Analysis

max time kernel: 143s
max time network: 121s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 06:56

Behavioral task: behavioral1
Sample: JY7XH_Client-built.exe
Resource: win7-20241023-en
General

Target: JY7XH_Client-built.exe
Size: 3.1MB
MD5: f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1: c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256: b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512: c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1
SSDEEP: 49152:ivkt62XlaSFNWPjljiFa2RoUYIobRJ6MbR3LoGdNwhTHHB72eh2NT:iv462XlaSFNWPjljiFXRoUYIobRJ6WK
Malware Config

Extracted

quasar
1.4.1
Office04
biseo-48321.portmap.host:48321
cb74f432-50f1-4947-8163-7687a0292fb0
encryption_key: D1BBEF3C04D88FE8F97EE2745041632CE9C760EE
install_name: Svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Svchost
subdirectory: Svchost
Signatures

Quasar family

Quasar payload (9 IoCs)
resource | yara_rule
behavioral1/memory/1972-1-0x00000000002A0000-0x00000000005C4000-memory.dmp | family_quasar
behavioral1/files/0x0008000000016c66-6.dat | family_quasar
behavioral1/memory/2516-8-0x0000000000CC0000-0x0000000000FE4000-memory.dmp | family_quasar
behavioral1/memory/2768-23-0x0000000000DD0000-0x00000000010F4000-memory.dmp | family_quasar
behavioral1/memory/2916-44-0x0000000000EA0000-0x00000000011C4000-memory.dmp | family_quasar
behavioral1/memory/1544-106-0x0000000000F50000-0x0000000001274000-memory.dmp | family_quasar
behavioral1/memory/1516-138-0x0000000001200000-0x0000000001524000-memory.dmp | family_quasar
behavioral1/memory/3064-149-0x0000000001240000-0x0000000001564000-memory.dmp | family_quasar
behavioral1/memory/2488-160-0x00000000001C0000-0x00000000004E4000-memory.dmp | family_quasar

Executes dropped EXE (15 IoCs)
pid | Process
2516 | Svchost.exe
2768 | Svchost.exe
2268 | Svchost.exe
2916 | Svchost.exe
1196 | Svchost.exe
1464 | Svchost.exe
1428 | Svchost.exe
2744 | Svchost.exe
380 | Svchost.exe
1544 | Svchost.exe
2232 | Svchost.exe
956 | Svchost.exe
1516 | Svchost.exe
3064 | Svchost.exe
2488 | Svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1112 | PING.EXE
1940 | PING.EXE
2952 | PING.EXE
1732 | PING.EXE
2432 | PING.EXE
2648 | PING.EXE
2120 | PING.EXE
1396 | PING.EXE
2252 | PING.EXE
2692 | PING.EXE
2828 | PING.EXE
1824 | PING.EXE
2564 | PING.EXE
940 | PING.EXE
2252 | PING.EXE

Runs ping.exe (1 TTPs, 15 IoCs)
pid | Process
940 | PING.EXE
2692 | PING.EXE
2432 | PING.EXE
1112 | PING.EXE
1824 | PING.EXE
2252 | PING.EXE
1940 | PING.EXE
2120 | PING.EXE
1732 | PING.EXE
2828 | PING.EXE
1396 | PING.EXE
2564 | PING.EXE
2648 | PING.EXE
2952 | PING.EXE
2252 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2604 | schtasks.exe
1456 | schtasks.exe
1888 | schtasks.exe
908 | schtasks.exe
2968 | schtasks.exe
788 | schtasks.exe
2084 | schtasks.exe
2512 | schtasks.exe
2316 | schtasks.exe
2112 | schtasks.exe
2116 | schtasks.exe
2504 | schtasks.exe
1560 | schtasks.exe
2712 | schtasks.exe
1016 | schtasks.exe
2640 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1972 | JY7XH_Client-built.exe
Token: SeDebugPrivilege | 2516 | Svchost.exe
Token: SeDebugPrivilege | 2768 | Svchost.exe
Token: SeDebugPrivilege | 2268 | Svchost.exe
Token: SeDebugPrivilege | 2916 | Svchost.exe
Token: SeDebugPrivilege | 1196 | Svchost.exe
Token: SeDebugPrivilege | 1464 | Svchost.exe
Token: SeDebugPrivilege | 1428 | Svchost.exe
Token: SeDebugPrivilege | 2744 | Svchost.exe
Token: SeDebugPrivilege | 380 | Svchost.exe
Token: SeDebugPrivilege | 1544 | Svchost.exe
Token: SeDebugPrivilege | 2232 | Svchost.exe
Token: SeDebugPrivilege | 956 | Svchost.exe
Token: SeDebugPrivilege | 1516 | Svchost.exe
Token: SeDebugPrivilege | 3064 | Svchost.exe
Token: SeDebugPrivilege | 2488 | Svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1972 wrote to memory of 2512 | 1972 | JY7XH_Client-built.exe | 30
PID 1972 wrote to memory of 2512 | 1972 | JY7XH_Client-built.exe | 30
PID 1972 wrote to memory of 2512 | 1972 | JY7XH_Client-built.exe | 30
PID 1972 wrote to memory of 2516 | 1972 | JY7XH_Client-built.exe | 32
PID 1972 wrote to memory of 2516 | 1972 | JY7XH_Client-built.exe | 32
PID 1972 wrote to memory of 2516 | 1972 | JY7XH_Client-built.exe | 32
PID 2516 wrote to memory of 2316 | 2516 | Svchost.exe | 33
PID 2516 wrote to memory of 2316 | 2516 | Svchost.exe | 33
PID 2516 wrote to memory of 2316 | 2516 | Svchost.exe | 33
PID 2516 wrote to memory of 2752 | 2516 | Svchost.exe | 35
PID 2516 wrote to memory of 2752 | 2516 | Svchost.exe | 35
PID 2516 wrote to memory of 2752 | 2516 | Svchost.exe | 35
PID 2752 wrote to memory of 2836 | 2752 | cmd.exe | 37
PID 2752 wrote to memory of 2836 | 2752 | cmd.exe | 37
PID 2752 wrote to memory of 2836 | 2752 | cmd.exe | 37
PID 2752 wrote to memory of 2828 | 2752 | cmd.exe | 38
PID 2752 wrote to memory of 2828 | 2752 | cmd.exe | 38
PID 2752 wrote to memory of 2828 | 2752 | cmd.exe | 38
PID 2752 wrote to memory of 2768 | 2752 | cmd.exe | 40
PID 2752 wrote to memory of 2768 | 2752 | cmd.exe | 40
PID 2752 wrote to memory of 2768 | 2752 | cmd.exe | 40
PID 2768 wrote to memory of 2604 | 2768 | Svchost.exe | 41
PID 2768 wrote to memory of 2604 | 2768 | Svchost.exe | 41
PID 2768 wrote to memory of 2604 | 2768 | Svchost.exe | 41
PID 2768 wrote to memory of 2184 | 2768 | Svchost.exe | 43
PID 2768 wrote to memory of 2184 | 2768 | Svchost.exe | 43
PID 2768 wrote to memory of 2184 | 2768 | Svchost.exe | 43
PID 2184 wrote to memory of 2360 | 2184 | cmd.exe | 45
PID 2184 wrote to memory of 2360 | 2184 | cmd.exe | 45
PID 2184 wrote to memory of 2360 | 2184 | cmd.exe | 45
PID 2184 wrote to memory of 1112 | 2184 | cmd.exe | 46
PID 2184 wrote to memory of 1112 | 2184 | cmd.exe | 46
PID 2184 wrote to memory of 1112 | 2184 | cmd.exe | 46
PID 2184 wrote to memory of 2268 | 2184 | cmd.exe | 47
PID 2184 wrote to memory of 2268 | 2184 | cmd.exe | 47
PID 2184 wrote to memory of 2268 | 2184 | cmd.exe | 47
PID 2268 wrote to memory of 908 | 2268 | Svchost.exe | 48
PID 2268 wrote to memory of 908 | 2268 | Svchost.exe | 48
PID 2268 wrote to memory of 908 | 2268 | Svchost.exe | 48
PID 2268 wrote to memory of 2012 | 2268 | Svchost.exe | 50
PID 2268 wrote to memory of 2012 | 2268 | Svchost.exe | 50
PID 2268 wrote to memory of 2012 | 2268 | Svchost.exe | 50
PID 2012 wrote to memory of 1364 | 2012 | cmd.exe | 52
PID 2012 wrote to memory of 1364 | 2012 | cmd.exe | 52
PID 2012 wrote to memory of 1364 | 2012 | cmd.exe | 52
PID 2012 wrote to memory of 1824 | 2012 | cmd.exe | 53
PID 2012 wrote to memory of 1824 | 2012 | cmd.exe | 53
PID 2012 wrote to memory of 1824 | 2012 | cmd.exe | 53
PID 2012 wrote to memory of 2916 | 2012 | cmd.exe | 54
PID 2012 wrote to memory of 2916 | 2012 | cmd.exe | 54
PID 2012 wrote to memory of 2916 | 2012 | cmd.exe | 54
PID 2916 wrote to memory of 2968 | 2916 | Svchost.exe | 55
PID 2916 wrote to memory of 2968 | 2916 | Svchost.exe | 55
PID 2916 wrote to memory of 2968 | 2916 | Svchost.exe | 55
PID 2916 wrote to memory of 2972 | 2916 | Svchost.exe | 57
PID 2916 wrote to memory of 2972 | 2916 | Svchost.exe | 57
PID 2916 wrote to memory of 2972 | 2916 | Svchost.exe | 57
PID 2972 wrote to memory of 1200 | 2972 | cmd.exe | 59
PID 2972 wrote to memory of 1200 | 2972 | cmd.exe | 59
PID 2972 wrote to memory of 1200 | 2972 | cmd.exe | 59
PID 2972 wrote to memory of 1396 | 2972 | cmd.exe | 60
PID 2972 wrote to memory of 1396 | 2972 | cmd.exe | 60
PID 2972 wrote to memory of 1396 | 2972 | cmd.exe | 60
PID 2972 wrote to memory of 1196 | 2972 | cmd.exe | 61

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe (PID 1972)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\system32\schtasks.exe (PID 2512)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 2] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2516)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\system32\schtasks.exe (PID 2316)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 3] C:\Windows\system32\cmd.exe (PID 2752)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\TirRLi4POsyi.bat" "
  signatures: Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\system32\chcp.com (PID 2836)
  cmdline: chcp 65001

[depth 4] C:\Windows\system32\PING.EXE (PID 2828)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 4] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2768)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\system32\schtasks.exe (PID 2604)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 5] C:\Windows\system32\cmd.exe (PID 2184)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0vJW4wUbpKSL.bat" "
  signatures: Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\system32\chcp.com (PID 2360)
  cmdline: chcp 65001

[depth 6] C:\Windows\system32\PING.EXE (PID 1112)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 6] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2268)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\system32\schtasks.exe (PID 908)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 7] C:\Windows\system32\cmd.exe (PID 2012)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuGZyDIvbNPL.bat" "
  signatures: Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\system32\chcp.com (PID 1364)
  cmdline: chcp 65001

[depth 8] C:\Windows\system32\PING.EXE (PID 1824)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 8] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2916)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\system32\schtasks.exe (PID 2968)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 9] C:\Windows\system32\cmd.exe (PID 2972)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0UiZBBajgk1O.bat" "
  signatures: Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\system32\chcp.com (PID 1200)
  cmdline: chcp 65001

[depth 10] C:\Windows\system32\PING.EXE (PID 1396)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 10] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1196)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 11] C:\Windows\system32\schtasks.exe (PID 2112)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 11] C:\Windows\system32\cmd.exe (PID 2572)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKyMdcP7CYIX.bat" "

[depth 12] C:\Windows\system32\chcp.com (PID 2696)
  cmdline: chcp 65001

[depth 12] C:\Windows\system32\PING.EXE (PID 1940)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 12] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1464)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 13] C:\Windows\system32\schtasks.exe (PID 1456)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 13] C:\Windows\system32\cmd.exe (PID 1836)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\A0TXAJ8Qo8FD.bat" "

[depth 14] C:\Windows\system32\chcp.com (PID 2484)
  cmdline: chcp 65001

[depth 14] C:\Windows\system32\PING.EXE (PID 2252)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 14] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1428)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 15] C:\Windows\system32\schtasks.exe (PID 2116)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 15] C:\Windows\system32\cmd.exe (PID 2508)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Hk2d45QRn9li.bat" "

[depth 16] C:\Windows\system32\chcp.com (PID 2896)
  cmdline: chcp 65001

[depth 16] C:\Windows\system32\PING.EXE (PID 2564)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 16] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2744)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 17] C:\Windows\system32\schtasks.exe (PID 2504)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 17] C:\Windows\system32\cmd.exe (PID 2792)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\wPrZkjWIAc6s.bat" "

[depth 18] C:\Windows\system32\chcp.com (PID 2800)
  cmdline: chcp 65001

[depth 18] C:\Windows\system32\PING.EXE (PID 2648)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 18] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 380)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 19] C:\Windows\system32\schtasks.exe (PID 2712)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 19] C:\Windows\system32\cmd.exe (PID 2728)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\W8bLc5zpnpxE.bat" "

[depth 20] C:\Windows\system32\chcp.com (PID 1740)
  cmdline: chcp 65001

[depth 20] C:\Windows\system32\PING.EXE (PID 940)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 20] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1544)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 21] C:\Windows\system32\schtasks.exe (PID 1016)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 21] C:\Windows\system32\cmd.exe (PID 1364)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\OZviM2Y4Nz6B.bat" "

[depth 22] C:\Windows\system32\chcp.com (PID 1684)
  cmdline: chcp 65001

[depth 22] C:\Windows\system32\PING.EXE (PID 2952)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 22] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2232)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 23] C:\Windows\system32\schtasks.exe (PID 2640)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 23] C:\Windows\system32\cmd.exe (PID 1828)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\kiArc1PqpPL9.bat" "

[depth 24] C:\Windows\system32\chcp.com (PID 2832)
  cmdline: chcp 65001

[depth 24] C:\Windows\system32\PING.EXE (PID 1732)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 24] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 956)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 25] C:\Windows\system32\schtasks.exe (PID 1560)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 25] C:\Windows\system32\cmd.exe (PID 1928)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKYDoNNw6NLh.bat" "

[depth 26] C:\Windows\system32\chcp.com (PID 1632)
  cmdline: chcp 65001

[depth 26] C:\Windows\system32\PING.EXE (PID 2120)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 26] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 1516)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 27] C:\Windows\system32\schtasks.exe (PID 788)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 27] C:\Windows\system32\cmd.exe (PID 972)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\l33cXpBoTRmX.bat" "

[depth 28] C:\Windows\system32\chcp.com (PID 776)
  cmdline: chcp 65001

[depth 28] C:\Windows\system32\PING.EXE (PID 2252)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 28] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 3064)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 29] C:\Windows\system32\schtasks.exe (PID 1888)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 29] C:\Windows\system32\cmd.exe (PID 1616)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\OKsbnZLdqlAY.bat" "

[depth 30] C:\Windows\system32\chcp.com (PID 1032)
  cmdline: chcp 65001

[depth 30] C:\Windows\system32\PING.EXE (PID 2692)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

[depth 30] C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe (PID 2488)
  cmdline: "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

[depth 31] C:\Windows\system32\schtasks.exe (PID 2084)
  cmdline: "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task

[depth 31] C:\Windows\system32\cmd.exe (PID 2528)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UZ1OZiA3RUM1.bat" "

[depth 32] C:\Windows\system32\chcp.com (PID 2516)
  cmdline: chcp 65001

[depth 32] C:\Windows\system32\PING.EXE (PID 2432)
  cmdline: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 209B
MD5: 977a1563583acfd7183f16dbd2f48147
SHA1: 726bd87079973550f9ecc65c453e7dc1b40e43e1
SHA256: bb68da4ed384312df1d9614ace4232565fa14268d3cfedf59df195f95b7035e9
SHA512: f09a360f2b4123d173526688e6468403826075a52a88eb31e7d511c15ae38d1956bf9656c6ed7575145ac8f91172516aedf47f6f222cf5007a664822232d3975

Filesize: 209B
MD5: ed92a3b1f66c54dcd4f2c0769e3f1f62
SHA1: 47c8f01bab4a8b334b0230f77ca4a768f0d58e88
SHA256: 0624a47d1d0224527280593917f8ead7889a28fc74c4c9f29d04f06e7a24dbfd
SHA512: 2916c01697937ef17e1b0d213843ae22451f4dfbcf7acb9cb935eef3a1b211988f2a65d0b1d4154549195c8fb547bc2c890cc6dc188bb1b253b7bdc6c0a24af5

Filesize: 209B
MD5: f0288e6d54a258c2e52ea4aa3401e329
SHA1: 4db0aac73d7df40ad1be361b57b5746fe5d73171
SHA256: ef1c267d1a7ce8e0ca9b2b2e25c080f18e7a018823fac5e8e940547b4eea43ad
SHA512: 9bd4e6ff2090db6aab0d7891aa6840506b04d2563915d1a6b5305b90f534d56d9295d3c3b5ec3d9b2acd06e83efdf54400c54f606cd3fb3f30d8d51b93cd7f51

Filesize: 209B
MD5: c79df7fef22509f906bdc5630783ab93
SHA1: c80758eff50ce6061531bb53cae44cfcc826f500
SHA256: 2eb9e5090c9f63b681848c2953de67f8babb9f098b0d5a7c983e8529aff00d28
SHA512: 6b994f55f05f57edef6f2f0782347f5a547988c1ba733eca2226865b2309df61c4a544fa83cfe41320897a8d0138adc8907d08dfaf3fce932a440e6e0f255954

Filesize: 209B
MD5: 3d4d2354021aef915a9add8506ab370d
SHA1: a06e16d23975e0093166889a3153bf09f831f975
SHA256: 4c0bff10d341eacec9c96034d4bfb095a2e48083e4f7baad57f8d5731e5ad621
SHA512: b51adc4b25e4daec4b203bd95ee6acb5aac76eae28a7df74ea4308586aa149ecb30894b7cb9fba42510b1543be2739c53a8181b641d920ca0e6987fef4375913

Filesize: 209B
MD5: 7a043611d10be41151e27f5fc8709a81
SHA1: f21777a19a346b88a1f43add6bc0a4e6d683017b
SHA256: 495b1e39f75f91b92452159892efdf41b47e18c3e508d9ab11e76f8178489ef9
SHA512: a3475ddecd5930495a2d4c4d24e5c215524cf0c9b727c54ee5f55ae7c628a532970789c021d2dfd639b6a9ae58be96e9dced9f7b36b829ac7fc0a795102c56af

Filesize: 209B
MD5: 430d1c98b6815008e898fceb0cdb1721
SHA1: 113d4c95610ecc6c2b99d11ad9b5113defe0e527
SHA256: c3d5dca3f691a00a32b2c1d0e788e801b9d07dbf362ca11ca7c740883b246515
SHA512: 4ee49aaf9f54956872e618299d4c3b55721007ff01bd32516f29d6e40a5a3c5613821f56524619315e745fce0f7bf2e659dda3467f3830a5b7db325848805ef8

Filesize: 209B
MD5: 6c9c0c5e80dff390ef56abc7dec26291
SHA1: 06139083de7af62ec1ee74c690d267c31e1d03a3
SHA256: 325cf66ae18cac4dd31e222d9eb504baba96a65c8c55ec7a42461836a51e2630
SHA512: dc0e0688dd87a58bac6c85e78fc3b113131891be8cc9a3d51477dc9bdd2f2fdc8d1397031f40a8681940787c83090bd163c84e958998ac74aafa539d4ed3a094

Filesize: 209B
MD5: 251e69acd30fe42258a1126bf3d22566
SHA1: a0e6176f9e03210f81d024658aff6b3b3b7691d2
SHA256: 65833e6f98bc2d595ebb78d768aa956e68153612ad94a69cae380eeff838f63e
SHA512: 6db468997133b23187346261b5dee5afc1e87723378893ea7a356062f61a6494963288ed6bbe7185c75942f67e3792a980598a0a8de737496403a3a3a3c070ec

Filesize: 209B
MD5: 2324be2552312ade7690e7f4fd132105
SHA1: f0e28c346af9d25ae57dc32559c63da2b3960dd1
SHA256: 6100210c2cda265f110e4b36d41e271bb568e87a80fcf3d8cf942f71dc2dfc73
SHA512: 241be3b65a4efecdd27ea84b19b0199c620623513f2b215a1dd7c28d67b308516c022946c8f7781b61197675f9ccab45cfd94133cabc66ae6b66863828a7f42d

Filesize: 209B
MD5: b6d1e0548f623ca6928a642daae425c3
SHA1: 44fcaf0047b9e7bb0f9b439461d0c00f1fbee7e8
SHA256: 51ceecd9e2fecccd1d48e904db36b7f9f96f8b88285981533e2690a2890b71e9
SHA512: 422d530983954b031704d2afe3ced4bbdd24cda7a14ec2e708c8c27080b0396e294da99496382f6c4af37591f636fb878008516f4d302fd85430b6f654ab1aca

Filesize: 209B
MD5: f52a49d61fd61b84cdda3879ee492152
SHA1: 39e804b82a5f419a169aa9fe93bc3c2196c571c8
SHA256: 99ac7835f8fef42ec1c10910b7cea3974b010a310010e0bca9484fec5154b22d
SHA512: 532f43bd84ae13dc8983a0109c3a0e318f525632f794e37265648beaa698e202ad0aa50f3f9d6f3308c5481f905304bd84974de8d9aaaee4015dbc6d450a25ab

Filesize: 209B
MD5: 55de8dbb066f315c4fa9a92f7bc11ca3
SHA1: dc966f8afbe1f7d54f19e1039e253568e0d86323
SHA256: 3bcde3f341d5d6d91a249810f229b1815507ea9f80a5f5b66502814bff71e654
SHA512: 8aef4c6b2e98ef7545f317a97fba20af10be465075662ce0eb2b8fddacd9de04d764872a6b95b56ca3bd912c39cbbefbfe3dae56656c0c027f36c220517cb34f

Filesize: 209B
MD5: db693d2192832c1f84c480d4e75df1c2
SHA1: b8053e39b1dc80b87c0c9ac65ec0a15aca561ddd
SHA256: 215f3637c87b4fa42bee158548f4bb1f0023ecdb502cd615280bbbb10134502e
SHA512: d10af8824ed98d9bb0e4d4d205f97c634bfec2fb56265e6ee6b6fd893cc2d3f25a94cf3ccd4769e6275d57072db5c86251794c483cf90d998a2367b33c16fe2c

Filesize: 209B
MD5: b11463d3cafe549f43a6837f4949a967
SHA1: 24896353d3973cd9a219aa89dd839b137e50dd4a
SHA256: 742c256a78e17a173422ef88038cd5b77995219b2b325d50cdfe4aaf510f6c5b
SHA512: 75fb84349ecbf44a9c8bc982e838bce01a9f9a9a643a735e65328462799737c8e37aa76d2f3a4e39013b926dc3e748ac6ebd3babe634b5e7e24e506634511385

Filesize: 3.1MB
MD5: f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1: c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256: b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512: c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1