Analysis

Max time kernel: 143s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 16-12-2024 06:50

Behavioral task: behavioral1
Sample: JY7XH_Client-built.exe
Resource: win7-20240903-en
General

Target: JY7XH_Client-built.exe
Size: 3.1MB
MD5: f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1: c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256: b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512: c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1
SSDEEP: 49152:ivkt62XlaSFNWPjljiFa2RoUYIobRJ6MbR3LoGdNwhTHHB72eh2NT:iv462XlaSFNWPjljiFXRoUYIobRJ6WK
Malware Config

Extracted Quasar client configuration:

Family: quasar
Version: 1.4.1
Botnet (Quasar tag): Office04
C2: biseo-48321.portmap.host:48321
Mutex: cb74f432-50f1-4947-8163-7687a0292fb0
encryption_key: D1BBEF3C04D88FE8F97EE2745041632CE9C760EE
install_name: Svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Svchost
subdirectory: Svchost

Reading the fields: the C2 is a portmap.host name, a public port-forwarding relay, so the hostname and port identify the operator's relay slot rather than infrastructure the operator owns (the number in the subdomain matches the forwarded port). subdirectory and install_name together give the install path that the process tree below confirms, %APPDATA%\Svchost\Svchost.exe, and startup_key is the name the client uses for its startup entry, seen below as the scheduled task name. reconnect_delay is in milliseconds. The mutex GUID is the client's single-instance guard and is a per-build host indicator; the 40-hex-character encryption_key is likewise per-build (in Quasar 1.4 it is the key from which the client derives the AES key that unwraps its other embedded settings at startup).
Signatures

Quasar family

Quasar payload (14 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/840-1-0x0000000000270000-0x0000000000594000-memory.dmp    family_quasar
  behavioral1/files/0x0008000000016d46-7.dat                                   family_quasar
  behavioral1/memory/2508-10-0x0000000000DD0000-0x00000000010F4000-memory.dmp  family_quasar
  behavioral1/memory/2588-23-0x00000000013B0000-0x00000000016D4000-memory.dmp  family_quasar
  behavioral1/memory/2276-44-0x00000000001B0000-0x00000000004D4000-memory.dmp  family_quasar
  behavioral1/memory/2568-55-0x0000000000BD0000-0x0000000000EF4000-memory.dmp  family_quasar
  behavioral1/memory/1684-67-0x00000000003E0000-0x0000000000704000-memory.dmp  family_quasar
  behavioral1/memory/2436-78-0x0000000000810000-0x0000000000B34000-memory.dmp  family_quasar
  behavioral1/memory/2692-89-0x0000000001100000-0x0000000001424000-memory.dmp  family_quasar
  behavioral1/memory/1692-101-0x0000000001230000-0x0000000001554000-memory.dmp family_quasar
  behavioral1/memory/1388-112-0x00000000001C0000-0x00000000004E4000-memory.dmp family_quasar
  behavioral1/memory/2128-123-0x0000000000C90000-0x0000000000FB4000-memory.dmp family_quasar
  behavioral1/memory/1620-135-0x0000000001070000-0x0000000001394000-memory.dmp family_quasar
  behavioral1/memory/352-146-0x00000000011F0000-0x0000000001514000-memory.dmp  family_quasar
  Every memory hit is a 0x324000-byte region (about 3.1MB, the size of the sample) mapped in the original process and in each Svchost.exe copy; there is no separately unpacked payload, the client binary itself matches the rule. The .dat entry is the dropped copy on disk.

Executes dropped EXE (15 IoCs)
  pid   Process
  2508  Svchost.exe
  2588  Svchost.exe
  1728  Svchost.exe
  2276  Svchost.exe
  2568  Svchost.exe
  1684  Svchost.exe
  2436  Svchost.exe
  2692  Svchost.exe
  1692  Svchost.exe
  1388  Svchost.exe
  2128  Svchost.exe
  1620  Svchost.exe
  352   Svchost.exe
  2528  Svchost.exe
  2780  Svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid: 2688, 1396, 1016, 1108, 2632, 2848, 752, 1392, 2848, 2968, 768, 2172, 1244, 1416, 2892 (all PING.EXE)
  Caveat: the sandbox maps every ping.exe execution to this technique. Each instance here is ping -n 10 localhost, ten echo requests to the loopback interface (roughly nine seconds of wall-clock time), used by the dropped batch file as a sleep before it relaunches the client; it is not a connectivity check. PID 2848 appears twice because the PID was recycled during the run.

Runs ping.exe (1 TTP, 15 IoCs)
  pid: 2892, 2848, 1016, 1392, 2172, 752, 1108, 2848, 2688, 2968, 1244, 1416, 768, 1396, 2632 (all PING.EXE)

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2944, 1912, 1628, 2644, 344, 2208, 2952, 2344, 680, 2728, 2664, 2988, 2868, 1064, 2696, 944 (all schtasks.exe)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege
  pid   Process
  840   JY7XH_Client-built.exe
  2508  Svchost.exe
  2588  Svchost.exe
  1728  Svchost.exe
  2276  Svchost.exe
  2568  Svchost.exe
  1684  Svchost.exe
  2436  Svchost.exe
  2692  Svchost.exe
  1692  Svchost.exe
  1388  Svchost.exe
  2128  Svchost.exe
  1620  Svchost.exe
  352   Svchost.exe
  2528  Svchost.exe
  2780  Svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2508 Svchost.exe
  Only the first installed copy sets a hook, consistent with a hook-based keylogger being started once the client is running.

Suspicious use of WriteProcessMemory (64 IoCs)
  Parent PID  Parent image            Child PID  procid_target  Rows
  840         JY7XH_Client-built.exe  680        31             3
  840         JY7XH_Client-built.exe  2508       33             3
  2508        Svchost.exe             2728       34             3
  2508        Svchost.exe             1108       36             3
  1108        cmd.exe                 2800       38             3
  1108        cmd.exe                 2892       39             3
  1108        cmd.exe                 2588       40             3
  2588        Svchost.exe             2664       41             3
  2588        Svchost.exe             1656       43             3
  1656        cmd.exe                 2844       45             3
  1656        cmd.exe                 2848       46             3
  1656        cmd.exe                 1728       47             3
  1728        Svchost.exe             1912       48             3
  1728        Svchost.exe             756        50             3
  756         cmd.exe                 2676       52             3
  756         cmd.exe                 1016       53             3
  756         cmd.exe                 2276       54             3
  2276        Svchost.exe             2988       55             3
  2276        Svchost.exe             2156       57             3
  2156        cmd.exe                 664        59             3
  2156        cmd.exe                 1244       60             3
  2156        cmd.exe                 2568       61             1
  The report lists each spawn as three identical rows of the form "PID <parent> wrote to memory of <child> <parent> <parent image> <target>" (one per WriteProcessMemory call made while the parent set up the child); the Rows column collapses them. 21 x 3 + 1 = 64, so the signature's 64-row cap cuts the listing at the spawn of Svchost.exe 2568. The later generations appear in the process tree below but not here.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
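The WriteProcessMemory table is the only place this report records parent/child relationships in a machine-readable form, and it arrives flattened, triplicated and capped. The Python below is an editorial example added here (not sandbox tooling and not Quasar code): it parses the rows exactly as the report prints them, collapses the three rows per spawn, rebuilds the tree and measures the relaunch chain. The row text is copied from the signature above.

```python
"""Rebuild the process tree from the flattened 'Suspicious use of WriteProcessMemory'
rows of a sandbox report. Editorial example, not sandbox tooling.

Row shape: PID <parent> wrote to memory of <child> <parent> <parent image> <target index>
The report repeats a row three times per spawn and stops at 64 rows, so the listing
ends partway down the chain; the rows below are the report's, in their flattened form."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"PID\s+(?P<parent>\d+)\s+wrote\s+to\s+memory\s+of\s+(?P<child>\d+)\s+(?P=parent)\s+"
    r"(?P<image>\S+)\s+(?P<target>\d+)"
)

WPM_ROWS = """
PID 840 wrote to memory of 680 840 JY7XH_Client-built.exe 31 PID 840 wrote to memory of 680 840 JY7XH_Client-built.exe 31 PID 840 wrote to memory of 680 840 JY7XH_Client-built.exe 31
PID 840 wrote to memory of 2508 840 JY7XH_Client-built.exe 33 PID 840 wrote to memory of 2508 840 JY7XH_Client-built.exe 33 PID 840 wrote to memory of 2508 840 JY7XH_Client-built.exe 33
PID 2508 wrote to memory of 2728 2508 Svchost.exe 34 PID 2508 wrote to memory of 2728 2508 Svchost.exe 34 PID 2508 wrote to memory of 2728 2508 Svchost.exe 34
PID 2508 wrote to memory of 1108 2508 Svchost.exe 36 PID 2508 wrote to memory of 1108 2508 Svchost.exe 36 PID 2508 wrote to memory of 1108 2508 Svchost.exe 36
PID 1108 wrote to memory of 2800 1108 cmd.exe 38 PID 1108 wrote to memory of 2800 1108 cmd.exe 38 PID 1108 wrote to memory of 2800 1108 cmd.exe 38
PID 1108 wrote to memory of 2892 1108 cmd.exe 39 PID 1108 wrote to memory of 2892 1108 cmd.exe 39 PID 1108 wrote to memory of 2892 1108 cmd.exe 39
PID 1108 wrote to memory of 2588 1108 cmd.exe 40 PID 1108 wrote to memory of 2588 1108 cmd.exe 40 PID 1108 wrote to memory of 2588 1108 cmd.exe 40
PID 2588 wrote to memory of 2664 2588 Svchost.exe 41 PID 2588 wrote to memory of 2664 2588 Svchost.exe 41 PID 2588 wrote to memory of 2664 2588 Svchost.exe 41
PID 2588 wrote to memory of 1656 2588 Svchost.exe 43 PID 2588 wrote to memory of 1656 2588 Svchost.exe 43 PID 2588 wrote to memory of 1656 2588 Svchost.exe 43
PID 1656 wrote to memory of 2844 1656 cmd.exe 45 PID 1656 wrote to memory of 2844 1656 cmd.exe 45 PID 1656 wrote to memory of 2844 1656 cmd.exe 45
PID 1656 wrote to memory of 2848 1656 cmd.exe 46 PID 1656 wrote to memory of 2848 1656 cmd.exe 46 PID 1656 wrote to memory of 2848 1656 cmd.exe 46
PID 1656 wrote to memory of 1728 1656 cmd.exe 47 PID 1656 wrote to memory of 1728 1656 cmd.exe 47 PID 1656 wrote to memory of 1728 1656 cmd.exe 47
PID 1728 wrote to memory of 1912 1728 Svchost.exe 48 PID 1728 wrote to memory of 1912 1728 Svchost.exe 48 PID 1728 wrote to memory of 1912 1728 Svchost.exe 48
PID 1728 wrote to memory of 756 1728 Svchost.exe 50 PID 1728 wrote to memory of 756 1728 Svchost.exe 50 PID 1728 wrote to memory of 756 1728 Svchost.exe 50
PID 756 wrote to memory of 2676 756 cmd.exe 52 PID 756 wrote to memory of 2676 756 cmd.exe 52 PID 756 wrote to memory of 2676 756 cmd.exe 52
PID 756 wrote to memory of 1016 756 cmd.exe 53 PID 756 wrote to memory of 1016 756 cmd.exe 53 PID 756 wrote to memory of 1016 756 cmd.exe 53
PID 756 wrote to memory of 2276 756 cmd.exe 54 PID 756 wrote to memory of 2276 756 cmd.exe 54 PID 756 wrote to memory of 2276 756 cmd.exe 54
PID 2276 wrote to memory of 2988 2276 Svchost.exe 55 PID 2276 wrote to memory of 2988 2276 Svchost.exe 55 PID 2276 wrote to memory of 2988 2276 Svchost.exe 55
PID 2276 wrote to memory of 2156 2276 Svchost.exe 57 PID 2276 wrote to memory of 2156 2276 Svchost.exe 57 PID 2276 wrote to memory of 2156 2276 Svchost.exe 57
PID 2156 wrote to memory of 664 2156 cmd.exe 59 PID 2156 wrote to memory of 664 2156 cmd.exe 59 PID 2156 wrote to memory of 664 2156 cmd.exe 59
PID 2156 wrote to memory of 1244 2156 cmd.exe 60 PID 2156 wrote to memory of 1244 2156 cmd.exe 60 PID 2156 wrote to memory of 1244 2156 cmd.exe 60
PID 2156 wrote to memory of 2568 2156 cmd.exe 61
"""


def parse_rows(text):
    """De-duplicate rows into (parent, child, parent_image) edges in first-seen order,
    and count how many times the report printed each spawn."""
    edges, copies = [], defaultdict(int)
    for m in ROW_RE.finditer(text):
        key = (int(m["parent"]), int(m["child"]))
        if key not in copies:
            edges.append((key[0], key[1], m["image"]))
        copies[key] += 1
    return edges, dict(copies)


def build_tree(edges):
    """Adjacency list keyed by parent PID, plus the image known for each parent.
    Bare PIDs are safe inside this 64-row window; across the whole run they are not
    (the report shows 1108, 2848 and 2892 recycled), so a full-trace tool should key
    on the sandbox's sequential process index (the target column) or a start time."""
    children, images = defaultdict(list), {}
    for parent, child, image in edges:
        children[parent].append(child)
        images[parent] = image
    return children, images


def roots(edges):
    """PIDs that only ever appear as parents."""
    return sorted({p for p, _, _ in edges} - {c for _, c, _ in edges})


def longest_chain(children, root):
    """Longest root-to-leaf PID path, depth-first."""
    best, stack = [root], [[root]]
    while stack:
        path = stack.pop()
        kids = children.get(path[-1], [])
        if not kids and len(path) > len(best):
            best = path
        stack.extend(path + [k] for k in kids)
    return best


def generations(chain, images, name="Svchost.exe"):
    """Chain members known to be the installed copy (the capped listing never shows the
    last child acting as a parent, so it is not counted)."""
    return sum(1 for pid in chain if images.get(pid) == name)


if __name__ == "__main__":
    edges, copies = parse_rows(WPM_ROWS)
    children, images = build_tree(edges)
    chain = longest_chain(children, roots(edges)[0])
    print(f"{len(edges)} spawns from {sum(copies.values())} rows")
    print(" -> ".join(f"{pid}({images.get(pid, '?')})" for pid in chain))
    print("Svchost.exe generations on the chain:", generations(chain, images))
```

Run as a script it prints the single chain 840 -> 2508 -> 1108 -> 2588 -> 1656 -> 1728 -> 756 -> 2276 -> 2156 -> 2568, four Svchost.exe generations deep where the cap falls; the process tree below shows the same chain continuing to 15 generations.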
Processes

The sandbox's process tree, with its depth numbers kept (1 = the submitted sample). Each entry gives the image path, the command line, the PID and the signatures the sandbox attached to that process.

1  C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe
   "C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe"
   PID 840 - Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  2  C:\Windows\system32\schtasks.exe
     "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
     PID 680 - Scheduled Task/Job: Scheduled Task

  2  C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
     "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
     PID 2508 - Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    3  C:\Windows\system32\schtasks.exe
       "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
       PID 2728 - Scheduled Task/Job: Scheduled Task

    3  C:\Windows\system32\cmd.exe
       cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKJDvvDBeqQG.bat" "
       PID 1108 - Suspicious use of WriteProcessMemory

      4  C:\Windows\system32\chcp.com
         chcp 65001
         PID 2800

      4  C:\Windows\system32\PING.EXE
         ping -n 10 localhost
         PID 2892 - System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

      4  C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
         "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
         PID 2588 - Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

From here the tree repeats one unit down to depth 32: each Svchost.exe re-registers the same ONLOGON task, writes a fresh randomly named batch file to %TEMP% and runs it through cmd.exe /c; the batch switches the console code page to UTF-8 (chcp 65001), sleeps with ping -n 10 localhost, and starts another Svchost.exe from the same install path, which becomes the next generation. The report does not show why the installed copy keeps restarting itself. The generations, read straight from the tree, are:

Depth  Svchost.exe PID  schtasks.exe PID  cmd.exe PID  Batch file in %TEMP%  chcp.com PID  PING.EXE PID
2      2508             2728              1108         tKJDvvDBeqQG.bat      2800          2892
4      2588             2664              1656         rvmjLrRIfZpv.bat      2844          2848
6      1728             1912              756          fyVcXFu2hwlI.bat      2676          1016
8      2276             2988              2156         edTUQLwieFDG.bat      664           1244
10     2568             344               1936         SLhRABDraBzg.bat      1160          752
12     1684             1064              2448         yTyGrAJfwmGK.bat      1660          1416
14     2436             1628              1112         cMAFtg6i9c9X.bat      2516          1392
16     2692             2696              1996         C3Wi642hFk4U.bat      2892          1108
18     1692             2208              1480         AXsyIscJxDIs.bat      2012          2848
20     1388             2644              1248         TOSmCJCeNAAj.bat      2356          2688
22     2128             2944              1084         FnGX1UEkqGPK.bat      3064          2968
24     1620             944               1208         sNbji0LP5hBZ.bat      2556          768
26     352              2952              1416         dLC8m6VywqvO.bat      2428          2172
28     2528             2344              1700         vxj2DVczs3Yc.bat      2736          1396
30     2780             2868              2124         DLAApPlrYsFY.bat      2752          2632

The schtasks.exe, cmd.exe, chcp.com and PING.EXE of a generation sit one level below its Svchost.exe; the next Svchost.exe is a child of cmd.exe, two levels down. Every Svchost.exe carries Executes dropped EXE and Suspicious use of AdjustPrivilegeToken; every schtasks.exe runs the identical /create command shown above and carries Scheduled Task/Job: Scheduled Task; every PING.EXE runs ping -n 10 localhost and carries System Network Configuration Discovery: Internet Connection Discovery and Runs ping.exe; every chcp.com runs chcp 65001 and carries no signature. Suspicious use of WriteProcessMemory is attached only to Svchost.exe 2508, 2588, 1728 and 2276 and to cmd.exe 1108, 1656, 756 and 2156, which is where that signature's 64-row cap falls, not a change in behaviour. Suspicious use of SetWindowsHookEx is attached only to the first installed copy, PID 2508.

Fifteen generations of Svchost.exe were observed; PING.EXE 2632 at depth 32 is the last process started before the 143s kernel time limit, so the chain was still relaunching when the run ended. PIDs are recycled during the run (1108, 1416, 2848 and 2892 each appear twice as different processes), so correlate by process start time rather than by PID alone when building a timeline from this report.
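Read as a detection problem, the tree has three stable features: a schtasks /create with /sc ONLOGON and /rl HIGHEST whose /tr target lives under AppData; an image named Svchost.exe executing from outside System32; and a cmd.exe /c on a %TEMP% batch whose children are a ping -n N localhost sleep and a new instance of the same image as cmd.exe's own parent. The Python below is an editorial example (not sandbox output and not Quasar code) that implements those three rules over process-creation events, as Sysmon event 1 or an EDR would supply them. The events are constructed from this report's tree: generations 0 to 2, then the depth-16 generation in which PIDs 1108 and 2892 come back as different processes. The parent PID of the submitted sample is not in the report, so 0 stands in for it, and the cmd.exe parent of Svchost.exe 2692 (PID 1112) is referenced by PID only.

```python
"""Three detection rules for the persistence/relaunch chain in this report, run over
process-creation events (PID, parent PID, image, command line, in creation order).
Editorial example: not sandbox output and not Quasar code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree: generations 0-2, then the depth-16
# generation in which PIDs 1108 and 2892 come back as different processes.
P_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe"
P_SVCHOST = r"C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
P_SCHTASKS, P_CMD = r"C:\Windows\system32\schtasks.exe", r"C:\Windows\system32\cmd.exe"
P_CHCP, P_PING = r"C:\Windows\system32\chcp.com", r"C:\Windows\system32\PING.EXE"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
TASK = f'"schtasks" /create /tn "Svchost" /sc ONLOGON /tr "{P_SVCHOST}" /rl HIGHEST /f'
EVENTS = [
    ProcEvent(840, 0, P_SAMPLE, f'"{P_SAMPLE}"'),           # parent PID not in the report
    ProcEvent(680, 840, P_SCHTASKS, TASK),
    ProcEvent(2508, 840, P_SVCHOST, f'"{P_SVCHOST}"'),
    ProcEvent(2728, 2508, P_SCHTASKS, TASK),
    ProcEvent(1108, 2508, P_CMD, f'cmd /c ""{TEMP}\\tKJDvvDBeqQG.bat" "'),
    ProcEvent(2800, 1108, P_CHCP, "chcp 65001"),
    ProcEvent(2892, 1108, P_PING, "ping -n 10 localhost"),
    ProcEvent(2588, 1108, P_SVCHOST, f'"{P_SVCHOST}"'),
    ProcEvent(2664, 2588, P_SCHTASKS, TASK),
    ProcEvent(1656, 2588, P_CMD, f'cmd /c ""{TEMP}\\rvmjLrRIfZpv.bat" "'),
    ProcEvent(2844, 1656, P_CHCP, "chcp 65001"),
    ProcEvent(2848, 1656, P_PING, "ping -n 10 localhost"),
    ProcEvent(1728, 1656, P_SVCHOST, f'"{P_SVCHOST}"'),
    ProcEvent(2692, 1112, P_SVCHOST, f'"{P_SVCHOST}"'),     # generations 3-7 omitted
    ProcEvent(1996, 2692, P_CMD, f'cmd /c ""{TEMP}\\C3Wi642hFk4U.bat" "'),
    ProcEvent(2892, 1996, P_CHCP, "chcp 65001"),            # PID 2892 recycled
    ProcEvent(1108, 1996, P_PING, "ping -n 10 localhost"),  # PID 1108 recycled
    ProcEvent(1692, 1996, P_SVCHOST, f'"{P_SVCHOST}"'),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
PING_SLEEP = re.compile(r"^ping\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def children_of(events, idx):
    """Children of events[idx] in creation order. Stop at the first later event that
    reuses the parent's PID: from then on a matching ppid means a different process."""
    parent, kids = events[idx], []
    for ev in events[idx + 1:]:
        if ev.pid == parent.pid:
            break
        if ev.ppid == parent.pid:
            kids.append(ev)
    return kids


def parent_of(events, idx):
    """Most recent earlier event carrying the parent's PID (PIDs are recycled)."""
    return next((p for p in reversed(events[:idx]) if p.pid == events[idx].ppid), None)


def rule_onlogon_task_into_appdata(ev):
    """schtasks /create with /sc ONLOGON and /rl HIGHEST whose /tr target is under AppData."""
    cl = ev.cmdline.lower()
    if basename(ev.image) != "schtasks.exe" or not all(
            k in cl for k in ("/create", "/sc onlogon", "/rl highest")):
        return None
    target = re.search(r'/tr\s+"([^"]+)"', ev.cmdline, re.I)
    name = re.search(r'/tn\s+"([^"]+)"', ev.cmdline, re.I)
    if target and USER_WRITABLE.search(target.group(1)):
        return (f"ONLOGON task {name.group(1) if name else '?'} (highest run level) "
                f"launches {target.group(1)}")
    return None


def rule_svchost_masquerade(ev):
    """An image named svchost.exe that is not the one in System32 or SysWOW64."""
    if basename(ev.image) == "svchost.exe" and not ev.image.lower().startswith(SYSTEM_DIRS):
        return f"svchost.exe running from {ev.image}"
    return None


def rule_ping_sleep_relaunch(events, idx):
    """cmd.exe /c on a %TEMP% .bat whose children include a 'ping -n N localhost' sleep
    and a fresh instance of the same image as cmd.exe's own parent."""
    ev, cl = events[idx], events[idx].cmdline.lower()
    if basename(ev.image) != "cmd.exe" or not all(
            k in cl for k in ("/c", ".bat", "\\appdata\\local\\temp\\")):
        return None
    parent = parent_of(events, idx)
    kids = children_of(events, idx)
    sleeps = [m for m in (PING_SLEEP.match(k.cmdline.strip()) for k in kids) if m]
    relaunch = [k for k in kids if parent and k.image.lower() == parent.image.lower()]
    if sleeps and relaunch:
        return (f"{parent.image} relaunched as PID {relaunch[0].pid} via a %TEMP% batch "
                f"after a ping -n {sleeps[0].group(1)} localhost delay")
    return None


def scan(events):
    """(pid, finding) for every rule that fires, in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for hit in (rule_onlogon_task_into_appdata(ev), rule_svchost_masquerade(ev),
                    rule_ping_sleep_relaunch(events, idx)):
            if hit:
                findings.append((ev.pid, hit))
    return findings
```

Against the constructed events, scan() fires eleven times: the three schtasks.exe instances, the five Svchost.exe instances, and the three cmd.exe batch runs. The PID-recycling guard matters for the first cmd.exe (1108): without it, the later PING.EXE that reuses 1108 would be treated as the same process and any children created after that point would be misattributed. The relaunch rule is deliberately independent of the chcp 65001 child, since that step is cosmetic and easy for an operator to drop; the sleep plus self-relaunch from a %TEMP% batch is the part worth alerting on.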
Downloads

Files written during the run. The fifteen 209-byte files are the batch scripts the client dropped in %TEMP%, one per generation (the report does not pair the hashes with the batch names); fifteen identical sizes with fifteen different hashes is consistent with a fixed template that embeds the batch's own random file name. The 3.1MB file is the installed copy, C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe, and its hashes are identical to the submitted sample, so the copy on disk is unmodified and the sample's hashes can be used to hunt for it.

File 1 (209B)
  MD5    bf559f3e447faac14f68240eb0a9ed77
  SHA1   7a87b2ed9700ccdbdb982eba157506daea80c7af
  SHA256 0ecc3e9b1224e755bcbcd0118f4561fc25aeb1b48f98bea04a5d556f4ca35683
  SHA512 0a8a4a0412340f29a11c444858d21af32761154ba7c0c2bb1b130abeee260820ab8d9efc329be7c498a686ad96ade31bb20a49a90440c40d35cfc499aa0dba65

File 2 (209B)
  MD5    90016951f45692965ddfeb154829a5cb
  SHA1   08e88dc47138a37ac31745fef7402be02571dd62
  SHA256 9bb141ea5d73abd320cac197f55e089ac202652fb8e39939fe40d95118da8c5b
  SHA512 0514b9a147e7c02bbd552bb83be5c11da57dd4552d603295d778984a23fdec87b9f67989642237cea992720e82d9d8beafcf036dab3a8967a16856622346ea7a

File 3 (209B)
  MD5    2633c2c49970c69f907a642dc8a3be76
  SHA1   3ac16a2221da1f87443069c8d9c99eaa0678d0d0
  SHA256 f760b3c4ed1413c31cf30368fedf0a543fa2d30810c697731d348cbcfaec76aa
  SHA512 c52e96ed69ece6625746d0108a51b16033849551e4ffaf0ca452be1768ee55909393fc2621b91760d18d309632c55ec92ffe3f95e5084979c9298b73e3a649c2

File 4 (209B)
  MD5    6ddb449708f7705f26d48683817c0a31
  SHA1   e0d3d336d6dd7e907c8c54ba649675c27d3c2419
  SHA256 ae8286cff0802e84d8d5fbc7337b2ff78ff6097fdce4ffd94e97d23469b8e367
  SHA512 956b583071ca41dd8199ebceb68b76c81452fb63af7579b54c801732ace3681a056b7c48d0459652e8834c7880498c08e77afe5b0775d0a9441c40b999be07ef

File 5 (209B)
  MD5    4be91292bdf611e5dc57b53592335166
  SHA1   e753cb21c6b1434f3f7971380eb906dbd085d5a0
  SHA256 ff907e1e704440d2e8ab7920df4e71eddbfd53c030834970475823c3f0f37d5f
  SHA512 31bd01c973319cb0bab2b8d63f714f5656e9a602b230b3ac11622f08685abf66c73e6ec8fc3bd288d116a889b0cb77a7ad55b9e7f653f97db313727e0c46c67b

File 6 (209B)
  MD5    58222581297cda71d9024ab808f946f6
  SHA1   0ab270c2a9e3d9117ef2044a3950f3c288e68dce
  SHA256 9ee0db9b6ec5240c250bf65258686c234a0f749e7992372c337a5702e1711e58
  SHA512 654b354544910b9b8b56c0d8fc03feb30ab484380611c45570abda06e084fa320591a0517b9bd77f52df8650d60b0de7cd9f884a0ad87f21545260371586b63c

File 7 (209B)
  MD5    80013a4c97d58ea5ac99a2f944cbbdd8
  SHA1   87d882f8a3f2ebef863687b5eb46e86414bfce94
  SHA256 1dfac1314ffa99d2aaa15c69a14592135d3fd0a7a27aafa62de94c3769abf074
  SHA512 cbb5ed489c54947f745c6c889b85c27e3d78a20bb837515e4cfda28f5e466f2abb66dd00408f228b37af4ccdd81655fa27911a735c96bff0e687eb00299df94c

File 8 (209B)
  MD5    979f287d7afe667c2fda4562eb1c251a
  SHA1   a3167df9222868cac346c2788ad49eea32af490d
  SHA256 d458c757974928e381ab69fc5409fed8cc19d23f4b240591ecb281fe852a03ce
  SHA512 b5e8be3c6504e689005e72cce119594225d84c95db30f8621d9076fedf81fb71698169e08ecbdde5be397dbec66ba9af3604b9361d578a973cff65c6c58c4beb

File 9 (209B)
  MD5    9ab260c44a86fa2823cb85a210ea7bd7
  SHA1   0d5cf2fb80238d98829d7ecfa03521c5e6516dff
  SHA256 72327ca83efabcef17ff6e9e5daa54f30b5d271f00d8683437212e85cefc406d
  SHA512 cd53797e9a9b2f845c19b879574b122227584053638216eccac1be921c58c1a459294fccea0a5569a5680ef4569e3b4c454ec3c63730df3aeb9d62077b048064

File 10 (209B)
  MD5    0140d40c53cb46492cf2ef04824b763d
  SHA1   eb80c6da1a00f8f6e4a4637b54e2c2bc47c1a34f
  SHA256 b10c9c5c96b23b53be55e2ea0c1d67776fd28c9079d06321d22ca9f10faabab4
  SHA512 fddd949ff621745a976fcb36ac58270ba4e2d8fd3222c1f48b0e3edb0d322e4eb7f048b4e03db275c8fece17323077a414fc1482447a1d677e65c3aca8ba5064

File 11 (209B)
  MD5    847f9525f7c41208d55a84ef3b7dfd35
  SHA1   159a6f724e5f1ca07a2aca3085f497d22d118ba6
  SHA256 86493ead24db172c50273e6f1db440de2dd768161e496bcc077747b8e11c2473
  SHA512 9973ede0461378587148e2a586c8c75e9012f3b1f6e871ecc3a42bb52ee4bf697589dc60a7039c6dc644b9ad7b8a9e0f54af6a7b48afb9da2c2a30beceb27422

File 12 (209B)
  MD5    e99da79ead1e8ef6c59715bcbd1f42a3
  SHA1   427685966b8c288ef10f83c7c8ef05c2ce6d2095
  SHA256 9fa3ada6bee05e436d552eacbfcbe8deeb3db1660a9f823f2dc97226421fbf81
  SHA512 be6a57f17c0c5658c3ef7166c526c0c46d0b19f160ea318fae23bd94056184da9d0f00e5cae7f7f8905420b60c254bf21e028ac60935c72c8b70ab33a059eaeb

File 13 (209B)
  MD5    76cc0241bf9b4397cacf37c502c1fe6b
  SHA1   c42ae39fc2b686785a6a83c0c485031617b70132
  SHA256 eec3acabf5e589254e5de70a84b6dee2cdeb0ec26966c6a7420dc2df77f81bcb
  SHA512 2aaed5f882d4927e4b8269b903d5ac4f0cb54addae613d849785218b95c293b5a211abd3fc3a825586e8c817529d708d0e768909c23e731c6024b96834554944

File 14 (209B)
  MD5    7efbf32ef529e0505aa0ee0eeb17a26b
  SHA1   a2d31c1e982c4b8b1523205c2dfc3f4357c40ca3
  SHA256 864fbed67fd2128e111ac98c1b092fcd7afdd6b2567ed159c28dcdba4ec52076
  SHA512 d011bec069e0ed590def674d307d188b7e904d9a73b62fc59ae7d86a274c6d4f1372bf34cef0670342cff7c1cce9f12a8b21622bcc53b75a0e2e2b951239efc2

File 15 (209B)
  MD5    c67ea08c116de42532d9fe11d8061998
  SHA1   68c9b5f829c5a9b35861493708edb08ca3e41a56
  SHA256 2452c4032e47fdfde32e463e9a5d36e888b829b3b6b372040258568f5f0d1337
  SHA512 32b0ed147f2c87c920e79844ad825d3ed45ff7306d7b3ecab8224d9873bf7f8d2492ae6af99032f9f4979c140d6b81b9975de05eaebc408b3ca643bbeb209752

File 16 (3.1MB, the installed Svchost.exe; hashes identical to the submitted sample)
  MD5    f9fd797dbef56a3900d2fe9d0a6e2e86
  SHA1   c5d002cc63bd21fa35fdad428ca4c909f34c4309
  SHA256 b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
  SHA512 c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1