Analysis

max time kernel: 142s
max time network: 143s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 18:58

Behavioral task: behavioral1
Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource: win7-20240708-en
General

Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Size: 6.1MB
MD5: 03778d811f241e83ccad830372313b3c
SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config

Extracted
Family: quasar
Version: 1.4.0
Botnet: Chrome
C2: live.nodenet.ml:8863
Mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
Attributes:
- encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
- install_name: chrome.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: System
- subdirectory: chrome
Signatures

Quasar payload (7 IoCs)
Resources matching yara rule family_quasar:
- C:\Users\Admin\AppData\Roaming\chrome.exe
- behavioral1/memory/2884-41-0x0000000000B70000-0x0000000000BF4000-memory.dmp
- behavioral1/memory/2108-48-0x0000000000E20000-0x0000000000EA4000-memory.dmp
- behavioral1/memory/1884-121-0x0000000000EB0000-0x0000000000F34000-memory.dmp
- behavioral1/memory/1656-133-0x0000000001000000-0x0000000001084000-memory.dmp
- behavioral1/memory/560-154-0x00000000011C0000-0x0000000001244000-memory.dmp
- behavioral1/memory/2464-165-0x0000000001260000-0x00000000012E4000-memory.dmp

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)

Executes dropped EXE (14 IoCs)
- PID 2884 chrome.exe
- PID 2804 S^X.exe
- PID 2108 chrome.exe
- PID 2376 chrome.exe
- PID 1732 chrome.exe
- PID 2200 chrome.exe
- PID 1764 chrome.exe
- PID 2704 chrome.exe
- PID 2624 chrome.exe
- PID 1884 chrome.exe
- PID 1656 chrome.exe
- PID 624 chrome.exe
- PID 560 chrome.exe
- PID 2464 chrome.exe

Loads dropped DLL (3 IoCs)
- PID 2116 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- PID 2116 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
- PID 2116 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Obfuscated with Agile.Net obfuscator (7 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources matching yara rule agile_net:
- behavioral1/memory/2116-1-0x0000000000100000-0x0000000000714000-memory.dmp
- behavioral1/memory/2116-2-0x0000000005070000-0x0000000005682000-memory.dmp
- behavioral1/memory/2116-16-0x0000000005070000-0x000000000567C000-memory.dmp
- behavioral1/memory/2116-18-0x0000000005070000-0x000000000567C000-memory.dmp
- behavioral1/memory/2116-20-0x0000000005070000-0x000000000567C000-memory.dmp
- behavioral1/memory/2116-15-0x0000000005070000-0x000000000567C000-memory.dmp
- behavioral1/memory/2116-22-0x0000000005070000-0x000000000567C000-memory.dmp

Resources matching yara rule themida:
- \Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
- behavioral1/memory/2116-10-0x00000000739C0000-0x0000000073FC8000-memory.dmp
- behavioral1/memory/2116-11-0x00000000739C0000-0x0000000073FC8000-memory.dmp
- behavioral1/memory/2116-13-0x00000000739C0000-0x0000000073FC8000-memory.dmp
- behavioral1/memory/2116-42-0x00000000739C0000-0x0000000073FC8000-memory.dmp

Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- PID 2116 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: S^X.exe)

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 12 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PING.EXE, PIDs: 2140, 2904, 1596, 1752, 2744, 2156, 2996, 1860, 1060, 1636, 2760, 2564

Runs ping.exe (1 TTP, 12 IoCs)
- PING.EXE, PIDs: 1596, 1752, 1860, 2140, 1636, 2564, 2156, 2996, 1060, 2760, 2904, 2744

Scheduled Task/Job: Scheduled Task (1 TTP, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe, PIDs: 2544, 2184, 1952, 2860, 2536, 860, 2384, 2028, 2276, 1864, 2984, 2544, 1148

Suspicious use of AdjustPrivilegeToken (14 IoCs)
Token SeDebugPrivilege enabled by:
- PID 2884 chrome.exe
- PID 2108 chrome.exe
- PID 2804 S^X.exe
- PID 2376 chrome.exe
- PID 1732 chrome.exe
- PID 2200 chrome.exe
- PID 1764 chrome.exe
- PID 2704 chrome.exe
- PID 2624 chrome.exe
- PID 1884 chrome.exe
- PID 1656 chrome.exe
- PID 624 chrome.exe
- PID 560 chrome.exe
- PID 2464 chrome.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
- chrome.exe, PIDs: 2108, 2376, 1732, 2200, 1764, 2704, 2624, 1884, 1656, 624, 560, 2464

Suspicious use of WriteProcessMemory (64 IoCs)
Source PID (process) wrote to memory of target PID (process); identical entries are grouped with their count:
- PID 2116 (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe) wrote to memory of 2884 (chrome.exe), 4 entries
- PID 2116 (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe) wrote to memory of 2804 (S^X.exe), 4 entries
- PID 2884 (chrome.exe) wrote to memory of 2544 (schtasks.exe), 3 entries
- PID 2884 (chrome.exe) wrote to memory of 2108 (chrome.exe), 3 entries
- PID 2108 (chrome.exe) wrote to memory of 1864 (schtasks.exe), 3 entries
- PID 2108 (chrome.exe) wrote to memory of 2644 (cmd.exe), 3 entries
- PID 2644 (cmd.exe) wrote to memory of 2888 (chcp.com), 3 entries
- PID 2644 (cmd.exe) wrote to memory of 1860 (PING.EXE), 3 entries
- PID 2644 (cmd.exe) wrote to memory of 2376 (chrome.exe), 3 entries
- PID 2376 (chrome.exe) wrote to memory of 2028 (schtasks.exe), 3 entries
- PID 2376 (chrome.exe) wrote to memory of 2956 (cmd.exe), 3 entries
- PID 2956 (cmd.exe) wrote to memory of 1180 (chcp.com), 3 entries
- PID 2956 (cmd.exe) wrote to memory of 2140 (PING.EXE), 3 entries
- PID 2956 (cmd.exe) wrote to memory of 1732 (chrome.exe), 3 entries
- PID 1732 (chrome.exe) wrote to memory of 1148 (schtasks.exe), 3 entries
- PID 1732 (chrome.exe) wrote to memory of 716 (cmd.exe), 3 entries
- PID 716 (cmd.exe) wrote to memory of 860 (chcp.com), 3 entries
- PID 716 (cmd.exe) wrote to memory of 1060 (PING.EXE), 3 entries
- PID 716 (cmd.exe) wrote to memory of 2200 (chrome.exe), 3 entries
- PID 2200 (chrome.exe) wrote to memory of 2276 (schtasks.exe), 3 entries
- PID 2200 (chrome.exe) wrote to memory of 1028 (cmd.exe), 2 entries

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe (PID 2116): "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Users\Admin\AppData\Roaming\chrome.exe (PID 2884): "C:\Users\Admin\AppData\Roaming\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\system32\schtasks.exe (PID 2544): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 3] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2108): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\schtasks.exe (PID 1864): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 4] C:\Windows\system32\cmd.exe (PID 2644): cmd /c ""C:\Users\Admin\AppData\Local\Temp\lTi7MwCJ5biM.bat" "
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\system32\chcp.com (PID 2888): chcp 65001
[depth 5] C:\Windows\system32\PING.EXE (PID 1860): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 5] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2376): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\schtasks.exe (PID 2028): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 6] C:\Windows\system32\cmd.exe (PID 2956): cmd /c ""C:\Users\Admin\AppData\Local\Temp\WvMU7EaxVqhO.bat" "
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\system32\chcp.com (PID 1180): chcp 65001
[depth 7] C:\Windows\system32\PING.EXE (PID 2140): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 7] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1732): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\schtasks.exe (PID 1148): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 8] C:\Windows\system32\cmd.exe (PID 716): cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwTYIMxYgVlB.bat" "
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\system32\chcp.com (PID 860): chcp 65001
[depth 9] C:\Windows\system32\PING.EXE (PID 1060): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 9] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2200): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\schtasks.exe (PID 2276): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 10] C:\Windows\system32\cmd.exe (PID 1028): cmd /c ""C:\Users\Admin\AppData\Local\Temp\H1P6p4kcCA9w.bat" "
[depth 11] C:\Windows\system32\chcp.com (PID 2320): chcp 65001
[depth 11] C:\Windows\system32\PING.EXE (PID 1636): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 11] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1764): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 12] C:\Windows\system32\schtasks.exe (PID 1952): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 12] C:\Windows\system32\cmd.exe (PID 888): cmd /c ""C:\Users\Admin\AppData\Local\Temp\ILATv2ws16MT.bat" "
[depth 13] C:\Windows\system32\chcp.com (PID 2316): chcp 65001
[depth 13] C:\Windows\system32\PING.EXE (PID 2760): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 13] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2704): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 14] C:\Windows\system32\schtasks.exe (PID 2860): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 14] C:\Windows\system32\cmd.exe (PID 2572): cmd /c ""C:\Users\Admin\AppData\Local\Temp\dj0z4OCd9uY9.bat" "
[depth 15] C:\Windows\system32\chcp.com (PID 1700): chcp 65001
[depth 15] C:\Windows\system32\PING.EXE (PID 2564): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 15] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2624): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 16] C:\Windows\system32\schtasks.exe (PID 2544): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 16] C:\Windows\system32\cmd.exe (PID 2736): cmd /c ""C:\Users\Admin\AppData\Local\Temp\i6EaGakr5OcQ.bat" "
[depth 17] C:\Windows\system32\chcp.com (PID 1720): chcp 65001
[depth 17] C:\Windows\system32\PING.EXE (PID 2156): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 17] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1884): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 18] C:\Windows\system32\schtasks.exe (PID 2536): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 18] C:\Windows\system32\cmd.exe (PID 1632): cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYRjN14ZhLZv.bat" "
[depth 19] C:\Windows\system32\chcp.com (PID 2988): chcp 65001
[depth 19] C:\Windows\system32\PING.EXE (PID 2996): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 19] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 1656): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 20] C:\Windows\system32\schtasks.exe (PID 2184): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 20] C:\Windows\system32\cmd.exe (PID 2900): cmd /c ""C:\Users\Admin\AppData\Local\Temp\IzsT95DsPSx2.bat" "
[depth 21] C:\Windows\system32\chcp.com (PID 2936): chcp 65001
[depth 21] C:\Windows\system32\PING.EXE (PID 2904): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 21] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 624): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 22] C:\Windows\system32\schtasks.exe (PID 860): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 22] C:\Windows\system32\cmd.exe (PID 1420): cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwQZLJh3Tbsk.bat" "
[depth 23] C:\Windows\system32\chcp.com (PID 1868): chcp 65001
[depth 23] C:\Windows\system32\PING.EXE (PID 1596): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 23] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 560): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 24] C:\Windows\system32\schtasks.exe (PID 2384): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 24] C:\Windows\system32\cmd.exe (PID 1080): cmd /c ""C:\Users\Admin\AppData\Local\Temp\dNlEnABDzb0B.bat" "
[depth 25] C:\Windows\system32\chcp.com (PID 2512): chcp 65001
[depth 25] C:\Windows\system32\PING.EXE (PID 1752): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 25] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (PID 2464): "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 26] C:\Windows\system32\schtasks.exe (PID 2984): "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 26] C:\Windows\system32\cmd.exe (PID 2604): cmd /c ""C:\Users\Admin\AppData\Local\Temp\N0f1srjZIuN4.bat" "
[depth 27] C:\Windows\system32\chcp.com (PID 1928): chcp 65001
[depth 27] C:\Windows\system32\PING.EXE (PID 2744): ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 2] C:\Users\Admin\AppData\Local\Temp\S^X.exe (PID 2804): "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads