Analysis
-
max time kernel
303s -
max time network
313s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-12-2024 16:23
Errors
General
-
Target
virusbomb.zip
-
Size
3.0MB
-
MD5
52917c0a946305fc5559792a8bebf8bd
-
SHA1
374d7c957fe6633c597e74e086ced767db328f36
-
SHA256
56f01de80d010ece0209f6b266462b28305a4373b7d5fcafa0268d2f7e3921be
-
SHA512
ed7f6c6efb52739fb25bdb34140a461b7ef6c80905055b9bb6527c63918982c1b31d1193c293d0c9f2428be1b2ad15fbc823f4d6ae5e3ad05aa2c92535d8218d
-
SSDEEP
49152:/+PoMNvrqvm2lpQBHZyZTrw1YK7wyI1UcpRxSRIM2jePjiki3EAGPfj/KM2qTHT0:2g02rpuHZyZwR0yI1UuRxrNkNexkjiCE
Malware Config
Extracted
quasar
1.4.1
Office04
riprealworld.ddns.net:4782
6a893031-8f7c-4e00-9e79-83e39719887d
-
encryption_key
3388F603979BF351F677D18F04E7A89AEBEE7BE8
-
install_name
Windows.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows
-
subdirectory
SubDir
Extracted
toxiceye
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendMessage?chat_id=5569740835
Extracted
gurcu
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendMessage?chat_id=5569740835
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdate
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=1
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=87029332
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=87029333
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/getUpdates?offset=87029334
https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendDocument?chat_id=556974083
Signatures
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
ToxicEye
ToxicEye is a trojan written in C#.
-
Toxiceye family
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 41 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 51 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 39 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Runs ping.exe 1 TTPs 39 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 43 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\virusbomb.zip"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Wargods.exe"C:\Users\Admin\Desktop\Wargods.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\Wargods.exe"C:\Users\Admin\Desktop\Wargods.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\cs2go.exe"C:\Users\Admin\Desktop\cs2go.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\cs2go.exe"C:\Users\Admin\Desktop\cs2go.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\cs2go.exe"C:\Users\Admin\Desktop\cs2go.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\windows.exe"C:\Users\Admin\Desktop\windows.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t40QhnFzyW4x.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoDIIAflM8Af.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsoUxavgEd5j.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dc8bgwnO1DeM.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMoR1Zp9v0V6.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esWM2WuDQRP1.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zVgNa5wvi6db.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8heIvktVv0l4.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9wPBsthyHp3b.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCu9qLAhcQvo.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q9Gq3hZJt2TT.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n9OwpFM7pw9g.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f27⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vl8R8kMDOk9H.bat" "27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f29⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M3E5ruYIHMc6.bat" "29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f31⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SNm1KA8DKqUA.bat" "31⤵
-
C:\Windows\system32\chcp.comchcp 6500132⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f33⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\windows.exe"C:\Users\Admin\Desktop\windows.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RRoOVQ5qFm1D.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EZo7kO1ldmNB.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tPnTu9Py2p2G.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Y53nICWtruC.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GlKdAVy7hM3f.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1vfkIDbESRsh.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jxz2yIelTXWr.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5KZgBcgSvLuD.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Aoip4t1U7Fz.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1e5eMBSN4JBf.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZzvkP1snCJbp.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GHHmn7tThWpi.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f27⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOvNStLhAcCa.bat" "27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f29⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ufQl2KHUBQfA.bat" "29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\TelegramRAT.exe"C:\Users\Admin\Desktop\TelegramRAT.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8166.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8166.tmp.bat2⤵
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 5040"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind ":"3⤵
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Users\yanak\yanak.exe"yanak.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Desktop\windows.exe"C:\Users\Admin\Desktop\windows.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pdsHTRvIhfd4.bat" "3⤵
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fv6Wd3Zp90fj.bat" "5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ulaoUaWfhlgw.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bHH94JbDvoUt.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dV7tuiDl3Ibn.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TZXINw8L4bq8.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3O8EQ8xAMoQl.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIlYL6urv3ff.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taJVbm9erl1g.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwzvfzAZGtsn.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\cs2go.exe"C:\Users\Admin\Desktop\cs2go.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\launchtm.exelaunchtm.exe /21⤵
-
C:\Windows\System32\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe" /22⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x498 0x3fc1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Peripheral Device Discovery
2Process Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
594B
MD5c515119d690584987b73ebed42c04e1a
SHA163d37848e0faa95dcde477512d0e4e22ac527b1d
SHA256e1cf02251fe5975f8fc49b55e16c20bfdca3f83c554600abe1087c9f27d8002e
SHA512c292c8e7bc7bccf947ea03a232cb150581c1b39af5929a775494dce4560b8a1aa6b9a6fd84b166fb5da0ba5f9efca7adae7342435f938c131622a4d9b799b817
-
Filesize
208B
MD5f087c54240ecf2fc2ca579403956f5b0
SHA10d1e5ebfad1c248b875d166ea502532e7ff89e3b
SHA2567aa3b20b6cba9cc9731cb6ec785c5dd2de8cd6a8ac4a6e65d008db5ee0c3f81a
SHA5121a0ec20c838b331b472163c6d26ecce537b34dc08354787719189f40e54efca23406d352275d7248628a9d1b308d73fd14428918e3918b2af97396a1a864e861
-
Filesize
208B
MD53291343cb50e40e5f7362f67d3b77212
SHA13be8fc29ac4901af1cf46ac18e73d250e8882161
SHA256301f0f3662d65830e9381856663c6363bb5773e0204e05c5eecedb1bcb39431f
SHA51276d89d7cecb6be3ba5319ba7740aebc4c7671b94903216545491e1f52972af619ac7e40b226961813ac8414eda8e53f0d033b28b7f6008b66f84efd9c8e79833
-
Filesize
208B
MD50fc88f3da1a27d5be76860529c49c335
SHA1d0a861a69b8c1f33f3b245dc9be388ce4d955c46
SHA256f2970c2c0fd0545988858a4c6cb2800a3c2951b6a957d3ffc96c332256889088
SHA5120a891bc7ce9e2aab887b2383ecd804b968a477e49f9d83e0d72d239b864ee36e2d19bedfc6e97761a2f55016f49edcb8083f3b189bc23b61ec9a405677e4a6ca
-
Filesize
208B
MD50f013911ce91bec5ceb9ab383b77ae17
SHA1eaceaa941115a1330b8626d9b6673a510a6e9371
SHA256902bd98148d6a0acc429422b272a1f814221dd902dc079f42ac7ce12a47ee94a
SHA5128695cf94c4ba1ef97b579f0698a059c063f8726046d9b065ca57dba146e1d02609183444d747dc36397675ca4def8a63497bb37a8e24f0489689e7e73d8b2a97
-
Filesize
208B
MD587897c64fa5586bddba0dbb2855e4cd0
SHA1a70c0526e02ff1818fbf1ad23dc66c7f5212fc31
SHA25633a48c7d4de47c7a8a5ec392c867aff494a891c3494aa8e65cedbba9c8b195f9
SHA512675381905b0f514f6f7eee8b57e9799e9671f8f7404243118b58a5d29eb418f336199d49797e1c0667c8f5f10b55dbc429447e7ecb6d822bdee897911e79e416
-
Filesize
208B
MD5a165c18d07e72d8dbcfa955ae3eecf8e
SHA1803da53838c25e868185d8d32e547a8dc6f1b6e0
SHA2560313c5149b5c0a7cd2a3b1de400f2739feb5789d6bd841607883bab15f7a995e
SHA51200bb0077daab74a55fa0d1d27da549944da46d46eb91f2b8d1aad28839a450d25f4914f8ad91c726bdc46ad5fac66b78cd87a651c5befe8fdfc02f276e950b1c
-
Filesize
208B
MD5f539406418c825dbf597ce0643e45320
SHA146a35f8da51e5ab3ebf02c957b5d74a10c05eab9
SHA25659a166ad00589694a0903043a20563867f2e1bd77fe79c59d13df12983c8df60
SHA512dc5ade51cacce678df3710038f9e7a56a229d84d6bd5b10543ab43dae506fe44d14a7167868704017818b76e6c3a61215790e5ee6c2facfcfad4e4f06884c3d4
-
Filesize
208B
MD5d024d0dce2bea0d376bfa91a608ff720
SHA1ffaf8b8dc2b1cf1f728fb811a2e0360d83da79ba
SHA2563f1736101abbdcabe0465beffa99a9072853386f4dec4171da274b4413302cee
SHA512f77776a308db74df4c6595d08fbb5ff0a4aac091cb4b8e5365c3f8733a3f5fc84238f63d5216455b2a8cc0c36d770cc69a1cf4c2f9919cf522325ca1e041bc55
-
Filesize
208B
MD59e615bb4920350fa656458e371366a7b
SHA1a70c75801569863c31f1c8e4e0e0a90157a9ebf9
SHA256958054e9ff377cea404775fb62380c193c7a21d75c05ac19b0edaa9823104fed
SHA512859810a56122cd2649fc72503c3ad995c8624670f46d8b91178556059e4c625179e01c5d60d323a6b4f1e834ebee36e2e98a5a91c4564a0f1591a13ac673aa53
-
Filesize
208B
MD58aa1e8cc1199062dd0f2aef90e8c39dc
SHA1db82619d5b37e76e88088b99013daaff3bdbd545
SHA2562c85b60efea828ac64ec3e17860a5fa5bc7b1b9e4b3d28fe8ee5fef2f7f46cbf
SHA512e4cdab6120e313d1731fd02f1fd40a2490d95b4c297956319fc9e49d45558abd9782970a42fac658a0093139226de4b56c99ca44761e7e6ef92b98617269ac7a
-
Filesize
208B
MD5d4b7e032f3665a82ca616e270ca183f3
SHA1d0ab1b79605a0e87a56376aa89b901a4dd759572
SHA256b48565c740d3844d45dd55683ff519151bc92f67924383aad381292e05fb9703
SHA51277a9767157476f97891d8e2fa16f2494039a3e39bf1e75bfc7ba736f0e5d916adcebc8b7d2d51e0e554f7e8dd68da428707f42b3d208cbbbf58470ab1c5e80df
-
Filesize
208B
MD5bc15e5f3c4cc0b2808454f8d4b65eda7
SHA1a98b83317f74c9e3043e91949583a69f8ffb5c39
SHA256ac8d4afe2dcb80310dce4d7c0246a5212b35b3014ae29df7688bcf066ebf5596
SHA512883fe2ce81ee1cd06322776c6c9ef1753750c7e6f46f8f856bd2b265ff920432e78775e07cab867aad1f3fc7b8a1584bffbb531c46659ac64c95b5826e5f86d7
-
Filesize
8KB
MD57f8d34f9d7943bb00a963db22078e3d3
SHA1045d6ab4504796b9b5dd674a74ebc40279993e4d
SHA2564276fb4285dac3c2ead63af2932ae6d3f6d6bbf61f409f1e6197db1ab191c004
SHA51283bd5ad20dea446c96f97bc5d212b761d4ca0b90149558c6f7e0b876a1e34707757d1c10e2921e1972f27797da3615074979c080ae9f40da3e1c605390dc0c7d
-
Filesize
208B
MD533f06faa3f1434984310dfd6034e5d17
SHA1e64d367cd23830558e83df10c1bf1a247d35c03b
SHA2562131b22f061049bf5c904b14debe9749d47a11251199aa4ed4cc38e4122b26cf
SHA5126fe7b8f901e799d02a9de829de5e6ed96710abad670725838b8331af53de654a079198086bfbf4084b656bd9495b727ac05f420df466a4a5d16a8e06e4f9fd4f
-
Filesize
208B
MD558d4a741df4d7f446c70b351b73d0ad1
SHA1fd6914cf97b633b256d9a5b5e2466fdfe096f4fe
SHA256bc07e4d48751fed0aa49c4d2964acc23c34bf3968aafb565d40e1de38f7c8559
SHA51268acf6ddf72d90f0c055f418401ca352f18b7659480941c59da4d85511524583a988f09300edcfb0ebe0a1e6f7e0212a630d57f4fce80351cdb927b6fc4d23fe
-
Filesize
208B
MD5729b6a00ddb8ead5e080ce71f679123d
SHA1b93d9501d7d7c9550b64f89b243b89a9533aa112
SHA2560c521aa4c284af4987d5d7e0735142d1c4eda3577da0286a9ed20f30b041533b
SHA5121ac58bd9d4090b97294898c1013f90f3d7ce4ffa729a9f95fcf1a589c266c5e7b2fd2a8bf421d8af715f54b358eee78fbb0a59d4077c81c88230460cfbcf8ebd
-
Filesize
208B
MD5bb44fd7618cefe5c51f89ce8c79de91c
SHA1269a5f3ee23f4c4b43d7a938ec196e96e491c4cf
SHA25693af0a71b9b0794e04dd55f5e21cef858896dc10009085244dd384b9c17204d1
SHA51296cf1d006bdadf6e324dbf02351ff5008711c36876fabea74a66d392cb214417524af35ebf8e4130519a4ee3197231cc32c3b3bd374d7d27b7641f6a229e0117
-
Filesize
208B
MD5830aca415c36e9aefd4519f4a8730e08
SHA1b583787664082d0b668b7cbcc8145da42219c4e4
SHA25677410840c1eddaabbadfcde91c62a7f2c69428dfe2f9120c83378cadcc46f6b7
SHA5126e0669a80ff1bf99f4f6873c7d67f39b9e18a37fc987141fc348a46c078d0fc72bbdd520178457cca110f8ed11e66ec2c61812dbbff0816db2953d182a4fcb20
-
Filesize
208B
MD568c8105b17d0d2f466f7be7fdf9e7535
SHA1243b54677f37f584f11dcf1ed5ddf2acd998f8d0
SHA2564fb96d41e88a46ab1ed16a309feda623f61467a7d1e6a4e8fb13c4024b214af3
SHA512d9714e3761e3610c7a9c573981ee710ec634009f441782f65fdaff56a8e5db3198a5454a0169728f9980668ef2df4029568329e63f2ef69b1fa55cd45212d871
-
Filesize
208B
MD569d658dea5f9db1eaf6c211aad0ad868
SHA136ca9b4e0e4d57f34d7c803e85e7d9852407e3ff
SHA256dbe7417e60ffc9c926d96d728723d2a534d04e4ebadfe7013659c8f5e1613350
SHA5121bc4eca73d38c10160846562659b4800b2cbbfcb87614332ea06ee2a19def432916ce9965ee156001fe381d9b9d80b8947b10924d10b8ba94d72f0b37e738588
-
Filesize
187B
MD51592ba67dffb4e14108b78363d58428e
SHA16b815d129aa9af17d0802f30565af729f83d5480
SHA25654821ed558ba0131b937b46bb0ca785768950d5af22fe3deab9d4adce51abe6c
SHA5128a2ab0ffee659a4eb25c4022374508f837932fefac0318179531073b7b6f6258badd86ec7bdd71cff81f6f0e9f787b3a52c3ee410738d96bcc28ff077b84f423
-
Filesize
208B
MD565462651472440d898003da1fb8f21c7
SHA19f7ed98bbbd73b150f3caa1eec248d901467e1dd
SHA25689d8a79a36528adb22fe3b6a176ec2c3d7060bf46e304faa6df7e46ea82c922d
SHA512b2372832a6d13b3f987ae79368696ed6b52d59b41c70644e8b520262c09ac351fc8f388209586b8bd7897bc382426bbb299f54fe8f9963ac672d11f358f6fbfd
-
Filesize
208B
MD51d16a3bc17f5a6670c7d5b0321127ef9
SHA1dfc30cf570a196e0af30978ccbf3d01cb0f4f07e
SHA25608d0f458442ba37021b3f9ac39c65e524a797ecb0c05dddc77c0018f8c8a7810
SHA5121b82c8e9a3b5f0c35f2ade36e214dfeef4a1fe6746755fb0322624e3dc924996993aed937961c2b9feb342a3c014097262c723199be68d70616bce252060c847
-
Filesize
111KB
MD5f190eabe265f87543a479e6ae30a75e3
SHA1540a3361515ef8a07f0448d71ef1f5a9987bf8f0
SHA256d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6
SHA512792ea11c4ccdbaba481ad2102d7b95e3da730bba155d10fa20ece922df023d12a94cf65598b2866d85126df6dc8177520488e9c4c685fed14d23b66d3d7af95e
-
Filesize
1.5MB
MD539bdc55a9e26e6eae4fa2b46cf79d79f
SHA119132aa7801a6c841af2e0de9bbb61339cda46dd
SHA25678bc50bbd753cb431221e4d2c5f67177c18611c0afcc83438f2a14c70aa0b9f2
SHA5127baba3764693b9e65ab684840ca746a83812d5f14b0fdd6114e2a25845500490241e1a89314c7123e82770d6081c18a7bd872b5ec0caa6c6c65d7781d2f257ed
-
Filesize
2.0MB
MD54847c81a02753c1035b3e79a8336898e
SHA1a44103fc0b941a2e32df4ae5c4ea647627ffeead
SHA256c2d1f2a32a49b9b5432d783c627cb0bfd17fafad4b55a39377e659d032b21d2d
SHA5124276affc21b5c40e184685dd17f52270f607e3b425f8899d078f6340cad6c1606d5c2aae5acf69dc9bec53f6e142a17043fbad8f0bf45d35cf0ddd56e9ea130b
-
Filesize
3.1MB
MD5eac5eb9f0d9a940ac2866f722640234c
SHA169c8a68fae45b0a2c8badef17a071ab395ed94e4
SHA256493fd2620331cce16d238899c269902a7002c54311901f18fb928583bb1f810b
SHA512b185d9602123ae46f94952266911e1968e5469b0bdca8442da0dbf1cb021c2349aec33b17398fc4326b5af74c6f50cb2344ff293d363a0778689e5aa0832e91f
-
Filesize
78B
MD5af33677885f5d2d6d34d42a770c5cde5
SHA1b66e28ca8e628dcfeda1a6e2a0d3751f21961937
SHA25694ea68eb712afc9329de04bfb2666d78903d634800eb8cb522fc483edbb367c7
SHA51277872b7c90185655e0330b0c1b8e4d13fbd48011c4633e9f7373d42c19ebc17e0f9a6e8a053586c8743ea3d0d0663a57baa8953d790ff510c3d48f1127ec93a5
-
Filesize
680KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
40KB
-
Filesize
3.1MB
-
Filesize
136KB