Analysis
max time kernel: 145s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 06:39
Behavioral task: behavioral1
Sample: defender64.exe
Resource: win7-20240903-en
General
Target: defender64.exe
Size: 3.1MB
MD5: a3ffca2a5a9a4917a64bcabccb4f9fad
SHA1: 9cfc0318809849ab6f2edfc18f6975da812a9f51
SHA256: 21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb
SHA512: d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e
SSDEEP: 49152:nv3I22SsaNYfdPBldt698dBcjHKPRJ6CbR3LoGd2THHB72eh2NT:nv422SsaNYfdPBldt6+dBcjHKPRJ68
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: dilly
C2: lvke-45989.portmap.host:45989
Mutex: 0cb49dc2-fd0d-4581-ae1e-04154c41f310
encryption_key: E5250226804167CB0B1B4B0E9667D0C056694DCA
install_name: defenderx64.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Defender Helper
subdirectory: en
Signatures

Quasar family

Quasar payload (8 IoCs)
resource | yara_rule
behavioral1/memory/2080-1-0x00000000009B0000-0x0000000000CD4000-memory.dmp | family_quasar
behavioral1/files/0x002d000000016dbe-5.dat | family_quasar
behavioral1/memory/2752-8-0x0000000001280000-0x00000000015A4000-memory.dmp | family_quasar
behavioral1/memory/568-43-0x0000000000270000-0x0000000000594000-memory.dmp | family_quasar
behavioral1/memory/1860-54-0x0000000000E80000-0x00000000011A4000-memory.dmp | family_quasar
behavioral1/memory/2676-88-0x0000000001050000-0x0000000001374000-memory.dmp | family_quasar
behavioral1/memory/2244-111-0x0000000001270000-0x0000000001594000-memory.dmp | family_quasar
behavioral1/memory/936-133-0x0000000001320000-0x0000000001644000-memory.dmp | family_quasar
Executes dropped EXE (15 IoCs)
Process defenderx64.exe, PIDs: 2752, 1000, 1620, 568, 1860, 1996, 2264, 2676, 648, 2244, 2504, 936, 2456, 2764, 344

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Process PING.EXE, PIDs: 1632, 1120, 1628, 2828, 1364, 2368, 2100, 2148, 1836, 1680, 796, 2340, 1524, 2268, 2824

Runs ping.exe (1 TTP, 15 IoCs)
Process PING.EXE, PIDs: 2100, 2340, 1628, 2148, 1364, 2824, 1120, 2368, 2268, 796, 1524, 2828, 1836, 1680, 1632
Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process schtasks.exe, PIDs: 2772, 1992, 1592, 2652, 1572, 1484, 1128, 1048, 2844, 3048, 2184, 840, 1576, 2088, 2300, 2972

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token SeDebugPrivilege: 2080 defender64.exe; defenderx64.exe PIDs 2752, 1000, 1620, 568, 1860, 1996, 2264, 2676, 648, 2244, 2504, 936, 2456, 2764, 344

Suspicious use of FindShellTrayWindow (15 IoCs)
Process defenderx64.exe, PIDs: 2752, 1000, 1620, 568, 1860, 1996, 2264, 2676, 648, 2244, 2504, 936, 2456, 2764, 344

Suspicious use of SendNotifyMessage (15 IoCs)
Process defenderx64.exe, PIDs: 2752, 1000, 1620, 568, 1860, 1996, 2264, 2676, 648, 2244, 2504, 936, 2456, 2764, 344
Suspicious use of WriteProcessMemory (64 IoCs, 22 distinct writes)
description | pid | Process | procid_target
PID 2080 wrote to memory of 2772 | 2080 | defender64.exe | 30
PID 2080 wrote to memory of 2752 | 2080 | defender64.exe | 32
PID 2752 wrote to memory of 2844 | 2752 | defenderx64.exe | 33
PID 2752 wrote to memory of 2564 | 2752 | defenderx64.exe | 35
PID 2564 wrote to memory of 2636 | 2564 | cmd.exe | 37
PID 2564 wrote to memory of 796 | 2564 | cmd.exe | 38
PID 2564 wrote to memory of 1000 | 2564 | cmd.exe | 39
PID 1000 wrote to memory of 2184 | 1000 | defenderx64.exe | 40
PID 1000 wrote to memory of 2984 | 1000 | defenderx64.exe | 42
PID 2984 wrote to memory of 2808 | 2984 | cmd.exe | 44
PID 2984 wrote to memory of 2100 | 2984 | cmd.exe | 45
PID 2984 wrote to memory of 1620 | 2984 | cmd.exe | 46
PID 1620 wrote to memory of 1992 | 1620 | defenderx64.exe | 47
PID 1620 wrote to memory of 2600 | 1620 | defenderx64.exe | 49
PID 2600 wrote to memory of 3048 | 2600 | cmd.exe | 51
PID 2600 wrote to memory of 1120 | 2600 | cmd.exe | 52
PID 2600 wrote to memory of 568 | 2600 | cmd.exe | 53
PID 568 wrote to memory of 1128 | 568 | defenderx64.exe | 54
PID 568 wrote to memory of 2152 | 568 | defenderx64.exe | 56
PID 2152 wrote to memory of 2348 | 2152 | cmd.exe | 58
PID 2152 wrote to memory of 2340 | 2152 | cmd.exe | 59
PID 2152 wrote to memory of 1860 | 2152 | cmd.exe | 60

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets)

[depth 1] C:\Users\Admin\AppData\Local\Temp\defender64.exe (PID 2080)
  command line: "C:\Users\Admin\AppData\Local\Temp\defender64.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\system32\schtasks.exe (PID 2772)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2752)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\system32\schtasks.exe (PID 2844)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 3] C:\Windows\system32\cmd.exe (PID 2564)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\yVRb8OJpyIaE.bat" "
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\system32\chcp.com (PID 2636)
  command line: chcp 65001

[depth 4] C:\Windows\system32\PING.EXE (PID 796)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 4] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 1000)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\system32\schtasks.exe (PID 2184)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 5] C:\Windows\system32\cmd.exe (PID 2984)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUFH8oCWwziw.bat" "
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\chcp.com (PID 2808)
  command line: chcp 65001

[depth 6] C:\Windows\system32\PING.EXE (PID 2100)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 6] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 1620)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\system32\schtasks.exe (PID 1992)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 7] C:\Windows\system32\cmd.exe (PID 2600)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\fN8KBjg8ELcq.bat" "
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\chcp.com (PID 3048)
  command line: chcp 65001

[depth 8] C:\Windows\system32\PING.EXE (PID 1120)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 8] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 568)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\system32\schtasks.exe (PID 1128)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 9] C:\Windows\system32\cmd.exe (PID 2152)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\V6UWlvIIo0By.bat" "
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\chcp.com (PID 2348)
  command line: chcp 65001

[depth 10] C:\Windows\system32\PING.EXE (PID 2340)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 10] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 1860)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 11] C:\Windows\system32\schtasks.exe (PID 840)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 11] C:\Windows\system32\cmd.exe (PID 1752)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\C9UhXRh4ipx1.bat" "

[depth 12] C:\Windows\system32\chcp.com (PID 2548)
  command line: chcp 65001

[depth 12] C:\Windows\system32\PING.EXE (PID 1524)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 12] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 1996)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 13] C:\Windows\system32\schtasks.exe (PID 1592)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 13] C:\Windows\system32\cmd.exe (PID 3040)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\eZ4lu0JLHJiw.bat" "

[depth 14] C:\Windows\system32\chcp.com (PID 1736)
  command line: chcp 65001

[depth 14] C:\Windows\system32\PING.EXE (PID 1628)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 14] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2264)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 15] C:\Windows\system32\schtasks.exe (PID 1576)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 15] C:\Windows\system32\cmd.exe (PID 2372)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tb9KbzdEeLaF.bat" "

[depth 16] C:\Windows\system32\chcp.com (PID 1924)
  command line: chcp 65001

[depth 16] C:\Windows\system32\PING.EXE (PID 2828)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 16] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2676)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 17] C:\Windows\system32\schtasks.exe (PID 2652)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 17] C:\Windows\system32\cmd.exe (PID 2236)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oagmfyM8Owwr.bat" "

[depth 18] C:\Windows\system32\chcp.com (PID 620)
  command line: chcp 65001

[depth 18] C:\Windows\system32\PING.EXE (PID 2148)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 18] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 648)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 19] C:\Windows\system32\schtasks.exe (PID 1048)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 19] C:\Windows\system32\cmd.exe (PID 2100)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\suv5a4cT7CZt.bat" "

[depth 20] C:\Windows\system32\chcp.com (PID 704)
  command line: chcp 65001

[depth 20] C:\Windows\system32\PING.EXE (PID 1364)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 20] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2244)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 21] C:\Windows\system32\schtasks.exe (PID 3048)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 21] C:\Windows\system32\cmd.exe (PID 1516)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIPUmyYEGKTi.bat" "

[depth 22] C:\Windows\system32\chcp.com (PID 1468)
  command line: chcp 65001

[depth 22] C:\Windows\system32\PING.EXE (PID 2368)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 22] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2504)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 23] C:\Windows\system32\schtasks.exe (PID 2088)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 23] C:\Windows\system32\cmd.exe (PID 708)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\13N1iNMuv6l9.bat" "

[depth 24] C:\Windows\system32\chcp.com (PID 964)
  command line: chcp 65001

[depth 24] C:\Windows\system32\PING.EXE (PID 1836)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 24] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 936)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 25] C:\Windows\system32\schtasks.exe (PID 2300)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 25] C:\Windows\system32\cmd.exe (PID 1508)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3c4kOCgo596Q.bat" "

[depth 26] C:\Windows\system32\chcp.com (PID 2176)
  command line: chcp 65001

[depth 26] C:\Windows\system32\PING.EXE (PID 2268)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 26] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2456)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 27] C:\Windows\system32\schtasks.exe (PID 2972)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 27] C:\Windows\system32\cmd.exe (PID 2020)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qlGBopbOYtVM.bat" "

[depth 28] C:\Windows\system32\chcp.com (PID 3012)
  command line: chcp 65001

[depth 28] C:\Windows\system32\PING.EXE (PID 1680)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 28] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2764)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 29] C:\Windows\system32\schtasks.exe (PID 1572)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 29] C:\Windows\system32\cmd.exe (PID 1728)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\faKM5ljoreeV.bat" "

[depth 30] C:\Windows\system32\chcp.com (PID 2596)
  command line: chcp 65001

[depth 30] C:\Windows\system32\PING.EXE (PID 2824)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 30] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 344)
  command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 31] C:\Windows\system32\schtasks.exe (PID 1484)
  command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 31] C:\Windows\system32\cmd.exe (PID 1976)
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UbYYKRIDhosV.bat" "

[depth 32] C:\Windows\system32\chcp.com (PID 2656)
  command line: chcp 65001

[depth 32] C:\Windows\system32\PING.EXE (PID 1632)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads