SHA512  8d566de776982d91a40d014508fd35c13029d616850853cdfeff72ac925585ab5e2d3e1e1fa60b29da8826b7b17e58131ed793ddf8044c03786edd749ddc89f5

  207B
    MD5     b6bf2c0bd373f2b112f938738a8796d2
    SHA1    fa0ad70bff36941f1a33e0c183c9f76e0ca39e73
    SHA256  30e8ee1a8b51db2fb957506b255c5987163c27b70f0f2b199070934c7ac47494
    SHA512  4e091b6cf496281215e9a92bca298f1a0c8e0bb525fe5a79b7f2c2fbcf89b922b3ad6c9748cd60e29895d6e21066df97879cf28d876a33359c6733a42389a064

  207B
    MD5     05bdde5e765d6962da68b8c87976cb1c
    SHA1    fcbfb3c823e0b7bbd2c61572df94fb005f3c5867
    SHA256  bd468bb54c1fb7d18f73d4d74ff4c7b70924296835b13628c80df44065c0d95f
    SHA512  c3b451d1b465e34c25073e6d043a9cf9ebfdabf5215536c7fe67fcfc538df67b47e2eff8deced854214f8f99cae1ffc96554ba4da62812ac4db186d5e8fb294a

  207B
    MD5     97d5594256fe4fcad5a52336a92e68ee
    SHA1    32fe0db049ecc8a855865b5a8a504f0c247ef2ad
    SHA256  555de5552f7912be973fbac72495e6ee06bb7b7ebb026cfd5cacc1c9746749b3
    SHA512  5ae8ae369b6ac6d8b2616d14a9db94382a6fa1136d5d9d408ae1915a2f20193a8a36ea56b3060161e4495657ef95d0ebfd357565093ea950782c75fcf95a44de

  207B
    MD5     c6659a83e25d0e6771096bdf877743c7
    SHA1    70ade31ca748386dcfa679a55f302364ad3b0395
    SHA256  9bbbc01d6a78696505716a06e090d21c6a78e4442c71746d0aafdfc7272d2cc2
    SHA512  48a836bae138289749c341b73e446e250cd47d4906f01eae2adabf80d54c713cd7a4015068ab77513bb8e2f5609ec7e0f02614a5f0ff26d861faf4fcaee9cbf0

  789KB
    MD5     e2437ac017506bbde9a81fb1f618457b
    SHA1    adef2615312b31e041ccf700b3982dd50b686c7f
    SHA256  94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
    SHA512  9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

  207B
    MD5     785c073c48bf600f2f572a449e07ead4
    SHA1    3023e1bec9b8295dab2fe74a60bbba684957d543
    SHA256  3c8659252f7db53cf1cf84a3f585100e7da3211bf7ccc4b7106f107f3181a461
    SHA512  7cdfa5a16d753fa7d6a1f8ae12d0fc8731f1a93902626fc4e134fae8965480a18095f2c3c099ed1798b6cadf056d0cd04fbc840897e332683f1d3872bd47cffa

  207B
    MD5     0a64233a149736e56e51cd25334f135b
    SHA1    cd9393e1610438a3ac226884dec1993a76d9d33e
    SHA256  01d93af1bf217d9bd9e75b808b718f6a129ee634e7e9d5e93b9fc88aa50b5f9a
    SHA512  2c5b72ae9864c0d26256c905314241dc3fe87c55bf70c06ca5a68631028fa6120df5c08b0d12fb0e1ccecee6ed994e110b1ff1228e3b88250065c04b3287ac19

  207B
    MD5     e71563080885961fffc83c7a9e8155cb
    SHA1    cd8a5126df9045b610688e751aaa9c6a886155a4
    SHA256  41ba777007278d6b4261b860745cde0670b45552652893d55268fab6a664c30e
    SHA512  e6a2a4e2c37ff7d06fb46fbcb7181a7f9a61a155ed06c37d951a2d18ce106de029771337916da13a80245a3480feacfc6c15e28f84be4ca7a7a1ca211f93eafc

  207B
    MD5     09ba13e95caf0a71e79ad2393431d9dd
    SHA1    6a8e4048aed92ddab60177f54d127959bbf2ce0d
    SHA256  2850a5b3fa3191c518a4a771a7a5340576358a5096fe29b4af955c4636d6084b
    SHA512  3ee2db255fe447bd75b3ddabc04d53bd4c4b939cae3c5825e7f353699d3d2d2d52610c5020d9a089fc4e093673cef6d4c1623f841d422e5815bb7ccf34a8858a

  207B
    MD5     e5c5a665c0c6f2daf4efb097262a4d8d
    SHA1    ac7e6193e4e7b066bfd3bafee59ec918aead7750
    SHA256  5388f29900faa36b0b9466938a356c86adceaecb453f58d32e9c139efbc1e221
    SHA512  03e79593edc06b9f43bf294df643c8b02c466cba9377dd207ce24a6089ca45d4e1a3d4d7ad12b97fc651950fe58cf8b2f0286eb37b69a91f791e9f48a115cad7

  207B
    MD5     22b1d7d271f199e8c7f121446c776a39
    SHA1    d5ba93cfc2e30bcc9ccd3e33a70960ff7824fb10
    SHA256  dceeaafa8c42651715242f533bbb010381de209cbf62af044a216b157aa433b9
    SHA512  f0d0f7eadc21b8d0648275088e09a78b8a29a6aaf3983f53be1ef54aa2ea3ab1c7ecf24ae0348aec620c8e0a2a3a3b353ac637353387bbaf1710e6add5664c7b

  207B
    MD5     e547092f53907b17b5617ac94c0bcb21
    SHA1    7af8e54c35c8e22d6f27eaee0dc2e373849c93a3
    SHA256  263c11b06d9e4d9b26da6491d444f602f21c47087474f0cb79cea33566d623eb
    SHA512  b642585639139ad48e0d1e987394395ad33ea712b632c5745ad9058ff6419c45cbd01b2a2d595ab6f9ca984a98c5001b8f007962daf67f3cf1653454688a7961

  502KB
    MD5     92479f1615fd4fa1dd3ac7f2e6a1b329
    SHA1    0a6063d27c9f991be2053b113fcef25e071c57fd
    SHA256  0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
    SHA512  9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c