Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 06:39
Behavioral task: behavioral1
Sample: defender64.exe
Resource: win7-20240903-en
General
Target: defender64.exe
Size: 3.1MB
MD5: a3ffca2a5a9a4917a64bcabccb4f9fad
SHA1: 9cfc0318809849ab6f2edfc18f6975da812a9f51
SHA256: 21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb
SHA512: d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e
SSDEEP: 49152:nv3I22SsaNYfdPBldt698dBcjHKPRJ6CbR3LoGd2THHB72eh2NT:nv422SsaNYfdPBldt6+dBcjHKPRJ68
Malware Config
Extracted
Family: quasar
Version: 1.4.1
dilly
lvke-45989.portmap.host:45989
0cb49dc2-fd0d-4581-ae1e-04154c41f310
encryption_key: E5250226804167CB0B1B4B0E9667D0C056694DCA
install_name: defenderx64.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Defender Helper
subdirectory: en
Signatures

Quasar family

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4916-1-0x00000000000E0000-0x0000000000404000-memory.dmp | family_quasar
behavioral2/files/0x0007000000023cbf-5.dat | family_quasar

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | defenderx64.exe (15 identical entries)

Executes dropped EXE (15 IoCs)
PIDs (all defenderx64.exe): 2332, 1248, 3540, 1564, 4040, 2656, 5068, 4988, 740, 4012, 3952, 4008, 364, 3492, 2736

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PIDs (all PING.EXE): 212, 4312, 4656, 3548, 5084, 4384, 3752, 3672, 2536, 1960, 5052, 312, 2968, 2320, 2632

Runs ping.exe (1 TTPs, 15 IoCs)
PIDs (all PING.EXE): 212, 2536, 4656, 4384, 2632, 3672, 1960, 3548, 5052, 5084, 4312, 312, 2320, 2968, 3752

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PIDs (all schtasks.exe): 3684, 3120, 4860, 4328, 4564, 828, 2636, 1848, 3024, 2112, 2632, 4112, 3492, 2188, 1940, 3748

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Token: SeDebugPrivilege
PID 4916 defender64.exe; PIDs (all defenderx64.exe): 2332, 1248, 3540, 1564, 4040, 2656, 5068, 4988, 740, 4012, 3952, 4008, 364, 3492, 2736

Suspicious use of FindShellTrayWindow (15 IoCs)
PIDs (all defenderx64.exe): 2332, 1248, 3540, 1564, 4040, 2656, 5068, 4988, 740, 4012, 3952, 4008, 364, 3492, 2736

Suspicious use of SendNotifyMessage (15 IoCs)
PIDs (all defenderx64.exe): 2332, 1248, 3540, 1564, 4040, 2656, 5068, 4988, 740, 4012, 3952, 4008, 364, 3492, 2736

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4916 wrote to memory of 2188 | 4916 | defender64.exe | 83
PID 4916 wrote to memory of 2188 | 4916 | defender64.exe | 83
PID 4916 wrote to memory of 2332 | 4916 | defender64.exe | 85
PID 4916 wrote to memory of 2332 | 4916 | defender64.exe | 85
PID 2332 wrote to memory of 1940 | 2332 | defenderx64.exe | 86
PID 2332 wrote to memory of 1940 | 2332 | defenderx64.exe | 86
PID 2332 wrote to memory of 2200 | 2332 | defenderx64.exe | 88
PID 2332 wrote to memory of 2200 | 2332 | defenderx64.exe | 88
PID 2200 wrote to memory of 4016 | 2200 | cmd.exe | 90
PID 2200 wrote to memory of 4016 | 2200 | cmd.exe | 90
PID 2200 wrote to memory of 212 | 2200 | cmd.exe | 91
PID 2200 wrote to memory of 212 | 2200 | cmd.exe | 91
PID 2200 wrote to memory of 1248 | 2200 | cmd.exe | 99
PID 2200 wrote to memory of 1248 | 2200 | cmd.exe | 99
PID 1248 wrote to memory of 2636 | 1248 | defenderx64.exe | 100
PID 1248 wrote to memory of 2636 | 1248 | defenderx64.exe | 100
PID 1248 wrote to memory of 1924 | 1248 | defenderx64.exe | 104
PID 1248 wrote to memory of 1924 | 1248 | defenderx64.exe | 104
PID 1924 wrote to memory of 1956 | 1924 | cmd.exe | 106
PID 1924 wrote to memory of 1956 | 1924 | cmd.exe | 106
PID 1924 wrote to memory of 4312 | 1924 | cmd.exe | 107
PID 1924 wrote to memory of 4312 | 1924 | cmd.exe | 107
PID 1924 wrote to memory of 3540 | 1924 | cmd.exe | 113
PID 1924 wrote to memory of 3540 | 1924 | cmd.exe | 113
PID 3540 wrote to memory of 3120 | 3540 | defenderx64.exe | 114
PID 3540 wrote to memory of 3120 | 3540 | defenderx64.exe | 114
PID 3540 wrote to memory of 4820 | 3540 | defenderx64.exe | 117
PID 3540 wrote to memory of 4820 | 3540 | defenderx64.exe | 117
PID 4820 wrote to memory of 1400 | 4820 | cmd.exe | 119
PID 4820 wrote to memory of 1400 | 4820 | cmd.exe | 119
PID 4820 wrote to memory of 2536 | 4820 | cmd.exe | 120
PID 4820 wrote to memory of 2536 | 4820 | cmd.exe | 120
PID 4820 wrote to memory of 1564 | 4820 | cmd.exe | 125
PID 4820 wrote to memory of 1564 | 4820 | cmd.exe | 125
PID 1564 wrote to memory of 1848 | 1564 | defenderx64.exe | 126
PID 1564 wrote to memory of 1848 | 1564 | defenderx64.exe | 126
PID 1564 wrote to memory of 2500 | 1564 | defenderx64.exe | 129
PID 1564 wrote to memory of 2500 | 1564 | defenderx64.exe | 129
PID 2500 wrote to memory of 5024 | 2500 | cmd.exe | 131
PID 2500 wrote to memory of 5024 | 2500 | cmd.exe | 131
PID 2500 wrote to memory of 4656 | 2500 | cmd.exe | 132
PID 2500 wrote to memory of 4656 | 2500 | cmd.exe | 132
PID 2500 wrote to memory of 4040 | 2500 | cmd.exe | 134
PID 2500 wrote to memory of 4040 | 2500 | cmd.exe | 134
PID 4040 wrote to memory of 4860 | 4040 | defenderx64.exe | 135
PID 4040 wrote to memory of 4860 | 4040 | defenderx64.exe | 135
PID 4040 wrote to memory of 4480 | 4040 | defenderx64.exe | 138
PID 4040 wrote to memory of 4480 | 4040 | defenderx64.exe | 138
PID 4480 wrote to memory of 2112 | 4480 | cmd.exe | 140
PID 4480 wrote to memory of 2112 | 4480 | cmd.exe | 140
PID 4480 wrote to memory of 1960 | 4480 | cmd.exe | 141
PID 4480 wrote to memory of 1960 | 4480 | cmd.exe | 141
PID 4480 wrote to memory of 2656 | 4480 | cmd.exe | 143
PID 4480 wrote to memory of 2656 | 4480 | cmd.exe | 143
PID 2656 wrote to memory of 2632 | 2656 | defenderx64.exe | 144
PID 2656 wrote to memory of 2632 | 2656 | defenderx64.exe | 144
PID 2656 wrote to memory of 4452 | 2656 | defenderx64.exe | 147
PID 2656 wrote to memory of 4452 | 2656 | defenderx64.exe | 147
PID 4452 wrote to memory of 4768 | 4452 | cmd.exe | 149
PID 4452 wrote to memory of 4768 | 4452 | cmd.exe | 149
PID 4452 wrote to memory of 3548 | 4452 | cmd.exe | 150
PID 4452 wrote to memory of 3548 | 4452 | cmd.exe | 150
PID 4452 wrote to memory of 5068 | 4452 | cmd.exe | 152
PID 4452 wrote to memory of 5068 | 4452 | cmd.exe | 152

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (the bracketed number is the nesting depth in the tree; each entry lists image path, PID, command line and the signatures it triggered)

[depth 1] C:\Users\Admin\AppData\Local\Temp\defender64.exe (PID 4916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\defender64.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SYSTEM32\schtasks.exe (PID 2188)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 2] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2332)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SYSTEM32\schtasks.exe (PID 1940)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 3] C:\Windows\system32\cmd.exe (PID 2200)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SjjKPzoF9867.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\system32\chcp.com (PID 4016)
  Command line: chcp 65001

[depth 4] C:\Windows\system32\PING.EXE (PID 212)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 4] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 1248)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SYSTEM32\schtasks.exe (PID 2636)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 5] C:\Windows\system32\cmd.exe (PID 1924)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xxhEsNlHC79r.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\chcp.com (PID 1956)
  Command line: chcp 65001

[depth 6] C:\Windows\system32\PING.EXE (PID 4312)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 6] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 3540)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SYSTEM32\schtasks.exe (PID 3120)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 7] C:\Windows\system32\cmd.exe (PID 4820)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8k9l4IapXwwR.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\chcp.com (PID 1400)
  Command line: chcp 65001

[depth 8] C:\Windows\system32\PING.EXE (PID 2536)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 8] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 1564)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\SYSTEM32\schtasks.exe (PID 1848)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 9] C:\Windows\system32\cmd.exe (PID 2500)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BLpnWzdmkBy5.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\chcp.com (PID 5024)
  Command line: chcp 65001

[depth 10] C:\Windows\system32\PING.EXE (PID 4656)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 10] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 4040)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\SYSTEM32\schtasks.exe (PID 4860)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 11] C:\Windows\system32\cmd.exe (PID 4480)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pms4eUuM6OjH.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\system32\chcp.com (PID 2112)
  Command line: chcp 65001

[depth 12] C:\Windows\system32\PING.EXE (PID 1960)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 12] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2656)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\SYSTEM32\schtasks.exe (PID 2632)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 13] C:\Windows\system32\cmd.exe (PID 4452)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sm32bTYgIMcl.bat" "
  Signatures: Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\system32\chcp.com (PID 4768)
  Command line: chcp 65001

[depth 14] C:\Windows\system32\PING.EXE (PID 3548)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 14] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 5068)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 15] C:\Windows\SYSTEM32\schtasks.exe (PID 4112)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 15] C:\Windows\system32\cmd.exe (PID 3712)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FpSEaAVvOZx4.bat" "

[depth 16] C:\Windows\system32\chcp.com (PID 4716)
  Command line: chcp 65001

[depth 16] C:\Windows\system32\PING.EXE (PID 5052)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 16] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 4988)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 17] C:\Windows\SYSTEM32\schtasks.exe (PID 4328)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 17] C:\Windows\system32\cmd.exe (PID 3036)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GbWDFEvzlj3Z.bat" "

[depth 18] C:\Windows\system32\chcp.com (PID 1928)
  Command line: chcp 65001

[depth 18] C:\Windows\system32\PING.EXE (PID 312)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 18] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 740)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 19] C:\Windows\SYSTEM32\schtasks.exe (PID 3492)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 19] C:\Windows\system32\cmd.exe (PID 1408)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q4YtABFbyCrD.bat" "

[depth 20] C:\Windows\system32\chcp.com (PID 4056)
  Command line: chcp 65001

[depth 20] C:\Windows\system32\PING.EXE (PID 2320)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 20] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 4012)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 21] C:\Windows\SYSTEM32\schtasks.exe (PID 2112)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 21] C:\Windows\system32\cmd.exe (PID 4480)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0es5kJcVeRmY.bat" "

[depth 22] C:\Windows\system32\chcp.com (PID 1956)
  Command line: chcp 65001

[depth 22] C:\Windows\system32\PING.EXE (PID 2632)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 22] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 3952)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 23] C:\Windows\SYSTEM32\schtasks.exe (PID 3024)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 23] C:\Windows\system32\cmd.exe (PID 1976)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aXb6iXZ0N0Q4.bat" "

[depth 24] C:\Windows\system32\chcp.com (PID 3548)
  Command line: chcp 65001

[depth 24] C:\Windows\system32\PING.EXE (PID 2968)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 24] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 4008)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 25] C:\Windows\SYSTEM32\schtasks.exe (PID 3748)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 25] C:\Windows\system32\cmd.exe (PID 3632)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCkIGXMsIeDb.bat" "

[depth 26] C:\Windows\system32\chcp.com (PID 3184)
  Command line: chcp 65001

[depth 26] C:\Windows\system32\PING.EXE (PID 5084)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 26] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 364)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 27] C:\Windows\SYSTEM32\schtasks.exe (PID 4564)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 27] C:\Windows\system32\cmd.exe (PID 1640)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jLMWHj4blQYf.bat" "

[depth 28] C:\Windows\system32\chcp.com (PID 1372)
  Command line: chcp 65001

[depth 28] C:\Windows\system32\PING.EXE (PID 4384)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 28] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 3492)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 29] C:\Windows\SYSTEM32\schtasks.exe (PID 3684)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 29] C:\Windows\system32\cmd.exe (PID 3204)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZT08yPywwdmC.bat" "

[depth 30] C:\Windows\system32\chcp.com (PID 2600)
  Command line: chcp 65001

[depth 30] C:\Windows\system32\PING.EXE (PID 3672)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 30] C:\Users\Admin\AppData\Roaming\en\defenderx64.exe (PID 2736)
  Command line: "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

[depth 31] C:\Windows\SYSTEM32\schtasks.exe (PID 828)
  Command line: "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task

[depth 31] C:\Windows\system32\cmd.exe (PID 4840)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceBFzZJWyQSS.bat" "

[depth 32] C:\Windows\system32\chcp.com (PID 1920)
  Command line: chcp 65001

[depth 32] C:\Windows\system32\PING.EXE (PID 3752)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads